
Is my computer infected?


YPMajor


I'm wondering if my computer is infected. Weird things are happening and yet Malwarebytes' Anti-Malware, NOD32, and Webroot SpySweeper report nothing wrong upon scanning.

But the "My Computer" folder always opens at startup and I'm starting to receive spam emails sent from my own email address!

Please help! I have no clue what is going on and I'm getting very nervous. I'm pasting a copy of the scan logs from MBAM, Panda ActiveScan, and HijackThis below. Do you see anything abnormal? Anything to be concerned about?

Your feedback will be very much appreciated. Thanks in advance!

Best regards,

Yvon-Pierre Major

==============================

MBAM Log on Saturday Nov 15 when malware was detected:

Malwarebytes' Anti-Malware 1.30

Database version: 1399

Windows 5.1.2600 Service Pack 3

15/11/2008 6:50:50 AM

mbam-log-2008-11-15 (06-50-50).txt

Scan type: Quick Scan

Objects scanned: 54627

Time elapsed: 2 minute(s), 52 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 7

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{9233c3c0-1472-4091-a505-5580a23bb4ac} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\MSFox (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSFox (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\msxml71.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\Y-P Major\Local Settings\Temp\xxx1986.exe (Trojan.FakeAlert) -> Delete on reboot.

C:\Documents and Settings\Y-P Major\Local Settings\Temp\~tmpb.exe (Trojan.FakeAlert) -> Delete on reboot.

==============================

MBAM Log one week later on Sunday Nov 23:

Malwarebytes' Anti-Malware 1.30

Database version: 1419

Windows 5.1.2600 Service Pack 3

23/11/2008 10:44:16 PM

mbam-log-2008-11-23 (22-44-16).txt

Scan type: Quick Scan

Objects scanned: 54059

Time elapsed: 3 minute(s), 9 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

==============================

Panda ActiveScan Log:

;*******************************************************************************

ANALYSIS: 2008-11-23 22:51:17

PROTECTIONS: 1

MALWARE: 2

SUSPECTS: 0

;*******************************************************************************

PROTECTIONS

Description Version Active Updated

;===============================================================================

ESET NOD32 Antivirus 3.0 3.0 Yes Yes

;===============================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Y-P Major\Cookies\y-p_major@atdmt[1].txt

00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Y-P Major\Cookies\y-p_major@com[1].txt

;===============================================================================

SUSPECTS

Sent Location

;===============================================================================

;===============================================================================

VULNERABILITIES

Id Severity Description

;===============================================================================

;===============================================================================

==============================

HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:52:58 PM, on 23/11/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe

C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\Program Files\ASUS\AASP\1.00.61\aaCenter.exe

C:\Program Files\Roxio Creator 2009\5.0\CPMonitor.exe

C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe

C:\Program Files\Webroot\Washer\wwDisp.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Faronics\Deep Freeze\Install C-0\_$Df\FrzState2k.exe

C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe

C:\WINDOWS\system32\tcpsvcs.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

C:\WINDOWS\System32\ups.exe

C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe

C:\Program Files\Webroot\Washer\WasherSvc.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\DOCUME~1\Y-PMAJ~1\LOCALS~1\Temp\RoboForm\RoboTaskBarIcon.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/accounts/ServiceLogi...mp;ltmplcache=2

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [TrueImageMonitor.exe] "C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [sideWinderTrayV4] "C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe"

O4 - HKLM\..\Run: [RTHDCPL] "C:\WINDOWS\RTHDCPL.EXE"

O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatchTray11.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"

O4 - HKLM\..\Run: [nwiz] "C:\WINDOWS\system32\nwiz.exe" /install

O4 - HKLM\..\Run: [NvMediaCenter] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [CPU Power Monitor] "C:\Program Files\ASUS\AI Suite\AiGear3\CpuPowerMonitor.exe"

O4 - HKLM\..\Run: [Cpu Level Up help] "C:\Program Files\ASUS\AI Suite\CpuLevelUpHelp.exe"

O4 - HKLM\..\Run: [ASUS Energy Saving] "C:\Program Files\ASUS\AI Suite\EnergySaving\PwSave.exe"

O4 - HKLM\..\Run: [Alcmtr] "C:\WINDOWS\ALCMTR.EXE"

O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe"

O4 - HKLM\..\Run: [Adobe_ID0EYTHM] "C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE"

O4 - HKLM\..\Run: [AcronisTimounterMonitor] "C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe"

O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"

O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [CPMonitor] "C:\Program Files\Roxio Creator 2009\5.0\CPMonitor.exe"

O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe" -expressboot

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray

O4 - HKCU\..\Run: [Window Washer] "C:\Program Files\Webroot\Washer\wwDisp.exe"

O4 - HKCU\..\Run: [update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [sHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background

O4 - HKCU\..\Run: [CTFMON.EXE] "C:\WINDOWS\system32\ctfmon.exe"

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: OpenOffice.org 3.0.lnk = ?

O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1219824127875

O20 - Winlogon Notify: DfLogon - C:\WINDOWS\SYSTEM32\LogonDll.dll

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe

O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: DF5Serv - Faronics Corporation - C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe

O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Roxio UPnP Renderer 11 - Sonic Solutions - C:\Program Files\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe

O23 - Service: Roxio Upnp Server 11 - Sonic Solutions - C:\Program Files\Roxio Creator 2009\Digital Home 11\RoxioUpnpService11.exe

O23 - Service: LiveShare P2P Server 11 (RoxLiveShare11) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxLiveShare11.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)

O23 - Service: RoxMediaDB11 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxMediaDB11.exe

O23 - Service: Roxio Hard Drive Watcher 11 (RoxWatch11) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatch11.exe

O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe

O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--

End of file - 15468 bytes

==============================

Anxiously waiting for your feedback. Thanks again!

Yvon-Pierre


Please perform this online scan: F-Secure Online Scanner Next Generation Beta

1. Click on the link "F-Secure Online Scanner Next Generation Beta".

2. You may receive an alert on the address bar at this point to install the ActiveX control.

3. Click on that alert and then click Install ActiveX component.

4. Read the license agreement and click "Accept".

5. Click "Custom Scan" and be sure the following are checked:

  • Scan whole System
  • Scan all files
  • Scan whole system for rootkits
  • Scan whole system for spyware
  • Scan inside archives
  • Use advanced heuristics

6. When the scan completes, click the "I want to decide item by item" button.

7. For each item found, Select "Disinfect" and click "Next".

8. When done, click the "Show Report" button, then copy and paste the entire report into your next reply.


Hello 1972Vet,

Thanks for your reply. Unfortunately, I cannot get the "F-Secure Online Scanner" to perform the scan (and by the way, the Online Virus Scanner beta program has ended - Version 3.3 is now available).

Here is what happens:

I follow your instructions to start the scan. When the download finishes and the scan is just about to start, I receive this message:

"An error has occured! Please close the scanner and your browser, then try again. (Id:12)"

I closed my browser as instructed and started the whole process all over again but I got the same error message.

So I restarted my computer and then pointed my browser to the F-Secure site to start the scan once more but I ended up with the same error again.

Please let me know what I should do.

Thanks,

Yvon-Pierre


Hello,

After deleting "F-Secure Online Scanner 3.3" from "Downloaded Program Files" in Windows Explorer, I was able to re-download F-Secure Online Scanner and get the scan to work. Here is the content of the "Show Report".

Hope this is going to help.

Yvon-Pierre

(((((((((( F-Secure Online Scanner 3.3.1 Scanning Report ))))))))))

Scanning Report

Thursday, November 27, 2008 03:27:00 - 06:24:49

Computer name: Y-P-P5K-SE

Scanning type: Scan system for malware, rootkits

Target: C:\ D:\

--------------------------------------------------------------------------------

Result: 7 malware found

TrackingCookie.2o7 (spyware)

System

TrackingCookie.Advertising (spyware)

System

TrackingCookie.Atdmt (spyware)

System

TrackingCookie.Doubleclick (spyware)

System

TrackingCookie.Mediaplex (spyware)

System

TrackingCookie.Revsci (spyware)

System

TrackingCookie.Yieldmanager (spyware)

System

--------------------------------------------------------------------------------

Statistics

Scanned:

Files: 554121

System: 3990

Not scanned: 166

Actions:

Disinfected: 0

Renamed: 0

Deleted: 0

None: 7

Submitted: 0

Files not scanned:


--------------------------------------------------------------------------------

Options

Scanning engines:

F-Secure USS: 2.40.0

F-Secure Hydra: 2.8.8110, 2008-11-27

F-Secure AVP: 7.0.171, 2008-11-27

F-Secure Pegasus: 1.20.0, 2008-10-25

F-Secure Blacklight: 2.4.1093

Scanning options:

Scan all files

Scan inside archives

Use Advanced heuristics

--------------------------------------------------------------------------------



Click start-->Control Panel-->Folder Options-->View tab...scroll down and locate the option "Restore previous folder windows at logon" to see if there is a check in that box. If so, remove the check, click "Apply" and "OK". Close everything and reboot the system to properly record the change made to your hard disk.

Does "My Computer" still open on startup?

Are you still receiving spam from your own email account? Tell us how you know that it is coming from your own account.


Hello again!

As instructed, I went to Start-->Control Panel-->Folder Options-->View tab but there is no check mark beside "Restore previous folder windows at logon". The "My Computer" folder still opens at startup.

I have not seen spam coming from my own email address in the last few days. To answer your question, I don't know how these spam emails got to my inbox but they were sure showing my complete email address as the person sending the emails.

Below is how my troubles started. I thought a little background would help:

While browsing the internet last week, NOD32 reported an intrusion and quarantined the files (but I could not figure out how to remove them). Eventually, I started seeing an alert reporting that "Windows has detected spyware infection". Then a scan started on its own and I could not stop it. After a few minutes, a message appeared reporting that my computer was infected with ipexewin.exe, audiopitusr.exe, and exeiptransfer.exe. I did not download the software they were recommending. Instead I tried to research the files on the internet but my browser (IE7) kept opening other pages than the ones I was asking for. So I used another computer and eventually found and downloaded Malwarebytes' Anti-Malware. I transferred this utility to my infected computer using a USB key. I ran the utility and it reported that it had removed the threat. I thought I was OK.

But weird things keep happening more than one week later and I can't fix them, no matter what I try:

-The computer takes more time to startup

-"My Computer" folder always opens at startup

-When I start my IE7 browser, it always opens in a smaller window even though I maximize it every time (it seems windows size settings are not kept)

-I'm receiving spam emails from my own email address

-My security utilities' task tray icons get disabled randomly at startup: the first time it was NOD32, then Malwarebytes' Anti-Malware, and then Webroot SpySweeper.

I've run multiple scans using MBAM, NOD32, and SpySweeper but they always report that everything is fine. During all of this, I also ran the Startup Manager module within Advanced System Optimizer to see if it would help. I deleted the startup icon for "SpyNoMore" (SNM.exe) but it kept showing in the list every time I restarted the Startup Manager. So I concluded that Advanced System Optimizer was not working properly and uninstalled it (I re-installed it since but didn't use the Startup Manager).

The only way I found to stop the "My Computer" folder from automatically opening at startup is to run msconfig and disable all Startup files. I tried to isolate the startup file creating the problem (very long process) but one day it seemed to be "CPMonitor", but when I tried again another time, disabling CPMonitor didn't make a difference! Go figure!

Maybe I should simply reformat the hard drive and start all over again but I'd prefer to avoid spending countless hours re-installing everything if possible. I'm ready to go this way if it turns out to be the ONLY solution but I need to know.

What do you suggest?

Thanks again!

Yvon-Pierre


Advanced System Optimizer is shareware that is only going to function for the 30-day trial, after which the software will undoubtedly nag you to purchase the program. It may still function without a license but would be limited in its intended purpose.

SpyNoMore used to be listed on the Spyware Warrior's web site as a rogue/suspect anti-spyware application. You can read more about it Here. Although it has been removed from the list, I would still not recommend it as there are far more (and better) "Free" applications available in the public domain.

Please copy the text in the code box below and paste it into a blank notepad:

regedit /e c:\text.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

...save this file as showme.bat. Change the Save as type: to "All files" and save it to your desktop. Double-click on the bat file...it might appear that nothing at all happened. Now navigate to your C:\ drive to locate the text file:

c:\text.txt

Please copy and paste the contents of that text file back here on your next reply. Thanks!
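The export requested above is only useful if someone then reads the Winlogon values for tampering. As an added example (not code from this thread, from the helper, or from Malwarebytes), the Python script below parses a `regedit /e` export, decodes the `hex(2)` UTF-16 values that regedit splits across lines, compares `Shell`, `Userinit` and `UIHost` against their defaults, and lists every DLL registered under `Winlogon\Notify` (each of those is loaded into winlogon.exe at logon, so the list is worth a look). The defaults in `EXPECTED` are an assumption for a Windows XP install whose system root is `C:\WINDOWS`; the embedded sample is a constructed subset of the export posted in the thread, and the "tampered" variant uses a placeholder file name.

```python
"""Audit a ``regedit /e`` export of the Winlogon key for tampered values.

Added example, not code from the thread or from Malwarebytes. EXPECTED holds
assumed Windows XP defaults for a system root of C:\\WINDOWS; adjust it for
another layout before trusting a finding.
"""
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Assumed XP defaults for the Winlogon values most often changed for persistence.
EXPECTED = {
    "Shell": "Explorer.exe",
    "Userinit": r"C:\WINDOWS\system32\userinit.exe,",
    "UIHost": "logonui.exe",
}

# Constructed sample: a trimmed subset of the export posted in the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"VmApplet"="rundll32 shell32,Control_RunDLL \"sysdm.cpl\""
"UIHost"=hex(2):6c,00,6f,00,67,00,6f,00,6e,00,75,00,69,00,2e,00,65,00,78,00,65,\
  00,00,00
"SFCDisable"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
'''

# Constructed tampered variant: a second program appended to Shell (placeholder name).
TAMPERED_REG = SAMPLE_REG.replace(
    '"Shell"="Explorer.exe"', r'"Shell"="Explorer.exe,C:\\WINDOWS\\unknown.exe"')


def _unescape(s):
    # .reg string values escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def decode_value(val):
    """Turn the text after '=' into a Python value (str, int, list or bytes)."""
    if val.startswith('"') and val.endswith('"'):
        return _unescape(val[1:-1])
    if val.startswith("dword:"):
        return int(val[len("dword:"):], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", val)
    if m:
        kind = int(m.group(1) or 3)  # bare 'hex:' is REG_BINARY (type 3)
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if kind == 2:                # REG_EXPAND_SZ, UTF-16LE, NUL terminated
            return data.decode("utf-16-le").rstrip("\0")
        if kind == 7:                # REG_MULTI_SZ, UTF-16LE, NUL separated
            return [s for s in data.decode("utf-16-le").split("\0") if s]
        return data
    return val


def parse_reg(text):
    """Parse regedit export text into {key_path: {value_name: value}}."""
    keys, current = {}, None
    pending_name, pending_val = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                 # blank lines never end a value
        if pending_name is not None:
            # continuation of a hex value that regedit wrapped with a trailing '\'
            pending_val += line.rstrip("\\")
            if not line.endswith("\\"):
                keys[current][pending_name] = decode_value(pending_val)
                pending_name = None
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if not m or current is None:
            continue                 # header line or something unparseable
        name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
        val = m.group(2)
        if val.endswith("\\"):
            pending_name, pending_val = name, val[:-1]
        else:
            keys[current][name] = decode_value(val)
    return keys


def load_reg(path):
    # regedit /e writes UTF-16LE with a byte-order mark; the utf-16 codec consumes it
    with open(path, encoding="utf-16") as f:
        return parse_reg(f.read())


def audit(keys):
    """Return (findings, notify_dlls): mismatches against EXPECTED and Notify DLLs."""
    findings, notify = [], []
    wl = keys.get(WINLOGON, {})
    for name, expected in EXPECTED.items():
        actual = wl.get(name)
        if actual is None:
            findings.append(f"{name}: missing")
        elif str(actual).lower() != expected.lower():   # Windows paths are case-insensitive
            findings.append(f"{name}: {actual!r} (expected {expected!r})")
    prefix = (WINLOGON + "\\Notify\\").lower()
    for key, vals in keys.items():
        if key.lower().startswith(prefix):
            notify.append((key.rsplit("\\", 1)[1], vals.get("DllName") or vals.get("DLLName")))
    return findings, notify


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_REG), ("tampered", TAMPERED_REG)):
        findings, notify = audit(parse_reg(text))
        print(label, "findings:", findings or "none")
        print(label, "Notify DLLs:", notify)
```

To run it against a real export, call `load_reg(r"c:\text.txt")` instead of `parse_reg(SAMPLE_REG)`; a clean XP machine should produce no findings, and every Notify entry should resolve to a DLL you recognise from the export above (crypt32.dll, cscdll.dll, wlnotify.dll and so on).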


Hello 1972vet,

As requested, I've copied the content of the text.txt file below.

But before going on, I need to clarify something. I opened a thread on the same subject 4 days ago but nobody was replying. In my ignorance (and in panic with my computer problem), I thought I had to open another thread to get noticed. So I opened this thread the next day. But Maurice Naggard started working on my first thread today. Since he replied to my first message, I assumed it was OK to let both threads go. Maurice brought this to my attention and explained that we should not have two threads on the same subject. I'm sorry for creating this problem - this is a true rookie mistake! Maurice will most likely get in contact with you to sort this out. Like I told Maurice, I really appreciate the help I've received so far and I hope that one of you will continue with my case.

So here is the content of the file you requested:

(((((((((((((((((((( text.txt ))))))))))))))))))))

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"AutoRestartShell"=dword:00000001

"DefaultDomainName"="Y-P-P5K-SE"

"DefaultUserName"="Y-P Major"

"LegalNoticeCaption"=""

"LegalNoticeText"=""

"PowerdownAfterShutdown"="0"

"ReportBootOk"="1"

"Shell"="Explorer.exe"

"ShutdownWithoutLogon"="0"

"System"=""

"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

"VmApplet"="rundll32 shell32,Control_RunDLL \"sysdm.cpl\""

"SfcQuota"=dword:ffffffff

"allocatecdroms"="0"

"allocatedasd"="0"

"allocatefloppies"="0"

"cachedlogonscount"="10"

"forceunlocklogon"=dword:00000000

"passwordexpirywarning"=dword:0000000e

"scremoveoption"="0"

"AllowMultipleTSSessions"=dword:00000001

"UIHost"=hex(2):6c,00,6f,00,67,00,6f,00,6e,00,75,00,69,00,2e,00,65,00,78,00,65,\

00,00,00

"LogonType"=dword:00000001

"Background"="0 0 0"

"DebugServerCommand"="no"

"SFCDisable"=dword:00000000

"WinStationsDisabled"="0"

"HibernationPreviouslyEnabled"=dword:00000001

"ShowLogonOptions"=dword:00000000

"AltDefaultUserName"="Y-P Major"

"AltDefaultDomainName"="Y-P-P5K-SE"

"ChangePasswordUseKerberos"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]

@="Wireless"

"ProcessGroupPolicy"="ProcessWIRELESSPolicy"

"DllName"=hex(2):67,00,70,00,74,00,65,00,78,00,74,00,2e,00,64,00,6c,00,6c,00,\

00,00

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]

@="Folder Redirection"

"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"

"DllName"=hex(2):66,00,64,00,65,00,70,00,6c,00,6f,00,79,00,2e,00,64,00,6c,00,\

6c,00,00,00

"NoMachinePolicy"=dword:00000001

"NoSlowLink"=dword:00000001

"PerUserLocalSettings"=dword:00000001

"NoGPOListChanges"=dword:00000000

"NoBackgroundPolicy"=dword:00000000

"GenerateGroupPolicy"="GenerateGroupPolicy"

"EventSources"=hex(7):28,00,46,00,6f,00,6c,00,64,00,65,00,72,00,20,00,52,00,65,\

00,64,00,69,00,72,00,65,00,63,00,74,00,69,00,6f,00,6e,00,2c,00,41,00,70,00,\

70,00,6c,00,69,00,63,00,61,00,74,00,69,00,6f,00,6e,00,29,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]

@="Microsoft Disk Quota"

"NoMachinePolicy"=dword:00000000

"NoUserPolicy"=dword:00000001

"NoSlowLink"=dword:00000001

"NoBackgroundPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"PerUserLocalSettings"=dword:00000000

"RequiresSuccessfulRegistry"=dword:00000001

"EnableAsynchronousProcessing"=dword:00000000

"DllName"=hex(2):64,00,73,00,6b,00,71,00,75,00,6f,00,74,00,61,00,2e,00,64,00,\

6c,00,6c,00,00,00

"ProcessGroupPolicy"="ProcessGroupPolicy"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]

@="QoS Packet Scheduler"

"ProcessGroupPolicy"="ProcessPSCHEDPolicy"

"DllName"=hex(2):67,00,70,00,74,00,65,00,78,00,74,00,2e,00,64,00,6c,00,6c,00,\

00,00

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]

@="Scripts"

"ProcessGroupPolicy"="ProcessScriptsGroupPolicy"

"ProcessGroupPolicyEx"="ProcessScriptsGroupPolicyEx"

"GenerateGroupPolicy"="GenerateScriptsGroupPolicy"

"DllName"=hex(2):67,00,70,00,74,00,65,00,78,00,74,00,2e,00,64,00,6c,00,6c,00,\

00,00

"NoSlowLink"=dword:00000001

"NoGPOListChanges"=dword:00000001

"NotifyLinkTransition"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]

@="Internet Explorer Zonemapping"

"DllName"=hex(2):69,00,65,00,64,00,6b,00,63,00,73,00,33,00,32,00,2e,00,64,00,\

6c,00,6c,00,00,00

"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"

"NoGPOListChanges"=dword:00000001

"RequiresSucessfulRegistry"=dword:00000001

"DisplayName"=hex(2):40,00,69,00,65,00,64,00,6b,00,63,00,73,00,33,00,32,00,2e,\

00,64,00,6c,00,6c,00,2c,00,2d,00,33,00,30,00,35,00,31,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]

"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"

"GenerateGroupPolicy"="SceGenerateGroupPolicy"

"ExtensionRsopPlanningDebugLevel"=dword:00000001

"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"

"ExtensionDebugLevel"=dword:00000001

"DllName"=hex(2):73,00,63,00,65,00,63,00,6c,00,69,00,2e,00,64,00,6c,00,6c,00,\

00,00

@="Security"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"EnableAsynchronousProcessing"=dword:00000001

"MaxNoGPOListChangesInterval"=dword:000003c0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]

"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"

"GenerateGroupPolicy"="GenerateGroupPolicy"

"ProcessGroupPolicy"="ProcessGroupPolicy"

"DllName"="iedkcs32.dll"

@="Internet Explorer Branding"

"NoSlowLink"=dword:00000001

"NoBackgroundPolicy"=dword:00000000

"NoGPOListChanges"=dword:00000001

"NoMachinePolicy"=dword:00000001

"DisplayName"=hex(2):40,00,69,00,65,00,64,00,6b,00,63,00,73,00,33,00,32,00,2e,\

00,64,00,6c,00,6c,00,2c,00,2d,00,33,00,30,00,31,00,34,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]

"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"

"DllName"=hex(2):73,00,63,00,65,00,63,00,6c,00,69,00,2e,00,64,00,6c,00,6c,00,\

00,00

@="EFS recovery"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]

@="802.3 Group Policy"

"DisplayName"=hex(2):40,00,64,00,6f,00,74,00,33,00,67,00,70,00,63,00,6c,00,6e,\

00,74,00,2e,00,64,00,6c,00,6c,00,2c,00,2d,00,31,00,30,00,30,00,00,00

"ProcessGroupPolicyEx"="ProcessLANPolicyEx"

"GenerateGroupPolicy"="GenerateLANPolicy"

"DllName"=hex(2):64,00,6f,00,74,00,33,00,67,00,70,00,63,00,6c,00,6e,00,74,00,\

2e,00,64,00,6c,00,6c,00,00,00

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]

@="Microsoft Offline Files"

"DllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,63,\

00,73,00,63,00,75,00,69,00,2e,00,64,00,6c,00,6c,00,00,00

"EnableAsynchronousProcessing"=dword:00000000

"NoBackgroundPolicy"=dword:00000000

"NoGPOListChanges"=dword:00000000

"NoMachinePolicy"=dword:00000000

"NoSlowLink"=dword:00000000

"NoUserPolicy"=dword:00000001

"PerUserLocalSettings"=dword:00000000

"ProcessGroupPolicy"="ProcessGroupPolicy"

"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]

@="Software Installation"

"DllName"=hex(2):61,00,70,00,70,00,6d,00,67,00,6d,00,74,00,73,00,2e,00,64,00,\

6c,00,6c,00,00,00

"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"

"GenerateGroupPolicy"="GenerateGroupPolicy"

"NoBackgroundPolicy"=dword:00000000

"RequiresSucessfulRegistry"=dword:00000000

"NoSlowLink"=dword:00000001

"PerUserLocalSettings"=dword:00000001

"EventSources"=hex(7):28,00,41,00,70,00,70,00,6c,00,69,00,63,00,61,00,74,00,69,\

00,6f,00,6e,00,20,00,4d,00,61,00,6e,00,61,00,67,00,65,00,6d,00,65,00,6e,00,\

74,00,2c,00,41,00,70,00,70,00,6c,00,69,00,63,00,61,00,74,00,69,00,6f,00,6e,\

00,29,00,00,00,28,00,4d,00,73,00,69,00,49,00,6e,00,73,00,74,00,61,00,6c,00,\

6c,00,65,00,72,00,2c,00,41,00,70,00,70,00,6c,00,69,00,63,00,61,00,74,00,69,\

00,6f,00,6e,00,29,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]

@="IP Security"

"ProcessGroupPolicy"="ProcessIPSECPolicy"

"DllName"=hex(2):67,00,70,00,74,00,65,00,78,00,74,00,2e,00,64,00,6c,00,6c,00,\

00,00

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\

6c,00,00,00

"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\DfLogon]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"Startup"="DfEventStartup"

"DllName"=hex(2):4c,00,6f,00,67,00,6f,00,6e,00,44,00,6c,00,6c,00,2e,00,64,00,\

6c,00,6c,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]

"Asynchronous"=dword:00000001

"DllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,\

00,69,00,6d,00,73,00,6e,00,74,00,66,00,79,00,2e,00,64,00,6c,00,6c,00,00,00

"Startup"="WlDimsStartup"

"Shutdown"="WlDimsShutdown"

"Logon"="WlDimsLogon"

"Logoff"="WlDimsLogoff"

"StartShell"="WlDimsStartShell"

"Lock"="WlDimsLock"

"Unlock"="WlDimsUnlock"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]

"DLLName"="wlnotify.dll"

"Logon"="SCardStartCertProp"

"Logoff"="SCardStopCertProp"

"Lock"="SCardSuspendCertProp"

"Unlock"="SCardResumeCertProp"

"Enabled"=dword:00000001

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Impersonate"=dword:00000000

"StartShell"="SchedStartShell"

"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"PostShell"="SensPostShellEvent"

"Disconnect"="SensDisconnectEvent"

"Reconnect"="SensReconnectEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Impersonate"=dword:00000000

"Logoff"="TSEventLogoff"

"Logon"="TSEventLogon"

"PostShell"="TSEventPostShell"

"Shutdown"="TSEventShutdown"

"StartShell"="TSEventStartShell"

"Startup"="TSEventStartup"

"MaxWait"=dword:00000258

"Reconnect"="TSEventReconnect"

"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]

"Logon"="WLEventLogon"

"Logoff"="WLEventLogoff"

"Startup"="WLEventStartup"

"Shutdown"="WLEventShutdown"

"StartScreenSaver"="WLEventStartScreenSaver"

"StopScreenSaver"="WLEventStopScreenSaver"

"Lock"="WLEventLock"

"Unlock"="WLEventUnlock"

"StartShell"="WLEventStartShell"

"PostShell"="WLEventPostShell"

"Disconnect"="WLEventDisconnect"

"Reconnect"="WLEventReconnect"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000000

"SafeMode"=dword:00000001

"MaxWait"=dword:ffffffff

"DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Event"=dword:00000000

"InstallEvent"="1.8.0031.9"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]

@=""

"Data"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,\

00,00,7e,c0,93,6a,39,e0,b1,4a,a0,97,55,1e,5c,17,96,80,04,00,00,00,04,00,00,\

00,53,00,00,00,03,66,00,00,a8,00,00,00,10,00,00,00,df,6e,b8,0b,6c,73,06,3a,\

24,c1,2c,cb,db,bd,9f,d1,00,00,00,00,04,80,00,00,a0,00,00,00,10,00,00,00,27,\

8f,67,4d,b4,53,5b,be,39,7e,be,30,91,99,0e,56,b0,01,00,00,6d,7c,49,8c,cc,99,\

23,60,0a,ea,75,94,1a,89,47,ef,30,5a,ba,68,1c,00,d5,dd,b4,3d,42,0c,1d,ea,58,\

f6,5b,d7,9f,57,e0,b3,89,f6,27,66,5b,70,ad,32,56,0f,6e,30,ad,b7,fc,c1,26,3d,\

2d,ef,cb,f1,48,90,75,65,34,91,b1,5d,d3,d9,e2,90,c0,8f,6b,ad,26,f3,d0,cb,dc,\

79,a1,5c,b2,2f,73,36,2a,5d,12,ce,aa,57,66,a5,52,1d,8e,df,1c,8d,45,5a,e0,7a,\

d3,f3,42,08,29,e5,e7,b5,f7,ce,26,0f,21,73,df,7a,7a,7b,db,85,5e,d6,03,66,b3,\

66,2e,39,37,b7,6b,f6,47,b8,11,40,a6,b5,e6,e2,83,8c,06,a9,d9,0e,39,96,84,44,\

83,93,5c,65,27,14,e3,23,38,ab,5f,32,f5,d6,86,cf,d9,29,5c,8e,25,19,95,a3,f9,\

d8,eb,e2,cc,46,da,93,b9,92,7e,b1,4f,a0,e5,4d,e1,72,d7,61,ab,0b,32,de,97,08,\

16,55,6b,61,37,ce,ee,21,18,fd,22,98,f9,d0,92,81,4f,c0,7e,96,08,29,6f,a4,b0,\

33,27,0d,19,84,87,6b,91,27,84,61,fa,d9,7e,47,3a,17,fb,ab,9a,af,11,ba,ed,86,\

d5,b6,83,80,a9,23,4e,b2,10,1b,a2,2c,38,e0,35,b4,08,4a,2c,21,a0,4b,d2,76,d4,\

20,59,1d,00,17,61,9a,12,1b,98,84,6e,fe,f3,00,75,55,20,03,bc,ad,63,e5,87,50,\

b9,6a,c6,31,bd,f2,ca,5b,9e,f9,f8,01,55,a2,6a,da,2e,da,1e,81,a3,50,70,a9,76,\

9f,66,a1,f5,ee,05,1c,a3,71,31,e8,f9,d5,3b,d1,e5,5c,f0,ca,da,18,50,2a,9c,79,\

05,75,1c,e0,ca,0e,d6,c2,ff,a7,d3,2a,a7,99,62,1d,40,dd,d0,b3,fe,02,ac,e6,af,\

65,a2,b8,b7,92,7f,62,ba,0d,da,c1,69,68,76,6f,b9,51,db,f2,ee,eb,94,92,27,d2,\

8c,77,ed,0a,52,b8,a4,99,3e,97,be,3a,2c,5f,cc,c4,10,e4,85,e1,ed,24,24,97,2b,\

bc,14,00,00,00,51,e7,4d,26,bc,d9,47,ab,20,2b,6b,1c,89,ca,ce,79,18,39,be,f6

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

"DLLName"="wlnotify.dll"

"Logon"="RegisterTicketExpiredNotificationEvent"

"Logoff"="UnregisterTicketExpiredNotificationEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]

"HelpAssistant"=dword:00000000

"TsInternetUser"=dword:00000000

"SQLAgentCmdExec"=dword:00000000

"NetShowServices"=dword:00000000

"IWAM_"=dword:00010000

"IUSR_"=dword:00010000

"VUSR_"=dword:00010000


Yes I received the PM from Maurice and have indicated in my reply that by protocol, having answered the thread prior to my arrival, I respectfully concede.

You should continue working with Maurice...you are in good hands!


Due to the duplication of this Topic, this thread is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
