gsgi's own topic

Started by gsgi, December 20, 2005, 04:51:19 PM

Die Hard

gsgi :)

Nothing is showing there. That's good... and bad, because we still haven't found the strange items we're looking for.

Could you please run a tool called datFind.bat : http://virus-protect.net/bat/datFind.bat
When you click it once it will create a log; collapse it to the taskbar and press any key to create the next one, until you have four logs. Copy the top files in the logs from the last 2 months and paste them into the thread.

And I wish you a Happy New Year  :thumbsup:

Die Hard :)
I create and edit my posts in GS-NOTES

gsgi

 Volume in drive D has no label.
Volume Serial Number is C88A-F42B

Directory of D:\WINNT\system32

12/23/2005  11:26p               2,550 Uninstall.ico
12/23/2005  11:26p               1,406 Help.ico
12/23/2005  11:26p               1,718 Open.ico
12/23/2005  11:26p               5,350 IE.ico
12/23/2005  11:26p               9,470 Desktop.ico
12/23/2005  11:26p               1,718 Quick.ico
12/23/2005  09:50p                   0 asfiles.txt
12/21/2005  11:35a              16,384 Perflib_Perfdata_648.dat
12/18/2005  11:09p             181,760 AM-Install.exe
12/18/2005  10:12p               2,715 MRT.INI
12/18/2005  09:56p              16,384 Perflib_Perfdata_454.dat
12/14/2005  05:28p               1,145 0g6490eo.sys
12/14/2005  05:24p              16,384 Perflib_Perfdata_51c.dat
12/13/2005  10:22p              16,384 Perflib_Perfdata_134.dat
12/13/2005  10:19p              16,384 Perflib_Perfdata_4f0.dat
12/13/2005  10:18p              16,384 Perflib_Perfdata_318.dat
12/13/2005  04:50p              16,384 Perflib_Perfdata_47c.dat
12/12/2005  09:57p              16,384 Perflib_Perfdata_310.dat
12/12/2005  05:02p              16,384 Perflib_Perfdata_4b8.dat
12/11/2005  04:46p              16,384 Perflib_Perfdata_48c.dat
12/09/2005  10:56a              16,384 Perflib_Perfdata_524.dat
12/07/2005  01:38p           2,714,976 MRT.exe
12/04/2005  12:31p              16,384 Perflib_Perfdata_52c.dat
12/03/2005  11:04p              16,384 Perflib_Perfdata_49c.dat
12/03/2005  10:37p              16,384 Perflib_Perfdata_498.dat
12/03/2005  10:32p              16,384 Perflib_Perfdata_1dc.dat
12/03/2005  08:40a              16,384 Perflib_Perfdata_3f8.dat
12/03/2005  08:37a              16,384 Perflib_Perfdata_4cc.dat
12/03/2005  08:36a              16,384 Perflib_Perfdata_3a0.dat
12/03/2005  07:52a           4,147,013 etwr.txt
11/22/2005  04:49p           2,700,288 MSHTML.DLL
11/16/2005  05:07p              16,384 Perflib_Perfdata_490.dat
11/15/2005  12:12p             126,680 GCCollection.dll
11/15/2005  12:12p             117,976 hashlib.dll
11/15/2005  12:12p              95,448 gcUnCompress.dll
11/14/2005  09:46p                 624 app.log
11/09/2005  10:14p              91,888 FNTCACHE.DAT
11/03/2005  05:23p              16,384 Perflib_Perfdata_3a8.dat
10/29/2005  07:13a              16,384 Perflib_Perfdata_38c.dat
10/23/2005  10:28p              13,536 spmsg.dll
10/22/2005  02:55p              16,384 Perflib_Perfdata_434.dat
10/21/2005  03:17p           1,339,392 SHDOCVW.DLL
10/21/2005  02:05p             184,320 adwerkz.dll
10/21/2005  12:51p             575,488 WININET.DLL
10/21/2005  12:51p             459,776 URLMON.DLL
10/21/2005  12:49p             192,512 DXTRANS.DLL
10/21/2005  12:49p             496,640 MSTIME.DLL
10/20/2005  07:08p             986,112 DANIM.DLL
10/07/2005  01:19a             233,744 GDI32.DLL
10/06/2005  04:33a           1,638,672 WIN32K.SYS
10/06/2005  04:20a           1,713,600 NTKRNLPA.EXE
10/06/2005  04:20a           1,691,008 NTOSKRNL.EXE
09/23/2005  06:03a             245,008 WINSRV.DLL
09/23/2005  06:03a           1,120,016 webvw.dll
09/23/2005  06:03a              17,680 linkinfo.dll
09/23/2005  06:03a           2,360,592 SHELL32.DLL
09/05/2005  03:18a              35,600 mtxlegih.dll
09/05/2005  03:18a             122,640 mtxoci.dll
09/05/2005  03:18a              71,440 stclient.dll
09/05/2005  03:18a              19,216 xolehlp.dll
09/05/2005  03:18a             153,872 msdtcui.dll
09/05/2005  03:18a           1,200,400 msdtctm.dll
09/05/2005  03:18a             726,288 msdtcprx.dll
09/05/2005  03:18a              52,496 mtxclu.dll
09/05/2005  03:18a              26,896 mtxdm.dll
09/05/2005  03:18a              96,016 msdtclog.dll
09/05/2005  03:18a           1,471,248 comsvcs.dll
09/05/2005  03:18a             625,936 comuid.dll
09/05/2005  03:18a              36,624 OLECNV32.DLL
09/05/2005  03:18a             398,608 txfaux.dll
09/05/2005  03:18a             165,648 catsrv.dll
09/05/2005  03:18a              69,392 olecli32.dll
09/05/2005  03:18a             595,728 catsrvut.dll
09/05/2005  03:18a              97,040 clbcatex.dll
09/05/2005  03:18a             551,184 clbcatq.dll
09/05/2005  03:18a              97,552 comrepl.dll
09/05/2005  03:18a              41,744 colbact.dll
09/05/2005  03:18a             242,448 es.dll
09/05/2005  03:18a             957,712 OLE32.DLL
09/05/2005  03:18a             212,240 rpcss.dll
09/02/2005  04:24a              94,480 UMPNPMGR.DLL

Volume in drive D has no label.
Volume Serial Number is C88A-F42B

Directory of D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp

12/31/2005  09:37a                 618 jusched.log
               1 File(s)            618 bytes
               0 Dir(s)  60,721,922,048 bytes free

Volume in drive D has no label.
Volume Serial Number is C88A-F42B

Directory of D:\WINNT

12/31/2005  09:37a           2,004,414 WindowsUpdate.log
12/30/2005  12:45a              32,634 SchedLgU.Txt
12/30/2005  12:45a           1,008,438 ShellIconCache
12/29/2005  07:46a              13,732 unmsjvm.log
12/29/2005  07:25a                   0 Sti_Trace.log
12/29/2005  07:21a              35,546 ntbtlog.txt
12/28/2005  12:25a                  24 prf5d
12/23/2005  11:53p             229,376 outlook.pst
12/23/2005  11:26p                  32 pavsig.txt
12/23/2005  09:49p                 787 win.ini
12/22/2005  02:40a                   0 nsreg.dat
12/22/2005  02:40a             107,132 UninstallFirefox.exe
12/22/2005  02:40a               2,293 mozver.dat
12/04/2005  12:28p                 231 SYSTEM.INI
10/02/2005  11:36a              35,280 Administrator.acl
09/28/2005  03:36p                   0 iPlayer.INI
07/20/2005  08:59a              57,344 uneng.exe
04/14/2005  05:08p              10,752 hh.exe
03/16/2005  06:56p               7,168 Administrator.pcb
03/04/2005  02:10p             106,496 bdoscandel.exe
03/01/2005  03:30p                 453 bdoscandellang.ini
12/30/2004  07:02p               6,144 ArtGalry.cag
12/17/2004  09:06p                  31 ?
12/17/2004  08:50p                  31 G
08/15/2004  08:12p             316,640 WMSysPr9.prx
08/15/2004  08:10p              23,494 Microsoft Outlook.FAV
08/15/2004  08:10p                 681 Win.ipe
08/15/2004  07:36p                  22 exchng.ini
08/15/2004  07:36p               4,254 ODBCINST.INI
08/15/2004  07:36p                 707 ODBC.INI
08/15/2004  05:40p             288,880 WMSysPrx.prx
08/15/2004  05:39p                 395 videoimp.ini
08/15/2004  04:27p                   0 control.ini
08/15/2004  04:26p                 271 desktop.ini
08/15/2004  04:26p              21,692 folder.htt
08/15/2004  04:24p                  36 vb.ini
08/15/2004  04:24p                  37 vbaddin.ini
08/15/2004  12:19p                  41 ModemDet.txt
08/15/2004  12:15p                 231 System.ipe
08/15/2004  12:15p                 231 SYSTEM.UNV
06/18/2004  01:40p              33,280 muninst.exe

Volume in drive D has no label.
Volume Serial Number is C88A-F42B

Directory of D:\

12/31/2005  09:41a                   0 sys.txt
12/31/2005  09:41a               4,885 systemc.txt
12/31/2005  09:41a               4,885 system.txt
12/31/2005  09:41a                 275 systemtempa.txt
12/31/2005  09:40a                 275 systemtemp.txt
12/31/2005  09:40a              91,915 system32a.txt
12/31/2005  09:39a              91,915 system32.txt
12/31/2005  09:39a                 429 datFind.bat
12/31/2005  09:37a         201,326,592 pagefile.sys
12/23/2005  10:41a               4,030 hijack.log
12/23/2005  10:28a               1,132 ewido.txt
11/13/2005  07:12p          11,321,344 iPod for Windows 2005-10-12.msi
11/13/2005  07:12p             740,864 1033.MST
11/13/2005  07:11p               4,632 0x0409.ini
10/19/2005  02:28p               3,687 data
09/15/2005  01:42p                 207 IPH.PH
08/15/2004  08:23p               1,024 system.dat
08/15/2004  12:46p               4,818 ffastun.ffa
08/15/2004  12:46p             110,592 ffastun.ffo
08/15/2004  12:46p             114,688 ffastun.ffl
08/15/2004  12:46p             344,064 ffastun0.ffx
              21 File(s)    214,172,253 bytes
               0 Dir(s)  60,721,901,568 bytes free

gsgi

Are we hunting a BHO exploit, or aren't we too sure how whatever crap is left is running?

-greg

gsgi

Here is a shortened Sysinternals Autoruns log; Autoruns is really cool.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run         

+ Ad Muncher         d:\program files\ad muncher\admunch.exe

+ iTunesHelper   iTunesHelper Module   (Not verified) Apple Computer, Inc.   d:\program files\itunes\ituneshelper.exe

+ SunJavaUpdateSched   Java(TM) 2 Platform Standard Edition binary   (Not verified) Sun Microsystems, Inc.   d:\program files\java\jre1.5.0_01\bin\jusched.exe

D:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup         

+ Adobe Gamma Loader.lnk   Adobe Gamma Loader   (Not verified) Adobe Systems, Inc.   d:\program files\common files\adobe\calibration\adobe gamma loader.exe

+ Adobe Reader Speed Launch.lnk   Adobe Acrobat SpeedLauncher   (Not verified) Adobe Systems Incorporated   d:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved         

+ Display Panning CPL Extension         File not found: deskpan.dll

+ SmartFTP Shell Extension DLL   SmartFTP Shell Extension   (Not verified) SmartFTP   d:\program files\smartftp\smarthook.dll

+ WinZip   WinZip Shell Extension DLL   (Not verified) WinZip Computing, Inc.   d:\program files\winzip\wzshlstb.dll

+ WinZip   WinZip Shell Extension DLL   (Not verified) WinZip Computing, Inc.   d:\program files\winzip\wzshlstb.dll

+ WinZip   WinZip Shell Extension DLL   (Not verified) WinZip Computing, Inc.   d:\program files\winzip\wzshlstb.dll

+ WinZip   WinZip Shell Extension DLL   (Not verified) WinZip Computing, Inc.   d:\program files\winzip\wzshlstb.dll

HKLM\Software\Classes\Folder\Shellex\ColumnHandlers         

+ PDF Shell Extension   PDF Shell Extension   (Not verified) Adobe Systems, Inc.   d:\program files\adobe\acrobat 7.0\activex\pdfshell.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects         

+ AcroIEHlprObj Class   Adobe Acrobat IE Helper Version 7.0 for ActiveX   (Verified) Adobe Systems, Incorporated   d:\program files\adobe\acrobat 7.0\activex\acroiehelper.dll

HKLM\System\CurrentControlSet\Services         

+ MicroService32   Filters Bad Packets      File not found: D:\WINNT\msvcrs.exe

HKLM\System\CurrentControlSet\Services         

+ GEARAspiWDM   CDRom Class Filter Driver   (Verified) GEAR Software Inc.   d:\winnt\system32\drivers\gearaspiwdm.sys

+ nv4   NVIDIA Compatible Windows 2000 Miniport Driver, Version 6.34    (Not verified) NVIDIA Corporation   d:\winnt\system32\drivers\nv4_mini.sys

+ RIOUNIV   Rio USB driver   (Not verified) Digital Networks North America, Inc.   d:\winnt\system32\drivers\riouniv.sys

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls         

+ NVDESK32.DL         File not found: NVDESK32.DL

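The two logs above (the datFind.bat directory listing and the Autoruns paste) are read by hand in this thread; the following added example, which is not part of the original thread and not code from either tool, does the same triage in Python: it parses the "dir"-style rows, keeps the files modified in the last 2 months that the helper asked for, and lists the Autoruns entries whose image is reported "File not found" (registrations left behind after the binary is gone). The sample logs embedded in it are constructed from the lines quoted in the thread, and the Autoruns column layout is assumed to be the one seen in the paste.

```python
"""Triage helpers for a datFind.bat ("dir") listing and an Autoruns paste.
Added example; not code from the thread, from datFind.bat or from Autoruns."""
import re
from datetime import datetime, timedelta

LOG_DATE = datetime(2005, 12, 31)  # date the logs in the thread were taken

# Constructed sample in the "dir" format datFind.bat prints (a handful of
# the rows quoted in the thread, not the full log).
DIR_LOG = """\
 Volume in drive D has no label.
 Volume Serial Number is C88A-F42B

 Directory of D:\\WINNT\\system32

12/23/2005  11:26p               2,550 Uninstall.ico
12/14/2005  05:28p               1,145 0g6490eo.sys
12/07/2005  01:38p           2,714,976 MRT.exe
10/21/2005  02:05p             184,320 adwerkz.dll
09/05/2005  03:18a             957,712 OLE32.DLL
12/29/2005  07:46a      <DIR>          dllcache
               5 File(s)      3,860,663 bytes
"""

# Constructed sample of Autoruns entries in the pasted layout assumed above:
# "+ name   description   (verification) publisher   image path".
AUTORUNS_LOG = """\
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
+ Ad Muncher         d:\\program files\\ad muncher\\admunch.exe
+ iTunesHelper   iTunesHelper Module   (Not verified) Apple Computer, Inc.   d:\\program files\\itunes\\ituneshelper.exe
HKLM\\System\\CurrentControlSet\\Services
+ MicroService32   Filters Bad Packets      File not found: D:\\WINNT\\msvcrs.exe
+ GEARAspiWDM   CDRom Class Filter Driver   (Verified) GEAR Software Inc.   d:\\winnt\\system32\\drivers\\gearaspiwdm.sys
HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Appinit_Dlls
+ NVDESK32.DL         File not found: NVDESK32.DL
"""

DIR_HEADER = re.compile(r"^\s*Directory of (.+?)\s*$")
# date  time[ap]  size-with-commas  name; "<DIR>" rows have no numeric size
# in that column, so they never match and are skipped
FILE_ROW = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2}[ap])\s+([\d,]+)\s+(.+?)\s*$")


def parse_dir_listing(text):
    """Yield (directory, name, mtime, size) for each file row in a dir log."""
    current_dir = None
    for line in text.splitlines():
        m = DIR_HEADER.match(line)
        if m:
            current_dir = m.group(1)
            continue
        m = FILE_ROW.match(line)
        if not m:
            continue
        date, clock, size, name = m.groups()
        # "11:26p" -> "11:26pm"; strptime's %p matches case-insensitively
        mtime = datetime.strptime(f"{date} {clock}m", "%m/%d/%Y %I:%M%p")
        yield current_dir, name, mtime, int(size.replace(",", ""))


def recent_files(text, as_of, days=60):
    """Files modified within `days` of `as_of` (the 'last 2 months' cut the
    helper asked for), newest first."""
    cutoff = as_of - timedelta(days=days)
    hits = [f for f in parse_dir_listing(text) if f[2] >= cutoff]
    return sorted(hits, key=lambda f: f[2], reverse=True)


def autoruns_orphans(text):
    """(location, entry name, missing path) for every Autoruns entry whose
    image is reported 'File not found': a registration whose binary is gone."""
    location = None
    orphans = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith("+ "):
            location = line.strip()  # a registry key / folder header line
            continue
        fields = re.split(r"\s{2,}", line[2:].strip())
        missing = re.search(r"File not found:\s*(.+)$", line)
        if missing:
            orphans.append((location, fields[0], missing.group(1).strip()))
    return orphans


if __name__ == "__main__":
    for d, name, mtime, size in recent_files(DIR_LOG, LOG_DATE):
        print(f"{mtime:%Y-%m-%d %H:%M}  {size:>10,}  {d}\\{name}")
    for loc, name, path in autoruns_orphans(AUTORUNS_LOG):
        print(f"orphan: {name} in {loc} -> {path}")
```

An orphaned entry is not proof of infection by itself; it is the kind of leftover registration the helper then checks against the file listing before deciding what to remove.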

Die Hard

gsgi  :)

Finally we found something!
This file doesn't belong in your system: adwerkz.dll. It has been there for a while; it might not be active with its friends lost.
Please download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.
Once posted, do not restart your PC until suggested.
IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

Die Hard :)
I create and edit my posts in GS-NOTES

gsgi

L2MFIX find log 122705
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network and Dial-up Connections"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{1A9BA3A0-143A-11CF-8350-444553540000}"="Shell Favorite Folder"
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="My Computer"
"{86747AC0-42A0-1069-A2E6-08002B30309D}"="Briefcase Folder"
"{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Folder Shortcut"
"{12518493-00B2-11d2-9FA5-9E3420524153}"="Mounted Volume"
"{21B22460-3AEA-1069-A2DC-08002B30309D}"="File Property Page Extension"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
"{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
"{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Open With Context Menu Handler"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{4657278A-411B-11d2-839A-00C04FD918D0}"="Shell Drag and Drop helper"
"{A470F8CF-A1E8-4f65-8335-227475AA5C46}"="Add encryption item to context menus in explorer"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails"
"{EAB841A0-9550-11CF-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{1AEB1360-5AFC-11D0-B806-00C04FD706EC}"="Office Graphics Filters Thumbnail Extractor"
"{9DBD2C50-62AD-11D0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{500202A0-731E-11D0-B829-00C04FD706EC}"="LNK file thumbnail interface delegator"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8C-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{fe1290f0-cfbd-11cf-a330-00aa00c16e65}"="Directory Namespace"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{BB7DF450-F119-11CD-8465-00AA00425D90}"="Microsoft Access Custom Icon Handler"
"{59850401-6664-101B-B21C-00AA004BA90B}"="Microsoft Office Binder Explode"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{B8323370-FF27-11D2-97B6-204C4F4F5020}"="SmartFTP Shell Extension DLL"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

D:\WINNT\SYSTEM32\
   adwerkz.dll    Fri Oct 21 2005   2:05:50p  A....        184,320   180.00 K
   danim.dll      Thu Oct 20 2005   7:08:44p  A....        986,112   963.00 K
   dxtrans.dll    Fri Oct 21 2005  12:49:58p  A....        192,512   188.00 K
   gccoll~1.dll   Tue Nov 15 2005  12:12:08p  A....        126,680   123.71 K
   gcunco~1.dll   Tue Nov 15 2005  12:12:06p  A....         95,448    93.21 K
   gdi32.dll      Fri Oct  7 2005   1:19:38a  A....        233,744   228.27 K
   hashlib.dll    Tue Nov 15 2005  12:12:08p  A....        117,976   115.21 K
   mshtml.dll     Tue Nov 22 2005   4:49:10p  A....      2,700,288     2.57 M
   mstime.dll     Fri Oct 21 2005  12:49:52p  .....        496,640   485.00 K
   shdocvw.dll    Fri Oct 21 2005   3:17:22p  A....      1,339,392     1.28 M
   spmsg.dll      Sun Oct 23 2005  10:28:08p  .....         13,536    13.22 K
   urlmon.dll     Fri Oct 21 2005  12:51:26p  A....        459,776   449.00 K
   wininet.dll    Fri Oct 21 2005  12:51:36p  A....        575,488   562.00 K

13 items found:  13 files, 0 directories.
   Total of file sizes:  7,521,912 bytes      7.17 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive D has no label.
Volume Serial Number is C88A-F42B

Directory of D:\WINNT\System32

12/29/2005  07:46a      <DIR>          dllcache
               0 File(s)              0 bytes
               1 Dir(s)  60,718,563,328 bytes free

Die Hard

gsgi :)

I do not think this file is active. It belongs to an adware, though.
But better be safe than sorry.
Please download "KillBox" by Option^Explicit from here:  http://www.bleepingcomputer.com/files/killbox.php
Open KillBox and add this line into "Full path of file to delete"
D:\WINNT\SYSTEM32\adwerkz.dll
Then hit the red button with the white "X"
Maybe it will tell you it can't be deleted. Then try this:
Checkmark the box "Delete on reboot", then paste the filepath again into the tool and when prompted to reboot, click "yes".

Die Hard :)
I create and edit my posts in GS-NOTES