gsgi's own topic

Started by gsgi, December 20, 2005, 04:51:19 PM


gsgi

I also have spybot showing hklm\system\controlset001\services\cmdservice and ...currentcontrolset\services\cmdservice as unfixable and i cannot remove them from the registry.  What do these do?  What do they start?  and how do i change permissions or whatever was said above to blow them away?

thanks,

gsgi

Die Hard

gsgi, hi :)

Please have a look at this thread, last post, where I wrote info about editing the registry. I repeat what I wrote there, don't change anything without backing up.
http://www.landzdown.com/index.php?topic=3566.msg14803#msg14803

You click next to those entries in the registry:
+hkey_local_machine
+system
+controlset001
+services

cmdservice

Right-click "cmdservice" and remove it. If it won't work, follow the instructions on how to change permissions and try again.

Then do the same with
+hkey_local_machine
+system
currentcontrolset
services

cmdservice

Also, I would like to see a HiJack This log. We might be able to modify things from there when we know better what is hiding in your system.

Download HiJack This from here:  http://www.thespykiller.co.uk/files/HJTsetup.exe

This will download HiJack This to your computer, choose "Save" and navigate to the folder where it's saved and double-click upon it.
This is a complete installer that installs Hijackthis onto the computer to C:\Program Files\HijackThis and makes an entry in the start menu & allows you to have a shortcut on desktop as well.

then.......
Double-click the HJT icon on your desktop, hit "Do a system scan and save logfile". Save the logfile and a txt-file will be produced. Copy that one and paste it here and we'll have a look at it.

Die Hard :)

I create and edit my posts in GS-NOTES

gsgi

ok - this is my boss's computer - his kid had Kazaa on it --- it was full of malware
i have run all of these many times and in safe mode ad 1.06r, spybot 1.4, ewido, nod32, microsoft malicious remover, cwsshredder 2.15, and microsoft anti spyware ...  trend 2006 won't scan (it doesn't find any drives) nothing else had this problem.  McAfee security suite comes with our cable modem service - maybe i'll use that ...

hijack log

Logfile of HijackThis v1.99.1
Scan saved at 11:31:04 PM, on 12/20/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\SYSTEM32\WINLOGON.EXE
D:\WINNT\SYSTEM32\SERVICES.EXE
D:\WINNT\SYSTEM32\LSASS.EXE
D:\WINNT\system32\svchost.exe
D:\WINNT\SYSTEM32\SPOOLSV.EXE
D:\WINNT\System32\svchost.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\PROGRAM FILES\EWIDO ANTI-MALWARE\EWIDOGUARD.EXE
D:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\mspmspsv.exe
D:\WINNT\system32\svchost.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\TMPFW.EXE
D:\WINNT\Explorer.EXE
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
D:\PROGRAM FILES\AD MUNCHER\ADMUNCH.EXE
D:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - D:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Outlook Mail Services] express.exe
O4 - HKLM\..\Run: [Ad Muncher] D:\Program Files\Ad Muncher\AdMunch.exe /bt
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [pccguide.exe] "D:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\RunServices: [Outlook Mail Services] express.exe
O4 - HKCU\..\Run: [Outlook Mail Services] express.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - d:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - D:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - D:\WINNT\system32\shdocvw.dll (HKCU)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Secure MSVS (MicroService32) - Unknown owner - D:\WINNT\msvcrs.exe (file missing)
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - D:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - D:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


Corrine

Hi, gsgi.  Die Hard is currently unavailable and asked for backup until he returns.

Real time monitoring programs can interfere with the cleanup of your computer.  It is advisable that you temporarily disable those programs before cleaning and then enable after the cleanup is completed.

Ewido Security Suite (EwidoGuard)

Launch Ewido and in the main window click "Realtime protection" (in green indicating "Active") to change to inactive.

MS AntiSpyware (MSAS) Beta

   1. Right-click on the Microsoft Anti-Spyware icon in the system tray [it's the one with the red and yellow bulls-eye].
   2. Click on "Security Agents Status".
   3. Click on "Disable real-time protection".

Next right-click on the Microsoft Anti-Spyware icon in the system tray again to open Microsoft Anti-Spyware.

   1. Click on the Options menu and choose Settings.
   2. In the left pane column click on "Real Time Protection".
   3. Under Startup Options, uncheck "Enable (MSAS) Security Agents on startup (recommended)"
   4. Under Real-time spyware threat protection, uncheck "Enable real-time spyware threat protection (recommended)".
   5. Click the Save button and close Microsoft AntiSpyware.

    Finally, right-click on the MSAS icon in the system tray and select "Shutdown Microsoft Antispyware".

Spybot TeaTimer

As you indicated you ran Spybot, please also make sure TeaTimer is also disabled.  To disable SpybotSD TeaTimer:

Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on System Startup icon.
Uncheck Teatimer box.
Click Allow Change box.

You can follow this link if you need help: http://russelltexas.com/malware/teatimer.htm


Ok, now that the system is ready, please scan with HijackThis and place a checkmark next to each of the following items and click FIX CHECKED:

R3 - Default URLSearchHook is missing
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - D:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O4 - HKLM\..\Run: [Outlook Mail Services] express.exe
O4 - HKLM\..\RunServices: [Outlook Mail Services] express.exe
O4 - HKCU\..\Run: [Outlook Mail Services] express.exe
O23 - Service: Secure MSVS (MicroService32) - Unknown owner - D:\WINNT\msvcrs.exe (file missing)


Download CCleaner from the link at the upper right of this page: http://www.filehippo.com/download_ccleaner.html .

Instructions for using CCleaner:

1. Before first use, check under Options > Advanced > UNcheck "Only delete files in Windows Temp folder older than 48 hours".
2. A pop up box will appear advising this process will permanently delete files from your system.
3. To protect logon cookies that you wish to retain, under Options > Cookies.  Select and using the arrow move those cookies to the "Cookies to keep" column.
4. Then select the items you wish to clean up.

In the Windows Tab:

Clean all entries in the "Internet Explorer" section.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section.
Clean all entries in the "Advanced" section.
Clean any others that you choose.

In the Applications Tab:

Clean all in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

5. Click the "Run Cleaner" button and it will scan and clean your system.
6. Click exit. 
7. Shutdown/restart the computer.

If you have any questions, just ask.

Please post a fresh HijackThis© (Merijn) log and let us know how your boss's machine is running.

Thanks,

Corrine :rose:

Note:  After the cleanup is completed, you'll want to check for Windows updates as I see IE is at SP1 and needs to be updated to SP2.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

gsgi

ok, i did everything as advised.  i uninstalled trend pccillin since it was not working - stopped ewido, ms anti spyware, ran ccleaner, rebooted, unloaded ms anti-spyware and ewido and ran hijack this.  i looked for explorer sp2 but this is 2000 pro not xp, so explorer sp1 seems to be the latest ...

thanks for your wonderful assistance

Logfile of HijackThis v1.99.1
Scan saved at 2:29:07 AM, on 12/22/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\System32\svchost.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\mspmspsv.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
D:\Program Files\Ad Muncher\AdMunch.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Ad Muncher] D:\Program Files\Ad Muncher\AdMunch.exe /bt
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - d:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - D:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - D:\WINNT\system32\shdocvw.dll (HKCU)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Secure MSVS (MicroService32) - Unknown owner - D:\WINNT\msvcrs.exe (file missing)


gsgi

since i seemed to see ewido and ms antispyware things in the last hijack this log - i uninstalled them - rebooted and here is a cleaner hijack this log

Logfile of HijackThis v1.99.1
Scan saved at 2:37:23 AM, on 12/22/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\mspmspsv.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
D:\Program Files\Ad Muncher\AdMunch.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Ad Muncher] D:\Program Files\Ad Muncher\AdMunch.exe /bt
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - d:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - D:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - D:\WINNT\system32\shdocvw.dll (HKCU)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Secure MSVS (MicroService32) - Unknown owner - D:\WINNT\msvcrs.exe (file missing)


Die Hard

gsgi :)

You had the utmost expertise helping you out while I was absent :)

Maybe you misunderstood the advice about Ewido and MSAS? You should just turn off the real time monitor.
But never mind, they are free so please install them again, they work wonderfully together.

Ewido:  http://www.ewido.net/en/download/
MSAS:  http://www.microsoft.com/athome/security/spyware/software/default.mspx

Install them both to start with, but turn off the real time monitor in accordance with Corrine's instructions :)
Do not run them yet.
A quick guide to the Ewido program is found here:
http://www.greyknight17.com/spy/Tutorials/ewidoQuickGuide.pdf

Start with HiJack This and checkmark this detail, then hit "fix checked" and click "yes" at the prompt that follows:
O23 - Service: Secure MSVS (MicroService32) - Unknown owner - D:\WINNT\msvcrs.exe (file missing)

Now reboot into safe mode (press the F8-key repeatedly on bootup) and delete the following files, in bold text. Once the computer starts in safe mode your desktop will look different than usual, with fewer icons, and they are larger:
D:\WINNT\msvcrs.exe
D:\WINNT\express.exe

In order to find them, click (Windowskey+E) and in the toolbar click "Tools>Folder options" and under tab "View" checkmark "Show hidden files and folders" and uncheck "Hide protected system files" and "Hide file extensions for known filetypes"

Now, while still in safe mode, run the Ewido scanner and remove what it finds. Save the report and reboot normally and post the Ewido report together with a new HiJack This-log.

Die Hard :)





gsgi

Logfile of HijackThis v1.99.1
Scan saved at 10:41:14 AM, on 12/23/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\System32\svchost.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\ewido anti-malware\ewidoguard.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\mspmspsv.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
D:\Program Files\Ad Muncher\AdMunch.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\Program Files\ewido anti-malware\securitysuite.exe
D:\Program Files\Hijackthis\HijackThis.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Ad Muncher] D:\Program Files\Ad Muncher\AdMunch.exe /bt
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - d:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - D:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - D:\WINNT\system32\shdocvw.dll (HKCU)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Secure MSVS (MicroService32) - Unknown owner - D:\WINNT\msvcrs.exe (file missing)


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on:         10:28:47 AM, 12/23/2005
+ Report-Checksum:      25BA7EE0

+ Scan result:

   C:\WINDOWS\Application Data\Wildtangent\Cdacache\00\00\15.dat/wtvh.dll -> Spyware.WildTangent : Cleaned with backup
   C:\_RESTORE\ARCHIVE\FS1469.CAB/A0154874.CPY -> Spyware.WildTangent : Cleaned with backup
   C:\_RESTORE\ARCHIVE\FS1469.CAB/A0154918.CPY -> Spyware.WildTangent : Cleaned with backup


::Report End

gsgi

D:\WINNT\msvcrs.exe
D:\WINNT\express.exe

i did not find these files, but i did forget to click on show hidden files.  i did a dir /s from cmd window to look over the whole hd for them too.  I'll look again this time with the system file switches.

-gsgi

gsgi

D:\WINNT\msvcrs.exe
D:\WINNT\express.exe

these files do not exist.  have double checked the whole system.

-gsgi

gsgi

I have now also scanned with panda on-line, bit-defender on-line and trojan hunter on-line ... a few things were found and deleted but nothing I think was running.
Housecalls will not work, nor will pc-cillin 2006.  Two processes do not finish loading when pc-cillin 2006 is installed, ctlart32.exe and asynwcfg.exe ...  asynwcfg is in winnt/system32 and is not marked at all.  ctlart32.exe is in program files\mvrinzip and is marked with long nonsensical strings in the comments, company name, internal name etc ... there is also an ace.dll and a wingenerics.dll in this directory and ace.dll on google comes up as this: http://www.scanspyware.net/info/PeopleOnPage.AproposMedia.htm

ctlart32.exe shows up in the registry at HK USERS s-1-...\software\microsoft\internet explorer\explorer bars
ace.dll shows up in the installation history of the registry at the end of a line on acrobat reader

thanks,
greg

Die Hard

gsgi :)

Sorry for the late reply  :flowers:
We celebrate holidays, but malware doesn't  :(

Download the FREE Swandog46 Apropos Fix from here :

http://swandog46.geekstogo.com/aproposfix.exe


Save to your desktop but DON'T run it just yet.

Reboot your computer in Safe Mode. Reboot and tap the F8-key repeatedly on bootup.

Then unzip aproposfix.exe to your desktop. From inside the new folder run the RunThis.bat and follow the prompts.

While still in safe mode, run Ewido once again.

After they have completed reboot back as Normal and post the Ewido report together with a new HiJack This log.

Die Hard :)


gsgi

Logfile of HijackThis v1.99.1
Scan saved at 7:23:14 AM, on 12/29/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\userinit.exe
D:\WINNT\Explorer.EXE
D:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Ad Muncher] D:\Program Files\Ad Muncher\AdMunch.exe /bt
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - d:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - D:\WINNT\system32\shdocvw.dll (HKCU)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Secure MSVS (MicroService32) - Unknown owner - D:\WINNT\msvcrs.exe (file missing)


i think this is pretty clean.  still left with the last entry which does not go away even when i select fix_this in hijack this and the original problem i posted about -- cmdservice entries remain unfixable by spybot -- what are they...   also i have run a sfc /scannow ... svchost crashes when loading safe mode with networking support but safe mode and normal mode are unaffected ...
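
Added example, not part of any post in this thread: a small Python triage script for the HijackThis log format shown above. It parses the `Xn - ...` entry lines, flags entries using three heuristics, and checks which items from Corrine's "FIX CHECKED" list are still present in the last log. The function names and the heuristics are assumptions made for this illustration and do not reproduce the helpers' own judgement; the sample lines are copied from the logs posted here.

```python
import re
from collections import defaultdict

# Constructed samples: a few lines copied from the first (12/20/2005) and the
# last (12/29/2005) HijackThis logs posted in this thread.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
D:\WINNT\Explorer.EXE
R3 - Default URLSearchHook is missing
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - D:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Outlook Mail Services] express.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\RunServices: [Outlook Mail Services] express.exe
O4 - HKCU\..\Run: [Outlook Mail Services] express.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Secure MSVS (MicroService32) - Unknown owner - D:\WINNT\msvcrs.exe (file missing)
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Secure MSVS (MicroService32) - Unknown owner - D:\WINNT\msvcrs.exe (file missing)
"""

# The six items Corrine asked to have fixed, as posted.
FIX_LIST = r"""R3 - Default URLSearchHook is missing
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - D:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O4 - HKLM\..\Run: [Outlook Mail Services] express.exe
O4 - HKLM\..\RunServices: [Outlook Mail Services] express.exe
O4 - HKCU\..\Run: [Outlook Mail Services] express.exe
O23 - Service: Secure MSVS (MicroService32) - Unknown owner - D:\WINNT\msvcrs.exe (file missing)
"""

# "O4 - body": one letter, one or two digits, " - ", then the entry body.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# O4 registry autoruns: "HKLM\..\Run: [value name] command line"
AUTORUN_RE = re.compile(r"^(HK[A-Z]+\\\.\.\\\w+): \[([^\]]+)\] (.+)$")


def parse_entries(log_text):
    """Return [(section, body)]; header and process-list lines do not match."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def flag_entries(entries):
    """Return [(section, body, reasons)] for entries that deserve a closer look.

    Heuristics (assumptions of this example):
      1. the target is reported as "(file missing)"
      2. an O23 service has "Unknown owner" instead of a vendor name
      3. an O4 autorun has no path and the same name/command pair is
         registered under more than one autostart key
    """
    keys_per_autorun = defaultdict(set)
    for section, body in entries:
        m = AUTORUN_RE.match(body) if section == "O4" else None
        if m:
            keys_per_autorun[(m.group(2), m.group(3))].add(m.group(1))

    flagged = []
    for section, body in entries:
        reasons = []
        if body.endswith("(file missing)"):
            reasons.append("target file missing")
        if section == "O23" and " - Unknown owner - " in body:
            reasons.append("service without vendor information")
        m = AUTORUN_RE.match(body) if section == "O4" else None
        if m and "\\" not in m.group(3):
            n = len(keys_per_autorun[(m.group(2), m.group(3))])
            if n > 1:  # a single path-less entry (mobsync.exe) is not flagged
                reasons.append("path-less autorun registered in %d keys" % n)
        if reasons:
            flagged.append((section, body, reasons))
    return flagged


def still_present(fix_text, later_log):
    """Entries from a fix list that appear unchanged in a later log."""
    later = set(parse_entries(later_log))
    return [entry for entry in parse_entries(fix_text) if entry in later]


if __name__ == "__main__":
    for section, body, reasons in flag_entries(parse_entries(LOG_BEFORE)):
        print("%s  %s\n     -> %s" % (section, body, "; ".join(reasons)))
    print("Not removed by the fix:")
    for section, body in still_present(FIX_LIST, LOG_AFTER):
        print("  %s - %s" % (section, body))
```

An entry that survives "Fix checked" across several logs, as the O23 line does here, points at the registry key itself rather than at the file it names.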

Die Hard

gsgi :)

Could you please do this for me?

Open the registry editor (click [windowskey+R]  and type regedit>OK ) and navigate to the following regkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE083}

and

HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache


Once found, on each of them click in the toolbar "File>Export" and choose to export them as a .txt-file and put to a location of your convenience.

Then copy the contents of the text-files and post it here.

Die Hard :)

gsgi

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
@=""

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"LangID"=hex:09,04
"@D:\\WINNT\\system32\\shell32.dll,-9227"="My Documents"
"@D:\\WINNT\\system32\\shell32.dll,-8964"="Recycle Bin"
"@D:\\WINNT\\system32\\shell32.dll,-9216"="My Computer"
"@D:\\WINNT\\system32\\shell32.dll,-9217"="My Network Places"
"@shdoclc.dll,-866"="Related"
"@shdoclc.dll,-864"="Show &Related Links"
"@shdoclc.dll,-865"="Shows links related to the current page."
"@D:\\WINNT\\System32\\cdfview.dll,-4610"="Channel File"
"@shdoclc.dll,-867"="&Tip of the Day"
"@shdoclc.dll,-868"="Shows the Tip of the Day."
"@browselc.dll,-13137"="&Address"
"@browselc.dll,-13138"="&Links"
"@D:\\Program Files\\AIM\\AimRes.dll,-255"="AOL Instant Messenger"
"@D:\\WINNT\\System32\\msi.dll,-34"="Windows Installer Package"
"@D:\\WINNT\\System32\\msi.dll,-35"="Windows Installer Patch"
"@D:\\Program Files\\iTunes\\iTunes.Resources\\iTunesRegistry.dll,-3"="AIFF Audio File"
"@D:\\Program Files\\iTunes\\iTunes.Resources\\iTunesRegistry.dll,-5"="Audio CD Track"
"@D:\\Program Files\\iTunes\\iTunes.Resources\\iTunesRegistry.dll,-6"="iTunes Music Database File"
"@D:\\Program Files\\iTunes\\iTunes.Resources\\iTunesRegistry.dll,-16"="iTunes Music Store URL"
"@D:\\Program Files\\iTunes\\iTunes.Resources\\iTunesRegistry.dll,-7"="M3U Audio Playlist"
"@D:\\Program Files\\iTunes\\iTunes.Resources\\iTunesRegistry.dll,-1"="MPEG-4 Audio File"
"@D:\\Program Files\\iTunes\\iTunes.Resources\\iTunesRegistry.dll,-2"="MPEG-4 Audio File (Protected)"
"@D:\\Program Files\\iTunes\\iTunes.Resources\\iTunesRegistry.dll,-9"="MPEG Layer 2 Audio"
"@D:\\Program Files\\iTunes\\iTunes.Resources\\iTunesRegistry.dll,-10"="MPEG Layer 3 Audio"
"@D:\\Program Files\\iTunes\\iTunes.Resources\\iTunesRegistry.dll,-12"="PLS Audio Playlist"
"@D:\\Program Files\\iTunes\\iTunes.Resources\\iTunesRegistry.dll,-15"="WAVE Audio File"
"@D:\\WINNT\\inf\\unregmp2.exe,-9903"="AIFF Format Sound"
"@D:\\WINNT\\inf\\unregmp2.exe,-9909"="Windows Media Audio/Video file"
"@D:\\WINNT\\inf\\unregmp2.exe,-9910"="Windows Media Audio/Video playlist"
"@D:\\WINNT\\inf\\unregmp2.exe,-9904"="AU Format Sound"
"@D:\\WINNT\\inf\\unregmp2.exe,-9905"="Video Clip"
"@D:\\WINNT\\inf\\unregmp2.exe,-9918"="CD Audio Track"
"@D:\\WINNT\\inf\\unregmp2.exe,-9902"="Movie Clip"
"@D:\\WINNT\\inf\\unregmp2.exe,-9926"="M3U file"
"@D:\\WINNT\\inf\\unregmp2.exe,-9907"="MIDI Sequence"
"@D:\\WINNT\\inf\\unregmp2.exe,-9925"="MP3 Format Sound"
"@D:\\WINNT\\inf\\unregmp2.exe,-9908"="Wave Sound"
"@D:\\WINNT\\inf\\unregmp2.exe,-9911"="Windows Media Audio shortcut"
"@D:\\WINNT\\inf\\unregmp2.exe,-9912"="Windows Media Audio file"
"@D:\\WINNT\\inf\\unregmp2.exe,-9920"="Windows Media Player Download Package"
"@D:\\WINNT\\inf\\unregmp2.exe,-9915"="Windows Media Player Skin File"
"@D:\\WINNT\\inf\\unregmp2.exe,-9914"="Windows Media Audio/Video file"
"@D:\\WINNT\\inf\\unregmp2.exe,-9916"="Windows Media Player Skin Package"
"@D:\\WINNT\\inf\\unregmp2.exe,-9923"="Windows Media playlist"
"@D:\\WINNT\\inf\\unregmp2.exe,-9913"="Windows Media Audio/Video playlist"
"@inetcplc.dll,-4774"="ActiveX controls and plug-ins"
"@inetcplc.dll,-4775"="Run ActiveX controls and plug-ins"
"@inetcplc.dll,-4803"="Enable"
"@inetcplc.dll,-4806"="Administrator approved"
"@inetcplc.dll,-4805"="Disable"
"@inetcplc.dll,-4804"="Prompt"
"@inetcplc.dll,-4776"="Download signed ActiveX controls"
"@inetcplc.dll,-4783"="Initialize and script ActiveX controls not marked as safe"
"@inetcplc.dll,-4784"="Script ActiveX controls marked safe for scripting"
"@inetcplc.dll,-4777"="Download unsigned ActiveX controls"
"@inetcplc.dll,-4788"="User Authentication"
"@inetcplc.dll,-4790"="Logon"
"@inetcplc.dll,-4807"="Anonymous logon"
"@inetcplc.dll,-4808"="Prompt for user name and password"
"@inetcplc.dll,-4810"="Automatic logon only in Intranet zone"
"@inetcplc.dll,-4809"="Automatic logon with current username and password"
"@inetcplc.dll,-4791"="Downloads"
"@inetcplc.dll,-4792"="File download"
"@inetcplc.dll,-4793"="Font download"
"@vmhelper.dll,-4003"="Java permissions"
"@vmhelper.dll,-4004"="Custom"
"@vmhelper.dll,-4005"="Disable Java"
"@vmhelper.dll,-4006"="High safety"
"@vmhelper.dll,-4007"="Low safety"
"@vmhelper.dll,-4008"="Medium safety"
"@inetcplc.dll,-4794"="Miscellaneous"
"@inetcplc.dll,-4862"="Don't prompt for client certificate selection when no certificates or only one certificate exists"
"@inetcplc.dll,-4785"="Access data sources across domains"
"@inetcplc.dll,-4796"="Drag and drop or copy and paste files"
"@inetcplc.dll,-4797"="Submit nonencrypted form data"
"@inetcplc.dll,-4795"="Installation of desktop items"
"@inetcplc.dll,-4798"="Launching programs and files in an IFRAME"
"@inetcplc.dll,-4870"="Allow META REFRESH"
"@inetcplc.dll,-4872"="Display mixed content"
"@inetcplc.dll,-4830"="Software channel permissions"
"@inetcplc.dll,-4816"="High safety"
"@inetcplc.dll,-4814"="Low safety"
"@inetcplc.dll,-4815"="Medium safety"
"@inetcplc.dll,-4855"="Navigate sub-frames across different domains"
"@inetcplc.dll,-4853"="Userdata persistence"
"@inetcplc.dll,-4782"="Scripting"
"@inetcplc.dll,-4786"="Active scripting"
"@inetcplc.dll,-4787"="Scripting of Java applets"
"@inetcplc.dll,-4854"="Allow paste operations via script"
"@inetcplc.dll,-4746"="Accessibility"
"@inetcplc.dll,-4731"="Always expand ALT text for images"
"@inetcplc.dll,-4732"="Move system caret with focus/selection changes"
"@inetcplc.dll,-4745"="Browsing"
"@inetcplc.dll,-4852"="Use inline AutoComplete"
"@inetcplc.dll,-4856"="Enable Personalized Favorites Menu"
"@inetcplc.dll,-4866"="Force offscreen compositing even under Terminal Server (requires restart)"
"@inetcplc.dll,-4833"="Show friendly HTTP error messages"
"@inetcplc.dll,-4734"="Show friendly URLs"
"@inetcplc.dll,-4743"="Use Passive FTP (for firewall and DSL modem compatibility)"
"@inetcplc.dll,-4737"="Enable folder view for FTP sites"
"@inetcplc.dll,-4840"="Show Go button in Address bar"
"@inetcplc.dll,-4748"="Show Internet Explorer on the desktop"
"@inetcplc.dll,-4837"="Automatically check for Internet Explorer updates"
"@inetcplc.dll,-4836"="Enable Install On Demand (Internet Explorer)"
"@inetcplc.dll,-4835"="Notify when downloads complete"
"@inetcplc.dll,-4838"="Close unused folders in History and Favorites (requires restart)"
"@inetcplc.dll,-4829"="Enable page transitions"
"@inetcplc.dll,-4861"="Reuse windows for launching shortcuts"
"@inetcplc.dll,-4736"="Enable offline items to be synchronized on a schedule"
"@inetcplc.dll,-4831"="Disable script debugging"
"@inetcplc.dll,-4832"="Display a notification about every script error"
"@inetcplc.dll,-4735"="Use smooth scrolling"
"@inetcplc.dll,-4828"="Underline links"
"@inetcplc.dll,-4825"="Always"
"@inetcplc.dll,-4827"="Hover"
"@inetcplc.dll,-4826"="Never"
"@inetcplc.dll,-4874"="Enable third-party browser extensions (requires restart)"
"@inetcplc.dll,-4839"="Always send URLs as UTF-8 (requires restart)"
"@inetcplc.dll,-4875"="Enable Install On Demand (Other)"
"@inetcplc.dll,-4747"="Security"
"@inetcplc.dll,-4750"="Empty Temporary Internet Files folder when browser is closed"
"@inetcplc.dll,-4749"="Do not save encrypted pages to disk"
"@inetcplc.dll,-4761"="Check for publisher's certificate revocation"
"@inetcplc.dll,-4762"="Check for signatures on downloaded programs"
"@inetcplc.dll,-4863"="Enable Integrated Windows Authentication (requires restart)"
"@inetcplc.dll,-4756"="Enable Profile Assistant"
"@inetcplc.dll,-4757"="Warn if changing between secure and not secure mode"
"@inetcplc.dll,-4759"="Warn about invalid site certificates"
"@inetcplc.dll,-4752"="Use SSL 2.0"
"@inetcplc.dll,-4753"="Use SSL 3.0"
"@inetcplc.dll,-4760"="Check for server certificate revocation (requires restart)"
"@inetcplc.dll,-4758"="Warn if forms submittal is being redirected"
"@inetcplc.dll,-4754"="Use TLS 1.0"
"@inetcplc.dll,-4822"="HTTP 1.1 settings"
"@inetcplc.dll,-4823"="Use HTTP 1.1"
"@inetcplc.dll,-4824"="Use HTTP 1.1 through proxy connections"
"@vmhelper.dll,-4000"="Java console enabled (requires restart)"
"@vmhelper.dll,-4001"="JIT compiler for virtual machine enabled (requires restart)"
"@vmhelper.dll,-4002"="Java logging enabled"
"@inetcplc.dll,-4744"="Multimedia"
"@inetcplc.dll,-4741"="Play animations in web pages"
"@inetcplc.dll,-4871"="Enable Automatic Image Resizing"
"@inetcplc.dll,-4876"="Don't display online media content in the media bar"
"@inetcplc.dll,-4865"="Enable Image Toolbar (requires restart)"
"@inetcplc.dll,-4742"="Show pictures"
"@inetcplc.dll,-4843"="Show image download placeholders"
"@inetcplc.dll,-4738"="Smart image dithering"
"@inetcplc.dll,-4739"="Play sounds in web pages"
"@inetcplc.dll,-4740"="Play videos in web pages"
"@inetcplc.dll,-4769"="Printing"
"@inetcplc.dll,-4770"="Print background colors and images"
"@inetcplc.dll,-4771"="Search from the Address bar"
"@inetcplc.dll,-4844"="When searching"
"@inetcplc.dll,-4845"="Display results, and go to the most likely site"
"@inetcplc.dll,-4847"="Just display the results in the main window"
"@inetcplc.dll,-4846"="Just go to the most likely site"
"@inetcplc.dll,-4848"="Do not search from the Address bar"
"@shell32.dll,-28964"="You have chosen to display protected operating system files (files labeled System and Hidden) in Windows Explorer.

These files are required to start and run Windows 2000. Deleting or editing them can make your computer inoperable.
Are you sure you want to display these files?"