Old 2nd July 2006, 01:18   #1
oldbwl
Junior Member
 
Join Date: Jul 2006
Posts: 3
NSIS Folder keeps coming back

Hi, I hope this is the right place to post this. I did a search of all forums and cannot find a mention elsewhere.

I am a PC user, XP SP2. I thought I would give Winamp and Shoutcast a look over. I downloaded 5.2.3 and selected 'Full' install

It installed just fine on the laptop (ASUS 2.8g 512 mb yadayada) and I played around with it for a couple of days.

However, although happy with the program generally, I decided to uninstall it along with the several skins I tried out.

Now, I have a program in my "Add or Remove Programs" list called NSIS Media Extension which keeps coming back. The Uninstaller resides in a folder C:\Program Files\Common Files\NSIS\ along with an NSXX.dll (where XX is a number). When the Uninstaller runs, at the bottom of the main dialogue it refers to Nullsoft (hence this post).

I looked at both files with a text editor and can see the reference to Nullsoft in both.

I did deselect the Security program offered and toolbars etc and went with the plain vanilla install of winamp - I have also noticed a popup occurring upon browser closure, it may be a coincidence. A Hijackthis file is attached.

I have run Spybot, AdWare, Norton and Panda Active scan. Nothing comes up, but after a few reboots, the program always comes back.

Can you offer any advice? Is the file masquerading as a Nullsoft origin? I have the DLL and the uninstaller if you want them posted somewhere to download, just in case I didn't attach them to this message.
Attached Files
File Type: txt hijackthis.txt (14.4 KB, 915 views)
Old 2nd July 2006, 08:25   #2
oldbwl
Junior Member
 
Join Date: Jul 2006
Posts: 3
Clean Install/Uninstall did not help

Arrrgh! LOL it still keeps coming back.

I have attached a RAR file with the contents of the folder, can someone please help, this is driving me mad!
Attached Files
File Type: rar nsis.rar (21.7 KB, 942 views)
Old 2nd July 2006, 08:41   #3
Rocker
Hiding in plain sight (mod)
 
Join Date: Jun 2000
Location: Melbourne, Australia
Posts: 9,910
It's not part of Winamp, Shoutcast or the default install of NSIS. I have no such files on my system.

NSIS is open source, so anyone can use it; it could be due to another program or an extension to an NSIS installer you used at some time.
Old 2nd July 2006, 09:02   #4
oldbwl
Junior Member
 
Join Date: Jul 2006
Posts: 3
Thanks,
I have never used NSIS, and you appear to be saying that it is a coincidence that, having just installed Winamp from Nullsoft, the installer is a Nullsoft one. I do not believe I installed any other program recently.

Am submitting to Symantec as well to see what they can do.

Google reveals nothing about "NSIS Media Extension" apart from one forum message, which appeared to have been resolved after the uninstaller was used, but sadly not for me.
Old 2nd July 2006, 11:49   #5
DJ Egg
Techorator
Winamp & Shoutcast Team
 
Join Date: Jun 2000
Posts: 35,913
Hi.

As Rocker said, it's not part of the default Winamp or Shoutcast installer/uninstaller.

NSIS (Nullsoft Scriptable Install System) is used by thousands of software vendors/distributors worldwide. The installer system itself is a Nullsoft product, but it can be used to install absolutely anything by anyone.


Did you maybe also install any extra 3rd-party plugins from winamp.com/plugins?
If so, which ones?


As you said, there's not too many references to this issue anywhere on the net.
I only managed to find two, the second of which is in Dutch...
http://www.techsupportforum.com/showthread.php?t=104947
http://www.antispywareoffensief.nl/f...d.php?p=141744


It definitely would seem to be something undesirable (adware),
so let's see if we can find out more...


Registry Search Tool
http://www.billsway.com/vbspage/

Scroll down the page, find "Registry Search Tool" and download it.
It is zipped, so extract it to a folder where you will be able to easily find it later.

Double click on RegSrch.vbs

If you get a warning from your Anti Virus please ignore it and allow this to run.

When it starts, you will be prompted to enter a search phrase.

Type NSIS into the search field and click OK

When done, a message box will appear on the desktop.
Click OK to open the results.
Once you close that file, it will be deleted, so please save it as e.g. results.txt first.

Attach results.txt to your next reply here.


Logs from these other utilities might also shed some further light...


FindIt
http://www.thatcomputerguy.us/downlo...itnt2000xp.zip

Unzip the contents of finditnt2000xp.zip to a convenient location.
Open the "Find It NT-2K-XP" folder and double-click on find.bat
A command prompt will open and it will search your computer for malicious files.
Once it has finished a Notepad window will pop up with output.txt.
Attach output.txt here.


DLLCompare
http://www.thatcomputerguy.us/downloads/dllcompare.exe

Run DllCompare and click on the Locate.com button.
Wait a few seconds and then click on the Compare button.
Let it run, then click on 'Make a log of what was found'
Attach that log here.


L2MFix
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe.
Click the Install button to extract the files and follow the prompts,
then open the newly added l2mfix folder on your desktop.
Double click l2mfix.bat and select option #1 for "Run Find Log" by typing 1 and then pressing enter.
This will scan your computer and it may appear nothing is happening,
then, after a minute or 2, Notepad will open with a log. Save that log and attach it here.

IMPORTANT: Do NOT run option #2 or any other files in the L2mfix folder.


Hopefully, those 4 logs will shed some further light on the situation...
Old 4th July 2006, 14:02   #6
mtaylor0617
Junior Member
 
Join Date: Jul 2006
Posts: 11
Me 2

As I seem to be one of the 5 or 6 people on the entire planet who is also infected with this garbage, allow me to add what information I can. This thing turned up about a week ago (long after the last Winamp install) in the form of popups for NSIS media, completely unaffected by any ad blockers from my Maxthon or IE. I found the NSIS folder in Program Files, and used the uninstall, which was probably a mistake. It rebooted my computer immediately without allowing me to check the startup menu to ensure it hadn't placed a reloader.

On reboot, the folder was now in Program Files/Common Files, where it has remained despite every attempt I've made to get rid of it. Each time it reboots, the NS(xx).DLL is renumbered. I've used every type of virus scan, and spyware tool I could find. I have scoured the registry, looking for NSIS Media Extension references. I have removed entries that I probably shouldn't, and it STILL comes back on a reboot. Can't find it in Win.ini, boot.ini - NOWHERE!

I'm posting in this forum for the express purpose of offering an opinion that I don't think this is a Winamp problem per se. It seems to attach itself to a number of media utilities, Winamp just being one of them. Each time I try to purge it, it seems to propagate to new areas. I'm at my wits (such as they are) end with this.

For what it's worth, I offer this log from an older registry cleaner which I've always trusted. On a reboot, it will always show "NSIS Media" as a new installation, and when I remove the entry using this utility, these are (currently) the keys associated with it. Each time I try, this list just gets longer. I was unhappy about removing so many references to viable software, but I'm at that stage of desperation, and according to this cleaner, they tied in to this NSIS Media Extension thing. AAAAAGH!


RegCleaner 4.3 by Jouni Vuorio

Author : Nsis
Software : Media
Age : Old

If you choose to remove this item these keys would be removed
HKEY_LOCAL_MACHINE\Software\Nsis\Media
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Macromedia Shockwave Player
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\MediaMonkey_is1
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Windows Media Format Runtime
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Windows Media Player
Software\Microsoft\Windows\CurrentVersion\StillImage\Registered Applications: Picasa2
HKEY_CLASSES_ROOT\.3g2\shell\open\command
HKEY_CLASSES_ROOT\.3gp\shell\open\command
HKEY_CLASSES_ROOT\.3gp2\shell\open\command
HKEY_CLASSES_ROOT\.3gpp\shell\open\command
HKEY_CLASSES_ROOT\.mfp
HKEY_CLASSES_ROOT\.mmc
HKEY_CLASSES_ROOT\3g2file\shell\open\command
HKEY_CLASSES_ROOT\3gp2file\shell\open\command
HKEY_CLASSES_ROOT\3gpfile\shell\open\command
HKEY_CLASSES_ROOT\3gppfile\shell\open\command
HKEY_CLASSES_ROOT\ac3file\shell\open\command
HKEY_CLASSES_ROOT\aifcfile\shell\open\command
HKEY_CLASSES_ROOT\AIFFFile\shell\open\command
HKEY_CLASSES_ROOT\amrfile\shell\open\command
HKEY_CLASSES_ROOT\ASFFile
HKEY_CLASSES_ROOT\ASXFile
HKEY_CLASSES_ROOT\AUFile\shell\open\command
HKEY_CLASSES_ROOT\AVIFile\shell\open\command
HKEY_CLASSES_ROOT\bikfile\shell\open\command
HKEY_CLASSES_ROOT\cdafile\shell\open\command
HKEY_CLASSES_ROOT\d2vfile\shell\open\command
HKEY_CLASSES_ROOT\DAT_auto_file\shell\open\command
HKEY_CLASSES_ROOT\divxfile\shell\open\command
HKEY_CLASSES_ROOT\DMCConvert\shell\open\command
HKEY_CLASSES_ROOT\drcfile\shell\open\command
HKEY_CLASSES_ROOT\dsafile\shell\open\command
HKEY_CLASSES_ROOT\dsmfile\shell\open\command
HKEY_CLASSES_ROOT\dssfile\shell\open\command
HKEY_CLASSES_ROOT\dsvfile\shell\open\command
HKEY_CLASSES_ROOT\dtsfile\shell\open\command
HKEY_CLASSES_ROOT\FlashFactory.FlashFactory
HKEY_CLASSES_ROOT\FlashFactory.FlashFactory.1
HKEY_CLASSES_ROOT\flcfile\shell\open\command
HKEY_CLASSES_ROOT\flicfile\shell\open\command
HKEY_CLASSES_ROOT\flifile\shell\open\command
HKEY_CLASSES_ROOT\h323file\shell\open\command
HKEY_CLASSES_ROOT\hdmovfile\shell\open\command
HKEY_CLASSES_ROOT\ifofile\shell\open\command
HKEY_CLASSES_ROOT\iiifile\shell\open\command
HKEY_CLASSES_ROOT\IVFfile\shell\open\command
HKEY_CLASSES_ROOT\m1afile\shell\open\command
HKEY_CLASSES_ROOT\m2afile\shell\open\command
HKEY_CLASSES_ROOT\m2vfile\shell\open\command
HKEY_CLASSES_ROOT\m3ufile\shell\open\command
HKEY_CLASSES_ROOT\m4afile\shell\open\command
HKEY_CLASSES_ROOT\m4pfile\shell\open\command
HKEY_CLASSES_ROOT\m4vfile\shell\open\command
HKEY_CLASSES_ROOT\MacromediaFlashPaper.MacromediaFlashPaper
HKEY_CLASSES_ROOT\MCI.MMControl
HKEY_CLASSES_ROOT\MCI.MMControl.1
HKEY_CLASSES_ROOT\Media Type
HKEY_CLASSES_ROOT\MediaCatalog
HKEY_CLASSES_ROOT\MediaCatalog.1
HKEY_CLASSES_ROOT\MediaCatalogGroup
HKEY_CLASSES_ROOT\MediaCatalogGroup.1
HKEY_CLASSES_ROOT\MediaCatalogMoniker
HKEY_CLASSES_ROOT\MediaCatalogMoniker.1
HKEY_CLASSES_ROOT\MediaCatalogPathMoniker
HKEY_CLASSES_ROOT\MediaCatalogPathMoniker.1
HKEY_CLASSES_ROOT\MediaDevMgr.MediaDevMgr
HKEY_CLASSES_ROOT\MediaDevMgr.MediaDevMgr.1
HKEY_CLASSES_ROOT\MediaMonkey.File
HKEY_CLASSES_ROOT\MediaPlayer.MediaPlayer
HKEY_CLASSES_ROOT\MediaPlayer.MediaPlayer.1
HKEY_CLASSES_ROOT\MediaPlayerClassic.Autorun
HKEY_CLASSES_ROOT\MIDFile\shell\open\command
HKEY_CLASSES_ROOT\mkafile\shell\open\command
HKEY_CLASSES_ROOT\mkvfile\shell\open\command
HKEY_CLASSES_ROOT\Mmedia.AsyncMHandler
HKEY_CLASSES_ROOT\Mmedia.AsyncMHandler.1
HKEY_CLASSES_ROOT\Mmedia.AsyncPProt
HKEY_CLASSES_ROOT\Mmedia.AsyncPProt.1
HKEY_CLASSES_ROOT\Mmedia.RadioBand
HKEY_CLASSES_ROOT\Mmedia.RadioBand.1
HKEY_CLASSES_ROOT\Mmedia.RadioPlayer
HKEY_CLASSES_ROOT\Mmedia.RadioPlayer.1
HKEY_CLASSES_ROOT\Mmedia.RadioServer
HKEY_CLASSES_ROOT\Mmedia.RadioServer.1
HKEY_CLASSES_ROOT\mmst\shell\open\command
HKEY_CLASSES_ROOT\mmsu\shell\open\command
HKEY_CLASSES_ROOT\movfile\shell\open\command
HKEY_CLASSES_ROOT\Mp3CoolPlay.ogg\shell\open\command
HKEY_CLASSES_ROOT\mp3file\shell\open\command
HKEY_CLASSES_ROOT\mpcplfile\shell\open\command
HKEY_CLASSES_ROOT\mpegfile\shell\open\command
HKEY_CLASSES_ROOT\mpg"_auto_file\shell\open\command
HKEY_CLASSES_ROOT\MPlayer
HKEY_CLASSES_ROOT\msbd\shell\open\command
HKEY_CLASSES_ROOT\MystikMedia.Error
HKEY_CLASSES_ROOT\ogmfile\shell\open\command
HKEY_CLASSES_ROOT\pssfile\shell\open\command
HKEY_CLASSES_ROOT\pvafile\shell\open\command
HKEY_CLASSES_ROOT\qedit.MediaLocator
HKEY_CLASSES_ROOT\qedit.MediaLocator.1
HKEY_CLASSES_ROOT\qtfile\shell\open\command
HKEY_CLASSES_ROOT\rafile\shell\open\command
HKEY_CLASSES_ROOT\ramfile\shell\open\command
HKEY_CLASSES_ROOT\ratdvdfile\shell\open\command
HKEY_CLASSES_ROOT\rmfile\shell\open\command
HKEY_CLASSES_ROOT\rmvbfile\shell\open\command
HKEY_CLASSES_ROOT\roqfile\shell\open\command
HKEY_CLASSES_ROOT\rpfile\shell\open\command
HKEY_CLASSES_ROOT\rpmfile\shell\open\command
HKEY_CLASSES_ROOT\rtfile\shell\open\command
HKEY_CLASSES_ROOT\ShockwaveFlash.ShockwaveFlash\shell\open\command
HKEY_CLASSES_ROOT\smifile\shell\open\command
HKEY_CLASSES_ROOT\smilfile\shell\open\command
HKEY_CLASSES_ROOT\smkfile\shell\open\command
HKEY_CLASSES_ROOT\SongsDB.SDBMedia
HKEY_CLASSES_ROOT\SoundRec\shell\open\command
HKEY_CLASSES_ROOT\TerminalManager.Class
HKEY_CLASSES_ROOT\tpfile\shell\open\command
HKEY_CLASSES_ROOT\tprfile\shell\open\command
HKEY_CLASSES_ROOT\tsfile\shell\open\command
HKEY_CLASSES_ROOT\ulsfile\shell\open\command
HKEY_CLASSES_ROOT\vobfile\shell\open\command
HKEY_CLASSES_ROOT\vp6file\shell\open\command
HKEY_CLASSES_ROOT\WAXFile
HKEY_CLASSES_ROOT\Winamp.File
HKEY_CLASSES_ROOT\Windows Media
HKEY_CLASSES_ROOT\wmafile
HKEY_CLASSES_ROOT\WMDFile
HKEY_CLASSES_ROOT\WMNetSourcePlugin.NetSourcePlugin
HKEY_CLASSES_ROOT\WMNetSourcePlugin.NetSourcePlugin.1
HKEY_CLASSES_ROOT\WMP.DeskBand
HKEY_CLASSES_ROOT\WMP.DeskBand.1
HKEY_CLASSES_ROOT\WMP.Device
HKEY_CLASSES_ROOT\WMP.Device.1
HKEY_CLASSES_ROOT\WMP.DVR-MSFile\shell\open\command
HKEY_CLASSES_ROOT\WMP.WMDBFile
HKEY_CLASSES_ROOT\wmpfile\shell\open\command
HKEY_CLASSES_ROOT\WMPlayer.OCX
HKEY_CLASSES_ROOT\WMPlayer.OCX.7
HKEY_CLASSES_ROOT\WMSDKHTTPSourcePlugin.HTTPSource
HKEY_CLASSES_ROOT\WMSDKHTTPSourcePlugin.HTTPSource.2
HKEY_CLASSES_ROOT\WMSDKMMSSourcePlugin.MMSSource
HKEY_CLASSES_ROOT\WMSDKMMSSourcePlugin.MMSSource.2
HKEY_CLASSES_ROOT\WMSDKMSBSourcePlugin.MSBDSource
HKEY_CLASSES_ROOT\WMSDKMSBSourcePlugin.MSBDSource.2
HKEY_CLASSES_ROOT\WMSFile
HKEY_CLASSES_ROOT\WMVFile
HKEY_CLASSES_ROOT\WMZFile
HKEY_CLASSES_ROOT\WPLFile
HKEY_CLASSES_ROOT\WVXFile
Old 4th July 2006, 15:48   #7
DJ Egg
Techorator
Winamp & Shoutcast Team
 
Join Date: Jun 2000
Posts: 35,913
If I'm to help any further with this matter, then I'll need to see ALL the logs I requested in my previous post.

As you said, this malware is not installed by or connected to Winamp or Shoutcast in any way whatsoever. The only remote connection is the fact that they are either using an NSIS installer to install it, or they are just using the NSIS name to try to dupe people into thinking it's legit.

Judging by the RegCleaner log, it would seem to be pretty deep rooted, and it looks like it attaches itself to all media players installed... so it won't be easy to get rid of, but I'll certainly give it my best shot.
Old 4th July 2006, 17:13   #8
mtaylor0617
Junior Member
 
Join Date: Jul 2006
Posts: 11
I did download the first set of files for checking malicious software (the DOS apps) and the first scan showed some DLLs which I thought I would have to check one by one for some record of authenticity. At this stage I'm just so TIRED of dealing with this that I have yet to do that or run the other two executables. For what it's worth, here's the first result, and I'll get to the other two and the other instructions ASAP and post the results, in the hope that, if nothing else, this adds to the general information pool, and if this does turn out to be some (eventually) widespread and unique malware, smarter people than me will find a way to remove it. Thanks. (P.S. Nothing suspicious in the "Hijack This" scan at all either.)

This is from "Find.bat:" (will post the other results when my strength is renewed and my anger dissipated! :-) )

(P.P.S.) Good little app btw! Thanks for that!

--------
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Internet Downloads

------- System Files in System32 Directory -------

Volume in drive C is C
Volume Serial Number is 1228-17FA

Directory of C:\WINDOWS\System32

04/27/2006 10:24 AM 2,945,024 Smab.dll
01/12/2006 06:23 PM 364,032 CoreAVC.ax
11/25/2005 03:46 PM 421,888 RealMediaSplitter.ax
11/25/2005 03:22 PM 421,888 MatroskaSplitter.ax
10/07/2005 07:14 PM 308,224 avisynth.dll
07/19/2005 04:28 PM <DIR> Microsoft
07/19/2005 03:36 PM <DIR> dllcache
07/14/2005 12:31 PM 27,648 AVSredirect.dll
06/26/2005 03:32 PM 616,448 cygwin1.dll
06/21/2005 10:37 PM 45,568 cygz.dll
06/20/2005 10:00 AM <DIR> ShellDHCP
02/28/2005 01:16 PM 240,128 x.264.exe
02/12/2005 06:00 PM 139,264 RLSpeexDec.ax
02/12/2005 06:00 PM 212,992 RLTheoraDec.ax
02/12/2005 06:00 PM 487,424 RLOgg.ax
02/05/2005 06:00 PM 212,992 RLVorbisDec.ax
01/17/2005 06:26 PM 421,888 DiracSplitter.ax
07/09/2004 03:47 AM 167,936 CoreAAC.ax
04/26/2004 06:00 PM 98,304 RLMPCDec.ax
01/25/2004 12:00 AM 70,656 yv12vfw.dll
01/25/2004 12:00 AM 70,656 i420vfw.dll
11/20/2003 06:00 PM 139,264 RLAPEDec.ax
08/19/2003 03:20 AM 180,224 ac3filter.ax
05/11/1998 08:01 PM 51,712 _isshell.exe
21 File(s) 7,644,160 bytes
3 Dir(s) 2,923,094,016 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is C
Volume Serial Number is 1228-17FA

Directory of C:\WINDOWS\System32

07/04/2006 02:05 AM 48,882 vsconfig.xml
07/01/2006 06:55 AM 4,212 zllictbl.dat
04/27/2006 10:24 AM 2,945,024 Smab.dll
01/12/2006 06:23 PM 364,032 CoreAVC.ax
11/25/2005 03:46 PM 421,888 RealMediaSplitter.ax
11/25/2005 03:22 PM 421,888 MatroskaSplitter.ax
10/07/2005 07:14 PM 308,224 avisynth.dll
07/24/2005 02:27 PM <DIR> GroupPolicy
07/19/2005 03:58 PM 488 WindowsLogon.manifest
07/19/2005 03:58 PM 488 logonui.exe.manifest
07/19/2005 03:58 PM 749 nwc.cpl.manifest
07/19/2005 03:58 PM 749 cdplayer.exe.manifest
07/19/2005 03:58 PM 749 wuaucpl.cpl.manifest
07/19/2005 03:58 PM 749 sapi.cpl.manifest
07/19/2005 03:58 PM 749 ncpa.cpl.manifest
07/19/2005 03:36 PM <DIR> dllcache
07/14/2005 12:31 PM 27,648 AVSredirect.dll
06/26/2005 03:32 PM 616,448 cygwin1.dll
06/21/2005 10:37 PM 45,568 cygz.dll
06/20/2005 12:47 PM 13,122 folder.htt
06/20/2005 10:00 AM <DIR> ShellDHCP
02/28/2005 01:16 PM 240,128 x.264.exe
02/12/2005 06:00 PM 487,424 RLOgg.ax
02/12/2005 06:00 PM 212,992 RLTheoraDec.ax
02/12/2005 06:00 PM 139,264 RLSpeexDec.ax
02/05/2005 06:00 PM 212,992 RLVorbisDec.ax
01/17/2005 06:26 PM 421,888 DiracSplitter.ax
07/09/2004 03:47 AM 167,936 CoreAAC.ax
04/26/2004 06:00 PM 98,304 RLMPCDec.ax
01/25/2004 12:00 AM 70,656 i420vfw.dll
01/25/2004 12:00 AM 70,656 yv12vfw.dll
11/20/2003 06:00 PM 139,264 RLAPEDec.ax
08/19/2003 03:20 AM 180,224 ac3filter.ax
30 File(s) 7,663,385 bytes
3 Dir(s) 2,923,085,824 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C is C
Volume Serial Number is 1228-17FA

Directory of C:\WINDOWS\System32

02/14/2006 08:00 AM <DIR> AVGUARD_43f94baf
01/28/2006 11:48 AM <DIR> AVGUARD_43e9635f
0 File(s) 0 bytes
2 Dir(s) 2,923,077,632 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C is C
Volume Serial Number is 1228-17FA

Directory of C:\WINDOWS\System32


------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"Avant Browser"="IEAK"


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
zllictbl.dat Sat 2006-07-01 6:55:14 ...H. 4 212 4,11 K
smab.dll Thu 2006-04-27 10:24:24 A.SHR 2 945 024 2,81 M
vsconfig.xml Tue 2006-07-04 2:05:18 A..H. 48 882 47,73 K

3 items found: 3 files, 0 directories.
Total of file sizes: 2 998 118 bytes 2,86 M

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack
C:\WINDOWS\SYSTEM32\MRT.exe: (ASPack)
C:\WINDOWS\SYSTEM32\MRT.exe: (AsPack2k)
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack2000
C:\WINDOWS\SYSTEM32\MRT.exe: (Aspack %s)
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.61
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.084
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.083
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.08.02b
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.07b
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.05b
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.02
C:\WINDOWS\SYSTEM32\MRT.exe: ASPACK
C:\WINDOWS\SYSTEM32\MRT.exe: aspACK
C:\WINDOWS\SYSTEM32\MRT.exe: aspACK
C:\WINDOWS\SYSTEM32\MRT.exe: aspACK
C:\WINDOWS\SYSTEM32\MRT.exe: aspACK
C:\WINDOWS\SYSTEM32\MRT.exe: aspACK
C:\WINDOWS\SYSTEM32\MRT.exe: aspACK
C:\WINDOWS\SYSTEM32\MRT.exe: aspACK
C:\WINDOWS\SYSTEM32\MRT.exe: aspACK
C:\WINDOWS\SYSTEM32\Christmas Reflections.scr: .aspack
C:\WINDOWS\SYSTEM32\New World.scr: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



Old 4th July 2006, 18:26   #9
DJ Egg
Techorator
Winamp & Shoutcast Team
 
Join Date: Jun 2000
Posts: 35,913
Nope, nothing strikingly suspicious there.

With maybe the exception of _isshell.exe (windows\system32 dir)
Any idea what that file is/does?
Google doesn't reveal any info about it either.

I also thought smab.dll sounded a bit iffy at first, but research seems to suggest that it's related to SUPER (Simplified Universal Player Encoder & Renderer), which I'm assuming you've knowingly installed?

Bring on the other 3 logs... hopefully they'll reveal more.

I might also attach a RegQuery.bat file later, which will query some registry keys and output them to a text file... but let's see what the other logs show first (please note that all those little apps are totally safe to use, but please don't run any of the fixes, eg. L2MFix Option #2, as it is designed to specifically fix the Look2Me/VX2 parasite, but it does provide quite a lot of useful info in the log).
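The find.bat output in post #8 is a REGEDIT4 dump of the Winlogon\Notify and Run keys, two of the autostart locations where this kind of adware hides, and reading `DllName` values stored as `hex(2):63,72,...` by eye is slow and error-prone. The script below is an added example written for this page, not a tool from the thread or from Nullsoft. It parses a .reg-style dump in both the REGEDIT4 form find.bat writes and the "Windows Registry Editor Version 5.00" form L2MFix writes (where hex strings are UTF-16LE and wrap onto continuation lines ending in a backslash), decodes the values, and reports Notify DLLs outside a baseline, every ShellExecuteHooks entry except the stock shell32 one, and all Run entries for review. The two baselines are my assumptions (the Notify list is taken from the clean entries in the thread's own logs, the hook CLSID is the one a clean XP install carries); the sample dumps are constructed from lines posted in this thread, including the ShellExecuteHooks entry that appears later in the thread.

```python
import re

REG_V5_HEADER = "Windows Registry Editor Version 5.00"

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
HOOKS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Assumed baselines: the Notify DLLs a stock XP SP2 box registers (from the clean entries in
# the find.bat dump above) and the single ShellExecuteHooks CLSID (shell32's URL hook) a clean
# XP install carries.  Re-derive both from a known-clean machine before relying on them.
NOTIFY_BASELINE = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}
HOOK_BASELINE = {"{aeb6717e-7e19-11d0-97ee-00c04fd91972}"}

_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    """Undo .reg escaping (backslash-backslash, backslash-quote) in one pass."""
    return re.sub(r"\\(.)", r"\1", s)


def _decode_hex(kind, payload, utf16):
    raw = bytes(int(b, 16) for b in payload.split(",") if b.strip())
    if kind in ("1", "2"):                    # REG_SZ / REG_EXPAND_SZ written out as hex
        enc = "utf-16-le" if utf16 else "latin-1"
        return raw.decode(enc, errors="replace").rstrip("\x00")
    return raw                                # REG_BINARY and the rest stay as bytes


def _parse_value(rest, utf16):
    if len(rest) >= 2 and rest[0] == '"' and rest[-1] == '"':
        return _unescape(rest[1:-1])
    if rest.startswith("dword:"):
        return int(rest[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", rest)
    return _decode_hex(m.group(1) or "3", m.group(2), utf16) if m else rest


def parse_reg(text):
    """Parse a REGEDIT4 or 'Version 5.00' dump into {key: {value_name: value}}."""
    utf16 = REG_V5_HEADER in text[:256]      # v5 encodes hex(2) strings as UTF-16LE
    logical = []
    for line in text.splitlines():
        s = line.rstrip()
        if logical and logical[-1].endswith("\\"):   # hex value wrapped onto the next line
            logical[-1] = logical[-1][:-1] + s.lstrip()
        else:
            logical.append(s)
    reg, current = {}, None
    for s in logical:
        if not s or s[0] == ";":
            continue
        if s[0] == "[" and s[-1] == "]":
            current = s[1:-1]
            reg.setdefault(current, {})
            continue
        m = _VALUE_RE.match(s)
        if current is None or not m:
            continue
        name = "@" if m.group(1) is None else _unescape(m.group(1))
        reg[current][name] = _parse_value(m.group(2), utf16)
    return reg


def triage(reg):
    """Return (category, item, detail) findings for the autostart keys of interest."""
    findings = []
    for key, values in reg.items():
        k = key.lower()
        if k.startswith(NOTIFY_KEY.lower() + "\\"):          # DLLs loaded inside winlogon.exe
            dll = next((v for n, v in values.items() if n.lower() == "dllname"), None)
            if dll is None:
                continue
            base = str(dll).replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if base not in NOTIFY_BASELINE:
                findings.append(("winlogon-notify", key.rsplit("\\", 1)[-1], str(dll)))
        elif k == HOOKS_KEY.lower():                          # COM objects run on every ShellExecute
            for clsid, label in values.items():
                if clsid.lower() not in HOOK_BASELINE:
                    findings.append(("shellexecutehook", clsid, str(label)))
        elif k == RUN_KEY.lower():                            # always list these for review
            for name, cmd in values.items():
                findings.append(("run", name, str(cmd)))
    return findings


# Constructed sample in find.bat's REGEDIT4 form, assembled from lines posted in this thread.
SAMPLE_REGEDIT4 = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{5BACC17E-BDF7-405B-BC68-ECB506395118}"="NSIS Media Extension"
'''

# Constructed sample in L2MFix's v5 form: UTF-16LE hex with a wrapped continuation line.
SAMPLE_V5 = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
'''

if __name__ == "__main__":
    for cat, item, detail in triage(parse_reg(SAMPLE_REGEDIT4)):
        print(f"{cat:17} {item:42} {detail}")
```

Feed it the saved output.txt, results.txt or the Winlogon/notify block of the L2MFix log and the only lines that need a human are the findings. On the constructed sample it reports the two Run entries for review and exactly one ShellExecuteHooks entry, the "NSIS Media Extension" CLSID; a hook registered there is a COM object loaded by Explorer on every ShellExecute call, which is why it is the first persistence point to check when something reappears after each logon.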
Old 5th July 2006, 01:43   #10
mtaylor0617
Junior Member
 
Join Date: Jul 2006
Posts: 11
Thanks DJ. I appreciate your having looked into those files to assess their legitimacy. "Super" is a big, all-in-one freeware encoder, and I did indeed install it knowingly.

I found a file named "A~NSISu_.exe" in the Windows root, quite accidentally, and my early research tells me it might be malicious - or it might not. Bottom line, nobody seems completely sure what it's supposed to do, legitimately or otherwise. I'm not sure it's wise to simply zap it, or rename it, which is really my inclination. From the little I've read, it doesn't seem quite that simple, but seems related to Nullsoft in some circles.

That .exe file installed 5/17/06, so I'll do a search later and see if I can find its source app from other installations on the same day or time.

Are you sure you want me to post the results of those other two DOS-based scanners that came in the "3 pak?"
"Locate.com" produced pages and pages of data, while "strings.exe" produced a long list of data consisting of characters that were "all Greek to me."

On with the fight.
Old 5th July 2006, 02:28   #11
DJ Egg
Techorator
Winamp & Shoutcast Team
 
Join Date: Jun 2000
Posts: 35,913
No, I don't want you to do anything at all with Locate.com or strings.exe. Leave them both alone.

Locate.com and strings.exe are both inside the "Find It" folder, but we've already got the find.bat/output.txt log from Find-It.

The other 3 logs I require are:

1. Registry Search Tool (results for NSIS search)
2. DLLCompare log
3. L2MFix log

These are 3 totally different apps that you need to download.

Read the instructions in my previous post again, very carefully, which I think explains everything quite clearly.


Re: A~NSISu_.exe
I think it's just a temp file created by NSIS installers/uninstallers.
It could be safe/clean, it could be bad. It all depends on the origin, and what was installed by the NSIS installer that it originally came from.
As already stated, NSIS is a freeware installer program created by Nullsoft, but can be used by anyone to install absolutely anything.
It's probably safe to just delete that file (though yeah, move it to a backup folder first and rename it to A~NSISu_.exe.off or something).
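Whether a file such as uninst.exe or A~NSISu_.exe is an NSIS-built stub can be settled from its bytes rather than from the "Nullsoft" string the original poster found in a text editor: an NSIS installer or uninstaller carries a "firstheader" in the data appended after the PE image, starting with a flags dword, the signature 0xDEADBEEF and the three dwords spelling "Null", "soft", "Inst". The checker below is an added example of mine, not code from the thread or from the NSIS project. It follows the NSIS 2 layout from the project's fileform.h (the field names and flag bits are the real ones; my reading that length_of_all_following_data is counted from the firstheader itself is an assumption) and runs on a constructed stand-in for an uninstaller. A hit proves only that the packager was NSIS, which is exactly Rocker's and DJ Egg's point: it says nothing about who built the package or what it installs.

```python
import struct

# NSIS firstheader constants (fileform.h): 0xDEADBEEF then "Null", "soft", "Inst" as dwords.
FH_SIG, FH_INT1, FH_INT2, FH_INT3 = 0xDEADBEEF, 0x6C6C754E, 0x74666F73, 0x74736E49
NSIS_MAGIC = struct.pack("<4I", FH_SIG, FH_INT1, FH_INT2, FH_INT3)   # b"\xef\xbe\xad\xdeNullsoftInst"
FIRSTHEADER_SIZE = 28                                                 # seven little-endian dwords
FH_FLAGS_UNINSTALL, FH_FLAGS_SILENT, FH_FLAGS_NO_CRC, FH_FLAGS_FORCE_CRC = 1, 2, 4, 8


def find_nsis_header(data, block=512):
    """Offset of the NSIS firstheader in `data`, or -1 if there is none.

    The NSIS stub locates its own payload by reading the file in 512-byte blocks and
    testing the start of each one, so a genuine firstheader is always block-aligned;
    scanning the same way avoids matching the magic string wherever else it may occur.
    """
    for off in range(0, len(data) - FIRSTHEADER_SIZE + 1, block):
        if data[off + 4:off + 4 + len(NSIS_MAGIC)] == NSIS_MAGIC:
            return off
    return -1


def parse_firstheader(data, off):
    """Decode the firstheader at `off` into the fields a triager cares about."""
    flags, _sig, _n1, _n2, _n3, header_len, following_len = struct.unpack_from("<7I", data, off)
    if flags & FH_FLAGS_NO_CRC:
        crc = "off"
    elif flags & FH_FLAGS_FORCE_CRC:
        crc = "forced"
    else:
        crc = "on"
    return {
        "offset": off,
        "is_uninstaller": bool(flags & FH_FLAGS_UNINSTALL),
        "silent": bool(flags & FH_FLAGS_SILENT),
        "crc_check": crc,
        "header_len": header_len,        # compressed size of the script header block
        "following_len": following_len,  # length_of_all_following_data
        # Assumption from the NSIS 2 source: following_len counts from the firstheader itself,
        # so it has to fit inside the file.  A value that overshoots means a truncated or
        # tampered stub; trailing bytes beyond it are an appended overlay worth a look.
        "length_plausible": off + following_len <= len(data),
    }


def inspect_nsis(data):
    """None if `data` is not NSIS-built, otherwise the decoded firstheader."""
    off = find_nsis_header(data)
    return None if off < 0 else parse_firstheader(data, off)


def build_sample():
    """Constructed stand-in for an NSIS-built uninstaller: 1024 bytes of fake PE image,
    a firstheader flagged as an uninstaller, then 164 bytes of fake compressed data."""
    fake_pe = b"MZ" + b"\x00" * 1022
    header_len, payload_len = 64, 100
    fh = struct.pack("<7I", FH_FLAGS_UNINSTALL, FH_SIG, FH_INT1, FH_INT2, FH_INT3,
                     header_len, FIRSTHEADER_SIZE + header_len + payload_len)
    return fake_pe + fh + b"\x41" * (header_len + payload_len)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    info = inspect_nsis(data)
    print("not an NSIS-built executable" if info is None else info)
```

Point it at the uninst.exe from C:\Program Files\Common Files\NSIS\ or at the A~NSISu_.exe copy (`python nsischeck.py uninst.exe`, the script name being my own). An NSIS uninstaller shows the uninstall flag set; the absence of a firstheader means the file merely contains the word "Nullsoft" and is not an NSIS stub at all, which would be the stronger sign of something trying to look legitimate.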
Old 5th July 2006, 17:53   #12
mtaylor0617
Junior Member
 
Join Date: Jul 2006
Posts: 11
The Beat Goes On :(

I thought I had this solved last night when I used ZA to block Internet access for "A~NSISu_.exe."
First time since this started that I rebooted and the NSIS Media folder was not present in Program Files or Program Files\Common Files. No joy this morning though, as it is back in its glory, with a newly numbered DLL.

(Note that with the registry check, I have removed some returns, as "consistency" was flagged by only using NSIS as a search criterion and these entries had no relevance to what is going on here.) This is all with a complete purge of every NSIS Media reference last night, only to have this stuff back this morning:

Here are the 3 checks that I had not done. (I did the "Find It" earlier, right?)

REGEDIT4
; Copy of RegSrch.vbs © Bill James

; Registry search results for string "NSIS" 7/5/2006 12:18:13

; NOTE: This file will be deleted when you close metapad.exe.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5BACC17E-BDF7-405B-BC68-ECB506395118}"="NSIS Media Extension"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NSISMedia]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NSISMedia]
"DisplayName"="NSIS Media Extension"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NSISMedia]
"UninstallString"="C:\\Program Files\\Common Files\\NSIS\\uninst.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NSISMedia]
"DisplayIcon"="C:\\Program Files\\Common Files\\NSIS\\uninst.exe,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\NSIS]

[HKEY_LOCAL_MACHINE\SOFTWARE\NSIS\Media]

[HKEY_LOCAL_MACHINE\SOFTWARE\NSIS\Media]
"InstDir"="C:\\Program Files\\Common Files\\NSIS\\"

[HKEY_USERS\S-1-5-21-1078081533-813497703-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\dll]
"a"="C:\\Program Files\\Common Files\\NSIS\\ns481.dll"

[HKEY_USERS\S-1-5-21-1078081533-813497703-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe]
"a"="C:\\Program Files\\Common Files\\NSIS\\uninst.exe"

[HKEY_USERS\S-1-5-21-1078081533-813497703-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe]
"b"="C:\\Documents and Settings\\{My User Name}\\A~NSISu_.exe"

___________________________________________________

And the DLL compare log:

* DLLCompare Log version()
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\cygwin1.dll Sun 2005-06-26 15:32:28 A.SHR 616 448 602,00 K
C:\WINDOWS\SYSTEM32\cygz.dll Tue 2005-06-21 22:37:42 A.SHR 45 568 44,50 K
C:\WINDOWS\SYSTEM32\avisynth.dll Fri 2005-10-07 19:14:52 A.SHR 308 224 301,00 K
C:\WINDOWS\SYSTEM32\i420vfw.dll Sun 2004-01-25 0:00:00 A.SHR 70 656 69,00 K
C:\WINDOWS\SYSTEM32\yv12vfw.dll Sun 2004-01-25 0:00:00 A.SHR 70 656 69,00 K
C:\WINDOWS\SYSTEM32\avsred~1.dll Thu 2005-07-14 12:31:20 A.SHR 27 648 27,00 K
C:\WINDOWS\SYSTEM32\smab.dll Thu 2006-04-27 10:24:24 A.SHR 2 945 024 2,81 M
________________________________________________

1 376 items found: 1 376 files (7 H/S), 0 directories.
Total of file sizes: 276 706 156 bytes 263,89 M

Administrator Account = True

--------------------End log---------------------


And finally, the L2MFix log. (In case this might be of any use also, the DLL (NSxx.dll) that keeps recreating itself with a different number on reboot had the following information from file properties:
Internal Name: Mediastub
Original File Name: Mediastub.dll
Product Name: kmdsvr

(There are only 2 files IN the NSIS folder - the uninstall.exe which doesn't uninstall, and this small (20KB) dll)

Here's the log (A biggy)

L2MFIX find log 051206
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"Avant Browser"="IEAK"
"Maxthon"="IEAK"

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
"{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails"
"{7D688A77-C613-11D0-999B-00C04FD655E1}"="SlowFile Icon Overlay"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{8DE56A0D-E58B-41FE-9F80-3563CDCB2C22}"="Default Image Extrator for Properties"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{08AB18D7-ACFB-4B59-93BA-81BBEE32D401}"="Xentient.Thumbs"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{67C63340-679B-11D2-92EE-000021474C19}"="IrfanView Extensions"
"{19F500E0-9964-11cf-B63D-08002B317C03}"="Desktop Icon Layout"
"{EF14A54A-4901-4481-8391-3F43FD0564****"="Restore Desktop Context Menu"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{FC0C9642-F433-4D36-932D-D7B6D70DFC57}"="OLE AutomationExt Extension"
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}"="ShellLink for Application References"
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}"="Shell Icon Handler for Application References"
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
"{ABC70703-32AF-11d4-90C4-D483A70F4825}"="CMenuExtender"
"{08267B21-223F-11d3-ACD4-004F4902B913}"="Desktop Architect"
"{28681820-917D-11d5-8177-005056FDDA4B}"="Copy file names to clipboard"
"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"="UnlockerShellExtension"
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}"="History Band"
"{611AD258-4138-4348-A534-9856FA6BA398}"="IconPackager Icon Handler"
"{D44E22BD-2D2C-4F13-BF1B-2DB458FD0C2C}"="KernelExtExt Extension"
"{3FF0AAD4-EF61-4409-B47C-62CD81A6D902}"="SFContextMenu"

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
jgdw400.dll Thu 2006-06-01 14:47:08 A.... 163 840 160,00 K
browseui.dll Wed 2006-05-10 1:23:00 A.... 1 022 976 999,00 K
danim.dll Wed 2006-05-10 1:23:00 A.... 1 054 208 1,00 M
inseng.dll Wed 2006-05-10 1:23:00 A.... 96 256 94,00 K
wininet.dll Wed 2006-05-10 1:23:04 A.... 658 432 643,00 K
urlmon.dll Wed 2006-05-10 1:23:02 A.... 613 888 599,50 K
shlwapi.dll Wed 2006-05-10 1:23:02 A.... 474 112 463,00 K
sporder.dll Wed 2006-06-07 18:48:34 A.... 8 464 8,27 K
wmp.dll Sat 2006-04-29 6:07:48 A.... 5 533 696 5,28 M
px.dll Tue 2006-05-16 16:23:54 ..... 430 080 420,00 K
pxmas.dll Tue 2006-05-16 16:23:54 ..... 176 128 172,00 K
pxwave.dll Tue 2006-05-16 16:23:56 ..... 339 968 332,00 K
vxblock.dll Tue 2006-05-16 16:23:56 ..... 28 672 28,00 K
pxdrv.dll Tue 2006-05-16 16:23:54 ..... 450 560 440,00 K
shdocvw.dll Mon 2006-05-29 11:30:34 A.... 1 494 016 1,42 M
legitc~1.dll Wed 2006-05-17 11:23:38 A.... 579 888 566,30 K
msrating.dll Wed 2006-05-10 1:23:02 A.... 146 432 143,00 K
cdfview.dll Wed 2006-05-10 1:23:00 A.... 151 040 147,50 K
mshtmled.dll Wed 2006-05-10 1:23:02 A.... 448 512 438,00 K
dxtrans.dll Wed 2006-05-10 1:23:00 A.... 205 312 200,50 K
dxtmsft.dll Wed 2006-05-10 1:23:00 A.... 357 888 349,50 K
pngfilt.dll Wed 2006-05-10 1:23:02 A.... 39 424 38,50 K
mstime.dll Wed 2006-05-10 1:23:02 A.... 532 480 520,00 K
iepeers.dll Wed 2006-05-10 1:23:00 A.... 251 392 245,50 K
jscript.dll Thu 2006-05-18 1:24:26 A.... 450 560 440,00 K
rasmans.dll Thu 2006-06-22 6:47:18 A.... 181 248 177,00 K
smab.dll Thu 2006-04-27 10:24:24 A.SHR 2 945 024 2,81 M
mshtml.dll Fri 2006-05-19 11:08:32 A.... 3 052 544 2,91 M
jsproxy.dll Wed 2006-05-10 1:23:00 A.... 16 384 16,00 K
xpsp3res.dll Thu 2006-05-11 4:23:24 A.... 24 576 24,00 K
extmgr.dll Wed 2006-05-10 1:23:00 A.... 55 808 54,50 K
jgpl400.dll Thu 2006-06-01 14:47:08 A.... 27 648 27,00 K
vsdata.dll Sun 2006-06-18 17:54:18 A.... 83 960 81,99 K
vsmonapi.dll Sun 2006-06-18 17:54:20 A.... 104 440 101,99 K
vspubapi.dll Sun 2006-06-18 17:54:20 A.... 268 280 261,99 K
vsutil.dll Sun 2006-06-18 17:54:22 A.... 440 312 429,99 K
vsinit.dll Sun 2006-06-18 17:54:20 A.... 157 688 153,99 K
vsxml.dll Sun 2006-06-18 17:54:24 A.... 100 344 97,99 K
vswmi.dll Sun 2006-06-18 17:54:24 A.... 59 384 57,99 K
zlcomm.dll Sun 2006-06-18 17:54:26 A.... 83 960 81,99 K
zlcommdb.dll Sun 2006-06-18 17:54:26 A.... 71 672 69,99 K
vsregexp.dll Sun 2006-06-18 17:54:22 A.... 71 672 69,99 K
libeay~1.dll Sun 2006-06-18 17:54:08 A.... 796 584 777,91 K
msvcr20.dll Mon 2006-07-03 22:06:50 A.... 11 163 10,90 K
pxsfs.dll Tue 2006-05-16 16:23:54 ..... 1 257 472 1,20 M

45 items found: 45 files (1 H/S), 0 directories.
Total of file sizes: 25 518 387 bytes 24,34 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C is C
Volume Serial Number is 1228-17FA

Directory of C:\WINDOWS\System32

04/27/2006 10:24 AM 2,945,024 Smab.dll
01/12/2006 06:23 PM 364,032 CoreAVC.ax
11/25/2005 03:46 PM 421,888 RealMediaSplitter.ax
11/25/2005 03:22 PM 421,888 MatroskaSplitter.ax
10/07/2005 07:14 PM 308,224 avisynth.dll
07/19/2005 04:28 PM <DIR> Microsoft
07/19/2005 03:36 PM <DIR> dllcache
07/14/2005 12:31 PM 27,648 AVSredirect.dll
06/26/2005 03:32 PM 616,448 cygwin1.dll
06/21/2005 10:37 PM 45,568 cygz.dll
06/20/2005 10:00 AM <DIR> ShellDHCP
02/28/2005 01:16 PM 240,128 x.264.exe
02/12/2005 06:00 PM 139,264 RLSpeexDec.ax
02/12/2005 06:00 PM 212,992 RLTheoraDec.ax
02/12/2005 06:00 PM 487,424 RLOgg.ax
02/05/2005 06:00 PM 212,992 RLVorbisDec.ax
01/17/2005 06:26 PM 421,888 DiracSplitter.ax
07/09/2004 03:47 AM 167,936 CoreAAC.ax
04/26/2004 06:00 PM 98,304 RLMPCDec.ax
01/25/2004 12:00 AM 70,656 yv12vfw.dll
01/25/2004 12:00 AM 70,656 i420vfw.dll
11/20/2003 06:00 PM 139,264 RLAPEDec.ax
08/19/2003 03:20 AM 180,224 ac3filter.ax
05/11/1998 08:01 PM 51,712 _isshell.exe
21 File(s) 7,644,160 bytes
3 Dir(s) 3,606,609,920 bytes free


(I tried to do all these tests EXACTLY as you specified, as you seemed quite adamant about that. I can't believe that more people don't have this by now. Same old Google entries as last week! It's the most insidious thing I've ever dealt with.)
mtaylor0617 is offline   Reply With Quote
Old 5th July 2006, 22:04   #13
DJ Egg
Techorator
Winamp & Shoutcast Team
 
Join Date: Jun 2000
Posts: 35,913
Ok, we're getting somewhere now, especially with the registry search results for nsis.

It's gonna take some time to analyze those other logs, though at first glance there doesn't seem to be much relevant to the case at hand.


In the meantime, can you also post a Registry Search Tool results log for:

5BACC17E-BDF7-405B-BC68-ECB506395118


Please also post a Registry Search Tool results log for the name of the current ns*.dll
eg. if the current one is ns481.dll then do a search for that and post the results.txt here


The next part is to try to work out where the hell it keeps reloading itself from.
Which browser are you getting the popups with?
Is it Avant? Or just one of Internet Explorer or Firefox, or all?


Once we've got all the information, I'm going to create separate .bat and .reg files that you'll need to run in Safe Mode. What they'll do is remove all the references from the registry, permanently block the clsid, delete the relevant files/folders, and delete all temp files....


Note, depending on the Registry Search Tool (RegSrch.vbs) results for 5BACC17E-BDF7-405B-BC68-ECB506395118 and the current ns*.dll, I might need to ask you to search for yet another string... we shall see.


btw, I've found another case here:
http://forums.mozillazine.org/viewto...95191aed8c5b9d
DJ Egg is offline   Reply With Quote
Old 6th July 2006, 19:17   #14
mtaylor0617
Junior Member
 
Join Date: Jul 2006
Posts: 11
Hi DJ - you should know that for almost every day since this started and being unable to resolve it, that I usually end up either deleting the NSIS folder right off the bat, or sometimes simply renaming the DLL, in the hopes of "throwing a monkey wrench into the works" on the next reboot. Messing with this DLL after it has reestablished itself SEEMS to stop all the pop ups. I haven't had an NSIS pop up for at least a week. FYI, these pop ups appeared on my Maxthon (default) browser, IE6, and Firefox. I eventually removed all of Firefox, after reading some of those forum entries which seemed to indicate most infections were limited to Firefox. I tried Avant at one point also, but can't remember if the problem appeared.

You noticed in an earlier log that there was a reference to NS481.DLL. This was a little strange, as the tool that replaces this missing DLL ONLY uses random TWO-DIGIT numbers. At the time of that scan, the file was NS48.DLL. Yesterday, it was NS11.DLL, which I perverted to NS11x.DLL. This morning, the folder had a new entry - ns42.dll, along with the old file. I have elected to leave the file and registry entries "as is," for now, so that I may monitor the frequency of pop ups, or IF they occur at all (that is, unless you have subsequent instructions). So far, all morning - no pop ups, but I've got every Maxthon Ad Hunter option running (and they are quite effective), as well as the IE6 PUB checked, and the PUB on Google Toolbar checked.

Maybe I've done enough "damage" with the many registry changes to eliminate this malware's ability to get those pop ups installed, but I REALLY want this OFF my drive too. It is uninvited, untrustworthy, and it seems to be writing new code to the registry on a regular basis. It MUST go!
I would like to know where this thing is in the boot procedure also. I spent an hour or two this morning, slowly going through the properties and dependencies of services, modules etc., but found nothing obvious, at least, to MY untrained eyes.

To the logs:

------------

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "5BACC17E-BDF7-405B-BC68-ECB506395118" 7/6/2006 14:00:12

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5BACC17E-BDF7-405B-BC68-ECB506395118}"="NSIS Media Extension"

[HKEY_LOCAL_MACHINE\SOFTWARE\NSIS\Media]
"Clsid"="{5BACC17E-BDF7-405B-BC68-ECB506395118}"


-----------

And ...

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "ns42.dll" 7/6/2006 14:43:07

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\NSIS\Media]
"Stub"="ns42.dll"

-------

Also note that almost all the pop up windows were large, completely blank browser windows, although I did get a couple with the actual advertisements. They were both (ironically) links to shareware apps for registry cleaners.
mtaylor0617 is offline   Reply With Quote
Old 6th July 2006, 22:52   #15
DJ Egg
Techorator
Winamp & Shoutcast Team
 
Join Date: Jun 2000
Posts: 35,913
I'm struggling a bit here, but haven't given up hope yet.

Found another case here
http://www.tomcoyote.org/forums/lofi...hp/t65519.html

but running the uninst.exe uninstaller worked for the dude there,
although I can see that it didn't also remove the registry entries...


Alas, all of those logs don't show anything, except for the Registry Search Tool results.


You'll need to:

1. Empty all internet caches for all your browsers

2. Empty the Java cache

3. Empty the %temp% folder

4. Search for and delete all files/folders called nsis, eg.
C:\Program Files\Mozilla Firefox\chrome\nsis.jar
C:\Program Files\Common Files\NSIS
C:\Windows\A~NSISu_.exe
C:\Documents and Settings\(username)\A~NSISu_.exe
etc etc etc

5. Delete krnsvr32.dll & wmdmb32.dll from the Windows\System32 dir

6. Delete these reg keys:
HKEY_LOCAL_MACHINE\SOFTWARE\NSIS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App_Management\ARPCache\NSISMedia
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NSISMedia

7. Delete this reg string (i.e. the string in bold text, do NOT delete the ShellExecuteHooks key): [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
{5BACC17E-BDF7-405B-BC68-ECB506395118}=NSIS Media Extension

(note to others, that string may have a different clsid #, but it'll still say "=NSIS Media Extension" no matter what the clsid is)


and do it all in Safe Mode


Yeah, I know I said I'd create .reg and .bat files to do it for you, but alas, I'm a bit busy tonight, and it'll take me quite a while to knock up those files. Let me know if you still want me to do it, and I'll see if I can get them done for you some time tomorrow.

I also can't guarantee that it'll work, because I'm still not sure where it keeps loading itself from :-(

Yup, it's definitely an evil one...

Just a shame that the uninstaller didn't work for you.
DJ Egg is offline   Reply With Quote
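Added example, written for this page by the editor; it is not DJ Egg's promised .reg/.bat files and not code posted anywhere in the thread. It takes a RegSrch.vbs or regedit export in the REGEDIT4 / "Windows Registry Editor Version 5.00" format seen in the logs above, decodes hex(2) values such as the Winlogon\Notify DllName entries, lists every ShellExecuteHooks entry together with the InprocServer32 DLL its CLSID resolves to, and generates the .reg for steps 6 and 7 that deletes the three keys and only the hook value, so the ShellExecuteHooks key itself, and any other hook registered there, survives as the post requires. The sample input is constructed from the RegSrch results mtaylor0617 posted; that search returned no CLSID\<clsid>\InprocServer32 key, so on this input the resolver reports None rather than guessing a DLL path.

```python
"""Triage a RegSrch.vbs / regedit export and build the targeted removal .reg.

Added example for this page, not code from the thread. Parses REGEDIT4 /
"Windows Registry Editor Version 5.00" text, decodes hex(2) (REG_EXPAND_SZ,
UTF-16LE) values such as Winlogon\\Notify DllName, lists ShellExecuteHooks
entries, and emits a .reg for steps 6 and 7 that never deletes the hooks key.
"""
import re

HOOKS_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
             r"\Explorer\ShellExecuteHooks")
KEYS_TO_DELETE = [  # keys the post says to delete outright (step 6)
    r"HKEY_LOCAL_MACHINE\SOFTWARE\NSIS",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App_Management\ARPCache\NSISMedia",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NSISMedia",
]
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')  # "name"=data or @=data
HEX_RE = re.compile(r"^hex(?:\((\d+)\))?:(.*)$")

# Constructed sample: the RegSrch hits plus one Winlogon\Notify key posted above.
SAMPLE_EXPORT = r"""REGEDIT4
; RegSrch.vbs (c) Bill James
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5BACC17E-BDF7-405B-BC68-ECB506395118}"="NSIS Media Extension"

[HKEY_LOCAL_MACHINE\SOFTWARE\NSIS\Media]
"Clsid"="{5BACC17E-BDF7-405B-BC68-ECB506395118}"
"Stub"="ns42.dll"
"InstDir"="C:\\Program Files\\Common Files\\NSIS\\"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"""


def decode_value(raw):
    """Right-hand side of a .reg line -> str (SZ types) / int (dword) / bytes."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])          # undo \\ and \" escapes
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = HEX_RE.match(raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) in ("1", "2", "7"):                   # SZ / EXPAND_SZ / MULTI_SZ
            return data.decode("utf-16-le").rstrip("\x00")
        return data                                         # bare hex: = REG_BINARY
    return raw


def parse_reg(text):
    """Return {key_path: {value_name: value}}; "" names the default (@) value."""
    keys, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line[0] == ";" or line.startswith(("REGEDIT", "Windows Registry")):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        while line.endswith("\\") and i < len(lines):       # hex data wraps with a trailing \
            line = line[:-1] + lines[i].strip()
            i += 1
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1) or ""] = decode_value(m.group(2))
    return keys


def shell_execute_hooks(keys):
    """{CLSID: display text} for every hook registered under ShellExecuteHooks."""
    for key, values in keys.items():
        if key.lower() == HOOKS_KEY.lower():
            return {n: v for n, v in values.items() if n.startswith("{")}
    return {}


def inproc_server(keys, clsid):
    """DLL behind a CLSID if the export contains its InprocServer32 key, else None."""
    suffix = ("\\" + clsid + "\\InprocServer32").lower()
    hits = [v.get("") for k, v in keys.items() if k.lower().endswith(suffix)]
    return hits[0] if hits else None


def triage(text):
    """[(clsid, display text, dll or None)] for each ShellExecuteHook in the export."""
    keys = parse_reg(text)
    return [(c, n, inproc_server(keys, c)) for c, n in shell_execute_hooks(keys).items()]


def removal_reg(clsid, keys_to_delete=KEYS_TO_DELETE):
    """REGEDIT4 text for steps 6 and 7: [-Key] drops a whole key, "name"=- drops
    one value and keeps its parent, so the ShellExecuteHooks key survives."""
    out = ["REGEDIT4", ""]
    for k in keys_to_delete:
        out += ["[-%s]" % k, ""]
    out += ["[%s]" % HOOKS_KEY, '"%s"=-' % clsid, ""]
    return "\r\n".join(out)


if __name__ == "__main__":
    for clsid, name, dll in triage(SAMPLE_EXPORT):
        print("%s (%s) -> %s" % (clsid, name, dll or "no InprocServer32 in this export"))
    print(removal_reg("{5BACC17E-BDF7-405B-BC68-ECB506395118}"))
```

Feed it the saved RegSrch results.txt instead of the constructed sample, check the hook list it prints (a hook whose CLSID resolves to a DLL under Common Files rather than the Windows directory is the one to remove), save the generated text as an ANSI .reg file and import it from Safe Mode with `regedit /s cleanup.reg`, then do the file deletions from steps 1 to 5 of the post. The script deliberately emits `"{clsid}"=-` rather than `[-...\ShellExecuteHooks]`, which is the distinction the post's step 7 warns about.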
Old 6th July 2006, 23:22   #16
siebe83
Forum King
 
Join Date: Feb 2004
Posts: 9,229
If it helps in any way, a quick translation of the last post in that Dutch thread you mentioned.

Note to others: I only post this as a reference, not as a recommendation to do what it says.
Quote:
Issue fixed

When I used the uninstaller the pc needed to reboot; after rebooting the pc, the nsis folder had come back again. If I removed the folder, it came back after a bit of browsing the internet.

This time, I used the uninstaller but I didn't allow the pc to reboot: I forced a hard shut down by pressing and holding the power button on the pc.
Then I started Windows in safe mode and used jv16 powertools to remove all the nsis stuff from the registry.

That was 2 days ago, didn't have any trouble since.
Dunno if this report is reliable, but if it's true, maybe it does something after the reboot?

siebe83 is offline   Reply With Quote
Old 7th July 2006, 10:46   #17
DJ Egg
Techorator
Winamp & Shoutcast Team
 
Join Date: Jun 2000
Posts: 35,913
Thanks Siebe

Ahh, I didn't know that it prompted you to reboot after running the uninstaller.

Yes, never reboot if prompted after running any spyware/malware uninstallers.
Run it, then hard boot into Safe Mode and delete any leftover files and clean up the registry
(as per the instructions in my previous post).

We shall see...
DJ Egg is offline   Reply With Quote
Old 7th July 2006, 13:45   #18
mtaylor0617
Junior Member
 
Join Date: Jul 2006
Posts: 11
I appreciate all the time and effort you have put into this, DJ, and whereas "The Folder of Death" simply won't go away, it hasn't been completely in vain. This is brand new malware, as it seems to have only appeared around the end of June.

All the scans and experiences of everyone infected, and those who try to assist will eventually add to the data pool which might be used to work a fix for this. Just think if this code was used for something a little more malicious than popups?

Personally, I have this NSIS folder on my drive, which is something I'd like to correct, but, knock wood, I'm not getting popups. In addition to the suite of PUB's I mentioned, I have also used the Maxthon Ad-Hunter tools to block any content with "NSIS" in the URL or titlebar string. Perhaps I might just live with that situation, provided it remains just as stable, until this problem becomes more widespread and there are other possible fixes or workarounds.

I was going to mention that "Coyote" forum to you today, as they seemed to be following a lot of the same clues. I wonder if the folder is GONE though - he said "no more popups," but I'd love to check for the NSIS folder. My bet is that it is still on that guy's computer.

If I do anything further, it will be deleting the NSIS folder again, purging all registry links, and then rebooting after disabling System Restore, as I'm wondering if the reloader isn't lurking inside there. Should have thought of that sooner, I think.

That idea about a hard shutdown might work too, but that uninstaller is bogus. If you press "OK" or even the close window key - it will reboot without any further prompts. That's the mark of malicious intent.

I'll post back if I have any success, or find out something new, as I'm sure you're probably a little curious about the mechanics of it by now, even though it's not on your machine.

Thanks again for all your efforts.
mtaylor0617 is offline   Reply With Quote
Old 7th July 2006, 14:09   #19
DJ Egg
Techorator
Winamp & Shoutcast Team
 
Join Date: Jun 2000
Posts: 35,913
Yes, please keep us informed of any progress.

As it stands, I think the only way I can actually get to the bottom of it is to physically examine an infected machine. But you're right, hopefully it won't be long before the likes of Ewido, Ad-Aware, Spysweeper, Pest Patrol, etc get this thing added to the detection/removal process.
DJ Egg is offline   Reply With Quote
Old 9th July 2006, 15:12   #20
mtaylor0617
Junior Member
 
Join Date: Jul 2006
Posts: 11
I'll tell ya' one thing I discovered yesterday - I tried taking another type of file, in this case, a wave file, and renaming it as the DLL du jour, which yesterday, was ns58.dll.
It saw right through that "trick," and this morning there is another dll, ns98 alongside my fake dll in the NSIS folder. I half expected that, but at least I now know that this DLL gets replaced ON SHUTDOWN, and has nothing to do with the startup menu. Not quite sure what to do with this new information, but at least it means a lot of us have been looking in the wrong place for the malicious program as traditionally, it would come back on a reload, not while shutting down.
mtaylor0617 is offline   Reply With Quote
Old 18th July 2006, 00:04   #21
mtaylor0617
Junior Member
 
Join Date: Jul 2006
Posts: 11
Update

Seems someone has discovered the root files responsible for this nasty and still undefined piece of malware.

http://www.zeropaid.com/bbs/spyware-...ups-38259.html

I followed the instructions for the removal of the two files in the Windows System directory:

krnsvr32.dll
wmdmb32.dll

As my post in that forum indicates, for the first time, I have eradicated the NSIS folder and its contents on a reboot. I'd like it to stay that way, but I still don't know where this came from in the first place. Still, this is a GOOD thing. NSIS Media Extension is gone from my computer without the reformat I feared was coming. Fingers crossed, it stays that way.
mtaylor0617 is offline   Reply With Quote
Old 18th July 2006, 01:46   #22
DJ Egg
Techorator
Winamp & Shoutcast Team
 
Join Date: Jun 2000
Posts: 35,913
Cool. That's good to know

Looking back, neither of those two files showed up in any of the logs either, heh.
But at least we now know what the source files are, and how to fully remove it.
Was there any reference to krnsvr32.dll & wmdmb32.dll anywhere in the registry?

So... did you work out where you got it from then?
ie. Did you maybe also install that Foxie Browser extension thing,
or maybe some other bogus ff extension from the evil dnscaching.net?
DJ Egg is offline   Reply With Quote
Old 18th July 2006, 14:16   #23
mtaylor0617
Junior Member
 
Join Date: Jul 2006
Posts: 11
I recall being suspicious of krnsvr32.dll at some point in my weeks of dealing with this but I'm not sure in what context. I remember googling it, and think I saw it in filemon or some other running-process explorer in connection with svchost.exe, which always somehow seemed related to the problem, although it's a viable system file. Anyway, I moved on from there, and this other guy ID'd it correctly as the malevolent file.

As to where I got it? - Phhhhf!

At the time I had Windows Firewall running (have since disabled and moved to ZA) and AVG, plus all ad-blocking features in my Maxthon browser enabled, including the ActiveX blocker. I guess I could have ok'd a bad ActiveX in a haze, but I really don't know.

Just prior to this problem, I had a glitch with my IE browser, which translated somewhat to the Maxthon only not as bad. While I was troubleshooting that, I did download Firefox (not Foxie) and use it for a bit in case I lost IE (and Maxthon as it operates on the IE engine.) It was around this time that I caught this thing, and from what I've been reading from others also infected, it seems that most have caught it with Firefox. I'm not saying that's the case, mind, but I NEVER get anything worse than a bad cookie and it seems that most people who have caught this have similar stories about "running clean," and don't sound like the type of folks to power up with open ports exposed, if you get my meaning.

As I understand it from another forum, this problem has been submitted to Symantec and other spyware/virus people and they are reportedly "working on it."
Maybe they will get a definitive answer one day.

As for me, I wonder how long it will take me to NOT immediately check Program Files\Common Files for the existence of the NSIS folder. Probably a while.
mtaylor0617 is offline   Reply With Quote
Old 22nd July 2006, 17:20   #24
hedehode
Junior Member
 
Join Date: Jul 2006
Posts: 2
NSIS so far

I keep getting those NSIS Media advertisement popups for the last few days. The only new thing I have installed is the latest version of eMule. By the way, I am a very careful user, and very very picky about what I install to my machine. I always have anti-virus, firewall and anti-spyware active and do regular checks.

Anyway you know the story, this NSIS thing is very sneaky, and does not show up in any protection software. I only fear that it may be a ticking time bomb and may have more serious effects after some time.

I tried everything mentioned in this forum so far. Here are the results:

1) Deleting or changing the permissions of the Common Files/NSIS directory and contents does not work, one has to find the original source.

2) Removing the signature from Firefox chrome or removing the shell extension from explorer does not work, after restart they are installed right back.

3) krnsvr32.dll & wmdmb32.dll are not always the source. I, for example, do not have either. I've also checked for any other suspicious dll files in system32 dir. Comparing the contents with a previous snapshot does not reveal any suspicious dlls.

4) uninstall.exe in the NSIS dir will not do anything either. I actually did not click it at all for a while, but cleared all suspicious files/registry entries etc. Since NSIS kept coming back, I tried the "uninstall" and "hard reboot" technique mentioned in many posts. Yes, it does work for the very first boot after the "hard reboot" (meaning you will not see the NSIS directory or the registry entries you have cleaned), but reboot your computer once again using regular method and NSIS will show up.

5) SpySweep, AdAware or SpyBot do not find anything at all.

6) RegSrch, FindIt and lm2fix logs (carried out as mentioned in this thread) do not reveal any suspicious entries (there are of course registry entries but when deleted they come back the next time I reboot). Neither does DLLCompare.

7) The ClassID and nsxx.dll names do not reveal any other entry in the registry (other than the ones already mentioned in the posts above).

8) I make sure I work in safe mode, clear all caches, clear the recycle bin and disable system restore. So any backdoors are already closed.

9) And of course my WindowsXP, Office, etc are all up-to-date with security patches.

So, there is no solution for me right now. It is driving me crazy but I don't think I can spend more time on this. Just hoping that it does not do anything other than the popups.

Here are two other things I think may be related but still a long shot:

a. I've been using LiteStep for a long time now. The reason we are experiencing a very small number of infections may be the fact that it is only affecting LiteStep users. Are the other people suffering in this forum using LiteStep or just plain old Explorer?

b. My Nero Burning Rom has not been working for the last few days. The timing coincides with NSIS popups. Everything other than Burning Rom (Nero Express or other Nero software that came with the same package) is working fine. Burning Rom crashes right after the splash screen. I tried repair option and since it did not work I re-installed Nero. Still the same problem... Since it has problems even after a re-install I suspect it is clashing with something at the runtime. That is why I think this symptom may be related to NSIS...

c. My wife has a separate administrative login on this same machine, but she is not using LiteStep. Nero Burning ROM runs fine when I log into her account. I did not work long enough in her account to see any NSIS popups, so do not know if her account is also affected (should be, she is using the very same Firefox installation).

As I have stated, LiteStep and Nero Burning Rom cross-diagnostics may be totally unrelated. It may very well be coincidence.

Let's keep posting...
hedehode is offline   Reply With Quote
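Step 3 of the post above relies on comparing the contents of system32 against an earlier snapshot, and post #20 notes that the replacement DLL's timestamp is the clue to when it lands. The following is an added example, not code from this thread or from any tool it names, of that snapshot-and-diff check in Python: it records a hash, size and mtime per DLL, stores the baseline as JSON so it survives a reboot, and reports what appeared, changed or vanished. It runs against a constructed stand-in directory; the file names krnsvr32.dll, wmdmb32.dll and ns58.dll are borrowed from the thread and their contents are placeholders.

```python
import hashlib
import json
import os
import tempfile


def snapshot(directory, extensions=(".dll",)):
    """Record SHA-256, size and mtime of each file in `directory` with a matching extension."""
    entries = {}
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if not os.path.isfile(path) or not name.lower().endswith(extensions):
            continue
        with open(path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        st = os.stat(path)
        entries[name.lower()] = {"sha256": digest, "size": st.st_size, "mtime": st.st_mtime}
    return entries


def save_snapshot(entries, path):
    """Persist a baseline so it can be compared after a reboot."""
    with open(path, "w") as fh:
        json.dump(entries, fh)


def load_snapshot(path):
    with open(path) as fh:
        return json.load(fh)


def diff_snapshots(before, after):
    """Names that appeared, whose content changed, or that vanished since the baseline."""
    return {
        "new": sorted(n for n in after if n not in before),
        "changed": sorted(n for n in after if n in before and after[n]["sha256"] != before[n]["sha256"]),
        "removed": sorted(n for n in before if n not in after),
    }


def demo():
    """Constructed scenario (not a real System32): two DLLs appear and one is replaced after the baseline."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("kernel32.dll", "ns58.dll", "readme.txt"):  # placeholder files, not real binaries
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(b"placeholder " + name.encode())
        state = os.path.join(d, "baseline.json")
        save_snapshot(snapshot(d), state)  # baseline taken on a known-good day
        for name in ("krnsvr32.dll", "wmdmb32.dll"):  # names reported in the thread; contents constructed
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(b"constructed sample, not a real binary")
        with open(os.path.join(d, "ns58.dll"), "wb") as fh:  # the renamed-DLL experiment from post #20
            fh.write(b"replaced contents")
        return diff_snapshots(load_snapshot(state), snapshot(d))


if __name__ == "__main__":
    print(demo())
```

On a real machine you would point `snapshot` at the system directory once while clean, save the JSON elsewhere, and re-run the diff after the folder reappears; the mtime in each entry tells you whether the drop happened at shutdown or at boot.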
Old 24th July 2006, 15:39   #25
mtaylor0617
Junior Member
 
Join Date: Jul 2006
Posts: 11
I don't know if you want to give this a try hedehode, but this virus checker software is supposed to look specifically for NSIS:

http://www.sophos.com/virusinfo/anal..._J1u0jKFl.html

There is a 30 day free trial, apparently, but I don't know if certain features are disabled or what. Someone in another forum who has the infection is going to try this package and report back. It seems that others have been completely unable to remove this from their systems, even using the methodology that worked for others, including me. The damn thing almost appears to mutate on different machines.

When I was fiddling around a couple of weeks ago, trying to get rid of the NS**.dll file by renaming or deleting it, I found that one time the dll that replaced it was timestamped as being installed at shutdown, but this wasn't consistent. The next one, a few days later, was stamped at boot.

I'm pretty sure I've eliminated most of the files that are capable of executing or self-replicating on their own, so I'll leave well-enough alone until (and if) someone comes up with a NSIS removal tool that scans for and zaps all associated files. Good luck.
mtaylor0617 is offline   Reply With Quote
Old 28th July 2006, 20:58   #26
hedehode
Junior Member
 
Join Date: Jul 2006
Posts: 2
finally removed NSIS Media

I've posted before with all the steps I have tried and how I was unsuccessful after all. I actually chose to live with it for a while and see if someone comes up with a solution. However, weird things kept happening on my computer without any new installs:

1. Nero Burning ROM still did not work after a complete reinstall.
2. HP Quick Play service gave an error after each restart: It says it has to terminate.
3. I realized that my virus signatures for McAfee Enterprise 8.0i were not getting updated regularly. When I ran the update tool by hand, it crashed.
4. And of course, I kept getting those NSIS Media popups once in a while.

The problem with anti-virus was the top priority, although I found a way to fix it by googling the problem. (I had to reregister a DLL to repopulate the registry, which means something went wrong with the registry, I think NSIS was growing its roots into the registry and it resulted in errors with killed QPService execution and McAfee Framework Service).

Finally, I tried TrojanHunter. It did not find anything in the memory, yet it found the CommonFiles\NSIS\uninst.exe as usual and another DLL in the Windows\System32. That DLL (named mssvide.dll) was marked with Adware.Cydoor.100 and was the key to NSIS removal. Looks like the DLL files may have different names and can mutate under different systems. So best way is to run TrojanHunter under system32 and delete any suspicious DLLs.

After I removed the DLL file with TrojanHunter, I went through the regular list of precautions:
- Clear caches, clear cookies
- Turn off system restore
- Clear NSIS directory
- Clean Registry from NSIS related entries and the shell execute hook
- Empty Trash Can
- Boot into safe mode once more
- Reboot

I tested the system by going through a number of reboots, surfing with Firefox and IE, and running all the programs I regularly run. So far, after like 10-15 reboots and 4 hours of normal operation, NSIS did not come back.

Looks like the very new version of TrojanHunter can clean this thing. Thanks for the hint in the Zeropaid forums!
hedehode is offline   Reply With Quote
Old 29th July 2006, 11:04   #27
belink
Junior Member
 
Join Date: Jul 2006
Posts: 2
Sorry if I bumped this, but the newest TrojanHunter (V 4.5 build 924) hasn't found anything! I'm still getting NSIS Media Popups, and was wondering if anyone could write a reg/bat file to get rid of this. Or if anyone has a different antivirus other than Sophos (I haven't got an email back from them) or Trojanhunter. ZA still can't pick up anything, nor Ad-Aware. I believe it has spread also through Adblock, a firefox plugin.
belink is offline   Reply With Quote
Old 7th August 2006, 01:24   #28
torpark
Senior Member
 
Join Date: Apr 2006
Posts: 113
Actually, I know what is doing this and where it comes from. It is from the NSIS compiler software at sourceforge. If you install it, this adware worm comes with it.

Winamp needs to address this immediately. It is adware they are forcing on people.
torpark is offline   Reply With Quote
Old 7th August 2006, 10:05   #29
DJ Egg
Techorator
Winamp & Shoutcast Team
 
Join Date: Jun 2000
Posts: 35,913
Umm, no. It isn't coming from Winamp and it isn't coming from Nullsoft or the official NSIS.
We've already established this, so please do not post misinformation.
DJ Egg is offline   Reply With Quote