Hijack Log.
44 replies to this topic

#1 DemonX (Member) - Posted 27 November 2006 - 12:09 PM

Please take a look and tell me how I can fix this.
My connection is running slower than usual.
Thanks.


Logfile of HijackThis v1.99.1
Scan saved at 20:06:35, on 2006-11-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\USER\Desktop\RuneScape.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ACD Systems\ACDSee\7.0\ACDSee7.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\USER\Desktop\Spyware Cleaner\HJT\HijackThis.exe

O1 - Hosts: 125.91.14.230 www.kzdh.com
O1 - Hosts: 125.91.14.230 www.7255.com
O1 - Hosts: 125.91.14.230 www.7322.com
O1 - Hosts: 125.91.14.230 www.7939.com
O1 - Hosts: 125.91.14.230 www.piaoxue.com
O1 - Hosts: 125.91.14.230 www.feixu.net
O1 - Hosts: 125.91.14.230 www.6781.com
O1 - Hosts: 125.91.14.230 www.7b.com.cn
O1 - Hosts: 125.91.14.230 7b.com.cn
O1 - Hosts: 125.91.14.230 www.918188.com
O1 - Hosts: 125.91.14.230 hao.allxue.com
O1 - Hosts: 125.91.14.230 good.allxue.com
O1 - Hosts: 125.91.14.230 baby.allxue.com
O1 - Hosts: 125.91.14.230 www.allxue.com
O1 - Hosts: 125.91.14.230 about.lank.la
O1 - Hosts: 125.91.14.230 www.x114x.com
O1 - Hosts: 125.91.14.230 www.37ss.com
O1 - Hosts: 125.91.14.230 www.7k.cc
O1 - Hosts: 125.91.14.230 www.73ss.com
O1 - Hosts: 125.91.14.230 www.hao123.com
O1 - Hosts: 125.91.14.230 www.81915.com
O1 - Hosts: 125.91.14.230 222.88.90.22
O1 - Hosts: 125.91.14.230 www.9991.com
O1 - Hosts: 125.91.14.230 www.my123.com
O1 - Hosts: 125.91.14.230 www.haokan123.com
O1 - Hosts: 125.91.14.230 www.5566.net
O1 - Hosts: 125.91.14.230 www.gjj.cc
O1 - Hosts: 125.91.14.230 www.2345.com
O1 - Hosts: 125.91.14.230 dl.hao318.com
O1 - Hosts: 125.91.14.230 www.123wa.com
O1 - Hosts: 125.91.14.230 www.ku886.com
O1 - Hosts: 125.91.14.230 www.5icrack.com
O1 - Hosts: 125.91.14.230 www.jjol.cn
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: EyeOnIE - {C14393E1-95FF-4DFF-9BE0-EA008D4EF930} - C:\PROGRA~1\test\BHOPLU~1.DLL
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [5x] C:\WINDOWS\system32\rundll32.exe f7znf.dll Rundll32
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 上传到QQ网络硬盘 - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 欢迎访问中国CS联盟 - c:\windows\cschina.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - C:\Program Files\Tencent\QQ\SendMMS.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6AC11894-B744-4342-9436-BB584724872F}: NameServer = 203.153.16.40,203.153.16.41
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

#2 DemonX (Member) - Posted 27 November 2006 - 12:30 PM

Bumpie~

#3 DemonX (Member) - Posted 27 November 2006 - 01:38 PM

Bump Again~

#4 DemonX (Member) - Posted 27 November 2006 - 02:30 PM

Bump =)

#5 TonyKlein (Spyware Moderator) - Posted 27 November 2006 - 02:50 PM

You have a browser plugin which is a close relative of this "Banker trojan": http://www.trendmicro.com/vinfo/grayware/v...%5FBANKER%2EABM

In Hijack This, check all of the following lines, then press "Fix Checked":

ALL O1 - Hosts entries!

O2 - BHO: EyeOnIE - {C14393E1-95FF-4DFF-9BE0-EA008D4EF930} - C:\PROGRA~1\test\BHOPLU~1.DLL

O4 - HKLM\..\Run: [5x] C:\WINDOWS\system32\rundll32.exe f7znf.dll Rundll32

O8 - Extra context menu item: 上传到QQ网络硬盘 - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 欢迎访问中国CS联盟 - c:\windows\cschina.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - C:\Program Files\Tencent\QQ\SendMMS.htm

O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)



After you've had HijackThis fix the lines, close the application, and go to download Killbox.
Click killbox.exe.
Select the option "Delete on reboot".
Click the button: All Files (!important!)

Next, copy the following lines in bold:

C:\Program Files\test\BhoPlugin.dll
C:\WINDOWS\system32\f7znf.dll


Open 'File' in the Killbox menu at the top and choose Paste from clipboard.

Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on the next reboot and ask if you would like to reboot now; click YES.
If you don't get that message, reboot manually.

Your computer should reboot now.

Now find and delete the C:\Program Files\Test folder

Next, temporarily shut down your antivirus' real time monitoring, and go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
  • Post the contents of the ActiveScan report in your reply. Also run HijackThis once again, and post a fresh log from that as well
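
The lines TonyKlein singles out share a few mechanical tells: dozens of hosts-file names all resolved to one non-loopback address, a Run entry that hands rundll32 a DLL by bare name (so it is resolved through the DLL search path rather than a fixed location), and a BHO living in a folder no vendor uses. The script below, an added example written for this thread and not a tool from the original post, turns those tells into checks that run over a HijackThis 1.99 log. The sample lines are copied from the log posted above; the allowlist of "vetted" BHO folders is an analyst-maintained assumption and should be extended from a known-clean machine.

```python
"""Triage a HijackThis 1.99.x log: flag hosts-file redirects, rundll32 autoruns
that name a DLL without a path, and BHOs loaded from unvetted folders."""
import re
from collections import defaultdict

# Lines copied from the HijackThis log posted earlier in this thread (not a full log).
SAMPLE_LOG = r"""
O1 - Hosts: 125.91.14.230 www.kzdh.com
O1 - Hosts: 125.91.14.230 www.hao123.com
O1 - Hosts: 125.91.14.230 222.88.90.22
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: EyeOnIE - {C14393E1-95FF-4DFF-9BE0-EA008D4EF930} - C:\PROGRA~1\test\BHOPLU~1.DLL
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [5x] C:\WINDOWS\system32\rundll32.exe f7znf.dll Rundll32
O17 - HKLM\System\CCS\Services\Tcpip\..\{6AC11894-B744-4342-9436-BB584724872F}: NameServer = 203.153.16.40,203.153.16.41
""".strip()

# Hosts entries pointing here are benign ad-blocking; anything else is a redirect.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
# ASSUMPTION: analyst-maintained list of vendor folders (lower-case, long or 8.3
# form) whose BHOs have already been vetted. Not provided by HijackThis or the thread.
KNOWN_BHO_FOLDERS = {"adobe", "flashget", "java", "google"}

O1_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (.+)$")


def _second_level_folder(path):
    """'C:\\PROGRA~1\\test\\x.dll' -> 'test'; the vendor folder under Program Files."""
    parts = path.replace("/", "\\").split("\\")
    return parts[2].lower() if len(parts) > 3 else ""


def triage(log_text):
    """Return a list of {'section', 'severity', 'detail'} findings for one HJT log."""
    findings = []
    redirects = defaultdict(list)          # target IP -> hostnames hijacked to it
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O1_RE.match(line)
        if m:
            ip, host = m.groups()
            if ip not in LOOPBACK:
                redirects[ip].append(host)
            continue
        m = O2_RE.match(line)
        if m:
            name, clsid, path = m.groups()
            if _second_level_folder(path) not in KNOWN_BHO_FOLDERS:
                findings.append({"section": "O2", "severity": "high",
                                 "detail": f"BHO {name} {clsid} loads from unvetted folder: {path}"})
            continue
        m = O4_RE.match(line)
        if m:
            hive, name, cmd = m.groups()
            tokens = cmd.split()
            # rundll32 given a bare DLL name resolves it via the search path, a
            # classic way to hide a loader in system32 under a random name.
            if (tokens and tokens[0].lower().endswith("rundll32.exe")
                    and len(tokens) > 1 and "\\" not in tokens[1]):
                findings.append({"section": "O4", "severity": "high",
                                 "detail": f"{hive} Run [{name}] loads {tokens[1]} by bare name via rundll32"})
            continue
        m = O17_RE.match(line)
        if m:
            findings.append({"section": "O17", "severity": "info",
                             "detail": f"DNS servers set to {m.group(1)} (verify against the ISP's)"})
    for ip, hosts in redirects.items():
        findings.append({"section": "O1", "severity": "high",
                         "detail": f"{len(hosts)} hosts-file name(s) redirected to {ip}: " + ", ".join(hosts)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['section']}: {f['detail']}")
```

The O17 entry is deliberately reported as information only: the two NameServer addresses in the log are not loopback-hijacked, but a DNS change is the other common way to redirect a browser, so the analyst compares them against the ISP's servers rather than trusting a static rule.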


#6 DemonX (Member) - Posted 27 November 2006 - 03:41 PM

Alright, I will post the log again after I finish scanning.
=)

#7 TonyKlein (Spyware Moderator) - Posted 27 November 2006 - 03:44 PM

Alrighty; it is however important that you do ALL of the above in that exact order.

There may be additional aspects to this infection, and if we're unlucky we'll be at it for some time...

#8 DemonX (Member) - Posted 27 November 2006 - 04:00 PM

Still scanning, but so far:

34 spyware and 6 suspicious files detected. :o

#9 DemonX (Member) - Posted 27 November 2006 - 04:28 PM

Finished scanning.
Here's the report.


Incident Status Location

Adware:adware/diytoolbar Not disinfected Windows Registry
Adware:adware/iebar Not disinfected Windows Registry
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\USER\Cookies\user@2o7[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\USER\Cookies\user@ad.yieldmanager[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\USER\Cookies\user@ads.pointroll[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\USER\Cookies\user@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\USER\Cookies\user@atdmt[2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\USER\Cookies\user@azjmp[2].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\USER\Cookies\user@bravenet[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\USER\Cookies\user@burstnet[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\USER\Cookies\user@c5.zedo[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\USER\Cookies\user@casalemedia[1].txt
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\USER\Cookies\user@cs.sexcounter[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\USER\Cookies\user@doubleclick[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\USER\Cookies\user@fastclick[2].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\USER\Cookies\user@gostats[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\USER\Cookies\user@hitbox[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\USER\Cookies\user@mediaplex[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\USER\Cookies\user@perf.overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\USER\Cookies\user@questionmarket[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\USER\Cookies\user@realmedia[2].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\USER\Cookies\user@revenue[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\USER\Cookies\user@searchportal.information[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\USER\Cookies\user@server.iad.liveperson[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\USER\Cookies\user@serving-sys[2].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\USER\Cookies\user@sextracker[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\USER\Cookies\user@statcounter[1].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\USER\Cookies\user@statse.webtrendslive[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\USER\Cookies\user@tribalfusion[1].txt
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\USER\Cookies\user@webpower[1].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\USER\Cookies\user@z1.adserver[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\USER\Cookies\user@zedo[2].txt
Possible Virus. Not disinfected C:\Documents and Settings\USER\Local Settings\Temp\mylove.bat
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\94CRL1GT\popup[1].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\94CRL1GT\popup[2].htm
Possible Virus. Not disinfected C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\ANU3E9UZ\jh[1].exe
Possible Virus. Not disinfected C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\ANU3E9UZ\jh[2].exe
Possible Virus. Not disinfected C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\ANU3E9UZ\jh[3].exe
Possible Virus. Not disinfected C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\ANU3E9UZ\jh[4].exe
Possible Virus. Not disinfected C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\ANU3E9UZ\jh[5].exe
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\ORJZEKL1\popup[1].htm
Possible Virus. Not disinfected C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\SXC5MFCL\jh[1].exe
Possible Virus. Not disinfected C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\SXC5MFCL\jh[2].exe
Possible Virus. Not disinfected C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\SXC5MFCL\jh[3].exe
Possible Virus. Not disinfected C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\SXC5MFCL\jh[4].exe
Possible Virus. Not disinfected C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\SXC5MFCL\jh[5].exe
Possible Virus. Not disinfected C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\SXC5MFCL\jh[6].exe
Possible Virus. Not disinfected C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\SXC5MFCL\jh[7].exe
Possible Virus. Not disinfected C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\SXC5MFCL\jh[8].exe
Possible Virus. Not disinfected C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\SXC5MFCL\windows[1].exe
Possible Virus. Not disinfected C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\UT0NUX25\jh[10].exe
Possible Virus. Not disinfected C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\UT0NUX25\jh[1].exe
Possible Virus. Not disinfected C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\UT0NUX25\jh[2].exe
Possible Virus. Not disinfected C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\UT0NUX25\jh[3].exe
Possible Virus. Not disinfected C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\UT0NUX25\jh[4].exe
Possible Virus. Not disinfected C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\UT0NUX25\jh[5].exe
Possible Virus. Not disinfected C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\UT0NUX25\jh[6].exe
Possible Virus. Not disinfected C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\UT0NUX25\jh[7].exe
Possible Virus. Not disinfected C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\UT0NUX25\jh[8].exe
Possible Virus. Not disinfected C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\UT0NUX25\jh[9].exe
Possible Virus. Not disinfected C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\WDK3G7KB\jh[10].exe
Possible Virus. Not disinfected C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\WDK3G7KB\jh[1].exe
Possible Virus. Not disinfected C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\WDK3G7KB\jh[2].exe
Possible Virus. Not disinfected C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\WDK3G7KB\jh[3].exe
Possible Virus. Not disinfected C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\WDK3G7KB\jh[4].exe
Possible Virus. Not disinfected C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\WDK3G7KB\jh[5].exe
Possible Virus. Not disinfected C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\WDK3G7KB\jh[6].exe
Possible Virus. Not disinfected C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\WDK3G7KB\jh[7].exe
Possible Virus. Not disinfected C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\WDK3G7KB\jh[8].exe
Possible Virus. Not disinfected C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\WDK3G7KB\jh[9].exe
Possible Virus. Not disinfected C:\Game\Gravity\RO\eAthena\eASVN7887trunkSQL.rar[plugins\.svn\text-base\exchndl.dll.svn-base]
Possible Virus. Not disinfected C:\Game\Gravity\RO\eAthena\eASVN7887trunkSQL.rar[plugins\exchndl.dll]
Possible Virus. Not disinfected C:\Game\Gravity\RO\eAthena\plugins\.svn\text-base\exchndl.dll.svn-base
Possible Virus. Not disinfected C:\Game\Gravity\RO\eAthena\plugins\exchndl.dll
Possible Virus. Not disinfected C:\WINDOWS\system32\wdfmgr32.exe
Possible Virus. Not disinfected D:\eAthena.rar[eAthena\eASVN7887stableSQL.rar][plugins\.svn\text-base\exchndl.dll.svn-base]
Possible Virus. Not disinfected D:\eAthena.rar[eAthena\eASVN7887stableSQL.rar][plugins\exchndl.dll]
Possible Virus. Not disinfected D:\eAthena.rar[eAthena\eASVN7887stableTXT.rar][plugins\.svn\text-base\exchndl.dll.svn-base]
Possible Virus. Not disinfected D:\eAthena.rar[eAthena\eASVN7887stableTXT.rar][plugins\exchndl.dll]
Possible Virus. Not disinfected D:\eAthena.rar[eAthena\eASVN7887trunkSQL.rar][plugins\.svn\text-base\exchndl.dll.svn-base]
Possible Virus. Not disinfected D:\eAthena.rar[eAthena\eASVN7887trunkSQL.rar][plugins\exchndl.dll]
Possible Virus. Not disinfected D:\eAthena.rar[eAthena\eASVN7887trunkTXT.rar][plugins\.svn\text-base\exchndl.dll.svn-base]
Possible Virus. Not disinfected D:\eAthena.rar[eAthena\eASVN7887trunkTXT.rar][plugins\exchndl.dll]
Possible Virus. Not disinfected D:\eAthena.rar[eAthena\eASVN7887trunkTXT.rar][eASVN7887trunkSQL.rar][plugins\.svn\text-base\exchndl.dll.svn-base]
Possible Virus. Not disinfected D:\eAthena.rar[eAthena\eASVN7887trunkTXT.rar][eASVN7887trunkSQL.rar][plugins\exchndl.dll]
Possible Virus. Not disinfected D:\eAthena.rar[eAthena\eASVN7916trunkSQL.rar][plugins\.svn\text-base\exchndl.dll.svn-base]
Possible Virus. Not disinfected D:\eAthena.rar[eAthena\eASVN7916trunkSQL.rar][plugins\exchndl.dll]
Possible Virus. Not disinfected D:\eAthena.rar[eAthena\eASVN7916trunkTXT.rar][plugins\.svn\text-base\exchndl.dll.svn-base]
Possible Virus. Not disinfected D:\eAthena.rar[eAthena\eASVN7916trunkTXT.rar][plugins\exchndl.dll]
Possible Virus. Not disinfected D:\eAthena.rar[eAthena\EASVN7918stableSQL.rar][plugins\.svn\text-base\exchndl.dll.svn-base]
Possible Virus. Not disinfected D:\eAthena.rar[eAthena\EASVN7918stableSQL.rar][plugins\exchndl.dll]


Hijackthis Log.

Logfile of HijackThis v1.99.1
Scan saved at 0:27:59, on 2006-11-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\USER\Desktop\RuneScape.exe
C:\Documents and Settings\USER\Desktop\Spyware Cleaner\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6AC11894-B744-4342-9436-BB584724872F}: NameServer = 203.153.16.40,203.153.16.41
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

#10 TonyKlein (Spyware Moderator) - Posted 27 November 2006 - 04:34 PM

OK, your log looks much better.

Please download ATF Cleaner by Atribune.

Next, close all browser windows
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.


Next, download ComboFix.exe
Save it to the Desktop.

Open Notepad (Start > Run, type in: notepad)
Copy the following instructions to Notepad, and save them to the Desktop for use in Safe Mode.

Then, reboot to Safe Mode as follows:
-Restart your computer.
-When the machine first starts again, tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
-Select the option for Safe Mode using the arrow keys.
-Press Enter to boot into Safe Mode.

Once in Safe Mode, find and delete the C:\WINDOWS\system32\wdfmgr32.exe file

Go to Start > Run and paste in the following:

"%userprofile%\desktop\combofix.exe" /wow

Note:
Do not mouse-click the ComboFix window while it is running. That may cause the program to stall.

When finished, ComboFix produces a log.

Restart your computer normally.

Please include the following in your reply:
  • The ComboFix log
  • A new HijackThis log
Note: If the ComboFix log is too long, you may need to do more than one post to ensure the logs don't get cut off!

#11 DemonX (Member) - Posted 27 November 2006 - 04:48 PM

Weird.
I can't enter safe mode.
Every time I try to do that it just simply restarts over and over again.
Any idea? :blink:

#12 TonyKlein (Spyware Moderator) - Posted 27 November 2006 - 04:51 PM

I've seen it mentioned, but I can't quite remember where...

Try this first:

Go to Start > Run, type Msconfig and click OK.
Go to the Boot.ini tab.
In Boot Options, check "Safe Boot", and press 'OK'.

Now restart your computer. It *ought to* boot into Safe Mode.

Do what you need to do, then go back to the Boot.ini tab and remove the check mark at "Safe Boot" again to restart normally.

See whether that does the trick...

#13 DemonX (Member) - Posted 27 November 2006 - 04:51 PM

The last line I saw was agp440.sys.
Then the PC restarted again.
What's wrong?

#14 TonyKlein (Spyware Moderator) - Posted 27 November 2006 - 05:04 PM

Nothing specific comes to mind right now; it could be a corrupted driver or registry key.

Try running Combofix in 'normal' mode.

#15 TonyKlein (Spyware Moderator) - Posted 27 November 2006 - 06:01 PM

... also, would you please do the following:

Go to Start > Run, and paste the following into the box, then click OK:

regedit /e C:\show.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"

That will export the contents of that registry key to a C:\show.txt file.

Please copy the contents of that show.txt file and post them here.


Incidentally, if Combofix is unable to complete in Safe Mode, please perform a Clean Boot as detailed here, then try running the application that way.

#16 TonyKlein (Spyware Moderator) - Posted 27 November 2006 - 07:02 PM

I've been discussing your problem with Kimberly, a friend of mine, and she suggested you may well have been infected with a rather recent Chinese parasite that actually deletes the SafeBoot key. In that case no show.txt file, or an empty one, will be created.

Due to the fact that I'm a tad out of the loop where these particular infections are concerned, as well as being out of town for the next couple of days, I've asked Kim whether she would step in and work with you. I can assure you that you'll be in the very best of hands with her!
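
Why the SafeBoot key matters for the symptom in this thread: Safe Mode only loads the drivers and services listed under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal (or \Network), so if that key is gone the kernel has nothing to load and the boot aborts; and ticking "Safe Boot" in msconfig writes a /safeboot switch into boot.ini, which then forces that failing path on every boot. The script below is an added example for this thread, not a tool from the original post: it reads the show.txt produced by the regedit /e command in post #15, reports which SafeBoot subkeys are missing, and checks a boot.ini for the /safeboot switch so the two facts can be combined into a "boot loop" verdict. The expected-subkey list is a short subset of a stock XP SP2 system and is an assumption (the real key holds dozens of entries; extend it from a known-good machine); both the .reg and boot.ini samples are constructed.

```python
"""Check a 'regedit /e' export of the SafeBoot key for the subkeys Safe Mode needs,
and check boot.ini for a /safeboot switch that would loop if those subkeys are gone."""
import re

# Constructed sample of a healthy export, trimmed to a handful of subkeys.
GOOD_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Tcpip]
@="Service"
"""
# Constructed: what the export looks like when the key has been deleted (header only).
BAD_EXPORT = "Windows Registry Editor Version 5.00\n"

# Constructed boot.ini files: stock, and after msconfig's "Safe Boot" was ticked.
BOOT_INI_NORMAL = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
"""
BOOT_INI_SAFEBOOT = BOOT_INI_NORMAL.rstrip("\n") + " /safeboot:minimal\n"

SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
# ASSUMPTION: a small subset of the subkeys a stock XP SP2 SafeBoot key contains.
REQUIRED = {"Minimal": ["Base", "Boot Bus Extender", "vga.sys"],
            "Network": ["Base", "Tcpip"]}
KEY_RE = re.compile(r"^\[(.+)\]$")
OS_LINE = re.compile(r'^(\S+)="([^"]*)"(.*)$')
SAFEBOOT_SWITCH = re.compile(r"/safeboot(?::(\w+))?", re.IGNORECASE)


def load_reg_export(data):
    """regedit /e on XP writes UTF-16 with a BOM; accept that, ANSI bytes, or str."""
    if isinstance(data, bytes):
        if data.startswith((b"\xff\xfe", b"\xfe\xff")):
            return data.decode("utf-16")
        return data.decode("cp1252")
    return data


def parse_reg_export(data):
    """Map each exported key path (lower-cased) to its {name: raw value} pairs."""
    keys, current = {}, None
    for line in load_reg_export(data).splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = value
    return keys


def check_safeboot(keys):
    """List what is missing from the SafeBoot tree; empty list means it looks intact."""
    root = SAFEBOOT.lower()
    if root not in keys:
        return ["SafeBoot key absent from export: Safe Mode cannot start at all"]
    problems = []
    for mode, names in REQUIRED.items():
        base = f"{root}\\{mode.lower()}"
        if base not in keys:
            problems.append(f"SafeBoot\\{mode} missing")
            continue
        problems += [f"SafeBoot\\{mode}\\{n} missing" for n in names if f"{base}\\{n.lower()}" not in keys]
    return problems


def forced_safe_boot(boot_ini):
    """Return (label, mode) for every [operating systems] entry carrying /safeboot."""
    found, in_os = [], False
    for line in boot_ini.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_os = line.lower() == "[operating systems]"
            continue
        m = OS_LINE.match(line) if in_os else None
        if m and (sw := SAFEBOOT_SWITCH.search(m.group(3))):
            found.append((m.group(2), (sw.group(1) or "minimal").lower()))
    return found


def diagnose(reg_export, boot_ini):
    """Combine both checks: a forced safe boot with a broken SafeBoot key is a boot loop."""
    problems = check_safeboot(parse_reg_export(reg_export))
    forced = forced_safe_boot(boot_ini)
    return {"safeboot_problems": problems, "forced_safe_boot": forced,
            "boot_loop_risk": bool(problems) and bool(forced)}


if __name__ == "__main__":
    print(diagnose(GOOD_EXPORT, BOOT_INI_NORMAL))
    print(diagnose(BAD_EXPORT, BOOT_INI_SAFEBOOT))
```

The boot_loop_risk verdict is exactly the situation the thread runs into a few posts later: the key is damaged, msconfig has added /safeboot to boot.ini, and the only way out is to restore boot.ini from a backup (or from the Recovery Console) rather than to keep rebooting.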

#17 Kimberly (Member) - Posted 27 November 2006 - 10:37 PM

Hello DemonX,

TonyKlein asked me if I could step over to work with you.

Leave combofix aside for the time being, we need to focus on your startup problem first.
Can you please export the SafeBoot key as requested by Tony ?

Question : do you have the XP CD or another PC with internet access and a CD burner ?

Thanks. :)

Kim
Member of ASAP, the Alliance of Security Analysis Professionals
Member of UNITE, the Unified Network of Instructors and Trusted Eliminators
Microsoft MVP Windows-Security 2006 - 2008
Help us to take down malicious Flash advertisements

#18 DemonX (Member) - Posted 28 November 2006 - 02:32 PM

Kimberly, on Nov 28 2006, 06:37 AM, said: (post #17, quoted in full above)
Well, I have to say sorry to TonyKlein that I left here without giving notice.
By the way, I didn't mean it, because when I followed what he said, opened up msconfig and ticked safeboot, I couldn't load my Windows at all, not even in safe mode.
So all I could do was turn off the PC and sleep. It was 1:30am here by that time ;)
And today I took my PC to my friend and copied a boot.ini over so it could start.
But I'm having another problem now: when I run combofix it just shows a few lines of "cannot find something" and then it closes automatically.
Is anything wrong?

#19 Kimberly

    Member

  • Members
  • 12 posts
  • Gender:Male

Posted 28 November 2006 - 02:59 PM

Hello DemonX,

We are aware that ticking the safeboot option caused Windows to make an endless loop and that you were unable to boot. When I asked if you had the XP CD, it was in order to restore your old boot.ini from the command line so that you could boot the PC again.

Don't run combofix for the time being unless I tell you; the version has been updated and furthermore it runs in a different way. We need to check and maybe repair a couple of things first.

Please perform this first:

Make sure that you can see hidden files.
  • Click Start.
  • Click My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Uncheck the Hide file extensions for known file types option.
  • Click OK.
Locate C:\boot.ini.bak
Open the file with notepad.
Locate c:\boot.ini
Open the file with notepad.
Post the content of both files here.

Next ... I need an export of a key that might be damaged and that's the reason why you can't boot into safe mode.

Click Start > Run, and paste the following into the box, then click OK:

regedit /e /a C:\show.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"

That will export the contents of that registry key to the file C:\show.txt.

Open c:\show.txt in Notepad and copy/paste the content as a reply.

Kim

#20 DemonX

    Member

  • Members
  • 47 posts

Posted 28 November 2006 - 03:16 PM

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

I can't find boot.ini, only boot.ini.bak.

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AFD]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Browser]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Dhcp]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DnsCache]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LanmanServer]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LanmanWorkstation]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LmHosts]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Messenger]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NDIS]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NDIS Wrapper]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Ndisuio]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBIOS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBIOSGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBT]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetDDEGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetMan]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Network]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetworkProvider]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NtLmSsp]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PNP_TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdsessmgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SharedAccess]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Streams Drivers]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Tcpip]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\termservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WZCSVC]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
@="Net"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
@="NetClient"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
@="NetService"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
@="NetTrans"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

This is what is in show.txt.
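The export above is what the `regedit /e /a C:\show.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"` step in post #19 produces, and post #16 explains why it matters: if the SafeBoot key has been deleted, Safe Mode has no driver and service list to start from, and the machine cannot boot into it. Reading a few hundred lines of REGEDIT4 by eye is error-prone, so here is a small Python script that parses such a show.txt and reports whether the key and its Minimal and Network subtrees are intact. This is an added example, not code from the thread or from any of its participants; it uses only the standard library, and the "required entry" sets are a hand-picked subset of the entries visible in DemonX's export, chosen here as a sanity check rather than taken from any official reference. The two sample exports at the bottom are constructed for the example.

```python
import re

# Key the thread exports with: regedit /e /a C:\show.txt "<SAFEBOOT>"
SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"

# Hand-picked subset of entries present in the intact XP export posted in the
# thread (assumption for this example, not a complete reference list); if any
# of them is absent the subtree was damaged or deleted and Safe Mode will fail.
REQUIRED_MINIMAL = {"Base", "Boot Bus Extender", "Boot file system",
                    "File system", "vga.sys", "PlugPlay"}
REQUIRED_NETWORK = REQUIRED_MINIMAL | {"NDIS", "Tcpip", "AFD"}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg_export(text):
    """Parse a REGEDIT4 text export into {key_path: {value_name: data}}.

    Only what a SafeBoot check needs is handled: [key] headers and one-line
    string values ("name"="data", or @="data" for the default value).
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("REGEDIT4"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = data[1:-1]
            keys[current][name] = data
    return keys


def safeboot_entries(keys, mode):
    """Names of the keys directly under SafeBoot\\<mode> (mode: Minimal or Network)."""
    prefix = SAFEBOOT + "\\" + mode + "\\"
    return {k[len(prefix):] for k in keys
            if k.startswith(prefix) and "\\" not in k[len(prefix):]}


def check_safeboot(text):
    """Report whether the SafeBoot key is present and what each mode is missing."""
    keys = parse_reg_export(text)
    report = {
        "key_present": SAFEBOOT in keys,
        "alternate_shell": keys.get(SAFEBOOT, {}).get("AlternateShell"),
    }
    for mode, required in (("Minimal", REQUIRED_MINIMAL),
                           ("Network", REQUIRED_NETWORK)):
        found = safeboot_entries(keys, mode)
        report[mode] = {"count": len(found), "missing": sorted(required - found)}
    return report


# Constructed sample (not the thread's export): the parent key survives, but
# the Minimal list is truncated and the Network subtree is gone entirely.
DAMAGED_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
@="Driver"
"""

# Constructed sample for the case TonyKlein describes (key deleted): post #16
# says the export is then missing or empty; this models a header-only file.
EMPTY_EXPORT = "REGEDIT4\n"

if __name__ == "__main__":
    for label, export in (("damaged", DAMAGED_EXPORT), ("empty", EMPTY_EXPORT)):
        print(label, check_safeboot(export))
```

Run against the real show.txt with `check_safeboot(open(r"C:\show.txt").read())`; an intact export such as DemonX's gives empty `missing` lists for both modes, while a deleted key shows up as `key_present: False`. Note that `regedit /e /a` writes ANSI text, so on a non-English system open the file with the matching code page rather than UTF-8.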