
pyru.exe

Discussion in 'Malware and Virus Removal Archive' started by paodon, 2006/07/01.

  1. 2006/07/01
    paodon

    paodon Inactive Thread Starter

    Joined:
    2005/06/01
    Messages:
    45
    Likes Received:
    0
    I'm having some problems with my pc.
    There's something attempting to connect using a new connection called "internet". I manually delete it, but then it always comes back.
    Zone alarm asks for a strange process called pyru.exe. What is it? I deleted it using Hijack This, but after a while it returns.

    This is my log file:

    Logfile of HijackThis v1.99.1
    Scan saved at 16.01.24, on 01/07/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
    C:\Programmi\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\VNICMon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Programmi\IPM\Adsl\DataWay\dslstat.exe
    C:\WINDOWS\System32\dslagent.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Programmi\QuickTime\qttask.exe
    C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Programmi\WinZip\WZQKPICK.EXE
    C:\Programmi\Internet Explorer\iexplore.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    R3 - Default URLSearchHook is missing
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Class - {2B4C0EB6-D2AC-DBDE-3D8F-27D3742FE28A} - C:\WINDOWS\xhukg1.dll (file missing)
    O2 - BHO: Class - {3F89486C-EA9A-3610-8D86-4F3B23E62E67} - C:\WINDOWS\xhukg1.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [NIC Monitor] VNICMon.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [DSLSTATEXE] C:\Programmi\IPM\Adsl\DataWay\dslstat.exe icon
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [pjru1.exe] C:\WINDOWS\Temp\pjru1.exe
    O4 - HKLM\..\Run: [pjru2.exe] C:\WINDOWS\Temp\pjru2.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\System32\E_S17.tmp"
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} (NCSView Class) - http://ww3.pcn.minambiente.it/ecwplugins/ncs.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{75930C67-DA77-4F0C-BC80-A176A289BE86}: NameServer = 85.37.17.58 85.38.28.94
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Programmi\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NetJma - Unknown owner - C:\:nZs.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  2. 2006/07/01
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Hi and welcome to Windows BBS Forums.

    You have an odd one running here, none of the CLSIDs or files bring any hits via Google.

    If you would please do the following with the file indicated:
    Please go to http://virusscan.jotti.org , click on Browse, and upload the following file for analysis:

    C:\:nZs.exe
    C:\WINDOWS\Temp\pjru2.exe

    Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see. Please be patient as the service is usually very busy.

    As an alternative, please also submit the file to Norman Sandbox.

    Let's try and fix things.

    Below you will find my results and recommendations. Please read ALL instructions carefully BEFORE proceeding.

    You may want to print these instructions, as we will be working in safe mode and internet access will not be possible.

    Reboot, into safe mode, this way:
    Turn on the computer
    Immediately begin tapping the <F8> key.
    Use the arrow keys to highlight Safe Mode and press the <Enter> key.

    Also, enable the 'Show Hidden Folders' option, like this:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    First thing we need to do is stop NetJma service:
    Go to: Start > Run > type "services.msc", then click OK

    Scroll down to the NetJma service.

    Click it to highlight it, then <right-click> and select: Properties
    Select and set "Service Status" option to "Stop"
    Select: "Startup type" and set it to "Disabled", click Apply, then OK.

    Run Hijackthis and look over the following entries I have listed, check the boxes next to them and press the "Fix Checked" button with HijackThis. When you are doing this, make sure you have No IE windows, or other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    R3 - Default URLSearchHook is missing


    O2 - BHO: Class - {2B4C0EB6-D2AC-DBDE-3D8F-27D3742FE28A} - C:\WINDOWS\xhukg1.dll (file missing)

    O2 - BHO: Class - {3F89486C-EA9A-3610-8D86-4F3B23E62E67} - C:\WINDOWS\xhukg1.dll (file missing)


    O4 - HKLM\..\Run: [pjru1.exe] C:\WINDOWS\Temp\pjru1.exe

    O4 - HKLM\..\Run: [pjru2.exe] C:\WINDOWS\Temp\pjru2.exe



    O23 - Service: NetJma - Unknown owner - C:\:nZs.exe


    Search for, and delete, if found, the following files/folders:
    C:\WINDOWS\Temp <<< entire contents of this folder
    C:\WINDOWS\xhukg1.dll <<< file
    C:\:nZs.exe <<< file

    Reboot into Normal mode and post a new HJT log back into this thread please.


    Also please submit any findings by Norman and Jotti, thanks.
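The triage the helper did by eye above can be written down as rules. This is an added example, not code from the thread or from HijackThis: it parses O2, O4 and O23 lines (the sample lines are copied from the first log in the thread) and flags the three patterns behind the entries listed for fixing: a BHO whose DLL is missing, an autorun that launches from a Temp folder, and a service whose image path `C:\:nZs.exe` is a named NTFS data stream attached to the root directory, which no Explorer listing or file search will show. "Unknown owner" on its own is deliberately not a trigger, since the ATI services in the same log carry it too.

```python
"""Heuristic triage for HijackThis 1.99 log lines (added example)."""
import re

# Lines copied from the first HijackThis log posted in this thread.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {2B4C0EB6-D2AC-DBDE-3D8F-27D3742FE28A} - C:\WINDOWS\xhukg1.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [pjru1.exe] C:\WINDOWS\Temp\pjru1.exe
O4 - HKLM\..\Run: [pjru2.exe] C:\WINDOWS\Temp\pjru2.exe
O23 - Service: NetJma - Unknown owner - C:\:nZs.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# "C:\:name.exe" addresses a named data stream on the root directory itself:
# nothing is listed in any folder, so a normal file search never finds it.
ADS_RE = re.compile(r"^[A-Za-z]:\\:[^\\/:]+$")


def command_path(cmd):
    """Return the executable part of a Run value ("C:\\x.exe" /arg -> C:\\x.exe)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_line(line):
    """Return the reasons (possibly none) this HijackThis line deserves a closer look."""
    reasons = []
    m = BHO_RE.match(line)
    if m:
        if m.group("path").rstrip().endswith("(file missing)"):
            reasons.append("BHO registered but its DLL is missing")
        if m.group("name") == "Class":
            reasons.append("BHO has only a generic class name")
        return reasons
    m = RUN_RE.match(line)
    if m:
        if TEMP_DIR_RE.search(command_path(m.group("cmd"))):
            reasons.append("autorun launches an executable from a Temp folder")
        return reasons
    m = SVC_RE.match(line)
    if m:
        # Owner alone is not enough: legitimate ATI services are also "Unknown owner".
        if ADS_RE.match(m.group("path")):
            reasons.append("service image path is an NTFS alternate data stream")
        return reasons
    return reasons


def triage(log_text):
    """Return (line, reason) pairs for every flagged line in a log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for reason in triage_line(line):
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for flagged_line, why in triage(SAMPLE_HJT_LOG):
        print(f"{why}: {flagged_line}")
```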
     

  4. 2006/07/01
    paodon

    paodon Inactive Thread Starter

    Joined:
    2005/06/01
    Messages:
    45
    Likes Received:
    0
    Hi.
    Thank you very much.

    I tried to find these files to be scanned:

    nzs.exe
    windows/temp/pyru2.exe

    but I didn't find them.

    Then I did what you said in safe mode. This is the new HiJack log file:

    Logfile of HijackThis v1.99.1
    Scan saved at 21.29.43, on 01/07/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
    C:\Programmi\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\VNICMon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Programmi\IPM\Adsl\DataWay\dslstat.exe
    C:\WINDOWS\System32\dslagent.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Programmi\QuickTime\qttask.exe
    C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Programmi\WinZip\WZQKPICK.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [NIC Monitor] VNICMon.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [DSLSTATEXE] C:\Programmi\IPM\Adsl\DataWay\dslstat.exe icon
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\System32\E_S17.tmp"
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} (NCSView Class) - http://ww3.pcn.minambiente.it/ecwplugins/ncs.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Programmi\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  5. 2006/07/01
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Your log file appears to be clear of any infections.

    However, I am a little concerned about the file found in the service entries originally.

    I'd like to run an additional specialized scan to look for hidden files.

    Please download RootKitRevealer from here

    Unzip it to the desktop, run it, and click Scan. This will generate a log file; please post the entire log file back into this thread for me to view.

    I just want to be cautious here, thanks for being patient.
     
  6. 2006/07/01
    paodon

    paodon Inactive Thread Starter

    Joined:
    2005/06/01
    Messages:
    45
    Likes Received:
    0
    Hi.
    This is the log:

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs 21/06/2006 20.35 46 bytes Windows API length not consistent with raw hive data.
    HKLM\SOFTWARE\Zone Labs\ZoneAlarm\BlockCount 01/07/2006 23.34 4 bytes Data mismatch between Windows API and raw hive data.
    HKLM\SOFTWARE\Zone Labs\ZoneAlarm\IncomingCount 01/07/2006 23.34 4 bytes Data mismatch between Windows API and raw hive data.
    C:\$VAULT$.AVG\05879515.FIL 01/07/2006 23.38 39.48 KB Hidden from Windows API.
    C:\$VAULT$.AVG\05886203.FIL 01/07/2006 23.39 102.48 KB Hidden from Windows API.
    C:\$VAULT$.AVG\05890968.FIL 01/07/2006 23.39 39.48 KB Hidden from Windows API.
    C:\System Volume Information\_restore{36C7A3C0-DF84-4D58-B999-8316CA751066}\RP16\A0003808.exe 20/05/2006 20.46 39.00 KB Visible in Windows API, but not in MFT or directory index.
    C:\System Volume Information\_restore{36C7A3C0-DF84-4D58-B999-8316CA751066}\RP16\A0003809.exe 20/05/2006 20.46 102.00 KB Visible in Windows API, but not in MFT or directory index.
    C:\System Volume Information\_restore{36C7A3C0-DF84-4D58-B999-8316CA751066}\RP16\A0004799.exe 20/05/2006 20.46 39.00 KB Visible in Windows API, but not in MFT or directory index.
    C:\WINDOWS\con.lhb 01/07/2006 23.35 126.14 KB Hidden from Windows API.
    C:\WINDOWS\xhukg1.dll 01/07/2006 10.09 63.16 KB Hidden from Windows API.
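The RootkitRevealer log above mixes real findings with the noise the tool is known for. This added example (not from the thread and not RootkitRevealer's own code) parses each discrepancy line, sets aside the AVG quarantine vault, System Restore copies and ZoneAlarm counters, and keeps the rest: the AppInit_DLLs mismatch, `xhukg1.dll`, and `con.lhb`, whose base name is the reserved DOS device name CON, which is one reason ordinary Explorer or `del` commands cannot see or remove it. The benign-prefix list is my own triage assumption, not something the tool reports.

```python
"""Triage for RootkitRevealer discrepancy lines (added example)."""
import re

# Lines copied from the RootkitRevealer log posted above (Italian locale: dd/mm/yyyy, HH.MM).
SAMPLE_RKR_LOG = r"""
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs 21/06/2006 20.35 46 bytes Windows API length not consistent with raw hive data.
HKLM\SOFTWARE\Zone Labs\ZoneAlarm\BlockCount 01/07/2006 23.34 4 bytes Data mismatch between Windows API and raw hive data.
C:\$VAULT$.AVG\05879515.FIL 01/07/2006 23.38 39.48 KB Hidden from Windows API.
C:\System Volume Information\_restore{36C7A3C0-DF84-4D58-B999-8316CA751066}\RP16\A0003808.exe 20/05/2006 20.46 39.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\con.lhb 01/07/2006 23.35 126.14 KB Hidden from Windows API.
C:\WINDOWS\xhukg1.dll 01/07/2006 10.09 63.16 KB Hidden from Windows API.
"""

ENTRY_RE = re.compile(
    r"^(?P<path>.+?) (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}\.\d{2}) "
    r"(?P<size>\d+(?:\.\d+)?) (?P<unit>bytes|KB|MB) (?P<desc>.+)$"
)

# Triage assumptions: locations that legitimately differ between the Win32 API and raw data.
BENIGN_PREFIXES = [
    ("C:\\$VAULT$.AVG\\", "AVG virus vault; the AV hides its own quarantine"),
    ("C:\\System Volume Information\\", "System Restore copy, not a live file"),
    ("HKLM\\SOFTWARE\\Zone Labs\\ZoneAlarm\\", "firewall counter rewritten while the scan ran"),
]

# CON, PRN, AUX, NUL, COM1-9, LPT1-9 are device names even with an extension appended;
# Win32 path parsing hands such names to the device, so Explorer cannot open or delete them.
RESERVED_RE = re.compile(r"^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\..*)?$", re.IGNORECASE)


def classify(path, desc):
    """Return (severity, reason) for one discrepancy; severity "ignore" means known noise."""
    low = path.lower()
    for prefix, why in BENIGN_PREFIXES:
        if low.startswith(prefix.lower()):
            return ("ignore", why)
    if low.startswith("hklm\\") or low.startswith("hkcu\\"):
        if "appinit_dlls" in low:
            return ("high", "discrepancy in AppInit_DLLs, a DLL load point; read it from the offline hive")
        return ("medium", "registry value differs between Windows API and raw hive")
    name = path.rsplit("\\", 1)[-1]
    if RESERVED_RE.match(name):
        return ("high", "file uses a reserved device name; normal tools cannot open or delete it")
    if "hidden from windows api" in desc.lower():
        return ("high", "file hidden from the Windows API outside any known quarantine")
    return ("medium", desc.rstrip("."))


def triage(log_text):
    """Parse every entry and attach a severity and reason."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line) if line else None
        if not m:
            continue  # blank, header or unparsable line
        sev, reason = classify(m.group("path"), m.group("desc"))
        findings.append({"path": m.group("path"), "severity": sev, "reason": reason})
    return findings


def suspicious(log_text):
    """Only the entries that survive the noise filter."""
    return [f for f in triage(log_text) if f["severity"] != "ignore"]


if __name__ == "__main__":
    for f in suspicious(SAMPLE_RKR_LOG):
        print(f"[{f['severity']}] {f['path']}: {f['reason']}")
```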
     
  7. 2006/07/01
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Navigate to the following files and delete them:
    C:\WINDOWS\con.lhb
    C:\WINDOWS\xhukg1.dll

    Let me know if you have any troubles doing so.
     
  8. 2006/07/02
    paodon

    paodon Inactive Thread Starter

    Joined:
    2005/06/01
    Messages:
    45
    Likes Received:
    0
    Hi.
    I tried to delete those files, but they don't exist...
     
  9. 2006/07/02
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    Can't they be deleted directly from RootkitRevealer?
     
  10. 2006/07/02
    paodon

    paodon Inactive Thread Starter

    Joined:
    2005/06/01
    Messages:
    45
    Likes Received:
    0
    Sorry, but with RootkitRevealer I can only scan; I don't think I can delete anything.
    I tried to search those files, but they don't appear anywhere.
     
  11. 2006/07/02
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Please be sure you still have the 'hidden files and folders' option enabled.

    Is your machine behaving ok now? Let me know, thanks.
     
  12. 2006/07/02
    paodon

    paodon Inactive Thread Starter

    Joined:
    2005/06/01
    Messages:
    45
    Likes Received:
    0
    I checked again, but I can't find those files in either normal or safe mode.
     
  13. 2006/07/02
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    It's odd that RKR sees them but they are not there. Let's try another rootkit tool.

    Download the free beta of this tool from F-Secure, called Blacklight, and save it to your desktop:
    http://www.f-secure.com/exclude/blacklight/index.shtml

    Double-click on bibeta.exe to run it.
    Accept the agreement.
    Select Scan, then wait for it to complete.
    There will be a new text file next to Blacklight. Post it here for me to review.
     
  14. 2006/07/03
    paodon

    paodon Inactive Thread Starter

    Joined:
    2005/06/01
    Messages:
    45
    Likes Received:
    0
    Hi.
    I downloaded that program, but when I try to run it, it says:

    F-secure Blacklight could not acquire necessary privileges (SeDebugPrivilege)
     
  15. 2006/07/03
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, I'm awaiting some consultation on this. The error may indicate a hidden infection, but I want to verify before I have you run any more tools. Thanks for being patient.
     
  16. 2006/07/03
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, let's run a special tool and see what it finds. Either the infection is well hidden or something messed with those privileges, and we need to fix them.

    You have the latest version of VX2. Download L2mfix from one of these two locations:

    http://www.atribune.org/downloads/l2mfix.exe
    http://www.downloads.subratam.org/l2mfix.exe

    Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

    IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so! This Fix must NOT be run in safe mode for it to work.

    If you receive, while running option #1, an error similar to: "C:\windows\system32\cmd.exe C:\windows\system32\autoexec.nt. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose Close to terminate the application." ...then please use option 5 or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.
     
  17. 2006/07/04
    paodon

    paodon Inactive Thread Starter

    Joined:
    2005/06/01
    Messages:
    45
    Likes Received:
    0
    Hi.
    This is the first part of the log file:

    L2MFIX find log 051206
    These are the registry keys present
    **********************************************************************************
    Winlogon/notify:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
    "DLLName"="Ati2evxx.dll"
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000001
    "Lock"="AtiLockEvent"
    "Logoff"="AtiLogoffEvent"
    "Logon"="AtiLogonEvent"
    "Disconnect"="AtiDisConnectEvent"
    "Reconnect"="AtiReConnectEvent"
    "Safe"=dword:00000000
    "Shutdown"="AtiShutdownEvent"
    "StartScreenSaver"="AtiStartScreenSaverEvent"
    "StartShell"="AtiStartShellEvent"
    "Startup"="AtiStartupEvent"
    "StopScreenSaver"="AtiStopScreenSaverEvent"
    "Unlock"="AtiUnLockEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
      6c,00,00,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
      6c,00,6c,00,00,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
      6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
      6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
      6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    **********************************************************************************
    useragent:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

    **********************************************************************************
    Shell Extension key:
    Windows Registry Editor Version 5.00
     
  18. 2006/07/04
    paodon

    paodon Inactive Thread Starter

    Joined:
    2005/06/01
    Messages:
    45
    Likes Received:
    0
    and the second part:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{00022613-0000-0000-C000-000000000046}"="Proprietà dei file Multimedia"
    "{176d6597-26d3-11d1-b350-080036a75b03}"="Gestore scanner ICM"
    "{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="Pagina di protezione NTFS"
    "{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="Pagina di proprietà di Docfile OLE"
    "{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Estensioni shell per la condivisione"
    "{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
    "{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Estensione scheda video del Pannello di controllo"
    "{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Estensione monitor del Pannello di controllo"
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Estensione panoramica video del Pannello di controllo"
    "{4E40F770-369C-11d0-8922-00A024AB2DBB}"="Pagina di protezione DS"
    "{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Pagina compatibilità"
    "{56117100-C0CD-101B-81E2-00AA004AE837}"="Gestore dati dei ritagli di shell"
    "{59099400-57FF-11CE-BD94-0020AF85B590}"="Estensione copia dischi"
    "{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Estensioni shell per oggetti Rete Microsoft Windows"
    "{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="Gestore monitor ICM"
    "{675F097E-4C4D-11D0-B6C1-0800091AA605}"="Gestore stampante ICM"
    "{77597368-7b15-11d0-a0c2-080036af3f03}"="Estensione shell per la stampante Web"
    "{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
    "{85BBD920-42A0-1069-A2E4-08002B30309D}"="Sincronia file"
    "{88895560-9AA2-1069-930E-00AA0030EBC8}"="Estensione di icona di HyperTerminal"
    "{BD84B380-8CA2-1069-AB1D-08000948F534}"="Tipi di carattere"
    "{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="Profilo ICC"
    "{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Pagina di protezione della stampante"
    "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Estensioni shell per la condivisione"
    "{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
    "{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Estensione Crypto PKO"
    "{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Estensione firma crittografata"
    "{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Connessioni di rete"
    "{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Connessioni di rete"
    "{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanner e fotocamere digitali"
    "{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanner e fotocamere digitali"
    "{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanner e fotocamere digitali"
    "{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanner e fotocamere digitali"
    "{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanner e fotocamere digitali"
    "{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
    "{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
    "{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Estensione shell per Windows Script Host"
    "{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
    "{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
    "{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
    "{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Operazioni pianificate"
    "{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Barra delle applicazioni e menu di avvio"
    "{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Cerca"
    "{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Guida in linea e supporto tecnico"
    "{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Guida in linea e supporto tecnico"
    "{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Esegui..."
    "{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
    "{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="Posta elettronica"
    "{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Tipi di carattere"
    "{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Strumenti di amministrazione"
    "{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
    "{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
    "{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
    "{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
    "{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
    "{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
    "{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Barra degli strumenti Microsoft Internet"
    "{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Stato del download"
    "{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Shell Folder accresciuto"
    "{6413BA2C-B461-11d1-A18A-080036B11A03}"="Shell Folder 2 accresciuto"
    "{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
    "{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
    "{30D02401-6A81-11d0-8274-00C04FD5AE38}"="SearchBand"
    "{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
    "{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="Ricerca all'interno"
    "{07798131-AF23-11d1-9111-00A0C98BA67D}"="Ricerca Web"
    "{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Utilità opzioni della struttura del Registro di sistema"
    "{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Indirizzo"
    "{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
    "{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Completamento automatico Microsoft"
    "{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
    "{6756A641-DE71-11d0-831B-00AA005B4383}"="Elenco di Completamento automatico MRU"
    "{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Elenco di Completamento automatico MRU personalizzato"
    "{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessibile"
    "{acf35015-526e-4230-9596-becbe19f0ac9}"="Indicatore di avanzamento popup"
    "{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Parser della barra degli indirizzi"
    "{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Elenco di Completamento automatico della Cronologia di Microsoft"
    "{03C036F1-A186-11D0-824A-00AA005B4383}"="Elenco di Completamento automatico di Shell Folder di Microsoft"
    "{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Contenitore dell'elenco di Completamento automatico multiplo Microsoft"
    "{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
    "{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
    "{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
    "{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
    "{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="Assistenza utente"
    "{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Impostazioni cartella globale"
    "{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
    "{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
    "{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
    "{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
    "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
    "{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Servizio Cronologia Url Microsoft"
    "{FF393560-C2A7-11CF-BFF4-444553540000}"="Cronologia"
    "{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="File temporanei Internet"
    "{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="File temporanei Internet"
    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Hook per la ricerca di URL Microsoft"
    "{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC} "= "Schermata iniziale applicazioni Internet Explorer 4 "
    "{67EA19A0-CCEF-11d0-8024-00C04FD75D13} "= "CDF Extension Copy Hook "
    "{131A6951-7F78-11D0-A979-00C04FD705A2} "= "ISFBand OC "
    "{9461b922-3c5a-11d2-bf8b-00c04fb93661} "= "Search Assistant OC "
    "{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} "= "Internet "
    "{871C5380-42A0-1069-A2EA-08002B30309D} "= "Internet Name Space "
    "{EFA24E64-B078-11d0-89E4-00C04FC9E26E} "= "Explorer Band "
    "{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE} "= "Sendmail service "
    "{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE} "= "Sendmail service "
    "{88C6C381-2E85-11D0-94DE-444553540000} "= "Cartella cache ActiveX "
    "{E6FB5E20-DE35-11CF-9C87-00AA005127ED} "= "WebCheck "
    "{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE} "= "Subscription Mgr "
    "{F5175861-2688-11d0-9C5E-00AA00A45957} "= "Cartella Subscription "
    "{08165EA0-E946-11CF-9C87-00AA005127ED} "= "WebCheckWebCrawler "
    "{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB} "= "WebCheckChannelAgent "
    "{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7} "= "TrayAgent "
    "{7D559C10-9FE9-11d0-93F7-00AA0059CE02} "= "Code Download Agent "
    "{E6CC6978-6B6E-11D0-BECA-00C04FD940BE} "= "ConnectionAgent "
    "{D8BD2030-6FC9-11D0-864F-00AA006809D9} "= "PostAgent "
    "{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB} "= "WebCheck SyncMgr Handler "
    "{352EC2B7-8B9A-11D1-B8AE-006008059382} "= "Gestione applicazioni shell "
    "{0B124F8F-91F0-11D1-B8B5-006008059382} "= "Enumeratore applicazioni installate "
    "{CFCCC7A0-A282-11D1-9082-006008059382} "= "Darwin App Publisher "
    "{e84fda7c-1d6a-45f6-b725-cb260c236066} "= "Shell Image Verbs "
    "{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178} "= "Shell Image Data Factory "
    "{3F30C968-480A-4C6C-862D-EFC0897BB84B} "= "GDI + programma di estrazione file in anteprima "
    "{9DBD2C50-62AD-11d0-B806-00C04FD706EC} "= "Summary Info Thumbnail handler (DOCFILES) "
    "{EAB841A0-9550-11cf-8C16-00805F1408F3} "= "Programma di estrazione pagine HTML in anteprima "
    "{eb9b1153-3b57-4e68-959a-a3266bc3d7fe} "= "Shell Image Property Handler "
    "{CC6EEFFB-43F6-46c5-9619-51D571967F7D} "= "Pubblicazione guidata sul Web "
    "{add36aa8-751a-4579-a266-d66f5202ccbb} "= "Ordinazione di stampe tramite Web "
    "{6b33163c-76a5-4b6c-bf21-45de9cd503a1} "= "Oggetto Pubblicazione guidata sul Web "
    "{58f1f272-9240-4f51-b6d4-fd63d1618591} "= "Creazione guidata profilo Passport "
    "{7A9D77BD-5403-11d2-8785-2E0420524153} "= "Account utente "
    "{BD472F60-27FA-11cf-B8B4-444553540000} "= "Compressed (zipped) Folder Right Drag Handler "
    "{888DCA60-FC0A-11CF-8F0F-00C04FD7D062} "= "Compressed (zipped) Folder SendTo Target "
    "{f39a0dc0-9cc8-11d0-a599-00c04fd64433} "= "File del canale "
    "{f3aa0dc0-9cc8-11d0-a599-00c04fd64434} "= "Collegamento al canale "
    "{f3ba0dc0-9cc8-11d0-a599-00c04fd64435} "= "Channel Handler Object "
    "{f3da0dc0-9cc8-11d0-a599-00c04fd64437} "= "Channel Menu "
    "{f3ea0dc0-9cc8-11d0-a599-00c04fd64438} "= "Channel Properties "
    "{63da6ec0-2e98-11cf-8d82-444553540000} "= "FTP Folders Webview "
    "{883373C3-BF89-11D1-BE35-080036B11A03} "= "Microsoft DocProp Shell Ext "
    "{A9CF0EAE-901A-4739-A481-E35B73E47F6D} "= "Microsoft DocProp Inplace Edit Box Control "
    "{8EE97210-FD1F-4B19-91DA-67914005F020} "= "Microsoft DocProp Inplace ML Edit Box Control "
    "{0EEA25CC-4362-4A12-850B-86EE61B0D3EB} "= "Microsoft DocProp Inplace Droplist Combo Control "
    "{6A205B57-2567-4A2C-B881-F787FAB579A3} "= "Microsoft DocProp Inplace Calendar Control "
    "{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33} "= "Microsoft DocProp Inplace Time Control "
    "{8A23E65E-31C2-11d0-891C-00A024AB2DBB} "= "Directory Query UI "
    "{9E51E0D0-6E0F-11d2-9601-00C04FA31A86} "= "Shell properties for a DS object "
    "{163FDC20-2ABC-11d0-88F0-00A024AB2DBB} "= "Directory Object Find "
    "{F020E586-5264-11d1-A532-0000F8757D7E} "= "Directory Start/Search Find "
    "{0D45D530-764B-11d0-A1CA-00AA00C16E65} "= "Directory Property UI "
    "{62AE1F9A-126A-11D0-A14B-0800361B1103} "= "Directory Context Menu Verbs "
    "{ECF03A33-103D-11d2-854D-006008059367} "= "MyDocs Copy Hook "
    "{ECF03A32-103D-11d2-854D-006008059367} "= "MyDocs Drop Target "
    "{4a7ded0a-ad25-11d0-98a8-0800361b1103} "= "MyDocs Properties "
    "{750fdf0e-2a26-11d1-a3ea-080036587f03} "= "Offline Files Menu "
    "{10CFC467-4392-11d2-8DB4-00C04FA31A66} "= "Offline Files Folder Options "
    "{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E} "= "Cartella file non in linea "
    "{143A62C8-C33B-11D1-84FE-00C04FA34A14} "= "Microsoft Agent Character Property Sheet Handler "
    "{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6} "= "DfsShell "
    "{60fd46de-f830-4894-a628-6fa81bc0190d} "= "%DESC_PublishDropTarget% "
    "{7A80E4A8-8005-11D2-BCF8-00C04F72C717} "= "MMC Icon Handler "
    "{0CD7A5C0-9F37-11CE-AE65-08002B2E1262} "= ".CAB file viewer "
    "{32714800-2E5F-11d0-8B85-00AA0044F941} "= "&Contatti... "
    "{8DD448E6-C188-4aed-AF92-44956194EB1F} "= "Windows Media Player Play as Playlist Context Menu Handler "
    "{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C} "= "Windows Media Player Burn Audio CD Context Menu Handler "
    "{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD} "= "Windows Media Player Add to Playlist Context Menu Handler "
    "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} "= "AVG7 Shell Extension "
    "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} "= "AVG7 Find Extension "
    "{BDEADF00-C265-11D0-BCED-00A0C90AB50F} "= "Cartelle Web "
    "{0006F045-0000-0000-C000-000000000046} "= "Microsoft Outlook Custom Icon Handler "
    "{42042206-2D85-11D3-8CFF-005004838597} "= "Microsoft Office HTML Icon Handler "
    "{E0D79304-84BE-11CE-9641-444553540000} "= "WinZip "
    "{E0D79305-84BE-11CE-9641-444553540000} "= "WinZip "
    "{E0D79306-84BE-11CE-9641-444553540000} "= "WinZip "
    "{E0D79307-84BE-11CE-9641-444553540000} "= "WinZip "
    "{640167b4-59b0-47a6-b335-a6b3c0695aea} "= "Portable Media Devices "
    "{cc86590a-b60a-48e6-996b-41d25ed39a1e} "= "Portable Media Devices Menu "

    **********************************************************************************
    HKEY ROOT CLASSIDS:
    **********************************************************************************
    Files Found are not all bad files:

    C:\WINDOWS\SYSTEM32\
    divx.dll Thu 15 Jun 2006 23.55.04 A.... 620.180 605,64 K
    divxwm~1.dll Wed 19 Apr 2006 2.04.54 A.... 12.288 12,00 K
    divx_x~1.dll Thu 15 Jun 2006 23.55.04 A.... 778.240 760,00 K
    divx_x~2.dll Thu 15 Jun 2006 23.55.04 A.... 778.240 760,00 K
    divx_x~3.dll Thu 15 Jun 2006 23.55.04 A.... 761.856 744,00 K
    dpl100.dll Thu 25 May 2006 0.46.44 A.... 90.112 88,00 K
    dpu10.dll Thu 25 May 2006 0.46.44 A.... 294.912 288,00 K
    dpu11.dll Thu 25 May 2006 0.46.44 A.... 294.912 288,00 K
    dpugui10.dll Thu 25 May 2006 0.46.52 A.... 53.248 52,00 K
    dpugui11.dll Thu 25 May 2006 0.46.44 A.... 593.920 580,00 K
    dpus11.dll Thu 25 May 2006 0.46.44 A.... 344.064 336,00 K
    dpv11.dll Thu 25 May 2006 0.46.44 A.... 57.344 56,00 K
    dtu100.dll Thu 25 May 2006 0.46.44 A.... 200.704 196,00 K
    ggaa.dll Fri 30 Jun 2006 10.20.12 A.... 9.728 9,50 K
    libdivx.dll Thu 25 May 2006 0.43.44 A.... 1.044.480 1020,00 K
    msvcp71.dll Sat 20 May 2006 17.27.00 A.... 499.712 488,00 K
    msvcr71.dll Sat 20 May 2006 17.27.00 A.... 348.160 340,00 K
    px.dll Fri 2 Jun 2006 0.11.08 ..... 372.736 364,00 K
    pxdrv.dll Fri 2 Jun 2006 0.11.08 ..... 421.888 412,00 K
    pxmas.dll Fri 2 Jun 2006 0.11.08 ..... 172.032 168,00 K
    pxwave.dll Fri 2 Jun 2006 0.11.08 ..... 339.968 332,00 K
    qt-dx331.dll Thu 25 May 2006 0.47.12 A.... 3.596.288 3,43 M
    ssldivx.dll Thu 25 May 2006 0.43.44 A.... 200.704 196,00 K
    vxblock.dll Fri 2 Jun 2006 0.11.08 ..... 28.672 28,00 K

    24 items found: 24 files, 0 directories.
    Total of file sizes: 11.914.388 bytes 11,36 M
    Locate .tmp files:

    C:\WINDOWS\SYSTEM32\
    e_s17.tmp Fri 9 Jun 2006 11.23.18 A.... 60 0,06 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 60 bytes 0,06 K
    **********************************************************************************
    Directory Listing of system files:
    Volume in drive C has no label.
    Volume Serial Number is 78F2-D1F0

    Directory of C:\WINDOWS\System32

    02/07/2006 20.18 <DIR> dllcache
    20/05/2006 17.07 <DIR> Microsoft
    0 File(s) 0 bytes
    2 Dir(s) 62.369.615.872 bytes free
     
  19. 2006/07/04
    TeMerc (Inactive Alumni)

    OK, not enough to give us what we were really looking for.

    Below is a tool which will reset the privileges we need.

    DL VX2Finder from here

    Run the exe, click 'restore policy' and reboot.

    Then try and run Blacklight again please, thanks.
     
  20. 2006/07/04
    paodon (Inactive, Thread Starter)

    OK, now it's functioning.
    This is the Blbeta log:

    07/04/06 12:56:35 [Info]: BlackLight Engine 1.0.42 initialized
    07/04/06 12:56:35 [Info]: OS: 5.1 build 2600 (Service Pack 1)
    07/04/06 12:56:35 [Note]: 7019 4
    07/04/06 12:56:35 [Note]: 7005 0
    07/04/06 12:56:39 [Note]: 7006 0
    07/04/06 12:56:40 [Note]: 7011 1480
    07/04/06 12:56:40 [Note]: 7026 0
    07/04/06 12:56:40 [Note]: 7026 0
    07/04/06 12:56:44 [Note]: FSRAW library version 1.7.1019
    07/04/06 12:57:13 [Info]: Hidden file: c:\WINDOWS\con.lhb
    07/04/06 12:57:13 [Note]: 7002 0
    07/04/06 12:57:13 [Note]: 7003 1
    07/04/06 12:57:13 [Note]: 10002 1
    07/04/06 12:57:14 [Info]: Hidden file: c:\WINDOWS\xhukg1.dll
    07/04/06 12:57:14 [Note]: 10002 1
    07/04/06 12:59:02 [Note]: 7007 0
     
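    The two logs in this thread are read in different ways. The WinPFind listing in post 18 is a plain directory listing of recently modified files in System32 (the tool itself says "Files Found are not all bad files"); the BlackLight lines above are something else: a "Hidden file" entry means BlackLight found the file on disk but the normal directory APIs do not return it, which is the cross-view discrepancy a rootkit hook leaves behind. The script below is an added example, not part of the original posts and not code from WinPFind or BlackLight. It parses both formats, using verbatim lines from the thread as constructed sample input, lists the BlackLight hidden files, and flags WinPFind entries modified in the week before the scan. The scan date (taken from the dllcache timestamp at the end of the posted listing) and the seven-day window are assumptions of this example, and the output is a review list, not a verdict on any file.

```python
"""Triage helper for the WinPFind and BlackLight output posted in this thread.

Added example, not part of the original posts and not the tools' own code.
The sample lines below are copied from the posted logs (constructed input,
not a live scan). The "recently modified" window is an assumption of this
example and marks files for review, not as malicious.
"""
import re
from datetime import datetime, timedelta

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

# WinPFind "Files Found" line. The log came from an Italian locale, so "."
# separates both the time fields and the thousands in the byte count, e.g.
#   ggaa.dll Fri 30 Jun 2006 10.20.12 A.... 9.728 9,50 K
WINPFIND_RE = re.compile(
    r"^(?P<name>\S+)\s+[A-Za-z]{3}\s+(?P<day>\d{1,2})\s+(?P<mon>[A-Za-z]{3})\s+"
    r"(?P<year>\d{4})\s+(?P<hh>\d{1,2})\.(?P<mm>\d{2})\.(?P<ss>\d{2})\s+"
    r"(?P<attrs>[A-Z.]{5})\s+(?P<size>[\d.]+)\s"
)

# BlackLight line, e.g.
#   07/04/06 12:57:13 [Info]: Hidden file: c:\WINDOWS\con.lhb
BLACKLIGHT_RE = re.compile(
    r"^\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \[(?P<level>\w+)\]: (?P<msg>.*)$"
)

# Constructed sample: a subset of the WinPFind listing in the thread, verbatim.
WINPFIND_SAMPLE = """\
C:\\WINDOWS\\SYSTEM32\\
divx.dll Thu 15 Jun 2006 23.55.04 A.... 620.180 605,64 K
ggaa.dll Fri 30 Jun 2006 10.20.12 A.... 9.728 9,50 K
msvcp71.dll Sat 20 May 2006 17.27.00 A.... 499.712 488,00 K
px.dll Fri 2 Jun 2006 0.11.08 ..... 372.736 364,00 K
vxblock.dll Fri 2 Jun 2006 0.11.08 ..... 28.672 28,00 K
"""

# Constructed sample: a subset of the BlackLight log in the thread, verbatim.
BLACKLIGHT_SAMPLE = """\
07/04/06 12:56:35 [Info]: BlackLight Engine 1.0.42 initialized
07/04/06 12:57:13 [Info]: Hidden file: c:\\WINDOWS\\con.lhb
07/04/06 12:57:13 [Note]: 7002 0
07/04/06 12:57:14 [Info]: Hidden file: c:\\WINDOWS\\xhukg1.dll
07/04/06 12:59:02 [Note]: 7007 0
"""

# Assumed scan date: the dllcache timestamp (02/07/2006, dd/mm) at the end of
# the posted WinPFind output.
SCAN_DATE = datetime(2006, 7, 2)


def parse_winpfind(text):
    """Return one dict per file line: name, mtime, attrs, size in bytes."""
    entries = []
    for line in text.splitlines():
        m = WINPFIND_RE.match(line.strip())
        if not m:
            continue  # directory headers, totals, blank lines
        entries.append({
            "name": m["name"],
            "mtime": datetime(int(m["year"]), MONTHS[m["mon"]], int(m["day"]),
                              int(m["hh"]), int(m["mm"]), int(m["ss"])),
            "attrs": m["attrs"],
            "size": int(m["size"].replace(".", "")),  # drop thousands separator
        })
    return entries


def parse_blacklight(text):
    """Return the paths BlackLight reported as hidden.

    A "Hidden file" line means the file exists on disk but is not returned by
    the normal directory APIs: the cross-view discrepancy a rootkit hook leaves.
    """
    hidden = []
    for line in text.splitlines():
        m = BLACKLIGHT_RE.match(line.strip())
        if m and m["msg"].startswith("Hidden file: "):
            hidden.append(m["msg"][len("Hidden file: "):])
    return hidden


def flag_recent(entries, scan_date, days=7):
    """Names modified within `days` before the scan (review list, not verdict)."""
    cutoff = scan_date - timedelta(days=days)
    return [e["name"] for e in entries if e["mtime"] >= cutoff]


def triage(winpfind_text, blacklight_text, scan_date, days=7):
    """Combine both logs into one review list."""
    entries = parse_winpfind(winpfind_text)
    return {
        "recent": flag_recent(entries, scan_date, days),
        "hidden": parse_blacklight(blacklight_text),
    }


def triage_sample():
    """Run the triage over the constructed sample from the thread."""
    return triage(WINPFIND_SAMPLE, BLACKLIGHT_SAMPLE, SCAN_DATE)


if __name__ == "__main__":
    result = triage_sample()
    print("modified in the week before the scan:", result["recent"])
    print("hidden from the Win32 directory APIs:", result["hidden"])
```

    Run as-is it prints the review list for the sample; to use it on a full log, pass the pasted WinPFind and BlackLight text to `triage()` with the real scan date. The two lists answer different questions: a recently modified file may simply be a fresh install, whereas a path that only shows up in the raw scan is worth checking regardless of its date.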
  21. 2006/07/04
    paodon (Inactive, Thread Starter)

    Could I fix those hidden files using BlBeta?
     