My response to urdvxc / irdvxc
Jon Nileprecinct Feline
2008jul26
I've now spent two full working days shooting one of the most insidious invasions my WinXP box has yet experienced: the urdvxc / irdvxc or allaple worm. These are a few reflections concerning what happened.
Preparedness
The key to shooting a bug like this in a timely fashion is preparedness. These things proved to be paramount:
1. When the WinXP box is received it is necessary to inventory the executing tasks visible in the Windoze taskmanager & look each one up on the Web by name. The necessity of each runtime task must be clearly demonstrable & their origin precisely known. A close familiarity with the executing tasks is what made possible the immediate identification of urdvxc.exe & irdvxc.exe as obviously foreign intruders.
2. All user data should be backed up at least weekly to CD or a flash device. The urdvxc / irdvxc invasion is the first time I have seen a program actually fry the source to literally thousands of decks of interpretable code throughout the system. Nonetheless, those of my own HTML decks which had been compromised were easily restored from the most recent backup.
3. Adherence to a creative coding standard can serve to insulate some data from attack. Every deck of HTML in the system incurred an <OBJECT> line after the first occurrence of <HTML> with the notable exceptions of my most active projects coded <HTML dir=ltr> & a few dozen pages in pcHealth whose headers read (sic) <HTML >.
Incipience
When I heard the feed from my WinAmp playlist cutting out in the early morning I got up to shut it off. Once it was down, however, the dialup traffic remained active in both directions as indicated by the connection icon, & the harddisk was spinning madly away per the red indicator light. This was clearly a data mining infection & I perused the TaskManager list to see if something was immediately obvious. It was. Although wishing I had the luxury of addressing the situation in a controlled, scientific manner, I came out swinging. These are the actions to take in the proper order:
1. Cancel both urdvxc.exe & irdvxc.exe via TaskManager, repeatedly if necessary. Shut down the internet connection. Run a scan on the entire harddisk for files bearing these names. I use 2xExplorer which immediately forked over:
irdvxc.exe
urdvxc.exe
in \WINDOWS\system32 and:
IRDVXC.EXE-1CBEF45D.pf
URDVXC.EXE-079A7CB0.pf
in \WINDOWS\Prefetch. All four of these I moved to a neutral directory for safe keeping. The next step is to place stubs in the vacated places in system32, set to readonly via ATTRIB, ie:
Volume in drive C is CircleOmega
Volume Serial Number is E8C8-C412
Directory of C:\WINDOWS\system32
2008-07-25 06:30 5 IRDVXC.EXE
2008-07-25 06:31 5 URDVXC.EXE
2 File(s) 10 bytes
0 Dir(s) 22,496,702,464 bytes free
2. Get to the Web & search for these horrendous beasts via AltaVista. Some of the most useful information is at:
Network Worm Allaple.B - Softpanorama
Problem? - Suggestafix
Win32 / Mallar family - ca.com
Worm allaple.c - TrendMicro
Scary stuff. It goes without saying these folks have done an exceptionally fine job. There were then five issues to address. Firstly, the presence of a Windoze "service" which is causing the program to be initiated at startup. Secondly, the existence of the registry keys referencing the primary EXEs & in part supporting the existence of the "service". Third, the cloned executables throughout the disk, one for every HTML deck which has been spotted & infected. Fourth, the registry entries referenced by the lines in the compromised HTML which themselves point to the cloned executables, & finally the <OBJECT> lines which have been inserted into HTML throughout the system. In my case the spawned clones of urdvxc.exe were 94890 bytes long & dated 2008-07-25 am03:32 or somewhat just thereafter.
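A read-only inventory of the third, fourth & fifth items above, as an added example rather than the author's own tooling: it walks a tree, flags HTML whose first bare <HTML> is followed by an <OBJECT> tag naming a CLSID, lists eight-letter EXEs of the reported 94890 bytes, & reports directories where the two no longer pair up. The exact markup of the inserted tag, the function names & the sample tree are assumptions constructed for the demonstration.

```python
import os
import re
import tempfile

CLONE_SIZE = 94890  # byte length of the clones reported in this writeup
CLONE_NAME = re.compile(r"^[A-Z]{8}\.EXE$", re.I)  # ????????.EXE, letters only
BARE_HTML = re.compile(rb"<HTML>", re.I)  # <HTML dir=ltr> and <HTML > were spared
# Assumption: the inserted tag directly follows the first bare <HTML>.
INJECTED = re.compile(rb"<HTML>\s*(<OBJECT\b[^>]*CLSID[^>]*>)", re.I)
GUID = re.compile(rb"[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}", re.I)
# Constructed sample of an inserted line; the real markup is not quoted on the page.
SAMPLE_TAG = b'<OBJECT type="application/x-oleobject" CLASSID="CLSID:{%s}"></OBJECT>'


def injected_clsid(path):
    """Return the GUID named by an <OBJECT> tag inserted after the first <HTML>.

    None means no inserted tag; "" means a tag without a parsable GUID.
    """
    with open(path, "rb") as fh:
        head = fh.read(65536)  # the tag sits near the top of the file
    first = BARE_HTML.search(head)
    if first is None:
        return None
    hit = INJECTED.match(head, first.start())
    if hit is None:
        return None
    guid = GUID.search(hit.group(1))
    return guid.group(0).decode("ascii").upper() if guid else ""


def scan(root, clone_size=CLONE_SIZE):
    """Walk root without modifying anything.

    Returns {directory: {"html": {file: clsid}, "clones": [file, ...]}} for every
    directory holding an injected page or a clone-shaped executable.
    """
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        html, clones = {}, []
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower().startswith(".htm"):
                clsid = injected_clsid(full)
                if clsid is not None:
                    html[name] = clsid
            elif CLONE_NAME.match(name) and os.path.getsize(full) == clone_size:
                clones.append(name)
        if html or clones:
            report[os.path.relpath(dirpath, root)] = {"html": html, "clones": clones}
    return report


def leftovers(report):
    """Directories where injected pages and clones do not pair up one to one,
    i.e. a cleanup pass removed one half and left the other behind."""
    return sorted(d for d, r in report.items() if len(r["html"]) != len(r["clones"]))


def build_sample(root):
    """Write a small constructed tree: paired, half-cleaned and clean cases."""
    def put(rel, data):
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)

    page = b"<HTML>\r\n%s\r\n<HEAD></HEAD><BODY>x</BODY></HTML>"
    put("docs/a.htm", page % (SAMPLE_TAG % b"00000000-0000-0000-0000-00000000A001"))
    put("docs/ABCDEFGH.EXE", b"\0" * CLONE_SIZE)  # clone beside its page
    put("docs/b.html", b"<HTML dir=ltr>\n<HEAD></HEAD></HTML>")  # spared form
    put("help/c.htm", page % (SAMPLE_TAG % b"00000000-0000-0000-0000-00000000A002"))
    put("help/SETUPXYZ.EXE", b"\0" * 10)  # right name shape, wrong size
    put("tools/QWERTYUI.EXE", b"\0" * CLONE_SIZE)  # clone whose page was restored


def demo():
    """Scan the constructed tree and return (report, leftover directories)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        report = scan(root)
    return report, leftovers(report)


if __name__ == "__main__":
    report, left = demo()
    for directory, found in sorted(report.items()):
        print(directory, "clones:", found["clones"])
        for name, clsid in found["html"].items():
            print("  %s -> review HKEY_CLASSES_ROOT\\CLSID\\{%s}" % (name, clsid))
    print("unpaired directories:", left)
```

Run again after each cleanup pass: an empty report means no injected pages or clone-shaped files remain under the scanned root.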
Action
1. Offline, I immediately ran Spybot & my old version of AdAwareSE which saw nothing even with current updates. As per suggestafix above, the next step is downloading HijackThis & letting it attempt to retire the urdvxc "service" from Windoze. This pulls you into the "safe" mode / msConfig loop which isn't a great deal of help. As in the writeups, the registry keys for MSDISK (irdvxc) & MSWINDOWS (urdvxc) have got to be taken out via regedit.
2. A careful look at the posts reveals an additional registry key referencing the base module. In my case it was indeed:
HKEY_CLASSES_ROOT\CLSID\{D2CDEB42-C034-80D1-8096-BFD48620F496}\
LocalServer32(Default) = "%System%\urdvxc.exe"
which also requires explicit deletion via regedit.
3. Removing the hundreds of spawned executables is the next paramount step. There's one for each infected HTML deck (in the same directory), so I started by using 2xExplorer to search for files with names of the form *.HTM* containing the string "CLSID", then sorted the result by date to isolate only the damaged files. Of course "legitimate" use of an "x-oleobject" to reference a Windoze registry key is particularly ill-advised hence rare. The search in \WINDOWS turns up 237 instances particularly throughout the "help" system, pcHealth, & the OOBE. The search in \ProgramFiles yields 430 items mostly in the Adobe reader, the Java JDK, Netscape, RealPlayer & the MicroSloth office templates, only one of which is unrelated to the assault. For the record, my own core data had 125 infected decks of HTML, roughly half of which are in the distribution copies of software such as W32 Lynx, but all of which were restorable from backup. In a separate area I also have 1800 HTML files in 3 directories from an automated save from the UCPD Berkeley website which I don't keep backed up. This means a total of nearly 3000 instances of the 94890 byte cloned EXE (yes, 300M), associated registry keys, & compromised HTML.
Although I started clearing the UCPD & Windoze directories by hand, I quickly realised the most expeditious way to perform an automated delete of the EXEs throughout the system was to use pkZip to create a recursive archive (pkzip -arPt [file01] \????????.EXE) & then list its directory contents to a textfile (pkZip -v [file01] >[file02]) whose lines I could sort by filesize & then massage into batchfile delete commands as they specify the complete paths, viz:
@echo off
del DOCUME~1\XPNODE\LOCALS~1\TEMP\CLLXNXKK.EXE
del DOCUME~1\XPNODE\LOCALS~1\TEMP\CNJHRHNW.EXE
del DOCUME~1\XPNODE\MYDOCU~1\JRJVHHSK.EXE
del KPGLOBAL\VIRUS\HTM\BLEJKSHT.EXE
del KPGLOBAL\VIRUS\HTM\BNWSTBHL.EXE
del KPGLOBAL\VIRUS\HTM\HBBEWJHE.EXE
del KPGLOBAL\VIRUS\HTM\HRBRERHS.EXE
del KPGLOBAL\VIRUS\HTM\JBJESTER.EXE
del KPGLOBAL\VIRUS\HTM\JNWQCJJN.EXE
del KPGLOBAL\VIRUS\HTM\KHVBHCNS.EXE
del KPGLOBAL\VIRUS\HTM\KRSNVEXB.EXE
del KPGLOBAL\VIRUS\HTM\LLEBHNTK.EXE
del KPGLOBAL\VIRUS\HTM\LVLKSBKN.EXE
del KPGLOBAL\VIRUS\HTM\RHKEBKRX.EXE
del KPGLOBAL\VIRUS\HTM\RNQRBCXL.EXE
del KPGLOBAL\VIRUS\HTM\RNRKNBKH.EXE
del KPGLOBAL\VIRUS\HTM\SCBEBEET.EXE
del KPGLOBAL\VIRUS\HTM\TKEJJLKX.EXE
del KPGLOBAL\VIRUS\HTM\TLLNNEKB.EXE
del KPGLOBAL\VIRUS\HTM\XETHXRQQ.EXE
del KPGLOBAL\VIRUS\HTM\ZJETJEHS.EXE
del KPGLOBAL\VIRUS\HTM\ZTNKZBSL.EXE
del KPZONE\KDATA\BUD\$DATABOD\SLKJELCJ.EXE
del KPZONE\KDATA\BUD\$DATABOD\SRJTLQTL.EXE
del KPZONE\KDATA\BUD\$DATAZHO\JKTNKEWJ.EXE
del KPZONE\KDATA\CJK\$DATAZHO\HKELVQJH.EXE
del KPZONE\KDATA\CJK\$DATAZHO\NBESJEVT.EXE
del KPZONE\KDATA\HTM\BONSAIBF\HKNBCRWQ.EXE
del KPZONE\KDATA\HTM\BONSAIBF\NHZHJEBV.EXE
del KPZONE\KDATA\HTM\BONSAIBF\RNZTLLSR.EXE
del KPZONE\KDATA\HTM\BONSAIBF\TJWEXEBS.EXE
del KPZONE\KDATA\HTM\BONSAIBF\XCEVHHRR.EXE
del KPZONE\KDATA\HTM\PRINTER\BLBNWKLJ.EXE
del KPZONE\KDATA\HTM\PRINTER\BNVXRKNJ.EXE
del KPZONE\KDATA\HTM\PRINTER\BWXTSWLL.EXE
del KPZONE\KDATA\HTM\PRINTER\BZEEQEBE.EXE
del KPZONE\KDATA\HTM\PRINTER\EXSVJLKR.EXE
del KPZONE\KDATA\HTM\PRINTER\JBCRJQHL.EXE
del KPZONE\KDATA\HTM\PRINTER\JJRRQETL.EXE
del KPZONE\KDATA\HTM\PRINTER\JNLWEJTQ.EXE
del KPZONE\KDATA\HTM\PRINTER\JVTVEHWL.EXE
del KPZONE\KDATA\HTM\PRINTER\KVCHJBTV.EXE
del KPZONE\KDATA\HTM\PRINTER\NHBQBKXK.EXE
del KPZONE\KDATA\HTM\PRINTER\NKLTXLHJ.EXE
del KPZONE\KDATA\HTM\PRINTER\NRHCXNTJ.EXE
del KPZONE\KDATA\HTM\PRINTER\RJELKZEQ.EXE
del KPZONE\KDATA\HTM\PRINTER\SJTHZQEL.EXE
del KPZONE\KDATA\HTM\PRINTER\SZSEEHXN.EXE
del KPZONE\KDATA\HTM\PRINTER\TSKSNLBW.EXE
del KPZONE\KDATA\HTM\PRINTER\WJQZBBRL.EXE
del KPZONE\KDATA\HTM\PRINTER\WNVCTTKH.EXE
del KPZONE\KDATA\HTM\PRINTER\ZNSNNTZL.EXE
del KPZONE\KDATA\NET\HTM\ABB\TTSHQRNQ.EXE
del KPZONE\KDATA\NET\HTM\EUR\THSKJNTT.EXE
del KPZONE\KDATA\NET\HTM\MAY\BBBHWQLS.EXE
del KPZONE\KDATA\NET\HTM\MAY\HJVRWSNH.EXE
del KPZONE\KDATA\NET\HTM\MAY\JCVVHSBC.EXE
del KPZONE\KDATA\NET\HTM\MAY\LSTKBWNC.EXE
del KPZONE\KDATA\NET\HTM\MAY\QBXNLLNN.EXE
del KPZONE\KDATA\NET\HTM\MAY\THEJHLHN.EXE
del KPZONE\KDATA\NET\HTM\MAY\TNQQKNWE.EXE
del KPZONE\KDATA\NET\HTM\MAY\TTVHSXHZ.EXE
del KPZONE\KDATA\NET\HTM\MAY\VRZWVCHX.EXE
del KPZONE\KDATA\NET\HTM\MAY\XKQNCJNW.EXE
del KPZONE\KDATA\NET\HTM\MAY\XXBZKEKB.EXE
del KPZONE\KDATA\NET\HTM\WTC\BLHRHSSL.EXE
del KPZONE\KDATA\NET\HTM\WTC\HLBJWJJH.EXE
del KPZONE\KDATA\NET\HTM\WTC\KZQHEECB.EXE
del KPZONE\KDATA\NET\HTM\WTC\558172~1\LJJLECKS.EXE
del KPZONE\KDATA\NET\HTM\WTC\558288~1\SBCEWHEW.EXE
del KPZONE\KDATA\NET\HTM\WTC\558595~1\SWKRCSWJ.EXE
del KPZONE\KDATA\NET\SYS\SLBTJZSS.EXE
del KPZONE\KDATA\NET\SYS\TKSTNRHH.EXE
del KPZONE\SOFT\ANAGEN\KKHRXSHR.EXE
del KPZONE\SOFT\ANAGEN\LNXRVERT.EXE
del KPZONE\SOFT\ANAGEN\LTTRTBBB.EXE
del KPZONE\SOFT\ANAGEN\QTSVWZTT.EXE
del KPZONE\SOFT\ANAGEN\SNTWBJTH.EXE
del KPZONE\SOFT\ANAGEN\SVHRXCSB.EXE
del KPZONE\SOFT\ANAGEN\VZEHTBTH.EXE
del KPZONE\SOFT\ANAGEN\WSJJNJCL.EXE
del KPZONE\SOFT\ANAGEN\WSJLRESK.EXE
del KPZONE\SOFT\EUDORA71\JEQTTSXE.EXE
del KPZONE\SOFT\JIKES\DOC\JIKES-1.22\KSJEJBJB.EXE
del KPZONE\SOFT\JIKES\DOC\JIKES-1.22\SNERKTEB.EXE
del KPZONE\SOFT\LYNX_W32\HELP\BNSTHVLJ.EXE
del KPZONE\SOFT\LYNX_W32\HELP\EBBKJEHV.EXE
del KPZONE\SOFT\LYNX_W32\HELP\TWJVWZLZ.EXE
del KPZONE\SOFT\LYNX_W32\HELP\WRKCBEEZ.EXE
del KPZONE\SOFT\LYNX_W32\HELP\ZXLLBZKZ.EXE
del KPZONE\SOFT\LYNX_W32\HELP\KEYSTR~1\BRJERBXZ.EXE
del KPZONE\SOFT\LYNX_W32\HELP\KEYSTR~1\BSWBHWBL.EXE
del KPZONE\SOFT\LYNX_W32\HELP\KEYSTR~1\JHHZJQRE.EXE
del KPZONE\SOFT\LYNX_W32\HELP\KEYSTR~1\JNELWSXJ.EXE
del KPZONE\SOFT\LYNX_W32\HELP\KEYSTR~1\JVNTLLSZ.EXE
del KPZONE\SOFT\LYNX_W32\HELP\KEYSTR~1\LVETHNLH.EXE
del KPZONE\SOFT\LYNX_W32\HELP\KEYSTR~1\NCSKJBJC.EXE
del KPZONE\SOFT\LYNX_W32\HELP\KEYSTR~1\QQJWQEET.EXE
del KPZONE\SOFT\LYNX_W32\HELP\KEYSTR~1\SEQBXRKL.EXE
del KPZONE\SOFT\LYNX_W32\HELP\KEYSTR~1\SLTLSHNR.EXE
del KPZONE\SOFT\LYNX_W32\HELP\KEYSTR~1\SQZLHXJH.EXE
del KPZONE\SOFT\LYNX_W32\HELP\KEYSTR~1\SRQBRCLJ.EXE
del KPZONE\SOFT\LYNX_W32\HELP\KEYSTR~1\TJHHXKKV.EXE
del KPZONE\SOFT\LYNX_W32\HELP\KEYSTR~1\TLWHSNVN.EXE
del KPZONE\SOFT\LYNX_W32\HELP\KEYSTR~1\TRCEEZLZ.EXE
del KPZONE\SOFT\LYNX_W32\HELP\KEYSTR~1\VTQRRQBQ.EXE
del KPZONE\SOFT\LYNX_W32\HELP\KEYSTR~1\WJXHHSTB.EXE
del KPZONE\SOFT\LYNX_W32\HELP\KEYSTR~1\XSVVBNBR.EXE
del KPZONE\SOFT\LYNX_W32\HELP\KEYSTR~1\ZCKESHSB.EXE
del KPZONE\SOFT\POSTIE\KBCXCRJX.EXE
del KPZONE\SOFT\RD\HTM\HE88B8~1\HSEJJQSB.EXE
del KPZONE\SOFT\RD\HTM\HE88B8~1\LTTXSJKV.EXE
del KPZONE\SOFT\RD\HTM\HE88B8~1\NSKKJEBT.EXE
del KPZONE\SOFT\RD\HTM\HELPRU~1\LBKHRLES.EXE
del KPZONE\SOFT\RD\HTM\HELPRU~1\NXNNTJJQ.EXE
del KPZONE\SOFT\RD\HTM\HELPRU~2\LJHKBRBE.EXE
del KPZONE\SOFT\RD\HTM\HELPRU~2\RBLJRBEB.EXE
del KPZONE\SOFT\RD\HTM\HELPRU~3\HBTZHTEH.EXE
del KPZONE\SOFT\RD\HTM\HELPRU~3\QVNJEJNS.EXE
del KPZONE\SOFT\RD\HTM\HELPRU~4\JWSQSXTC.EXE
del KPZONE\SOFT\RD\HTM\HELPRU~4\VKKTJHQJ.EXE
del KPZONE\SOFT\RD\HTM\PRODUC~1\HCBKXBJE.EXE
del KPZONE\SOFT\RD\HTM\PRODUC~1\JTQTXVEJ.EXE
del KPZONE\SOFT\RD\HTM\PRODUC~1\WLKREHZH.EXE
del KPZONE\SOFT\WP2HTML\TBBLHKBT.EXE
del KPZONE\SOFT\WP2HTML\TJBTSESS.EXE
del KPZONE\SOFT\WP2HTML\TTTKNBKS.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\ZKSKJRRC.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\BJKBJKLX.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\BKHHBTSB.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\BRLZTHCJ.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\BVNHJSJL.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\CJVLECBK.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\CKHTWBWC.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\EKZRXQTJ.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\HBJCNQLV.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\HELTRTZJ.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\HHQBKRLT.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\HHSEQBTB.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\HSSKJBSX.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\HZRLJXBZ.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\JRCXWRRZ.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\JRTVTQSL.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\JSXLREJT.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\KBWRRWSK.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\KZTCEVNK.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\LBNLEVZK.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\LHTVLQEE.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\LHWHLBRZ.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\LTHKXTHK.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\LXNZJSXB.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\NJESHESB.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\NKLTLJXE.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\NWQKCKBS.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\QJXJNBTJ.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\QNLRSKHE.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\QQNNVHKB.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\QVBXLZHS.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\REJRLCRS.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\RLSWBVKL.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\RLWNHQBV.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\RREREWLE.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\SHHSVKQW.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\SKEEQLRH.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\SLENVQER.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\SNLWLLEE.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\SVHESQJL.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\THHQRLHT.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\TLSLKELK.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\TVBWRKTK.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\TVZBEWRK.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\TXSHJNCS.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\VCJQRESH.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\VENVZEQW.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\VQVTLWRH.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\VSCRBNZR.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\WBSLHNBR.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\WHKLTTWR.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\WXLJRTTQ.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\ZBHSSXLK.EXE
del PROGRA~1\ADOBE\ACROBA~1.0\READER\HOWTO\ENU\ZCEELEKJ.EXE
del PROGRA~1\AHEAD\NERO\CDI\ZNNJTKEE.EXE
del PROGRA~1\ANVILS~1\HTML\BBLVCKVT.EXE
del PROGRA~1\ANVILS~1\HTML\BNBXXRRS.EXE
del PROGRA~1\ANVILS~1\HTML\BVEVSSEK.EXE
del PROGRA~1\ANVILS~1\HTML\CENZXHSX.EXE
del PROGRA~1\ANVILS~1\HTML\EELJJKBB.EXE
del PROGRA~1\ANVILS~1\HTML\EHBBTZBT.EXE
del PROGRA~1\ANVILS~1\HTML\EKNVKKJB.EXE
del PROGRA~1\ANVILS~1\HTML\ERLZREBH.EXE
del PROGRA~1\ANVILS~1\HTML\HEVQLBNE.EXE
del PROGRA~1\ANVILS~1\HTML\HEWLLLKV.EXE
del PROGRA~1\ANVILS~1\HTML\HSBTLVLR.EXE
del PROGRA~1\ANVILS~1\HTML\HXQCSJKC.EXE
del PROGRA~1\ANVILS~1\HTML\JBVSCBKX.EXE
del PROGRA~1\ANVILS~1\HTML\JRLRKHHK.EXE
del PROGRA~1\ANVILS~1\HTML\KRLTXTEX.EXE
del PROGRA~1\ANVILS~1\HTML\KRWSEWHV.EXE
del PROGRA~1\ANVILS~1\HTML\LHCQJWQE.EXE
del PROGRA~1\ANVILS~1\HTML\LHHLESNS.EXE
del PROGRA~1\ANVILS~1\HTML\LJWRBLRV.EXE
del PROGRA~1\ANVILS~1\HTML\LRTQSHLJ.EXE
del PROGRA~1\ANVILS~1\HTML\NLBXNVSB.EXE
del PROGRA~1\ANVILS~1\HTML\QNCHSSEH.EXE
del PROGRA~1\ANVILS~1\HTML\QTNLHRNC.EXE
del PROGRA~1\ANVILS~1\HTML\RSZENKJE.EXE
del PROGRA~1\ANVILS~1\HTML\RXWEHLNT.EXE
del PROGRA~1\ANVILS~1\HTML\SBRZZVHR.EXE
del PROGRA~1\ANVILS~1\HTML\SWNVJSJN.EXE
del PROGRA~1\ANVILS~1\HTML\TEEJQEKC.EXE
del PROGRA~1\ANVILS~1\HTML\TKRTNZZT.EXE
del PROGRA~1\ANVILS~1\HTML\TLLNSLHN.EXE
del PROGRA~1\ANVILS~1\HTML\TQVXSBBE.EXE
del PROGRA~1\ANVILS~1\HTML\VLNLRTSH.EXE
del PROGRA~1\ANVILS~1\HTML\WEKWQKKZ.EXE
del PROGRA~1\ANVILS~1\HTML\WQZHXRVN.EXE
del PROGRA~1\ANVILS~1\HTML\WSNTJHSE.EXE
del PROGRA~1\ANVILS~1\HTML\XEHHWHBR.EXE
del PROGRA~1\ANVILS~1\HTML\XRKNJRTE.EXE
del PROGRA~1\ANVILS~1\HTML\XWXBJQWE.EXE
del PROGRA~1\CLYSMIC\LUNARA~1\REFERE~1\KKNRJLRW.EXE
del PROGRA~1\CLYSMIC\LUNARA~1\REFERE~1\KRLEBLBT.EXE
del PROGRA~1\CLYSMIC\LUNARA~1\REFERE~1\LHBENWEH.EXE
del PROGRA~1\CLYSMIC\LUNARA~1\REFERE~1\WSXSCKKZ.EXE
del PROGRA~1\COMMON~1\MICROS~1\STATIO~1\BCWVZWBH.EXE
del PROGRA~1\COMMON~1\MICROS~1\STATIO~1\BHRHNKHT.EXE
del PROGRA~1\COMMON~1\MICROS~1\STATIO~1\BNBTZWXT.EXE
del PROGRA~1\COMMON~1\MICROS~1\STATIO~1\BRVRJRKE.EXE
del PROGRA~1\COMMON~1\MICROS~1\STATIO~1\BZQLKHRH.EXE
del PROGRA~1\COMMON~1\MICROS~1\STATIO~1\CZJEVCET.EXE
del PROGRA~1\COMMON~1\MICROS~1\STATIO~1\EHBEBSRN.EXE
del PROGRA~1\COMMON~1\MICROS~1\STATIO~1\ELWTJNBJ.EXE
del PROGRA~1\COMMON~1\MICROS~1\STATIO~1\NJBSVTLL.EXE
del PROGRA~1\COMMON~1\MICROS~1\STATIO~1\NSQJTTKV.EXE
del PROGRA~1\COMMON~1\MICROS~1\STATIO~1\QJLLSJHL.EXE
del PROGRA~1\COMMON~1\MICROS~1\STATIO~1\TLCWJRWT.EXE
del PROGRA~1\COMMON~1\MICROS~1\STATIO~1\VKJLJZRN.EXE
del PROGRA~1\COMMON~1\MICROS~1\STATIO~1\XRLJQJZN.EXE
del PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\50\BIN\ETEWQSWB.EXE
del PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\50\BIN\TRNSLNRC.EXE
del PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\50\BIN\1033\XWJSTCHE.EXE
del PROGRA~1\COMMON~1\REAL\UPDATE~1\UI\NTXETEJC.EXE
del PROGRA~1\COMMON~1\SYSTEM\ADO\TSEKTJKJ.EXE
del PROGRA~1\CQUICK~1\HELPFI~1\JQJJLRQC.EXE
del PROGRA~1\CQUICK~1\HELPFI~1\VHESVCNV.EXE
del PROGRA~1\D-LUSION\RD\BKHCRLJX.EXE
del PROGRA~1\D-LUSION\RD\CETCBXTB.EXE
del PROGRA~1\D-LUSION\RD\HELP\HE88B8~1\CTHCLHEV.EXE
del PROGRA~1\D-LUSION\RD\HELP\HE88B8~1\HBBSVSQH.EXE
del PROGRA~1\D-LUSION\RD\HELP\HE88B8~1\RLLQJNHN.EXE
del PROGRA~1\D-LUSION\RD\HELP\HELPRU~1\RJWVTTSH.EXE
del PROGRA~1\D-LUSION\RD\HELP\HELPRU~1\STZSTCRK.EXE
del PROGRA~1\D-LUSION\RD\HELP\HELPRU~2\EVXSXXLL.EXE
del PROGRA~1\D-LUSION\RD\HELP\HELPRU~2\EWNTKRCH.EXE
del PROGRA~1\D-LUSION\RD\HELP\HELPRU~3\LNHWSSJT.EXE
del PROGRA~1\D-LUSION\RD\HELP\HELPRU~3\TNBHJRKV.EXE
del PROGRA~1\D-LUSION\RD\HELP\HELPRU~4\BNHQBWQN.EXE
del PROGRA~1\D-LUSION\RD\HELP\HELPRU~4\HRETLNSK.EXE
del PROGRA~1\D-LUSION\RD\HELP\PRODUC~1\KXTEBSLL.EXE
del PROGRA~1\D-LUSION\RD\HELP\PRODUC~1\LRVQJKTJ.EXE
del PROGRA~1\D-LUSION\RD\HELP\PRODUC~1\LSKBKHNS.EXE
del PROGRA~1\EDITPL~1\LJCNBCKC.EXE
del PROGRA~1\FFDSHOW\HELP\BVLQHRLJ.EXE
del PROGRA~1\FFDSHOW\HELP\RJLKJHWW.EXE
del PROGRA~1\FFDSHOW\HELP\XZSXJSSQ.EXE
del PROGRA~1\IMAGE-~1\FLSTUD~1\SYSTEM\HARDWA~1\PCR_FL~1\SZLNKWTE.EXE
del PROGRA~1\IMAGE-~1\FLSTUD~1\SYSTEM\HARDWA~1\PCR_FL~1\PARAML~1\QTVCBBHL.EXE
del PROGRA~1\IMAGE-~1\FLSTUD~1\SYSTEM\TEXTS\ABOUT\JLHNRLJX.EXE
del PROGRA~1\IRFANV~1\HTML\ELEBTWRX.EXE
del PROGRA~1\IRFANV~1\HTML\KTBQTEWH.EXE
del PROGRA~1\IRFANV~1\HTML\QHZERZSH.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\CZEKVXHZ.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\RJHKEKHX.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\APPLETS\ANIMATOR\HCRLRWSR.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\APPLETS\ANIMATOR\NREHRVZH.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\APPLETS\ANIMATOR\RECHJLXH.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\APPLETS\ANIMATOR\STBTRSJC.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\APPLETS\ANIMATOR\ZSTEJZHC.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\APPLETS\ARCTEST\HJVTLBST.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\APPLETS\BARCHART\LJTKBEBJ.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\APPLETS\BLINK\HLRBVBNL.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\APPLETS\CARDTEST\RJESJHHQ.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\APPLETS\CLOCK\HBTVTKQS.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\APPLETS\DITHER~1\ZVSHBCKR.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\APPLETS\DRAWTEST\VWRLCTBT.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\APPLETS\FRACTAL\TEQJTSJB.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\APPLETS\GRAPHI~1\VBESSSJJ.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\APPLETS\GRAPHL~1\CWBTRJZL.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\APPLETS\GRAPHL~1\CXEQJKEN.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\APPLETS\GRAPHL~1\KJSZWRNJ.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\APPLETS\GRAPHL~1\STCJTBCW.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\APPLETS\IMAGEMAP\KKREZJRH.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\APPLETS\IMAGEMAP\STWLVJNT.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\APPLETS\IMAGEMAP\ZRJLKTQS.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\APPLETS\JUMPIN~1\BKHHBCWE.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\APPLETS\MOLECU~1\ESEJJXNC.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\APPLETS\MOLECU~1\SBTHKSSH.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\APPLETS\MOLECU~1\TNHQKWBV.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\APPLETS\SIMPLE~1\SBBVBREL.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\APPLETS\SORTDEMO\JSRKKJRR.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\APPLETS\SPREAD~1\SHTKNNXH.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\APPLETS\TICTAC~1\BWWLJCNE.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\APPLETS\WIREFR~1\BSEXKZEB.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\APPLETS\WIREFR~1\NKZKQZJN.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\APPLETS\WIREFR~1\QQSSSCZN.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\APPLETS\WIREFR~1\TRXNHZKJ.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\JFC\CODEPO~1\ENQNRJLT.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\JFC\CODEPO~1\TNBVKCHR.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\JFC\FONT2D~1\SNNKXTXW.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\JFC\JAVA2D\LCSTJRQT.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\JFC\METALW~1\HELPFI~1\CRJWWKKN.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\JFC\METALW~1\HELPFI~1\JKXKBKRR.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\JFC\METALW~1\HELPFI~1\JLTHSSLB.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\JFC\METALW~1\HELPFI~1\TLRRBVTJ.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\JFC\METALW~1\HELPFI~1\VXTEHHNB.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\JFC\SWINGA~1\KHRCLLCN.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\JFC\SWINGS~1\JBHSXJHZ.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\JVMTI\TQWJRJCL.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\JVMTI\HPROF\SRC\BTHKLZSS.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\MANAGE~1\QZLVNHBS.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\PLUGIN\VNJBNNVB.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\PLUGIN\APPLETS\ANIMATOR\CNETTKVR.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\PLUGIN\APPLETS\ANIMATOR\HJTNBVZR.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\PLUGIN\APPLETS\ANIMATOR\LRJBLTKN.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\PLUGIN\APPLETS\ANIMATOR\WJRBSJWS.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\PLUGIN\APPLETS\ANIMATOR\XWZWRQJE.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\PLUGIN\APPLETS\ARCTEST\RKBSKCTL.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\PLUGIN\APPLETS\BARCHART\TKEHSEVE.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\PLUGIN\APPLETS\BLINK\STLRZQRL.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\PLUGIN\APPLETS\CARDTEST\ENHLHJET.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\PLUGIN\APPLETS\CLOCK\QHWNSXTW.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\PLUGIN\APPLETS\DITHER~1\RXQCCSQH.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\PLUGIN\APPLETS\DRAWTEST\TNNQKBRE.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\PLUGIN\APPLETS\FRACTAL\HBNQKHHH.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\PLUGIN\APPLETS\GRAPHI~1\BTTHLBBB.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\PLUGIN\APPLETS\GRAPHL~1\KEJNRKLS.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\PLUGIN\APPLETS\GRAPHL~1\LNTHXLJB.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\PLUGIN\APPLETS\GRAPHL~1\RRHKJZZB.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\PLUGIN\APPLETS\GRAPHL~1\ZSSBEJTC.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\PLUGIN\APPLETS\IMAGEMAP\JNXJVVQJ.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\PLUGIN\APPLETS\IMAGEMAP\KLHHRJBV.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\PLUGIN\APPLETS\IMAGEMAP\XSNKQJXB.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\PLUGIN\APPLETS\JUMPIN~1\SQRJSSJT.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\PLUGIN\APPLETS\MOLECU~1\EJHTVRSE.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\PLUGIN\APPLETS\MOLECU~1\HQHRTXQT.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\PLUGIN\APPLETS\MOLECU~1\JJQVRZNK.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\PLUGIN\APPLETS\SIMPLE~1\ZSLXLTKK.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\PLUGIN\APPLETS\SORTDEMO\QLBBLEXW.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\PLUGIN\APPLETS\SPREAD~1\TWLLRENC.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\PLUGIN\APPLETS\TICTAC~1\NLJSTWTJ.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\PLUGIN\APPLETS\WIREFR~1\HRXKBBHJ.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\PLUGIN\APPLETS\WIREFR~1\KHEZNJRT.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\PLUGIN\APPLETS\WIREFR~1\NTSTREHB.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\PLUGIN\APPLETS\WIREFR~1\REREXSQQ.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\PLUGIN\JFC\CODEPO~1\BTJKBTJE.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\PLUGIN\JFC\CODEPO~1\HTRRJLZT.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\PLUGIN\JFC\FONT2D~1\LHTJTCLJ.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\PLUGIN\JFC\JAVA2D\BRBKQXRE.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\PLUGIN\JFC\METALW~1\HELPFI~1\EEZQJLWN.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\PLUGIN\JFC\METALW~1\HELPFI~1\QLSKKZKS.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\PLUGIN\JFC\METALW~1\HELPFI~1\RBBBEVEJ.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\PLUGIN\JFC\METALW~1\HELPFI~1\TBWJRQHN.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\PLUGIN\JFC\METALW~1\HELPFI~1\ZLBCHHTB.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\PLUGIN\JFC\SWINGA~1\SHKCLNJR.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\DEMO\PLUGIN\JFC\SWINGS~1\JXEBLSVK.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\JRE\XXESLTCT.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\SAMPLE\JNLP\CORBA\WAR\XKZQCVNX.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\SAMPLE\JNLP\RAF\WAR\RRTSSBKT.EXE
del PROGRA~1\JAVA\JDK15~1.0_0\SAMPLE\JNLP\WEBPAD\WAR\RHKXNSLW.EXE
del PROGRA~1\JAVA\JRE15~1.0_0\LNTSBCVH.EXE
del PROGRA~1\MICROS~2\OFFICE10\KSNLLSZB.EXE
del PROGRA~1\MICROS~2\OFFICE10\1033\HRECSXRV.EXE
del PROGRA~1\MICROS~2\OFFICE10\1033\HSSVHCNQ.EXE
del PROGRA~1\MICROS~2\OFFICE10\1033\JSKTJLBE.EXE
del PROGRA~1\MICROS~2\OFFICE10\1033\KHSSSESN.EXE
del PROGRA~1\MICROS~2\OFFICE10\1033\LRKLQBNH.EXE
del PROGRA~1\MICROS~2\OFFICE10\1033\RKKRTTWS.EXE
del PROGRA~1\MICROS~2\OFFICE10\1033\SRRLXENK.EXE
del PROGRA~1\MICROS~2\OFFICE10\1033\TLJRJSVS.EXE
del PROGRA~1\MICROS~2\OFFICE10\1033\TVKSTWTZ.EXE
del PROGRA~1\MICROS~2\OFFICE10\1033\VKEHTNBN.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\FRAMES\BANTOC.TEM\CRVEENKJ.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\FRAMES\FOOTER.TEM\RKBHJHBH.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\FRAMES\FOOTNOTE.TEM\EKSKCSRS.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\FRAMES\HEADER.TEM\XREJJZEK.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\FRAMES\HORZSPLT.TEM\JTZKKZNL.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\FRAMES\NAVWTOC.TEM\SJBNQHSL.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\FRAMES\THREELEV.TEM\HTEEKJJN.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\FRAMES\TOC.TEM\KESKCHXJ.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\FRAMES\TOPDOWN.TEM\RNNXNRBE.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\FRAMES\VERTSPLT.TEM\HSNKWBBB.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\PAGES\1CENTER.TEM\RTLLKJSB.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\PAGES\1CHEADS.TEM\RJKRETCL.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\PAGES\1CLEFT.TEM\RTNTVKBZ.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\PAGES\1CRIGHT.TEM\VZNJRSTT.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\PAGES\2CEVEN.TEM\HNSHBTTN.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\PAGES\2CMENUL.TEM\NRRJETBJ.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\PAGES\2CMENUR.TEM\JSSEWCLR.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\PAGES\2CSTAGR.TEM\HWREKXNS.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\PAGES\3C2STAGL.TEM\STJRSLSN.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\PAGES\3CEVEN.TEM\BSEVLEKN.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\PAGES\3CMENUC.TEM\QVKSCWBB.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\PAGES\3CMENUL.TEM\SXSRCRRJ.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\PAGES\3CSIDBAR.TEM\CRNLTHQL.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\PAGES\4CCENTER.TEM\EXXETVTR.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\PAGES\4CSTAGC.TEM\WJNJJHNN.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\PAGES\4CSTAGL.TEM\ZWEKNNNL.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\PAGES\BIBLIO.TEM\LQSNTCKH.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\PAGES\CONFIRM.TEM\WXJSSRHQ.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\PAGES\FAQ.TEM\HQCNBTKB.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\PAGES\FEEDBACK.TEM\JESBXSSN.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\PAGES\GUESTBK.TEM\HBJHLHEW.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\PAGES\GUESTBK.TEM\ZLBSHVKH.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\PAGES\NORMAL.TEM\RKNBRNBL.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\PAGES\PHOTO.TEM\CTBJJLLN.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\PAGES\PHOTO.TEM\LQRNBTLE.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\PAGES\PHOTO.TEM\NWBZNTZR.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\PAGES\REGUSER.TEM\BKJEZQRE.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\PAGES\SEARCH.TEM\LKRHXLSR.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\PAGES\TOC.TEM\JRJTNRHL.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\WEBS\CUSTSUPP.TEM\BNLNTSLJ.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\WEBS\CUSTSUPP.TEM\BREJJKEJ.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\WEBS\CUSTSUPP.TEM\BTQNBCET.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\WEBS\CUSTSUPP.TEM\BXZRZNJN.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\WEBS\CUSTSUPP.TEM\EEBBHTKJ.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\WEBS\CUSTSUPP.TEM\ESVSLBVS.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\WEBS\CUSTSUPP.TEM\ETKHRBRH.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\WEBS\CUSTSUPP.TEM\EVWHHTJH.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\WEBS\CUSTSUPP.TEM\EWQRLLBZ.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\WEBS\CUSTSUPP.TEM\KEBKEJBX.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\WEBS\CUSTSUPP.TEM\LJJKKNWK.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\WEBS\CUSTSUPP.TEM\NHTNNRVR.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\WEBS\CUSTSUPP.TEM\NJBNRKWZ.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\WEBS\CUSTSUPP.TEM\REKLJLJV.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\WEBS\CUSTSUPP.TEM\RKRCSWHE.EXE
del PROGRA~1\MICROS~2\TEMPLA~1\1033\WEBS\CUSTSUPP.TEM\RVVKSKRJ.EXE
4. That pretty much removed the threat, but it's still necessary to clean up the mess. A few downloads & I acquired a registry cleaner (Wise Registry Cleaner 3 Free) which can excise the now unresolved HKCR:CLSID entries. It recognised 3074 such CLSIDs of which 2956 it viewed as safely removable. That's right in the ballpark considering I've not had a registry cleaner before.
5. Cleaning up the HTML is the final issue. The 2xExplorer scan of all HTML for CLSID spits out 2915 decks of which 30 or so have timestamps prior to the morning's assault. The backup of my own data allowed me to restore my 5 dozen or so self-authored decks which had incurred damage. The rest I can either leave the way they are, referencing nonexistent registry keys (which may have an adverse effect on performance), or I may ultimately run a batch global change on them & invalidate the syntax of the <OBJECT> lines themselves. This barring discovery of an actual tool on the Web somewhere capable of automating the task.
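One way to automate the <OBJECT> cleanup from step 5, as an added example that is not part of the original post. The exact shape of the injected line is an assumption built from the post's description (an empty <OBJECT> with a CLSID reference directly after the first <HTML>); the function names and the sample CLSID are hypothetical.

```python
import re
from pathlib import Path

# Assumed shape of the injected line (constructed from the post's description):
# an empty <OBJECT> element with a CLSID reference, directly after the first <HTML>.
INJECTED = re.compile(
    r"(<html\b[^>]*>)"                                  # group 1: the tag, kept
    r"(\s*<object\b[^>]*\bclassid\s*=\s*[\"']?clsid:"   # group 2: injected element
    r"([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})"    # group 3: the CLSID
    r"[^>]*>\s*</object>)",
    re.IGNORECASE)

def strip_injected_object(html):
    """Return (cleaned_html, clsid or None). Only the first <HTML> tag is
    examined and only an empty OBJECT right after it is removed, so
    legitimate embedded controls elsewhere in the page are left alone."""
    first = re.search(r"<html\b[^>]*>", html, re.IGNORECASE)
    m = INJECTED.match(html, first.start()) if first else None
    if not m:
        return html, None
    return html[:m.end(1)] + html[m.end(2):], m.group(3).upper()

def clean_tree(root, apply=False):
    """Scan .htm/.html files under root and return {path: clsid} for hits.
    Dry run by default; with apply=True the original is kept as <name>.bak."""
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in (".htm", ".html"):
            continue
        raw = path.read_bytes()
        text = raw.decode("latin-1")          # 1:1 byte mapping, keeps CRLF intact
        cleaned, clsid = strip_injected_object(text)
        if clsid:
            hits[str(path)] = clsid           # CLSIDs to cross-check in HKCR\CLSID
            if apply:
                path.with_name(path.name + ".bak").write_bytes(raw)
                path.write_bytes(cleaned.encode("latin-1"))
    return hits

# Constructed sample, not taken from an infected file.
SAMPLE = ('<HTML>\r\n<OBJECT type="application/x-oleobject" '
          'CLASSID="CLSID:0A1B2C3D-1111-2222-3333-0123456789AB"></OBJECT>\r\n'
          '<HEAD><TITLE>t</TITLE></HEAD></HTML>')
```

Run `clean_tree` without `apply` first and review the reported paths and CLSIDs; rewriting a file changes its timestamp, which the post relies on to tell damaged decks from untouched ones.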
It's also useful to do a little reading on what an "application/x-oleobject" actually is. That immediately leads to the Windoze:ControlPanel:InternetOptions:Security:CustomLevel tab where it is -- shall we say -- less than imprudent to set to *DISABLE* the 5 (five & 00/100) switches pertaining to ActiveX & also to disable the Scripting:ActiveScripting switch as well (in all "zones" present). As a non-techie I'm still unclear what effect that has on a FireFox user who only invokes iExplorer in absolute emergencies, however. Maybe I'll look that up too.
(*) = (www) ActiveX - FireFox Knowledge Base
As one may guess, the next morning the connection was once again pegged with 2way traffic, this time with no (obvious) evidence of a running module, a started "service", or spawned EXEs with 8-character random names. Nonetheless the celebrated ".exe" (sic) file was present in system32, datestamped at around pm1500 the previous day. I moved it to a safe place & began a DownloadExpress restartable download of the current version of AdAware2008, necessary because the dialup (which had become successfully quiescent the evening before) was now disconnecting every five minutes or so. The current AdAware was unable to use the connection to refresh its definition files until *after* its first complete system scan, during which it spotted almost 400 significant objects including my saved copy of irdvxc.exe which I let it delete. That is to say, it is clear that it had more to fix & that indeed, the issue of viruses is of necessity the provence of AV software suppliers (pardon my French).
Notwithstanding which I clearly had some more research to do. I did fire up regedit & do one more find throughout the keys, values & data for another instance of the string "rdvxc" which indeed turned up one final spurious key among the CLSIDs, now harmless as it references a 5-byte text stub in WINDOWS\system32, but which I deleted anyway. It also looks like there's hundreds of additional CLSIDs with pseudorandom values parked in there as well, which a registry cleaner can't recognise as superfluous. I hope they're not encoded binary executable to be reassembled at a later date.
So the only thing left was to run thru the TaskManager tasks & look them all up on AltaVista & compare them to the WP51 document I created when I took delivery of the XP box. Oops. Here's lsas.exe (*not* lsass.exe) sitting in the WINDOWS\system directory created this morning at am0100 length 61952. Terminating its executable freed the dialup at last. Then I moved it & rewrote it with a readonly stub, found it in the registry in HKLM\software\MS\Windoze\currentversion\run where itz called "Windows Logistics", & blasted it. Ya know, that takes it out of msConfig:startup pretty painlessly. Considering it's a genuine nobrainer, explicitly documented on the Web, it's still unclear why AdAware, HijackThis, & SpyBot don't recognise it (I'll leave this as an exercise for the reader).
(*) = (www) lsas.exe - file.net
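The baseline comparison that exposed lsas.exe can be scripted. This is an added example, not the author's method: it checks a process snapshot against a recorded inventory and flags unknown names, near-miss spellings of known names, and known names running from the wrong directory. The baseline, the snapshot and the directories in them are constructed for illustration.

```python
def edit_distance(a, b):
    """Levenshtein distance using a single-row dynamic programme."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[len(b)]

# Constructed baseline: image name -> directory noted when the box was new.
BASELINE = {
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "winamp.exe": r"c:\program files\winamp",
}

def audit(processes, baseline=BASELINE, max_dist=2):
    """processes: iterable of (image_name, directory).
    Returns a list of (name, verdict) for everything that deviates."""
    findings = []
    for name, directory in processes:
        name, directory = name.lower(), directory.lower().rstrip("\\")
        if name in baseline:
            if directory != baseline[name]:
                findings.append((name, "known name, unexpected directory " + directory))
            continue
        # A name that is almost, but not exactly, a baseline name is the
        # lsas.exe / lsass.exe case: more suspicious than a plain unknown.
        near = [b for b in baseline if edit_distance(name, b) <= max_dist]
        verdict = "lookalike of " + near[0] if near else "not in baseline"
        findings.append((name, verdict))
    return findings

# Constructed snapshot using image names mentioned in the post.
SNAPSHOT = [
    ("lsass.exe", r"C:\WINDOWS\system32"),
    ("lsas.exe", r"C:\WINDOWS\system"),
    ("urdvxc.exe", r"C:\WINDOWS\system32"),
    ("svchost.exe", r"C:\Temp"),
    ("explorer.exe", r"C:\WINDOWS"),
]
```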
Finally, of course there's no sense in making a post like this without a HijackThis log ...
Logfile of HijackThis v1.99.1
Scan saved at 15:03:23, on 2008-07-26
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Anyway, I'm still confused. Can anyone help me? Maybe I should google around a bit & find out how to reformat my harddisk. & why do I hang around with that weird woman?
Conclusion
Thatz the scoop. If someone had died because my machine was compromised, my time was monopolised, & hence my money was being stolen then it would be a capital offence. Death to all virus engineers. Period.