# Solved: I think someone is hijacking my PC, please help!



## sparsby (Apr 10, 2006)

http://www.pctools.com/spyware-doctor/?ref=google_hj

That program says I have 77 infections!

Earlier someone helped me "clean" my PC. I have Ewido anti-spyware, AVG free edition, and Windows Defender (some others too). Twice now, once when I started typing this and once during the day when I wasn't here and left my PC on, Ewido's protection was turned to "inactive" and the little icon in the bottom right turned grey. The first time I had hundreds, maybe more (if that's even possible), of pop-ups; nothing would usually load in them, but if it did it was poker stuff. I managed to get them to stop, or it happened on its own, but either way I don't have any more of those dastardly non-stop pop-ups. Every now and then when I'm working in a window it will just go dead until I click the window again, and sometimes I hear clicking noises when I have the sound turned on while I'm working. While playing Battlefield it returns me to the desktop but nothing is there. Other times the process explorer.exe gets up to 99%, practically freezing my system until the spasm is over. A lot of the time the system usage percent spikes to about 50, then goes back down to around 10 and spikes again.

Here is an HJT log, but I don't think it will really help.

Logfile of HijackThis v1.99.1
Scan saved at 3:08:03 PM, on 6/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

PLEASE HELP ME


----------
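The helpers in this thread read HijackThis logs by eye: every O4 autostart, O16 ActiveX download, O20 Winlogon Notify and O23 service entry is checked for a path or host that does not belong, and the "Running processes" list is checked for Windows binaries launched from the wrong directory or more than once. As an added example that is not part of the thread or of HijackThis itself, the Python below applies those same checks to log text. The sample log is a handful of lines copied from the logs in this thread plus three constructed lines so that every rule has something to fire on: a second lsass.exe under the user's Temp folder, an O1 hosts-file redirect (HijackThis reports hosts entries as O1 lines; none appear in this thread's logs), and an [updater] autostart under the profile. The allowlists (TRUSTED_PREFIXES, TRUSTED_DPF_HOSTS), the finding names and the function names are assumptions made for the example, not a published rule set.

```python
import re
from urllib.parse import urlsplit

# Sample log. Real lines are copied from the HijackThis logs in this thread.
# CONSTRUCTED lines (not from the thread): the lsass.exe under ...\Temp,
# the O1 hosts line, and the [updater] O4 line.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temp\lsass.exe

O1 - Hosts: 192.0.2.10 www.example.com
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Owner\Local Settings\Temp\updater.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.1.87.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# Assumptions for the example: where core XP binaries live, and a coarse
# allowlist of directories and ActiveX download hosts considered expected.
SYSTEM_SINGLETONS = {
    "smss.exe": "c:\\windows\\system32", "winlogon.exe": "c:\\windows\\system32",
    "services.exe": "c:\\windows\\system32", "lsass.exe": "c:\\windows\\system32",
    "explorer.exe": "c:\\windows",
}
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
TRUSTED_DPF_HOSTS = {"go.microsoft.com", "www.update.microsoft.com", "www.kaspersky.com"}
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}   # hosts entries that block, not redirect

O1_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<guid>[^}]+)\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) \((?P<short>[^)]*)\) - (?P<company>.*?) - (?P<path>.+)$")
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.(?:exe|dll|scr|com))"?', re.I)


def _exe_of(cmd):
    """Strip quotes and arguments from a Run-key command, keep the binary path."""
    m = EXE_RE.match(cmd.strip())
    return (m.group("exe") if m else cmd).strip().lower()


def _trusted_dir(path):
    return path.lower().startswith(TRUSTED_PREFIXES)


def triage(log_text):
    """Return (severity, kind, subject, reason) findings for an HJT log."""
    findings, procs, in_procs = [], [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:                      # the process list ends at the first blank line
            if line:
                procs.append(line)
            else:
                in_procs = False
            continue
        if (m := O1_RE.match(line)):
            if m["ip"] not in SINKHOLE_IPS:
                findings.append(("HIGH", "hosts-redirect", line, f"{m['host']} is redirected to {m['ip']}"))
        elif (m := O4_RE.match(line)):
            exe = _exe_of(m["cmd"])
            if not _trusted_dir(exe):
                findings.append(("MEDIUM", "autostart-path", line, f"autostart [{m['name']}] runs {exe} from outside Program Files/Windows"))
        elif (m := O16_RE.match(line)):
            host = (urlsplit(m["url"]).hostname or "").lower()
            if host not in TRUSTED_DPF_HOSTS:
                findings.append(("MEDIUM", "dpf-host", line, f"ActiveX control downloaded from non-allowlisted host {host}"))
        elif (m := O20_RE.match(line)):
            if "(file missing)" in m["path"]:
                findings.append(("LOW", "notify-missing", line, f"orphaned Winlogon Notify entry {m['name']}; loads nothing, safe to remove"))
            elif not m["path"].lower().startswith("c:\\windows\\system32\\"):
                findings.append(("HIGH", "notify-path", line, f"Winlogon Notify DLL {m['path']} outside System32"))
        elif (m := O23_RE.match(line)):
            if not _trusted_dir(m["path"]):
                findings.append(("MEDIUM", "service-path", line, f"service {m['short']} runs from {m['path']}"))

    # Core system binaries must run from their canonical directory, once each.
    counts = {}
    for p in procs:
        directory, _, base = p.lower().rpartition("\\")
        expected = SYSTEM_SINGLETONS.get(base)
        if expected is None:
            continue
        counts[base] = counts.get(base, 0) + 1
        if directory != expected:
            findings.append(("HIGH", "process-path", p, f"{base} running from {directory} instead of {expected}"))
    for base, n in counts.items():
        if n > 1:
            findings.append(("HIGH", "process-duplicate", base, f"{n} copies of {base} running; expected one"))
    return findings


if __name__ == "__main__":
    for severity, kind, subject, reason in triage(SAMPLE_LOG):
        print(f"[{severity}] {kind}: {reason}\n    {subject}")
```

Two things the example makes explicit that the thread's back-and-forth does not. The WRNotifier line, present in all three logs posted here, is an orphan: a Winlogon Notify entry whose DLL is missing loads nothing, so it explains no symptom but can be removed. And a log that triggers none of these rules is not proof of a clean machine; HijackThis enumerates a fixed set of load points and nothing else, which is exactly why the thread later falls back to WinPFind and file submission when the logs keep coming back clean.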



## sparsby (Apr 10, 2006)

Can anyone please help me? Or can point me to something that could help?


----------



## sparsby (Apr 10, 2006)

I found 2 explorer.exe files. I scanned them with Ewido and it said they were alright. Should I delete them so that the explorer.exe process won't ever run at 99% CPU usage?

I'M DESPERATE, PLEASE HELP


----------



## cybertech (Apr 16, 2002)

What version of Ewido do you have?


----------



## sparsby (Apr 10, 2006)

4.0, if you can help that would be great! Sorry I started another topic, but I always lose track of them.

I have done everything else you told me to in the other topics.


----------



## cybertech (Apr 16, 2002)

Please run Ewido in safe mode and post the report back here so I can look at it.


----------



## sparsby (Apr 10, 2006)

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at:	2:27:30 PM 6/29/2006

+ Scan result:

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CXALB9S5\new[1].htm -> Not-A-Virus.Constructor.Perl.Msdds.b : Cleaned.

::Report end

Only thing it found


----------



## cybertech (Apr 16, 2002)

OK what's the status now?


----------



## sparsby (Apr 10, 2006)

I have something to do, I will get back to you later today/night. Thanks


----------



## cybertech (Apr 16, 2002)

ok sounds good


----------



## sparsby (Apr 10, 2006)

Alright, there is still something that won't give my windows a rest. It happens quite often and is VERY annoying. You are working in a window, then all of a sudden you have to re-click it to finish your work. When playing full-screen games it collapses to the desktop, and during MSN Messenger conversations you will have to constantly be clicking the window to finish your message. Every time it happens I hear clicking noises if I have the sound on.

Explorer.exe hasn't spiked a whole lot yet, only to about 30 then back down to around 6.

Windows Defender just detected a program called Exploit:Win32/Wmfap, I told WD to remove all. AVG found C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\IKM68EUM\xpl[1].wmf
May be infected by unknown virus Exploit.WMF

EDIT: explorer.exe went to 99 for a while. I'm still getting redirect to bad site request things


----------



## cybertech (Apr 16, 2002)

http://safety.live.com/site/en-US/virusenc/virusencinfo.htm?virusid=301512#more

It appears both are finding the same thing, and it's not unusual for one AV to call it one thing and another to call it something else (an alias).


----------
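Both detections above point at the same file class: a WMF image sitting in Internet Explorer's cache (Temporary Internet Files), so it arrived through a web page rather than through anything the user ran. The bug is the one Microsoft fixed in MS06-001 (January 2006): a Windows Metafile may carry a META_ESCAPE record, and when the escape function is SETABORTPROC, GDI registers the bytes that follow as an abort-procedure callback and invokes it during playback. On a machine without that update, merely rendering the image runs the attacker's code; on a patched one the file is inert, which is why an antivirus hit on a cached file does not by itself say the machine was compromised. As an added example that is not part of the thread, this Python walks the WMF record stream and reports any SETABORTPROC escape, the check most signatures for this exploit reduce to. The sample inputs are constructed inline (a benign file and an exploit-shaped one whose "payload" is 0xCC filler, not real exploit bytes); the function names are the example's own.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte placeable header
META_EOF = 0x0000
META_SETWINDOWEXT = 0x020C
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009        # escape function abused by the MS06-001 exploits


def iter_records(data):
    """Yield (offset, function, params, truncated) for each record in a WMF.

    Exploit files often carry bogus record lengths, so a record whose length
    runs past the end of the file is still yielded (truncated=True) before we
    stop; its function code is what we need to inspect.
    """
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    header_words = struct.unpack_from("<H", data, off + 2)[0]
    if header_words != 9:
        raise ValueError(f"unexpected WMF header size {header_words}")
    off += 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)   # size counts 16-bit words
        size = size_words * 2
        if size < 6 or off + size > len(data):
            yield off, func, data[off + 6:], True
            return
        yield off, func, data[off + 6:off + size], False
        if func == META_EOF:
            return
        off += size


def find_setabortproc(data):
    """Return offsets of META_ESCAPE records whose escape function is SETABORTPROC."""
    hits = []
    for off, func, params, _truncated in iter_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                hits.append(off)
    return hits


# --- constructed sample files for the example (not real exploit bytes) ---
def _record(func, params=b""):
    if len(params) % 2:
        params += b"\x00"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def _wmf(records):
    body = b"".join(records)
    total_words = (18 + len(body)) // 2
    max_words = max(len(r) // 2 for r in records)
    # META_HEADER: Type, HeaderSize, Version, SizeLow, SizeHigh, NumObjects, MaxRecord, NumMembers
    header = struct.pack("<HHHHHHIH", 1, 9, 0x0300, total_words & 0xFFFF,
                         total_words >> 16, 0, max_words, 0)
    return header + body


BENIGN_WMF = _wmf([_record(META_SETWINDOWEXT, struct.pack("<hh", 100, 100)),
                   _record(META_EOF)])

# Escape record: EscapeFunction, ByteCount, then data. Filler stands in for a payload.
_FILLER = b"\xCC" * 16
EXPLOIT_LIKE_WMF = _wmf([
    _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, len(_FILLER)) + _FILLER),
    _record(META_EOF),
])

# Placeable header: Key, HWmf, BoundingBox(4 x int16), Inch, Reserved, Checksum
PLACEABLE_HEADER = struct.pack("<IH4hHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0)

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_WMF), ("exploit-like", EXPLOIT_LIKE_WMF)]:
        print(name, find_setabortproc(blob))
```

The scanner keys on the function code, not on the record length, because the length field is exactly what the exploit files lied about; that is also why the iterator refuses to give up on an oversized record before reporting it.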



## sparsby (Apr 10, 2006)

Well, everything is still happening, and there are some processes that I'm not familiar with running. I tried ending a few of those processes last night, but everything still happened. Could this stuff be fixed?

I also noticed a little white line at the very top left corner that wasn't there last week. I don't think they are dead pixels, though.


----------



## cybertech (Apr 16, 2002)

You can look up processes here: http://www.liutilities.com/products/wintaskspro/processlibrary/


----------



## sparsby (Apr 10, 2006)

Ugh, I don't get it. Everything says my system is fine, but I'm still having troubles. The window thing is really starting to wreak havoc with my nerves. Having to re-click windows in order to start using them again is VERY ANNOYING.

Here's another HijackThis log, just in case there's something wrong now:

Logfile of HijackThis v1.99.1
Scan saved at 10:45:20 AM, on 6/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.1.87.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe


----------



## cybertech (Apr 16, 2002)

Have you tried to disconnect or stop the NintendoWFCReg.exe to see if that's causing the problem?


----------



## sparsby (Apr 10, 2006)

No, that's not it. Could it be an infected explorer.exe or svchost.exe process?


----------



## cybertech (Apr 16, 2002)

sparsby said:


> I found 2 explorer.exe files. I scanned them with Ewido and it said they were alright. Should I delete them so that the explorer.exe process won't ever run at 99% CPU usage?
> 
> I'M DESPERATE, PLEASE HELP


What is the location of the 2 explorer.exe files? Also, right-click and look at the properties of each, Version tab; what's there?


----------



## sparsby (Apr 10, 2006)

They are both in C:\WINDOWS

First one (application): version 6.0.2900.2180

Second one (Windows Explorer Command): no version... it's 80 bytes, though.


There's a third that I found that's in C:\WINDOWS\ServicePackFiles\i386
Version: 6.0.2900.2180


----------



## cybertech (Apr 16, 2002)

Submit the second one here: http://www.kaspersky.com/remoteviruschk.html

Please Copy/paste the information back here.


----------



## sparsby (Apr 10, 2006)

This was the one in the service pack files area; all of them were deemed clean.

Known viruses: 203859 
Updated: 30-06-2006 
File size (Kb): 1008 
Virus bodies: 0 
Files: 1 
Warnings: 0 
Archives: 0 
Suspicious: 0


Is it normal for Ewido's resident shield to be turned inactive? It's happened quite a bit now.


----------



## cybertech (Apr 16, 2002)

Please upload that Windows Explorer Command file to http://www.thespykiller.co.uk/forum/index.php?board=1.0 so it can be examined.

Just press New Topic, fill in the needed details and post a link to your post here, then press the Browse button, navigate to and select the file on your computer. When the file is listed in the window, press Send to upload the file.


----------



## sparsby (Apr 10, 2006)

http://www.thespykiller.co.uk/forum/index.php?topic=2000.new#new

Is that good?


----------



## cybertech (Apr 16, 2002)

Yes, file received. It's legit.


----------



## cybertech (Apr 16, 2002)

Post your current HJT log and let's remove some of the overhead.


----------



## sparsby (Apr 10, 2006)

Sorry for the longish reply; had some trip planning stuff to do.

Logfile of HijackThis v1.99.1
Scan saved at 2:25:33 PM, on 6/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.1.87.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe


----------



## cybertech (Apr 16, 2002)

I see you have already removed some of the anti-malware programs you had running, and that is what I was going to suggest.

I'll ask for the other Mods to look at this thread because I have no idea what could be causing this.


----------



## sparsby (Apr 10, 2006)

After a long time with explorer.exe running the way it is, a security warning popped up:

"The current Web page is trying to open a site on the Internet.
Do you want to allow this?

Current site: ad.bannerconnect.net
Internet site: ad.yieldmanager.com"


----------



## dvk01 (Dec 14, 2002)

Download *WinPFind*
*Right-click* the Zip folder and select "*Extract All*"
Extract it somewhere you will remember, like the *Desktop*
Don't do anything with it yet!

Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again, continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Double-click *WinPFind.exe*
Now click "*Start Scan*"
*It will scan the entire system, so please be patient!*
Once the scan is complete
Reboot back to Normal Mode!
Go to the *WinPFind folder*
Locate *WinPFind.txt*
Place those results in the next post!


----------



## sparsby (Apr 10, 2006)

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
qoologic 6/26/2006 9:04:50 AM 12243523 C:\AVG7QT.DAT
urllogic 6/26/2006 9:04:50 AM 12243523 C:\AVG7QT.DAT
UPX! 6/25/2006 4:59:38 PM 299030 C:\combofix.exe
qoologic 6/30/2006 6:07:58 PM 204131 C:\WinPFind.zip

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
aspack 3/18/2005 5:19:58 PM 2337488 C:\WINDOWS\SYSTEM32\d3dx9_25.dll
PEC2 8/16/2003 1:40:04 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
aspack 2/17/2005 3:10:14 PM 702464 C:\WINDOWS\SYSTEM32\Incinerator.dll
PTech 5/17/2006 11:23:38 AM 579888 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 6/8/2006 7:19:50 PM 5967776 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 6/8/2006 7:19:50 PM 5967776 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 1:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 1:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 4/27/2006 5:49:30 PM 288417 C:\WINDOWS\SYSTEM32\SrchSTS.exe
UPX! 1/9/2006 10:36:04 AM 42496 C:\WINDOWS\SYSTEM32\swreg.exe
UPX! 1/9/2006 10:36:06 AM 40960 C:\WINDOWS\SYSTEM32\swsc.exe
aspack 6/12/2006 6:18:42 PM 307200 C:\WINDOWS\SYSTEM32\trjscan.trb
aspack 6/17/2006 1:46:58 AM 345088 C:\WINDOWS\SYSTEM32\trupd.trb
winsync 8/15/2003 8:41:44 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 6/26/2006 9:03:30 AM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 6/26/2006 9:03:30 AM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 6/26/2006 9:03:30 AM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 6/26/2006 9:03:30 AM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PTech 8/3/2004 11:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\Hosts
127.0.0.1 www.qoologic.com
127.0.0.1 www.urllogic.com

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
6/30/2006 6:10:28 PM S 2048 C:\WINDOWS\bootstat.dat
6/27/2006 7:09:06 PM H 54156 C:\WINDOWS\QTFont.qfn
5/4/2006 9:18:46 PM HS 7168 C:\WINDOWS\Thumbs.db
5/4/2006 9:15:44 PM RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index38.dat
5/9/2006 6:37:24 PM RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index40.dat
6/16/2006 9:20:00 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\8ecdf17e5a787c02ac0ed596ff4900f3\BIT4A.tmp
5/30/2006 7:31:54 AM RHS 56 C:\WINDOWS\system32\00370CD73E.sys
5/30/2006 7:31:54 AM HS 1682 C:\WINDOWS\system32\KGyGaAvL.sys
6/22/2006 5:18:30 AM S 13309 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911280.cat
5/5/2006 8:22:46 AM S 12227 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB914389.cat
5/29/2006 10:16:00 AM S 23751 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB916281.cat
5/18/2006 1:15:12 AM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB917344.cat
5/4/2006 6:37:36 PM S 7898 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB917734.cat
6/1/2006 2:28:56 PM S 11043 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918439.cat
6/30/2006 6:10:34 PM H 12288 C:\WINDOWS\system32\config\default.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\default_TU_72001.LOG
6/30/2006 6:10:34 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\SAM_TU_47360.LOG
6/30/2006 6:10:30 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\SECURITY_TU_50084.LOG
6/30/2006 6:10:38 PM H 57344 C:\WINDOWS\system32\config\software.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\software_TU_58035.LOG
6/30/2006 6:09:48 PM H 1024 C:\WINDOWS\system32\config\system.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\system_TU_79929.LOG
6/30/2006 9:15:30 AM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
5/9/2006 6:57:36 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\b67ba2ae-0372-4e38-bedc-e1aa55f9fcd6
5/9/2006 6:57:36 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
6/30/2006 6:13:44 PM H 330 C:\WINDOWS\Tasks\MP Scheduled Scan.job
6/30/2006 6:09:38 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 9/20/2004 3:20:44 PM 16121856 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 8/4/2004 1:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 5/3/2006 2:56:54 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/15/2003 7:49:58 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/15/2003 7:57:52 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 12/14/2003 6:20:50 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/15/2003 8:04:26 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 110592 C:\WINDOWS\SYSTEM32\dllcache\bthprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 380416 C:\WINDOWS\SYSTEM32\dllcache\irprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/15/2003 7:49:58 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/15/2003 7:57:52 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/15/2003 8:04:26 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
Intel Corporation 2/10/2004 7:53:24 PM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0001\DriverFiles\igfxcpl.cpl
Realtek Semiconductor Corp. 2/10/2004 2:19:32 AM 14224384 C:\WINDOWS\SYSTEM32\ReinstallBackups\0018\DriverFiles\ALSNDMGR.CPL


----------



## sparsby (Apr 10, 2006)

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
6/22/2006 5:29:20 PM 994 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
4/2/2004 1:55:28 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
12/31/2005 5:35:28 PM 807 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Run Nintendo Wi-Fi USB Connector Registration Tool.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
4/2/2004 5:46:32 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
4/2/2004 1:55:28 PM HS 84 C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
4/2/2004 5:46:32 AM HS 62 C:\Documents and Settings\Owner\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
sv1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Trojan Remover
{52B87208-9CCF-42C9-B88E-069281105805} = C:\PROGRA~1\TROJAN~1\Trshlex.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Trojan Remover
{52B87208-9CCF-42C9-B88E-069281105805} = C:\PROGRA~1\TROJAN~1\Trshlex.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console	: C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger	: C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
= 
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links	: %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = : 
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links	: %SystemRoot%\system32\SHELL32.dll
{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} = : 
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address	: %SystemRoot%\System32\browseui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
AVG7_CC	C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
Windows Defender	"C:\Program Files\Windows Defender\MSASCui.exe" -hide
QuickTime Task	"C:\Program Files\QuickTime\qttask.exe" -atboottime
SunJavaUpdateSched	C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
TrojanScanner	C:\Program Files\Trojan Remover\Trjscan.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandFrom

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandTo

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
ose	3
License Management Service ESD	3
C-DillaSrv	2
Adobe LM Service	3

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup	C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE 
item	Adobe Gamma Loader
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup	C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE 
item	Adobe Gamma Loader

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk
backup	C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkCommon Startup
location	Common Startup
item	MyWebSearch Email Plugin
backup	C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkCommon Startup
location	Common Startup
item	MyWebSearch Email Plugin

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk
backup	C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup
location	Startup
item	MyWebSearch Email Plugin
backup	C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup
location	Startup
item	MyWebSearch Email Plugin

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AGRSMMSG
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	AGRSMMSG
hkey	HKLM
command	AGRSMMSG.exe
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	AGRSMMSG
hkey	HKLM
command	AGRSMMSG.exe
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AlcxMonitor
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	ALCXMNTR
hkey	HKLM
command	ALCXMNTR.EXE
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	ALCXMNTR
hkey	HKLM
command	ALCXMNTR.EXE
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\avnort
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msmbw
hkey	HKLM
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msmbw
hkey	HKLM
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\googletalk
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	googletalk
hkey	HKCU
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	googletalk
hkey	HKCU
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HP Component Manager
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	hpcmpmgr
hkey	HKLM
command	"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	hpcmpmgr
hkey	HKLM
command	"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HPDJ Taskbar Utility
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	hpztsb10
hkey	HKLM
command	C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	hpztsb10
hkey	HKLM
command	C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\hpsysdrv
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	hpsysdrv
hkey	HKLM
command	c:\windows\system\hpsysdrv.exe
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	hpsysdrv
hkey	HKLM
command	c:\windows\system\hpsysdrv.exe
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KBD
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	KBD
hkey	HKLM
command	C:\HP\KBD\KBD.EXE
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	KBD
hkey	HKLM
command	C:\HP\KBD\KBD.EXE
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ltwob
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msmbw
hkey	HKLM
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msmbw
hkey	HKLM
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Microsoft Service Controller
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	services
hkey	HKCU
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	services
hkey	HKCU
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MsnMsgr
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msnmsgr
hkey	HKCU
command	"C:\Program Files\MSN Messenger\msnmsgr.exe" /background
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msnmsgr
hkey	HKCU
command	"C:\Program Files\MSN Messenger\msnmsgr.exe" /background
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PS2
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	ps2
hkey	HKLM
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	ps2
hkey	HKLM
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\pxtO
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	tqsry
hkey	HKLM
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	tqsry
hkey	HKLM
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	qttask
hkey	HKLM
command	"C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	qttask
hkey	HKLM
command	"C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Recguard
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	RECGUARD
hkey	HKLM
command	C:\WINDOWS\SMINST\RECGUARD.EXE
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	RECGUARD
hkey	HKLM
command	C:\WINDOWS\SMINST\RECGUARD.EXE
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RecordNow!
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	
hkey	HKCU
command	
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	
hkey	HKCU
command	
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\secure
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	Hhhegu
hkey	HKLM
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	Hhhegu
hkey	HKLM
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\serpe
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	formatsys
hkey	HKLM
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	formatsys
hkey	HKLM
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	jusched
hkey	HKLM
command	C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	jusched
hkey	HKLM
command	C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\version
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	Loetmn
hkey	HKLM
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	Loetmn
hkey	HKLM
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\VTTimer
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	VTTimer
hkey	HKLM
command	VTTimer.exe
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	VTTimer
hkey	HKLM
command	VTTimer.exe
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Windows Authority Service
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	lsass
hkey	HKLM
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	lsass
hkey	HKLM
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\winupdates
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	winupdates
hkey	HKLM
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	winupdates
hkey	HKLM
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:\Program Files

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini	0
win.ini	0
bootini	2
services	2
startup	2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments
ScanWithAntiVirus	2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoCDBurning	0
NoLowDiskSpaceChecks	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername	0
legalnoticecaption	
legalnoticetext	
shutdownwithoutlogon	1
undockwithoutlogon	1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun	145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableRegistryTools	0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit	= userinit.exe
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1	- Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 6/30/2006 6:16:21 PM


----------



## sparsby (Apr 10, 2006)

Windows Defender has the same virus listed 4 times in the quarantined section, why does it keep coming back?

Exploit:Win32/Wmfap High risk 7/1/2006/10:52AM

Exploit:Win32/Wmfap High risk 6/29/2006/4:59PM

Exploit:Win32/Wmfap High risk 6/29/2006/11:58AM

Exploit:Win32/Wmfap High risk 6/27/2006/1:33PM

Resources: 
file:
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\IKM68EUM\xpl[1].wmf

Spy Audit Results from Webroot Spy Sweeper, if it helps

http://img204.imageshack.us/img204/588/spyauditresults9tf.jpg


----------



## dvk01 (Dec 14, 2002)

loads of rubbish hidden in msconfig so

You have disabled lots of things from starting at boot time with MSconfig

doing that doesn't stop them running or being started by something else on the computer

At least one item there is known malware

go to start/run and type msconfig, press ok & on the start up tab enable *EVERYTHING*
Then on the general tab select normal start up, all drivers & services
press ok & reboot

post a new HJT log please
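The point dvk01 makes above is that an item unticked on MSConfig's Startup tab is not gone: MSConfig moves the Run value into `HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg`, which is exactly the section the WinPFind log printed. The script below is an added example (not part of dvk01's post or of WinPFind) that parses that section of such a log, reconstructs where each disabled value originally lived, and flags entries a helper would want to look at first. The sample log text is constructed in WinPFind's layout, and the three flagging rules are this example's own heuristics, not anything the tool itself reports.

```python
"""Triage the MSConfig\\startupreg section of a WinPFind-style log.

Each subkey under HKLM\\SOFTWARE\\Microsoft\\Shared Tools\\MSConfig\\startupreg
is a Run-key value that MSConfig set aside when it was unticked on the
Startup tab.  That only hides it from the normal Run key; another process
can re-create the value or launch the same file directly, so the entries
still need to be identified and cleaned, not just left disabled.
"""

# WinPFind prints each disabled entry as a header line naming the subkey,
# followed by tab-separated "name<TAB>value" lines, ended by a blank line.
STARTUPREG_PREFIX = (
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Shared Tools\\MSConfig\\startupreg\\"
)

# Core Windows processes are started by the kernel/session manager, never
# from a Run key, so an "item" with one of these names is worth a look.
SYSTEM_PROCESS_NAMES = {"smss", "csrss", "winlogon", "services", "lsass", "svchost", "spoolsv"}

# Constructed sample (not copied from a real machine) in WinPFind's layout.
# WinPFind lists every value twice; the parser tolerates the repetition.
SAMPLE_LOG = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Shared Tools\\MSConfig\\startupreg

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Shared Tools\\MSConfig\\startupreg\\QuickTime Task
key\tSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
item\tqttask
hkey\tHKLM
command\t"C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
inimapping\t0
key\tSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
item\tqttask
hkey\tHKLM
command\t"C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
inimapping\t0

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Shared Tools\\MSConfig\\startupreg\\Windows Authority Service
key\tSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
item\tlsass
hkey\tHKLM
inimapping\t0

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Shared Tools\\MSConfig\\startupreg\\VTTimer
key\tSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
item\tVTTimer
hkey\tHKLM
command\tVTTimer.exe
inimapping\t0
"""


def parse_startupreg(text):
    """Return a list of {"name": subkey, "values": {name: value}} entries."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith(STARTUPREG_PREFIX):
            current = {"name": line[len(STARTUPREG_PREFIX):], "values": {}}
            entries.append(current)
        elif current is not None and "\t" in line:
            key, value = line.split("\t", 1)
            current["values"][key.strip()] = value.strip()  # repeats overwrite identically
        elif not line:
            current = None  # blank line closes the entry
    return entries


def original_location(entry):
    """Registry path the value occupied before MSConfig moved it aside."""
    v = entry["values"]
    return f"{v.get('hkey', '?')}\\{v.get('key', '?')}\\{v.get('item', '?')}"


def assess(entry):
    """Heuristic findings for one disabled entry (this example's own rules)."""
    v = entry["values"]
    item, cmd = v.get("item", ""), v.get("command")
    findings = []
    if not cmd:
        findings.append("no command recorded: the log does not show what this entry launched")
    elif "\\" not in cmd and "/" not in cmd:
        findings.append("bare file name resolved via the PATH search order: location not verifiable from the log")
    if item.lower() in SYSTEM_PROCESS_NAMES:
        findings.append(f"item '{item}' reuses a core Windows process name, which never starts from a Run key")
    return findings


def triage(text):
    """Map each flagged entry name to its findings; clean entries are omitted."""
    return {e["name"]: f for e in parse_startupreg(text) if (f := assess(e))}


if __name__ == "__main__":
    for entry in parse_startupreg(SAMPLE_LOG):
        print(f"{entry['name']}: was {original_location(entry)}")
        for finding in assess(entry):
            print(f"    - {finding}")
```

Run it against the `startupreg` block of a WinPFind log and the entries with no command line or with a system-process name surface immediately, while fully specified entries such as QuickTime Task drop out. This is an aid to reading the log, which is why the thread still asks for everything to be re-enabled in MSConfig first: the cleanup tools only act on entries that are back in the real Run key.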


----------



## sparsby (Apr 10, 2006)

Logfile of HijackThis v1.99.1
Scan saved at 12:24:55 PM, on 7/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe
C:\WINDOWS\system32\VTTimer.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Webroot\Desktop Firewall\WDFDataService.exe
C:\Program Files\Webroot\Desktop Firewall\FirewallNTService.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\Webroot\POP-UP~1\PopUpWasher.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Popup Killer - {4A3A071E-F913-4eee-AE15-AEFFA16FB6BC} - C:\PROGRA~1\Webroot\POP-UP~1\VAPopupKiller.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [WebrootDesktopFirewall] C:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe -t
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [PopUpWasher] C:\PROGRA~1\Webroot\POP-UP~1\PopUpWasher.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.1.87.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Webroot Desktop Firewall Data Service (WebrootDesktopFirewallDataService) - Webroot Software, Inc. - C:\Program Files\Webroot\Desktop Firewall\WDFDataService.exe
O23 - Service: Webroot Desktop Firewall (WebrootFirewall) - Unknown owner - C:\Program Files\Webroot\Desktop Firewall\FirewallNTService.exe

I downloaded the webroot firewall and it has pretty much stopped everything from happening, 30 day trial along with the pop up washer. I have my own firewall program sitting on the desk. ZoneAlarm Pro 4. Why does everything have to cost money?!?


----------



## dvk01 (Dec 14, 2002)

just blocking with a firewall isn't curing the problem completely 
we need to remove all the crap from the computer


do what I said in previous post about msconfig so we can remove properly all the junk


----------



## sparsby (Apr 10, 2006)

It has been done, what is your second wish?


----------



## dvk01 (Dec 14, 2002)

post the new HJT log then so we can clean up


----------



## sparsby (Apr 10, 2006)

That's what was in my second last post. Here's one I just did though

Logfile of HijackThis v1.99.1
Scan saved at 4:57:28 PM, on 7/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe
C:\WINDOWS\system32\VTTimer.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Webroot\Desktop Firewall\WDFDataService.exe
C:\Program Files\Webroot\Desktop Firewall\FirewallNTService.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\Webroot\POP-UP~1\PopUpWasher.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Popup Killer - {4A3A071E-F913-4eee-AE15-AEFFA16FB6BC} - C:\PROGRA~1\Webroot\POP-UP~1\VAPopupKiller.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [WebrootDesktopFirewall] C:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe -t
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [PopUpWasher] C:\PROGRA~1\Webroot\POP-UP~1\PopUpWasher.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.1.87.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Webroot Desktop Firewall Data Service (WebrootDesktopFirewallDataService) - Webroot Software, Inc. - C:\Program Files\Webroot\Desktop Firewall\WDFDataService.exe
O23 - Service: Webroot Desktop Firewall (WebrootFirewall) - Unknown owner - C:\Program Files\Webroot\Desktop Firewall\FirewallNTService.exe


----------



## dvk01 (Dec 14, 2002)

nothing showing there so what has happened to all the entries that wpfind was showing me were disabled by msconfig

please run wpfind again & post its log


----------



## sparsby (Apr 10, 2006)

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
qoologic 6/26/2006 9:04:50 AM 12243523 C:\AVG7QT.DAT
urllogic 6/26/2006 9:04:50 AM 12243523 C:\AVG7QT.DAT
UPX! 6/25/2006 4:59:38 PM 299030 C:\combofix.exe
qoologic 6/30/2006 6:07:58 PM 204131 C:\WinPFind.zip

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
aspack 3/18/2005 5:19:58 PM 2337488 C:\WINDOWS\SYSTEM32\d3dx9_25.dll
PEC2 8/16/2003 1:40:04 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
aspack 2/17/2005 3:10:14 PM 702464 C:\WINDOWS\SYSTEM32\Incinerator.dll
PTech 5/17/2006 11:23:38 AM 579888 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 6/8/2006 7:19:50 PM 5967776 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 6/8/2006 7:19:50 PM 5967776 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 1:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 1:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 4/27/2006 5:49:30 PM 288417 C:\WINDOWS\SYSTEM32\SrchSTS.exe
UPX! 1/9/2006 10:36:04 AM 42496 C:\WINDOWS\SYSTEM32\swreg.exe
UPX! 1/9/2006 10:36:06 AM 40960 C:\WINDOWS\SYSTEM32\swsc.exe
winsync 8/15/2003 8:41:44 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 6/26/2006 9:03:30 AM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 6/26/2006 9:03:30 AM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 6/26/2006 9:03:30 AM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 6/26/2006 9:03:30 AM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PTech 8/3/2004 11:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\Hosts
127.0.0.1 www.qoologic.com
127.0.0.1 www.urllogic.com

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
7/2/2006 12:23:56 PM S 2048 C:\WINDOWS\bootstat.dat
6/30/2006 6:41:28 PM H 54156 C:\WINDOWS\QTFont.qfn
5/9/2006 6:37:24 PM RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index40.dat
6/16/2006 9:20:00 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\8ecdf17e5a787c02ac0ed596ff4900f3\BIT4A.tmp
5/30/2006 7:31:54 AM RHS 56 C:\WINDOWS\system32\00370CD73E.sys
5/30/2006 7:31:54 AM HS 1682 C:\WINDOWS\system32\KGyGaAvL.sys
6/22/2006 5:18:30 AM S 13309 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911280.cat
5/29/2006 10:16:00 AM S 23751 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB916281.cat
5/18/2006 1:15:12 AM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB917344.cat
6/1/2006 2:28:56 PM S 11043 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918439.cat
7/4/2006 8:21:06 AM H 1024 C:\WINDOWS\system32\config\default.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\default_TU_72001.LOG
7/2/2006 12:23:58 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\SAM_TU_47360.LOG
7/4/2006 3:32:38 PM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\SECURITY_TU_50084.LOG
7/4/2006 4:38:08 PM H 1024 C:\WINDOWS\system32\config\software.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\software_TU_58035.LOG
7/4/2006 4:00:56 PM H 1024 C:\WINDOWS\system32\config\system.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\system_TU_79929.LOG
7/4/2006 2:16:02 AM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
5/9/2006 6:57:36 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\b67ba2ae-0372-4e38-bedc-e1aa55f9fcd6
5/9/2006 6:57:36 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
7/4/2006 2:14:38 AM H 330 C:\WINDOWS\Tasks\MP Scheduled Scan.job
7/2/2006 12:24:00 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 9/20/2004 3:20:44 PM 16121856 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 8/4/2004 1:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 5/3/2006 2:56:54 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/15/2003 7:49:58 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/15/2003 7:57:52 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 12/14/2003 6:20:50 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/15/2003 8:04:26 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 110592 C:\WINDOWS\SYSTEM32\dllcache\bthprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 380416 C:\WINDOWS\SYSTEM32\dllcache\irprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/15/2003 7:49:58 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/15/2003 7:57:52 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/15/2003 8:04:26 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
Intel Corporation 2/10/2004 7:53:24 PM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0001\DriverFiles\igfxcpl.cpl
Realtek Semiconductor Corp. 2/10/2004 2:19:32 AM 14224384 C:\WINDOWS\SYSTEM32\ReinstallBackups\0018\DriverFiles\ALSNDMGR.CPL


----------



## sparsby (Apr 10, 2006)

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
8/4/2005 6:54:54 PM 994 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
4/2/2004 1:55:28 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
12/31/2005 5:35:28 PM 807 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Run Nintendo Wi-Fi USB Connector Registration Tool.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
4/2/2004 5:46:32 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
4/2/2004 1:55:28 PM HS 84 C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
4/2/2004 5:46:32 AM HS 62 C:\Documents and Settings\Owner\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
sv1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Trojan Remover
{52B87208-9CCF-42C9-B88E-069281105805} = C:\PROGRA~1\TROJAN~1\Trshlex.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Trojan Remover
{52B87208-9CCF-42C9-B88E-069281105805} = C:\PROGRA~1\TROJAN~1\Trshlex.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A3A071E-F913-4eee-AE15-AEFFA16FB6BC}
Popup Killer = C:\PROGRA~1\Webroot\POP-UP~1\VAPopupKiller.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console	: C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger	: C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
= 
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links	: %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = : 
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links	: %SystemRoot%\system32\SHELL32.dll
{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} = : 
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address	: %SystemRoot%\System32\browseui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
AVG7_CC	C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
Windows Defender	"C:\Program Files\Windows Defender\MSASCui.exe" -hide
QuickTime Task	"C:\Program Files\QuickTime\qttask.exe" -atboottime
SunJavaUpdateSched	C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
WebrootDesktopFirewall	C:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe -t
VTTimer	VTTimer.exe
Recguard	C:\WINDOWS\SMINST\RECGUARD.EXE
KBD	C:\HP\KBD\KBD.EXE
hpsysdrv	c:\windows\system\hpsysdrv.exe
HPDJ Taskbar Utility	C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
HP Component Manager	"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
AlcxMonitor	ALCXMNTR.EXE
AGRSMMSG	AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
PopUpWasher	C:\PROGRA~1\Webroot\POP-UP~1\PopUpWasher.exe
RecordNow!	
MsnMsgr	"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandFrom

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandTo

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
ose	3
C-DillaSrv	2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk
backup	C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkCommon Startup
location	Common Startup
item	MyWebSearch Email Plugin
backup	C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkCommon Startup
location	Common Startup
item	MyWebSearch Email Plugin

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk
backup	C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup
location	Startup
item	MyWebSearch Email Plugin
backup	C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup
location	Startup
item	MyWebSearch Email Plugin

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\avnort
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msmbw
hkey	HKLM
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msmbw
hkey	HKLM
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\googletalk
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	googletalk
hkey	HKCU
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	googletalk
hkey	HKCU
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ltwob
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msmbw
hkey	HKLM
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msmbw
hkey	HKLM
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Microsoft Service Controller
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	services
hkey	HKCU
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	services
hkey	HKCU
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PS2
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	ps2
hkey	HKLM
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	ps2
hkey	HKLM
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\pxtO
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	tqsry
hkey	HKLM
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	tqsry
hkey	HKLM
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\secure
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	Hhhegu
hkey	HKLM
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	Hhhegu
hkey	HKLM
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\serpe
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	formatsys
hkey	HKLM
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	formatsys
hkey	HKLM
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\version
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	Loetmn
hkey	HKLM
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	Loetmn
hkey	HKLM
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Windows Authority Service
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	lsass
hkey	HKLM
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	lsass
hkey	HKLM
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\winupdates
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	winupdates
hkey	HKLM
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	winupdates
hkey	HKLM
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:\Program Files

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini	0
win.ini	0
bootini	0
services	0
startup	0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments
ScanWithAntiVirus	2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoCDBurning	0
NoLowDiskSpaceChecks	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername	0
legalnoticecaption	
legalnoticetext	
shutdownwithoutlogon	1
undockwithoutlogon	1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun	145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableRegistryTools	0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit	= userinit.exe
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1	- Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 7/4/2006 4:41:33 PM


----------



## dvk01 (Dec 14, 2002)

Lots of things are still being shown as disabled in msconfig.

Please do this.

You have disabled lots of things from starting at boot time with MSConfig.

Doing that doesn't stop them running or being started by something else on the computer.

At least one item there is known malware.

Go to Start/Run and type msconfig, press OK & on the Startup tab enable *EVERYTHING*.
Then on the General tab select Normal Startup, all drivers & services.
Press OK & reboot.

Post a new HJT log please.


----------
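To make dvk01's point concrete: an item unchecked in msconfig is only parked under HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg, which is why the WinPFind log above still lists it, and whatever file it launched is still on disk. The Python script below is an added example, not a tool from this thread: it parses those startupreg entries out of a constructed excerpt of the log (spaces stand in for the log's tabs), flags entries whose Run value is named after a system process (lsass, services) or whose label impersonates a Microsoft component, and writes the .reg text that would delete the flagged MSConfig keys. The allow-list (googletalk, ps2) is an assumption about this particular machine.

```python
"""Triage MSConfig\\startupreg leftovers from a WinPFind log (added example).

Unchecking an item on msconfig's Startup tab moves its Run value under
HKLM\\SOFTWARE\\Microsoft\\Shared Tools\\MSConfig\\startupreg\\<label>; the file
it launched stays on disk and anything else can still start it.
"""
import re

MSCONFIG = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig"
STARTUPREG = MSCONFIG + "\\startupreg\\"

# Processes Windows starts itself (session manager, winlogon, the SCM). A Run
# value carrying one of these names is a masquerade, never the real binary.
CORE_PROCESSES = {"smss", "csrss", "winlogon", "services", "lsass", "svchost", "explorer"}
# Labels that borrow Microsoft's name to look legitimate.
IMPERSONATION = re.compile(r"^(windows|microsoft)\b", re.I)
# Assumed allow-list for this machine: Google Talk and HP's PS2.exe keyboard helper.
KNOWN_GOOD = {"googletalk", "ps2"}

# Constructed excerpt of the WinPFind log above (same entries, spaces for tabs).
SAMPLE_LOG = r"""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\avnort
key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item  msmbw
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\googletalk
key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item  googletalk
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Microsoft Service Controller
key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item  services
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Windows Authority Service
key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item  lsass
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\winupdates
key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item  winupdates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini  0
"""


def parse_startupreg(log_text):
    """Return one dict per MSConfig\\startupreg\\<label> key found in the log."""
    entries, current = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith(STARTUPREG) and len(line) > len(STARTUPREG):
            current = {"name": line[len(STARTUPREG):]}
            entries.append(current)
        elif current is not None and (m := re.match(r"^(key|item|hkey|inimapping)\s+(\S.*)$", line)):
            current[m.group(1)] = m.group(2).strip()
        elif line.startswith("HKEY_") or line.startswith("["):
            current = None  # left the startupreg subtree
    return entries


def triage(entries):
    """Classify each leftover; returns (label, item, severity, reasons) tuples."""
    findings = []
    for e in entries:
        name, item = e["name"], e.get("item")
        if item is None or "key" not in e:
            findings.append((name, item, "high", ["label is binary junk with no item/key values"]))
            continue
        reasons = []
        if item.lower() in CORE_PROCESSES:
            reasons.append(f"Run value named after system process '{item}', which Windows never starts from Run")
        if IMPERSONATION.match(name):
            reasons.append(f"label '{name}' impersonates a Microsoft component")
        if reasons:
            findings.append((name, item, "high", reasons))
        elif item.lower() not in KNOWN_GOOD:
            findings.append((name, item, "review", [f"unrecognised Run value '{item}'; check what file it launched"]))
    return findings


def removal_reg(findings):
    """Build .reg text deleting the high-severity MSConfig keys ('[-key]' deletes a key).
    Labels with binary junk cannot be typed reliably; they are returned for manual deletion.
    Deleting the MSConfig key removes only msconfig's bookkeeping, not the launched file."""
    lines, manual = ["Windows Registry Editor Version 5.00", ""], []
    for name, _item, severity, _reasons in findings:
        if severity != "high":
            continue
        if name.isascii() and name.isprintable():
            lines.append(f"[-{MSCONFIG}\\startupreg\\{name}]")
        else:
            manual.append(name)
    lines.append("")
    return "\r\n".join(lines), manual


if __name__ == "__main__":
    found = triage(parse_startupreg(SAMPLE_LOG))
    for name, item, sev, reasons in found:
        print(f"[{sev:6}] {name!r} -> item {item!r}: " + "; ".join(reasons))
    reg, manual = removal_reg(found)
    print(reg)
    print("delete by hand in regedit:", manual)
```

Deleting the MSConfig key only removes the record msconfig keeps for re-enabling the item; the file the Run value pointed at is untouched, which is exactly why re-enabling everything and reading a fresh HijackThis log is the right next step.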



## sparsby (Apr 10, 2006)

I don't know why, but everything is checked in every tab except for boot.ini.
AVG found some new things this morning as well in C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-2b98ddc6-543dd54a.zip
AND
Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-74b2599d-2071cb07.zip

Virus Identified Java/ByteVerify

4 of each of those file names

Goes like this:
(at the end of .zip)
:\BlackBox.class
:\VerifierBug.class
:\Beyond.class

:\BlackBox.class
:\VerifierBug.class
:\Beyond.class

The blank spaces at the end of each section have a status of Infected, Archive, while the rest are Infected, Embedded object.

None were healed.

Ran HijackThis after startup:

Logfile of HijackThis v1.99.1
Scan saved at 8:43:35 AM, on 7/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe
C:\WINDOWS\system32\VTTimer.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\Webroot\POP-UP~1\PopUpWasher.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Desktop Firewall\WDFDataService.exe
C:\Program Files\Webroot\Desktop Firewall\FirewallNTService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Popup Killer - {4A3A071E-F913-4eee-AE15-AEFFA16FB6BC} - C:\PROGRA~1\Webroot\POP-UP~1\VAPopupKiller.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [WebrootDesktopFirewall] C:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe -t
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [PopUpWasher] C:\PROGRA~1\Webroot\POP-UP~1\PopUpWasher.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.1.87.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Webroot Desktop Firewall Data Service (WebrootDesktopFirewallDataService) - Webroot Software, Inc. - C:\Program Files\Webroot\Desktop Firewall\WDFDataService.exe
O23 - Service: Webroot Desktop Firewall (WebrootFirewall) - Unknown owner - C:\Program Files\Webroot\Desktop Firewall\FirewallNTService.exe


----------



## dvk01 (Dec 14, 2002)

The Java problems are easy to fix.

Removing Java trojans that your antivirus has found:
If you are still using Java 1.4 or earlier,
open Control Panel, select the Java Plug-in control panel, select Cache and then press Clear Cache.

That gets rid of the trojans.
If you are using version 1.5 it's slightly different, so read here:

http://www.java.com/en/download/help/5000020300.xml

I'll get back to you about the others.


----------
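AVG's hits sit inside the Java plug-in's deployment cache, which is just a directory of jar/zip files the applet runtime saved under random names; clearing the cache, as dvk01 describes, deletes them. The script below is an added example, not part of dvk01's instructions or any tool in this thread: it builds a constructed stand-in for the cache directory, opens each archive and confirms the class names AVG reported (BlackBox.class, VerifierBug.class, Beyond.class) before deleting that archive and the .idx index file assumed to sit beside it. It inspects archive contents rather than file names because the cache names carry no information about what an applet contains.

```python
"""Confirm and purge cached applet archives carrying the ByteVerify class names
reported above (added example). The plug-in cache is a plain directory, so
selective removal is the same operation as 'clear cache', done with eyes open.
"""
import os
import shutil
import tempfile
import zipfile

# Class names quoted from the AVG report above for the count.jar archives.
EXPLOIT_CLASSES = {"BlackBox.class", "VerifierBug.class", "Beyond.class"}


def scan_cache(root):
    """Walk the cache; return (path, matching class names) for every archive that
    contains at least one of EXPLOIT_CLASSES, whatever its file name or extension."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in sorted(files):
            path = os.path.join(dirpath, fn)
            if not zipfile.is_zipfile(path):
                continue  # .idx bookkeeping files and the like
            try:
                with zipfile.ZipFile(path) as zf:
                    members = {os.path.basename(n) for n in zf.namelist()}
            except zipfile.BadZipFile:
                continue
            matched = sorted(members & EXPLOIT_CLASSES)
            if matched:
                hits.append((path, matched))
    return hits


def purge(hits):
    """Delete each flagged archive plus the .idx companion the plug-in is assumed
    to keep beside it; return the paths actually removed."""
    removed = []
    for path, _classes in hits:
        for victim in (path, os.path.splitext(path)[0] + ".idx"):
            if os.path.exists(victim):
                os.remove(victim)
                removed.append(victim)
    return removed


def build_sample_cache():
    """Constructed stand-in for ...\\Sun\\Java\\Deployment\\cache: one archive with
    the reported class names (file name taken from the AVG hit) and one benign applet."""
    root = tempfile.mkdtemp(prefix="javacache-")
    jar_dir = os.path.join(root, "javapi", "v1.0", "jar")
    os.makedirs(jar_dir)
    bad = os.path.join(jar_dir, "count.jar-2b98ddc6-543dd54a.zip")
    with zipfile.ZipFile(bad, "w") as zf:
        for cls in sorted(EXPLOIT_CLASSES):
            zf.writestr(cls, b"\xca\xfe\xba\xbe")  # class-file magic only, not real bytecode
    open(os.path.splitext(bad)[0] + ".idx", "wb").close()  # empty stand-in index file
    with zipfile.ZipFile(os.path.join(jar_dir, "game.jar-00000000-00000000.zip"), "w") as zf:
        zf.writestr("Game.class", b"\xca\xfe\xba\xbe")
    return root


def cleanup(root):
    """Remove the constructed cache directory."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    cache = build_sample_cache()
    hits = scan_cache(cache)
    for path, classes in hits:
        print(f"{path}: {', '.join(classes)}")
    print("removed:", purge(hits))
    print("left after purge:", scan_cache(cache))
    cleanup(cache)
```

Point scan_cache at the real cache path from AVG's report to run it against a live profile; the benign game.jar archive in the sample is there to show that only archives containing the reported classes are touched.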



## dvk01 (Dec 14, 2002)

Download the attached remove.zip & unzip it to the desktop.

It will have a remove.reg file there.

Double-click it & say yes to the prompts to merge with the registry.

That will remove the entries we were worried about.


----------



## sparsby (Apr 10, 2006)

Java stuff is gone


Used the remove thing; do you want a new HJT log or anything?

PC still takes focus I guess off of my windows when I turned the firewall off.


----------



## dvk01 (Dec 14, 2002)

Can you be a bit more specific about exactly what is happening?

what do you mean by _"PC still takes focus I guess off of my windows when I turned the firewall off."_


----------



## sparsby (Apr 10, 2006)

It's hard to explain.


When you are using a window, like Internet Explorer, there is a dark grey bar at the top that shows that you are using it. For explanation purposes let's say this window is not maximized so you can see the desktop behind it. If you were to click on the desktop that grey bar at the top of the Internet Explorer window turns into an unshaded version and is very light grey. That's what happens when I turn the firewall off (I didn't click anything, this just happens on its own) and is what happened at the beginning of this whole mess. During a full-screen game though the situation changes a bit: instead of a bar turning colors notifying me of it no longer being used, the game closes to the desktop (it's still running and everything but now I'm at the desktop).

There we go, explained.


----------



## dvk01 (Dec 14, 2002)

The changes when you click on the desktop are supposed to happen, and the bar on the open window changes to tell you that you no longer have focus on that window.

But if games are crashing out & closing, that sounds like a bug in the game.

I don't think it's a security-related problem, but just in case:

Go to here and download 'Startup list V2'.

Save it to the desktop or other suitable place.

Double-click it to start it and when it has finished scanning press File/Save As and save its report.

Post that report back here for us to analyse.

You will need to attach the file as it contains too much to post in the thread.

DO NOT panic: there will be a lot of needed entries, so we will need a short while to look through it and see if there are any unwanted or dangerous ones.

and

Download GMER from http://www.gmer.net

Save it somewhere safe & unzip it to the desktop.

Double-click gmer.exe to run it and select the Rootkit tab, press Scan & when it has finished press Save & copy the log back here.


----------



## sparsby (Apr 10, 2006)

_The changes when you click on the desktop are supposed to happen, and the bar on the open window changes to tell you that you no longer have focus on that window._

I know that's supposed to happen, but the problem is that it happens even if I'm not doing anything, or in the middle of typing a message, whenever I have the firewall off.

About games, it has never happened before and only happens while the firewall is off. It's like it doesn't have a bar so it just goes to the desktop, kind of thing.


----------



## dvk01 (Dec 14, 2002)

GMER is seeing everything as hidden and misidentifying lots of valid services as rootkits because of that.

I am going to ask its developer to look at this and see what he thinks, but I suspect it's one of your security programs causing the problem.

I've never seen it list ntoskrnl before, and all the system files.


----------



## sparsby (Apr 10, 2006)

Could be; I disabled all the stuff I could in the task tray while running it (firewall and pop-up washer thing).


----------



## dvk01 (Dec 14, 2002)

The most likely cause was that you had enabled the 'show all' button, and that can cause that behaviour.

I can't see anything in the startup list either, so I really don't know what is causing the problem.


----------



## sparsby (Apr 10, 2006)

GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-07-07 17:16:12
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.10 ----

SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwTerminateProcess

---- Devices - GMER 1.0.10 ----

Device \Driver\pwipf2 \Device\pwipf2 IRP_MJ_SHUTDOWN [F7A4185A] avgtdi.sys

---- EOF - GMER 1.0.10 ----

Double-checked that the 'show all' button wasn't checked; I must have hit it last time trying to start the scan.

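The GMER log above is short enough to read by eye, but the earlier run (where GMER listed "everything as hidden") is the kind of output that is easier to triage mechanically. The following Python is an added example, not code from this thread or from GMER: it parses the `SSDT` and `Device` lines, attributes each hook to the driver that installed it, and separates hooks that a self-protecting security product is expected to place (ewido's guard.sys hooking ZwOpenProcess and ZwTerminateProcess, as in the posted log, so that malware cannot open or kill its process) from enumeration hooks placed by a driver outside any known vendor path, which is the pattern a rootkit leaves. The vendor allow-list is an assumption drawn from the products named in this thread, and the xyzzy.sys line in the sample is invented to exercise the "unknown" branch.

```python
import re
from collections import Counter

# Constructed sample in the shape of the GMER 1.0.10 log posted above: the two
# SSDT entries and the device-hook line from the post, plus one invented hook
# (xyzzy.sys) so the unknown-driver branch is exercised.
SAMPLE_GMER_LOG = r"""
---- System - GMER 1.0.10 ----

SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwTerminateProcess
SSDT \??\C:\WINDOWS\system32\drivers\xyzzy.sys ZwQueryDirectoryFile

---- Devices - GMER 1.0.10 ----

Device \Driver\pwipf2 \Device\pwipf2 IRP_MJ_SHUTDOWN [F7A4185A] avgtdi.sys
"""

# Hypothetical allow-list built from the products installed on the machine in
# this thread (ewido, AVG, Windows Defender, Webroot, Sunbelt). Extend it for
# the products on the box you are triaging; do not widen it to "anything in
# Program Files", since droppers install there too.
KNOWN_SECURITY_MODULES = {
    "guard.sys": "ewido anti-spyware",
    "avgtdi.sys": "AVG",
    "avg7core.sys": "AVG",
}
KNOWN_SECURITY_DIRS = ("ewido anti-spyware", "grisoft", "windows defender",
                       "webroot", "sunbelt software")

# Calls a self-protecting AV hooks to stop its process being opened or killed.
SELF_PROTECTION_CALLS = {"ZwOpenProcess", "ZwTerminateProcess",
                         "ZwOpenThread", "ZwWriteVirtualMemory"}
# Calls a rootkit hooks to filter what directory, registry and process
# listings return, i.e. to hide itself.
HIDING_CALLS = {"ZwQueryDirectoryFile", "ZwQuerySystemInformation",
                "ZwEnumerateKey", "ZwEnumerateValueKey"}

SSDT_RE = re.compile(r"^SSDT\s+(?P<module>.+?\.sys)\s+(?P<func>Zw\w+)\s*$", re.I)
DEVICE_RE = re.compile(
    r"^Device\s+(?P<driver>\\Driver\\\S+)\s+(?P<device>\\Device\\\S+)\s+"
    r"(?P<irp>IRP_MJ_\w+)\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<module>\S+)\s*$")


def classify_module(module_path):
    """Return (driver basename, verdict) for the module that owns a hook."""
    name = module_path.rsplit("\\", 1)[-1].lower()
    if name in KNOWN_SECURITY_MODULES:
        return name, "known security product: " + KNOWN_SECURITY_MODULES[name]
    if any(d in module_path.lower() for d in KNOWN_SECURITY_DIRS):
        return name, "driver under a known security-product directory"
    return name, "unknown driver: verify signature and vendor"


def triage_gmer(log_text):
    """Parse SSDT and Device lines and attach a verdict to each hook."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = SSDT_RE.match(line)
        if m:
            name, verdict = classify_module(m["module"])
            func = m["func"]
            if func in HIDING_CALLS and verdict.startswith("unknown"):
                verdict = "HIGH: enumeration hook from unknown driver (rootkit pattern)"
            elif func in SELF_PROTECTION_CALLS and not verdict.startswith("unknown"):
                verdict += " (self-protection hook, expected)"
            findings.append({"kind": "SSDT", "module": name, "target": func, "verdict": verdict})
            continue
        m = DEVICE_RE.match(line)
        if m:
            name, verdict = classify_module(m["module"])
            findings.append({"kind": "Device", "module": name, "target": m["irp"], "verdict": verdict})
    return findings


def hooks_per_driver(findings):
    """Count hooks per driver so one chatty product does not bury a lone unknown."""
    return Counter(f["module"] for f in findings)


if __name__ == "__main__":
    found = triage_gmer(SAMPLE_GMER_LOG)
    for f in found:
        print(f"{f['kind']:6} {f['module']:12} {f['target']:22} {f['verdict']}")
    print(hooks_per_driver(found))
```

On the posted log this reports the two guard.sys hooks and the avgtdi.sys device hook as expected; only the invented xyzzy.sys line is raised. Running it against the earlier "everything hidden" log would tell you quickly whether the noise came from a handful of drivers (a security product, as dvk01 suspected) or from one unknown module hooking the enumeration calls.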

----------



## dvk01 (Dec 14, 2002)

As I said, I can't see anything, so I have absolutely no idea.


----------



## sparsby (Apr 10, 2006)

And if you have no idea, I have no idea


----------



## dvk01 (Dec 14, 2002)

I've asked other mods to look at it in case they can see something


----------



## Cookiegal (Aug 27, 2003)

Did you ever download the patch for the WMF exploit?

I'd like to try a couple of things. First, let's do this:

Disable Ewidos and Windows Defender realtime protection as they may be blocking the changes to the registry:


Open Ewido by double-clicking the yellow 'E' icon in the system tray. 
In the 'Your security status' section, toggle the Ewido Guard real-time protection 'off' by clicking 'active', which will then change the protection status to 'inactive'. 
When you reboot, Ewido will prompt you as to whether you would like to "Restart the guard?". 
Reply 'no' and set it to 'inactive' for the duration of your cleanup.

Do the same with Windows Defender:


Click on "Tools" 
Click on "General Settings" 
Scroll down to "Real-time protection options" 
Uncheck "Turn on Real-time protection (recommended)" 
Click "Save"

Then run dvk01s remove.reg file again and allow it to enter into the registry.

Reboot and run a new WinpFind log and post that log please.


----------



## sparsby (Apr 10, 2006)

Thank you for taking over, Cookiegal. The white mark that I had in the top left corner is also gone.

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
qoologic 6/26/2006 9:04:50 AM 12243523 C:\AVG7QT.DAT
urllogic 6/26/2006 9:04:50 AM 12243523 C:\AVG7QT.DAT
UPX! 6/25/2006 4:59:38 PM 299030 C:\combofix.exe
qoologic 6/30/2006 6:07:58 PM 204131 C:\WinPFind.zip

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
aspack 3/18/2005 5:19:58 PM 2337488 C:\WINDOWS\SYSTEM32\d3dx9_25.dll
PEC2 8/16/2003 1:40:04 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
aspack 2/17/2005 3:10:14 PM 702464 C:\WINDOWS\SYSTEM32\Incinerator.dll
PTech 6/19/2006 4:19:42 PM 571184 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 6/8/2006 7:19:50 PM 5967776 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 6/8/2006 7:19:50 PM 5967776 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 1:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 1:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 4/27/2006 5:49:30 PM 288417 C:\WINDOWS\SYSTEM32\SrchSTS.exe
UPX! 1/9/2006 10:36:04 AM 42496 C:\WINDOWS\SYSTEM32\swreg.exe
UPX! 1/9/2006 10:36:06 AM 40960 C:\WINDOWS\SYSTEM32\swsc.exe
winsync 8/15/2003 8:41:44 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
PTech 6/19/2006 4:19:26 PM 304944 C:\WINDOWS\SYSTEM32\WgaTray.exe

Checking %System%\Drivers folder and sub-folders...
UPX! 6/26/2006 9:03:30 AM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 6/26/2006 9:03:30 AM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 6/26/2006 9:03:30 AM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 6/26/2006 9:03:30 AM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PTech 8/3/2004 11:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\Hosts
127.0.0.1 www.qoologic.com
127.0.0.1 www.urllogic.com

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
7/10/2006 11:08:16 AM S 2048 C:\WINDOWS\bootstat.dat
7/5/2006 12:56:58 PM H 54156 C:\WINDOWS\QTFont.qfn
6/16/2006 9:20:00 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\8ecdf17e5a787c02ac0ed596ff4900f3\BIT4A.tmp
5/30/2006 7:31:54 AM RHS 56 C:\WINDOWS\system32\00370CD73E.sys
5/30/2006 7:31:54 AM HS 1682 C:\WINDOWS\system32\KGyGaAvL.sys
6/22/2006 5:18:30 AM S 13309 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911280.cat
5/29/2006 10:16:00 AM S 23751 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB916281.cat
5/18/2006 1:15:12 AM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB917344.cat
6/1/2006 2:28:56 PM S 11043 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918439.cat
6/19/2006 4:20:58 PM S 7160 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WgaNotify.cat
7/10/2006 11:08:46 AM H 1024 C:\WINDOWS\system32\config\default.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\default_TU_72001.LOG
7/10/2006 11:08:16 AM H 1024 C:\WINDOWS\system32\config\SAM.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\SAM_TU_47360.LOG
7/10/2006 11:12:26 AM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\SECURITY_TU_50084.LOG
7/10/2006 11:09:30 AM H 1024 C:\WINDOWS\system32\config\software.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\software_TU_58035.LOG
7/10/2006 11:09:16 AM H 1024 C:\WINDOWS\system32\config\system.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\system_TU_79929.LOG
7/10/2006 1:47:30 AM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
7/9/2006 9:39:00 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\c6d568a4-a4b4-48cd-a445-08b6d7558879
7/9/2006 9:39:00 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
7/10/2006 11:11:20 AM H 330 C:\WINDOWS\Tasks\MP Scheduled Scan.job
7/10/2006 11:08:18 AM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 9/20/2004 3:20:44 PM 16121856 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 8/4/2004 1:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 5/3/2006 2:56:54 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/15/2003 7:49:58 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/15/2003 7:57:52 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 12/14/2003 6:20:50 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/15/2003 8:04:26 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 110592 C:\WINDOWS\SYSTEM32\dllcache\bthprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 380416 C:\WINDOWS\SYSTEM32\dllcache\irprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/15/2003 7:49:58 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/15/2003 7:57:52 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/15/2003 8:04:26 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
Intel Corporation 2/10/2004 7:53:24 PM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0001\DriverFiles\igfxcpl.cpl
Realtek Semiconductor Corp. 2/10/2004 2:19:32 AM 14224384 C:\WINDOWS\SYSTEM32\ReinstallBackups\0018\DriverFiles\ALSNDMGR.CPL

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
8/4/2005 6:54:54 PM 994 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
4/2/2004 1:55:28 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
12/31/2005 5:35:28 PM 807 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Run Nintendo Wi-Fi USB Connector Registration Tool.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
4/2/2004 5:46:32 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
4/2/2004 1:55:28 PM HS 84 C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
4/2/2004 5:46:32 AM HS 62 C:\Documents and Settings\Owner\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
sv1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Trojan Remover
{52B87208-9CCF-42C9-B88E-069281105805} = C:\PROGRA~1\TROJAN~1\Trshlex.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Trojan Remover
{52B87208-9CCF-42C9-B88E-069281105805} = C:\PROGRA~1\TROJAN~1\Trshlex.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A3A071E-F913-4eee-AE15-AEFFA16FB6BC}
Popup Killer = C:\Program Files\Webroot\Pop-Up Washer\VAPopupKiller.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console	: C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger	: C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
= 
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links	: %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = : 
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links	: %SystemRoot%\system32\SHELL32.dll
{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} = : 
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address	: %SystemRoot%\System32\browseui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
AVG7_CC	C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
Windows Defender	"C:\Program Files\Windows Defender\MSASCui.exe" -hide
QuickTime Task	"C:\Program Files\QuickTime\qttask.exe" -atboottime
SunJavaUpdateSched	C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
WebrootDesktopFirewall	C:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe -t
VTTimer	VTTimer.exe
Recguard	C:\WINDOWS\SMINST\RECGUARD.EXE
KBD	C:\HP\KBD\KBD.EXE
hpsysdrv	c:\windows\system\hpsysdrv.exe
HPDJ Taskbar Utility	C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
HP Component Manager	"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
AlcxMonitor	ALCXMNTR.EXE
AGRSMMSG	AGRSMMSG.exe


----------



## sparsby (Apr 10, 2006)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
PopUpWasher	C:\PROGRA~1\Webroot\POP-UP~1\PopUpWasher.exe
RecordNow!	
MsnMsgr	"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandFrom

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandTo

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
ose	3
C-DillaSrv	2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk
backup	C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkCommon Startup
location	Common Startup
item	MyWebSearch Email Plugin
backup	C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkCommon Startup
location	Common Startup
item	MyWebSearch Email Plugin

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk
backup	C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup
location	Startup
item	MyWebSearch Email Plugin
backup	C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup
location	Startup
item	MyWebSearch Email Plugin

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\avnort
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msmbw
hkey	HKLM
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msmbw
hkey	HKLM
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:\Program Files

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini	0
win.ini	0
bootini	0
services	0
startup	0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments
ScanWithAntiVirus	2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoCDBurning	0
NoLowDiskSpaceChecks	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername	0
legalnoticecaption	
legalnoticetext	
shutdownwithoutlogon	1
undockwithoutlogon	1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun	145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableRegistryTools	0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit	= userinit.exe
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
= WgaLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1	- Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 7/10/2006 11:12:43 AM

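Most of the WinPFind output above is the operating system's own housekeeping (registry transaction logs, catalog files, DPAPI keys, scheduled tasks), and the two lines worth a second look are the ones Cookiegal picks out next: small hidden+system files with machine-generated names dropped into system32 at the same second. The Python below is an added example, not code from this thread or from WinPFind. It parses the "system and hidden files" section and the Hosts section of a log in this format, suppresses paths where Windows XP legitimately keeps hidden/system files, flags the rest with the reason, groups flagged files that share an exact modification time (files written in the same second usually came from one installer or dropper), and classifies hosts entries: a name pointed at loopback is a blocklist entry, a name pointed anywhere else is a redirect. The allow-list of expected locations is an assumption, and the `10.0.0.5 www.windowsupdate.com` line in the sample is invented to exercise the redirect branch; the two 127.0.0.1 lines and the file lines are copied from the log above. As the thread shows a little later, a flagged file can still scan clean, so the output is a list to verify, not a list to delete.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed excerpt in the shape of the WinPFind 1.4.1 log above: the Hosts
# section and a few lines from the "system and hidden files within the last 60
# days" section, plus one invented hosts line (10.0.0.5 www.windowsupdate.com)
# so the redirect branch runs.
SAMPLE_WINPFIND = r"""
Items found in C:\WINDOWS\SYSTEM32\drivers\etc\Hosts
127.0.0.1 www.qoologic.com
127.0.0.1 www.urllogic.com
10.0.0.5 www.windowsupdate.com

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
7/10/2006 11:08:16 AM S 2048 C:\WINDOWS\bootstat.dat
7/5/2006 12:56:58 PM H 54156 C:\WINDOWS\QTFont.qfn
5/30/2006 7:31:54 AM RHS 56 C:\WINDOWS\system32\00370CD73E.sys
5/30/2006 7:31:54 AM HS 1682 C:\WINDOWS\system32\KGyGaAvL.sys
6/22/2006 5:18:30 AM S 13309 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911280.cat
7/10/2006 11:08:46 AM H 1024 C:\WINDOWS\system32\config\default.LOG
7/10/2006 11:11:20 AM H 330 C:\WINDOWS\Tasks\MP Scheduled Scan.job
"""

FILE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<attrs>[RHSA]+) (?P<size>\d+) (?P<path>[A-Za-z]:\\.+)$")
HOSTS_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)$")

# Places where Windows XP itself keeps hidden/system files that change all the
# time (boot status, registry transaction logs, catalog store, DPAPI master
# keys, update downloads, scheduled tasks). Hypothetical allow-list; extend it
# per machine rather than loosening the patterns.
EXPECTED_LOCATIONS = [re.compile(p, re.I) for p in (
    r"\\bootstat\.dat$",
    r"\\system32\\config\\[^\\]+\.log$",
    r"\\system32\\config\\systemprofile\\",
    r"\\system32\\catroot\\",
    r"\\system32\\microsoft\\protect\\",
    r"\\softwaredistribution\\",
    r"\\tasks\\[^\\]+\.job$",
    r"\\tasks\\sa\.dat$",
)]
HEX_NAME = re.compile(r"^[0-9A-F]{8,}$", re.I)


def file_reasons(attrs, size, path):
    """Reasons a hidden/system file deserves a look; empty list means expected."""
    if any(rx.search(path) for rx in EXPECTED_LOCATIONS):
        return []
    lower = path.lower()
    stem, _, ext = path.rsplit("\\", 1)[-1].rpartition(".")
    reasons = []
    # Real drivers live in system32\drivers; a .sys in the system32 root is odd.
    if ext.lower() == "sys" and "\\system32\\" in lower and "\\drivers\\" not in lower:
        reasons.append(".sys directly under system32, not system32\\drivers")
    if HEX_NAME.match(stem):
        reasons.append("hexadecimal-looking name")
    if "H" in attrs and "S" in attrs and size < 4096:
        reasons.append("small hidden+system file")
    return reasons


def hosts_verdict(ip, host):
    """A loopback entry blocks a name; any other address redirects it."""
    if host.lower() in ("localhost", "localhost.localdomain"):
        return "standard"
    if ip.startswith("127.") or ip == "0.0.0.0":
        return "blocklist entry (name sinkholed to loopback)"
    return "HIGH: name redirected to " + ip + " (possible hijack)"


def triage_winpfind(log_text):
    """Return flagged files with reasons, hosts verdicts, and same-second batches."""
    flagged, hosts, by_mtime = [], [], defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()
        m = FILE_RE.match(line)
        if m:
            reasons = file_reasons(m["attrs"], int(m["size"]), m["path"])
            if reasons:
                flagged.append((m["path"], reasons))
                when = datetime.strptime(m["date"] + " " + m["time"], "%m/%d/%Y %I:%M:%S %p")
                by_mtime[when].append(m["path"])
            continue
        m = HOSTS_RE.match(line)
        if m:
            hosts.append((m["host"], hosts_verdict(m["ip"], m["host"])))
    # Files sharing an exact modification second were almost certainly written
    # by the same installer or dropper, so triage them together.
    batches = [paths for paths in by_mtime.values() if len(paths) > 1]
    return {"files": flagged, "hosts": hosts, "batches": batches}


if __name__ == "__main__":
    result = triage_winpfind(SAMPLE_WINPFIND)
    for path, reasons in result["files"]:
        print(path, "->", "; ".join(reasons))
    for host, verdict in result["hosts"]:
        print(host, "->", verdict)
    print("written together:", result["batches"])
```

On the sample this flags 00370CD73E.sys (three reasons) and KGyGaAvL.sys (two), reports that both were written in the same second, marks the two 127.0.0.1 lines as blocklist entries and raises only the invented redirect line.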

----------



## Cookiegal (Aug 27, 2003)

I'm attaching a Remove2.zip file. Unzip it to your desktop. Double-click the Remove2.reg file and allow it to enter into the registry.

Go to Start - Run, copy and paste the following, then click OK:

*shell:cache\content.ie5*

This should open your content.ie5 folder. Select everything in there and click Delete. You will not be able to delete the index.dat file, and that's normal.

Go to the following link and upload each of the following files for analysis and let me know what the results are please:

http://virusscan.jotti.org/

*C:\WINDOWS\system32\00370CD73E.sys*

Reboot, scan again with WinPFind, and post the log please.


----------



## sparsby (Apr 10, 2006)

I couldn't delete anything in the content.ie5 folder, and the file was deemed OK.

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
qoologic 6/26/2006 9:04:50 AM 12243523 C:\AVG7QT.DAT
urllogic 6/26/2006 9:04:50 AM 12243523 C:\AVG7QT.DAT
UPX! 6/25/2006 4:59:38 PM 299030 C:\combofix.exe
qoologic 6/30/2006 6:07:58 PM 204131 C:\WinPFind.zip

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
aspack 3/18/2005 5:19:58 PM 2337488 C:\WINDOWS\SYSTEM32\d3dx9_25.dll
PEC2 8/16/2003 1:40:04 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
aspack 2/17/2005 3:10:14 PM 702464 C:\WINDOWS\SYSTEM32\Incinerator.dll
PTech 6/19/2006 4:19:42 PM 571184 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 6/8/2006 7:19:50 PM 5967776 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 6/8/2006 7:19:50 PM 5967776 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 1:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 1:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 4/27/2006 5:49:30 PM 288417 C:\WINDOWS\SYSTEM32\SrchSTS.exe
UPX! 1/9/2006 10:36:04 AM 42496 C:\WINDOWS\SYSTEM32\swreg.exe
UPX! 1/9/2006 10:36:06 AM 40960 C:\WINDOWS\SYSTEM32\swsc.exe
winsync 8/15/2003 8:41:44 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
PTech 6/19/2006 4:19:26 PM 304944 C:\WINDOWS\SYSTEM32\WgaTray.exe

Checking %System%\Drivers folder and sub-folders...
UPX! 6/26/2006 9:03:30 AM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 6/26/2006 9:03:30 AM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 6/26/2006 9:03:30 AM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 6/26/2006 9:03:30 AM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PTech 8/3/2004 11:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\Hosts
127.0.0.1 www.qoologic.com
127.0.0.1 www.urllogic.com

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
7/10/2006 7:42:46 PM S 2048 C:\WINDOWS\bootstat.dat
7/5/2006 12:56:58 PM H 54156 C:\WINDOWS\QTFont.qfn
6/16/2006 9:20:00 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\8ecdf17e5a787c02ac0ed596ff4900f3\BIT4A.tmp
5/30/2006 7:31:54 AM RHS 56 C:\WINDOWS\system32\00370CD73E.sys
5/30/2006 7:31:54 AM HS 1682 C:\WINDOWS\system32\KGyGaAvL.sys
6/22/2006 5:18:30 AM S 13309 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911280.cat
5/29/2006 10:16:00 AM S 23751 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB916281.cat
5/18/2006 1:15:12 AM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB917344.cat
6/1/2006 2:28:56 PM S 11043 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918439.cat
6/19/2006 4:20:58 PM S 7160 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WgaNotify.cat
7/10/2006 7:43:22 PM H 1024 C:\WINDOWS\system32\config\default.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\default_TU_72001.LOG
7/10/2006 7:42:48 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\SAM_TU_47360.LOG
7/10/2006 7:46:10 PM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\SECURITY_TU_50084.LOG
7/10/2006 7:44:24 PM H 1024 C:\WINDOWS\system32\config\software.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\software_TU_58035.LOG
7/10/2006 7:43:50 PM H 1024 C:\WINDOWS\system32\config\system.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\system_TU_79929.LOG
7/10/2006 1:47:30 AM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
7/9/2006 9:39:00 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\c6d568a4-a4b4-48cd-a445-08b6d7558879
7/9/2006 9:39:00 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
7/10/2006 7:45:50 PM H 330 C:\WINDOWS\Tasks\MP Scheduled Scan.job
7/10/2006 7:42:50 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 9/20/2004 3:20:44 PM 16121856 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 8/4/2004 1:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 5/3/2006 2:56:54 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/15/2003 7:49:58 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/15/2003 7:57:52 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 12/14/2003 6:20:50 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/15/2003 8:04:26 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 110592 C:\WINDOWS\SYSTEM32\dllcache\bthprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 380416 C:\WINDOWS\SYSTEM32\dllcache\irprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/15/2003 7:49:58 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/15/2003 7:57:52 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/15/2003 8:04:26 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
Intel Corporation 2/10/2004 7:53:24 PM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0001\DriverFiles\igfxcpl.cpl
Realtek Semiconductor Corp. 2/10/2004 2:19:32 AM 14224384 C:\WINDOWS\SYSTEM32\ReinstallBackups\0018\DriverFiles\ALSNDMGR.CPL

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
8/4/2005 6:54:54 PM 994 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
4/2/2004 1:55:28 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
12/31/2005 5:35:28 PM 807 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Run Nintendo Wi-Fi USB Connector Registration Tool.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
4/2/2004 5:46:32 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
4/2/2004 1:55:28 PM HS 84 C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
4/2/2004 5:46:32 AM HS 62 C:\Documents and Settings\Owner\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
sv1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Trojan Remover
{52B87208-9CCF-42C9-B88E-069281105805} = C:\PROGRA~1\TROJAN~1\Trshlex.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Trojan Remover
{52B87208-9CCF-42C9-B88E-069281105805} = C:\PROGRA~1\TROJAN~1\Trshlex.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll


----------



## sparsby (Apr 10, 2006)

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A3A071E-F913-4eee-AE15-AEFFA16FB6BC}
Popup Killer = C:\Program Files\Webroot\Pop-Up Washer\VAPopupKiller.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console	: C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger	: C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
= 
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links	: %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = : 
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links	: %SystemRoot%\system32\SHELL32.dll
{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} = : 
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address	: %SystemRoot%\System32\browseui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
AVG7_CC	C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
Windows Defender	"C:\Program Files\Windows Defender\MSASCui.exe" -hide
QuickTime Task	"C:\Program Files\QuickTime\qttask.exe" -atboottime
SunJavaUpdateSched	C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
WebrootDesktopFirewall	C:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe -t
VTTimer	VTTimer.exe
Recguard	C:\WINDOWS\SMINST\RECGUARD.EXE
KBD	C:\HP\KBD\KBD.EXE
hpsysdrv	c:\windows\system\hpsysdrv.exe
HPDJ Taskbar Utility	C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
HP Component Manager	"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
AlcxMonitor	ALCXMNTR.EXE
AGRSMMSG	AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
PopUpWasher	C:\PROGRA~1\Webroot\POP-UP~1\PopUpWasher.exe
RecordNow!	
MsnMsgr	"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandFrom

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandTo

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
ose	3
C-DillaSrv	2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk
backup	C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup
location	Startup
item	MyWebSearch Email Plugin

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\avnort
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msmbw
hkey	HKLM
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msmbw
hkey	HKLM
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:\Program Files

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini	0
win.ini	0
bootini	0
services	0
startup	0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments
ScanWithAntiVirus	2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoCDBurning	0
NoLowDiskSpaceChecks	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername	0
legalnoticecaption	
legalnoticetext	
shutdownwithoutlogon	1
undockwithoutlogon	1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun	145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableRegistryTools	0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit	= userinit.exe
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
= WgaLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1	- Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 7/10/2006 7:46:56 PM


----------



## Cookiegal (Aug 27, 2003)

Go to Start - Run - type in regedit and click OK to open the registry editor.

Expand each key by clicking on the + sign to the left of the name:

+HKEY_LOCAL_MACHINE
+SOFTWARE
+Microsoft
+Shared Tools
+MSConfig

Right-click (but do not expand) *startupfolder*, then select "Export" and save it on your desktop. Right-click on the file, select "Open with" and choose Notepad. Copy and paste the contents here please.

Also, right-click (but do not expand) *startupreg*, then select "Export" and save it on your desktop. Right-click on the file, select "Open with" and choose Notepad. Copy and paste the contents here please.


----------



## sparsby (Apr 10, 2006)

Startupfolder

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
"backup"="C:\\WINDOWS\\pss\\MyWebSearch Email Plugin.lnkStartup"
"location"="Startup"
"item"="MyWebSearch Email Plugin"

startupreg

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\avnort]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmbw"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Á³#*L"h'þ9Óœð3rÅWC:]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Á³#*L"h'þ9Óœð3rÅWC:\Program Files]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Á³#*L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Á³#*L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tqsry"
"hkey"="HKLM"
"inimapping"="0"


----------



## Cookiegal (Aug 27, 2003)

Please follow the instructions in the following link to run this removal tool:

http://securityresponse.symantec.com/avcenter/venc/data/w32.serflog.removal.tool.html

Please download *LQfix.exe* and save it to your desktop.

Double-Click *LQfix.exe* and click Next > Next > Install.
Leave the default settings; if you change them, the fix will *Fail!*
Now make sure the "*Launch LQfix*" box is checked.
Click the *Finish* button, after clicking the Finish button the fix will start.
Follow the on-screen prompts.
Your system will now reboot afterwards.
Please be patient after the reboot, there is a script running in the background that needs to complete.

*Click Here* and download Killbox and save it to your desktop.

Then boot to safe mode:

*How to restart to safe mode*

Double-click on Killbox.exe to run it. 

Put a tick by *Standard File Kill*. 
In the "Full Path of File to Delete" box, copy and paste the following line:

*C:\Documents and Settings\Owner\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk*

Click on the button that has the red circle with the X in the middle after you enter each file. 
It will ask for confirmation to delete the file. 
Click Yes. 
Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
Killbox may tell you that one or more files do not exist. 
If that happens, just continue on with all the files. Be sure you don't miss any.
Next in Killbox go to *Tools > Delete Temp Files*
In the window that pops up, put a check by *ALL* the options there *except* these three:
XP Prefetch
Recent
History

Now click the *Delete Selected Temp Files* button.
Exit the Killbox.

Boot back to Windows normally and post another HijackThis log along with a new WinpFind log please.


----------



## sparsby (Apr 10, 2006)

Killbox and the first thing you linked me to didn't work; neither of the files could be found, so I guess that's good.

Logfile of HijackThis v1.99.1
Scan saved at 1:16:51 PM, on 7/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe
C:\WINDOWS\system32\VTTimer.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\Webroot\POP-UP~1\PopUpWasher.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Webroot\Desktop Firewall\WDFDataService.exe
C:\Program Files\Webroot\Desktop Firewall\FirewallNTService.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Popup Killer - {4A3A071E-F913-4eee-AE15-AEFFA16FB6BC} - C:\Program Files\Webroot\Pop-Up Washer\VAPopupKiller.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [WebrootDesktopFirewall] C:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe -t
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [PopUpWasher] C:\PROGRA~1\Webroot\POP-UP~1\PopUpWasher.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.1.87.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Webroot Desktop Firewall Data Service (WebrootDesktopFirewallDataService) - Webroot Software, Inc. - C:\Program Files\Webroot\Desktop Firewall\WDFDataService.exe
O23 - Service: Webroot Desktop Firewall (WebrootFirewall) - Unknown owner - C:\Program Files\Webroot\Desktop Firewall\FirewallNTService.exe


----------



## sparsby (Apr 10, 2006)

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
qoologic 6/26/2006 9:04:50 AM 12243523 C:\AVG7QT.DAT
urllogic 6/26/2006 9:04:50 AM 12243523 C:\AVG7QT.DAT
UPX! 6/25/2006 4:59:38 PM 299030 C:\combofix.exe
qoologic 6/30/2006 6:07:58 PM 204131 C:\WinPFind.zip

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
aspack 3/18/2005 5:19:58 PM 2337488 C:\WINDOWS\SYSTEM32\d3dx9_25.dll
PEC2 8/16/2003 1:40:04 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
aspack 2/17/2005 3:10:14 PM 702464 C:\WINDOWS\SYSTEM32\Incinerator.dll
PTech 6/19/2006 4:19:42 PM 571184 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 6/8/2006 7:19:50 PM 5967776 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 6/8/2006 7:19:50 PM 5967776 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 1:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 1:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 4/27/2006 5:49:30 PM 288417 C:\WINDOWS\SYSTEM32\SrchSTS.exe
UPX! 1/9/2006 10:36:04 AM 42496 C:\WINDOWS\SYSTEM32\swreg.exe
UPX! 1/9/2006 10:36:06 AM 40960 C:\WINDOWS\SYSTEM32\swsc.exe
winsync 8/15/2003 8:41:44 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
PTech 6/19/2006 4:19:26 PM 304944 C:\WINDOWS\SYSTEM32\WgaTray.exe

Checking %System%\Drivers folder and sub-folders...
UPX! 6/26/2006 9:03:30 AM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 6/26/2006 9:03:30 AM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 6/26/2006 9:03:30 AM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 6/26/2006 9:03:30 AM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PTech 8/3/2004 11:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\Hosts
127.0.0.1 www.qoologic.com
127.0.0.1 www.urllogic.com

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
7/11/2006 1:11:24 PM S 2048 C:\WINDOWS\bootstat.dat
7/5/2006 12:56:58 PM H 54156 C:\WINDOWS\QTFont.qfn
6/16/2006 9:20:00 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\8ecdf17e5a787c02ac0ed596ff4900f3\BIT4A.tmp
5/30/2006 7:31:54 AM RHS 56 C:\WINDOWS\system32\00370CD73E.sys
5/30/2006 7:31:54 AM HS 1682 C:\WINDOWS\system32\KGyGaAvL.sys
6/22/2006 5:18:30 AM S 13309 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911280.cat
5/29/2006 10:16:00 AM S 23751 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB916281.cat
5/18/2006 1:15:12 AM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB917344.cat
6/1/2006 2:28:56 PM S 11043 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918439.cat
6/19/2006 4:20:58 PM S 7160 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WgaNotify.cat
7/11/2006 1:12:10 PM H 1024 C:\WINDOWS\system32\config\default.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\default_TU_72001.LOG
7/11/2006 1:11:26 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\SAM_TU_47360.LOG
7/11/2006 1:21:52 PM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\SECURITY_TU_50084.LOG
7/11/2006 1:21:16 PM H 1024 C:\WINDOWS\system32\config\software.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\software_TU_58035.LOG
7/11/2006 1:12:28 PM H 1024 C:\WINDOWS\system32\config\system.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\system_TU_79929.LOG
7/11/2006 1:50:52 AM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
7/9/2006 9:39:00 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\c6d568a4-a4b4-48cd-a445-08b6d7558879
7/9/2006 9:39:00 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
7/11/2006 1:14:28 PM H 330 C:\WINDOWS\Tasks\MP Scheduled Scan.job
7/11/2006 1:11:28 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 9/20/2004 3:20:44 PM 16121856 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 8/4/2004 1:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 5/3/2006 2:56:54 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/15/2003 7:49:58 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/15/2003 7:57:52 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 12/14/2003 6:20:50 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/15/2003 8:04:26 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 110592 C:\WINDOWS\SYSTEM32\dllcache\bthprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 380416 C:\WINDOWS\SYSTEM32\dllcache\irprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/15/2003 7:49:58 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/15/2003 7:57:52 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/15/2003 8:04:26 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
Intel Corporation 2/10/2004 7:53:24 PM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0001\DriverFiles\igfxcpl.cpl
Realtek Semiconductor Corp. 2/10/2004 2:19:32 AM 14224384 C:\WINDOWS\SYSTEM32\ReinstallBackups\0018\DriverFiles\ALSNDMGR.CPL

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
8/4/2005 6:54:54 PM 994 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
4/2/2004 1:55:28 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
12/31/2005 5:35:28 PM 807 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Run Nintendo Wi-Fi USB Connector Registration Tool.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
4/2/2004 5:46:32 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
4/2/2004 1:55:28 PM HS 84 C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
4/2/2004 5:46:32 AM HS 62 C:\Documents and Settings\Owner\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
sv1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Trojan Remover
{52B87208-9CCF-42C9-B88E-069281105805} = C:\PROGRA~1\TROJAN~1\Trshlex.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Trojan Remover
{52B87208-9CCF-42C9-B88E-069281105805} = C:\PROGRA~1\TROJAN~1\Trshlex.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A3A071E-F913-4eee-AE15-AEFFA16FB6BC}
Popup Killer = C:\Program Files\Webroot\Pop-Up Washer\VAPopupKiller.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console	: C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger	: C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
= 
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links	: %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = : 
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links	: %SystemRoot%\system32\SHELL32.dll
{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} = : 
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address	: %SystemRoot%\System32\browseui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
AVG7_CC	C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
Windows Defender	"C:\Program Files\Windows Defender\MSASCui.exe" -hide
QuickTime Task	"C:\Program Files\QuickTime\qttask.exe" -atboottime
SunJavaUpdateSched	C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
WebrootDesktopFirewall	C:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe -t
VTTimer	VTTimer.exe
Recguard	C:\WINDOWS\SMINST\RECGUARD.EXE
KBD	C:\HP\KBD\KBD.EXE
hpsysdrv	c:\windows\system\hpsysdrv.exe
HPDJ Taskbar Utility	C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
HP Component Manager	"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
AlcxMonitor	ALCXMNTR.EXE
AGRSMMSG	AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
PopUpWasher	C:\PROGRA~1\Webroot\POP-UP~1\PopUpWasher.exe
RecordNow!	
MsnMsgr	"C:\Program Files\MSN Messenger\msnmsgr.exe" /background


----------



## sparsby (Apr 10, 2006)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandFrom

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandTo

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
ose	3
C-DillaSrv	2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk
backup	C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup
location	Startup
item	MyWebSearch Email Plugin

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\avnort
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msmbw
hkey	HKLM
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msmbw
hkey	HKLM
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:\Program Files

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini	0
win.ini	0
bootini	0
services	0
startup	0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments
ScanWithAntiVirus	2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoCDBurning	0
NoLowDiskSpaceChecks	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername	0
legalnoticecaption	
legalnoticetext	
shutdownwithoutlogon	1
undockwithoutlogon	1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun	145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableRegistryTools	0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit	= userinit.exe
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
= WgaLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1	- Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 7/11/2006 1:24:21 PM

Explorer.exe keeps requesting access to the internet; I always block it using Webroot firewall.


----------



## Cookiegal (Aug 27, 2003)

What do you mean they didn't work? Were you able to run the tool?


----------



## sparsby (Apr 10, 2006)

Sorry, I meant it didn't find the files. Killbox couldn't find the file and the tool said it couldn't find the worm.


----------



## Cookiegal (Aug 27, 2003)

How many user profiles are there on this computer?


----------



## sparsby (Apr 10, 2006)

Should only be one


----------



## Cookiegal (Aug 27, 2003)

Open HijackThis and click on the "Open the Misc Tools Section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here please.


----------



## sparsby (Apr 10, 2006)

Here you are:

530809 (Shared Components)
Ad-Aware SE Personal
Adobe Photoshop 7.0
Agere Systems PCI Soft Modem
AnswerWorks Runtime
AVG Free Edition
Battlefield 1942
Compaq Connections
Compaq Instant Support
EasyCleaner
ewido anti-spyware 4.0
Forgotten Hope 0.70
Forgotten Hope FAN MAPPACK V6.0
HijackThis 1.99.1
HP Deskjet 3840
J2SE Runtime Environment 5.0 Update 7
KBD
LimeWire 4.10.9
LQfix 2.1
Macromedia Extension Manager
Macromedia Flash Player 8
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Works 7.0
MSN Messenger 7.0
Nintendo Wi-Fi USB Connector Registration Tool
Pop-Up Washer
QuickTime
RecordNow!
S3 S3Display
S3 S3Gamma2
S3 S3Info2
S3 S3Overlay
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
TOUCHSTONE TS-300 MP3 PLAYER
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
VIA Rhine-Family Fast Ethernet Adapter
VIA/S3G Display Driver
Webroot Desktop Firewall 1.3
Winamp (remove only)
Windows Defender
Windows Defender Signatures
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
Xfire (remove only)


----------



## Cookiegal (Aug 27, 2003)

Do you recognize this?

530809 (Shared Components)


----------



## sparsby (Apr 10, 2006)

I don't know what it is, but it has been on the computer for a while; I have seen it before.


----------



## Cookiegal (Aug 27, 2003)

Can you do a search and find it? See if it's in a program file or whatever.


----------



## sparsby (Apr 10, 2006)

It's the name of a folder (the number, not the whole thing):

C:\Program files\common files\element5 shared\uninstall

That and a setup information file named spuninst (there are about 50 of these):

C:\WINDOWS\$NtUninstall(there's a little code here where the last few digits aren't the same)\spuninst


That's all it found; I looked in both the C and D drives.


----------



## Cookiegal (Aug 27, 2003)

Do you mean it's a folder within the element5 shared folder?


----------



## sparsby (Apr 10, 2006)

yup


----------



## Cookiegal (Aug 27, 2003)

What else is in the 530809 folder?

Right click on the 530809 folder and then properties and see when it was created.


----------



## sparsby (Apr 10, 2006)

Thursday, July 14, 2005, 9:41:42 PM

Heh, that's today but not the year =(


----------



## Cookiegal (Aug 27, 2003)

> What else is in the 530809 folder?


----------



## sparsby (Apr 10, 2006)

There's another folder inside: B2CDC000

Inside that:

SCS Uninstaller.dll 2.60.30.2(System Level Service Installer)
&
UninstApplet (System Level Service Installer then underneath that it says element5)


In the Element5 folder there's another one other than uninstall:

Service and inside that is a file called License Manager ESD (System Level service Utility and then underneath that it also says element5)


Sorry for the long reply, but I went out camping.


----------



## Cookiegal (Aug 27, 2003)

That appears to be legit.

Since some time has elapsed, would you please post a new HijackThis log as well as a new WinpFind log.


----------



## sparsby (Apr 10, 2006)

Logfile of HijackThis v1.99.1
Scan saved at 8:40:08 AM, on 7/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\VTTimer.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Popup Killer - {4A3A071E-F913-4eee-AE15-AEFFA16FB6BC} - C:\PROGRA~1\Webroot\POP-UP~1\VAPopupKiller.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [WebrootDesktopFirewall] C:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe -t
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [PopUpWasher] C:\PROGRA~1\Webroot\POP-UP~1\PopUpWasher.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.1.87.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Webroot Desktop Firewall Data Service (WebrootDesktopFirewallDataService) - Webroot Software, Inc. - C:\Program Files\Webroot\Desktop Firewall\WDFDataService.exe
O23 - Service: Webroot Desktop Firewall (WebrootFirewall) - Unknown owner - C:\Program Files\Webroot\Desktop Firewall\FirewallNTService.exe

I just had a pop-up about wallpapers as soon as I turned the firewall off; then I ran HijackThis.

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
qoologic 6/26/2006 9:04:50 AM 12243523 C:\AVG7QT.DAT
urllogic 6/26/2006 9:04:50 AM 12243523 C:\AVG7QT.DAT
UPX! 6/25/2006 4:59:38 PM 299030 C:\combofix.exe
qoologic 6/30/2006 6:07:58 PM 204131 C:\WinPFind.zip

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
aspack 3/18/2005 5:19:58 PM 2337488 C:\WINDOWS\SYSTEM32\d3dx9_25.dll
PEC2 8/16/2003 1:40:04 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
aspack 2/17/2005 3:10:14 PM 702464 C:\WINDOWS\SYSTEM32\Incinerator.dll
PTech 6/19/2006 4:19:42 PM 571184 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 6/8/2006 7:19:50 PM 5967776 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 6/8/2006 7:19:50 PM 5967776 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 1:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 1:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 4/27/2006 5:49:30 PM 288417 C:\WINDOWS\SYSTEM32\SrchSTS.exe
UPX! 1/9/2006 10:36:04 AM 42496 C:\WINDOWS\SYSTEM32\swreg.exe
UPX! 1/9/2006 10:36:06 AM 40960 C:\WINDOWS\SYSTEM32\swsc.exe
winsync 8/15/2003 8:41:44 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
PTech 6/19/2006 4:19:26 PM 304944 C:\WINDOWS\SYSTEM32\WgaTray.exe

Checking %System%\Drivers folder and sub-folders...
UPX! 6/26/2006 9:03:30 AM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 6/26/2006 9:03:30 AM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 6/26/2006 9:03:30 AM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 6/26/2006 9:03:30 AM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PTech 8/3/2004 11:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\Hosts
127.0.0.1 www.qoologic.com
127.0.0.1 www.urllogic.com

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
7/11/2006 1:11:24 PM S 2048 C:\WINDOWS\bootstat.dat
7/13/2006 10:46:02 AM H 54156 C:\WINDOWS\QTFont.qfn
7/14/2006 11:01:30 PM H 0 C:\WINDOWS\LastGood\INF\oem27.inf
7/14/2006 11:01:30 PM H 0 C:\WINDOWS\LastGood\INF\oem27.PNF
6/16/2006 9:20:00 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\8ecdf17e5a787c02ac0ed596ff4900f3\BIT4A.tmp
5/30/2006 7:31:54 AM RHS 56 C:\WINDOWS\system32\00370CD73E.sys
5/30/2006 7:31:54 AM HS 1682 C:\WINDOWS\system32\KGyGaAvL.sys
6/22/2006 5:18:30 AM S 13309 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911280.cat
5/29/2006 10:16:00 AM S 23751 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB916281.cat
6/1/2006 2:28:56 PM S 11043 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918439.cat
6/19/2006 4:20:58 PM S 7160 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WgaNotify.cat
7/20/2006 8:21:10 AM H 1024 C:\WINDOWS\system32\config\default.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\default_TU_72001.LOG
7/11/2006 1:11:26 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\SAM_TU_47360.LOG
7/20/2006 6:19:36 AM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\SECURITY_TU_50084.LOG
7/20/2006 8:42:32 AM H 1024 C:\WINDOWS\system32\config\software.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\software_TU_58035.LOG
7/19/2006 11:18:58 PM H 1024 C:\WINDOWS\system32\config\system.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\system_TU_79929.LOG
7/16/2006 1:59:12 AM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
7/9/2006 9:39:00 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\c6d568a4-a4b4-48cd-a445-08b6d7558879
7/9/2006 9:39:00 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
7/16/2006 8:28:50 AM H 330 C:\WINDOWS\Tasks\MP Scheduled Scan.job
7/11/2006 1:11:28 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 9/20/2004 3:20:44 PM 16121856 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 8/4/2004 1:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 5/3/2006 2:56:54 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/15/2003 7:49:58 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/15/2003 7:57:52 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 12/14/2003 6:20:50 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/15/2003 8:04:26 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 110592 C:\WINDOWS\SYSTEM32\dllcache\bthprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 380416 C:\WINDOWS\SYSTEM32\dllcache\irprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/15/2003 7:49:58 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/15/2003 7:57:52 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/15/2003 8:04:26 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
Intel Corporation 2/10/2004 7:53:24 PM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0001\DriverFiles\igfxcpl.cpl
Realtek Semiconductor Corp. 2/10/2004 2:19:32 AM 14224384 C:\WINDOWS\SYSTEM32\ReinstallBackups\0018\DriverFiles\ALSNDMGR.CPL


----------



## sparsby (Apr 10, 2006)

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
8/4/2005 6:54:54 PM 994 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
4/2/2004 1:55:28 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
12/31/2005 5:35:28 PM 807 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Run Nintendo Wi-Fi USB Connector Registration Tool.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
4/2/2004 5:46:32 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
4/2/2004 1:55:28 PM HS 84 C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
4/2/2004 5:46:32 AM HS 62 C:\Documents and Settings\Owner\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
sv1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Trojan Remover
{52B87208-9CCF-42C9-B88E-069281105805} = C:\PROGRA~1\TROJAN~1\Trshlex.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Trojan Remover
{52B87208-9CCF-42C9-B88E-069281105805} = C:\PROGRA~1\TROJAN~1\Trshlex.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A3A071E-F913-4eee-AE15-AEFFA16FB6BC}
Popup Killer = C:\PROGRA~1\Webroot\POP-UP~1\VAPopupKiller.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console	: C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger	: C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
= 
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links	: %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = : 
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links	: %SystemRoot%\system32\SHELL32.dll
{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} = : 
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address	: %SystemRoot%\System32\browseui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
AVG7_CC	C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
Windows Defender	"C:\Program Files\Windows Defender\MSASCui.exe" -hide
QuickTime Task	"C:\Program Files\QuickTime\qttask.exe" -atboottime
SunJavaUpdateSched	C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
WebrootDesktopFirewall	C:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe -t
VTTimer	VTTimer.exe
Recguard	C:\WINDOWS\SMINST\RECGUARD.EXE
KBD	C:\HP\KBD\KBD.EXE
hpsysdrv	c:\windows\system\hpsysdrv.exe
HPDJ Taskbar Utility	C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
HP Component Manager	"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
AlcxMonitor	ALCXMNTR.EXE
AGRSMMSG	AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
PopUpWasher	C:\PROGRA~1\Webroot\POP-UP~1\PopUpWasher.exe
RecordNow!	
MsnMsgr	"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandFrom

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandTo

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
ose	3
C-DillaSrv	2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk
backup	C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup
location	Startup
item	MyWebSearch Email Plugin

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\avnort
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msmbw
hkey	HKLM
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msmbw
hkey	HKLM
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:\Program Files

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini	0
win.ini	0
bootini	0
services	0
startup	0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments
ScanWithAntiVirus	2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoCDBurning	0
NoLowDiskSpaceChecks	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername	0
legalnoticecaption	
legalnoticetext	
shutdownwithoutlogon	1
undockwithoutlogon	1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun	145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableRegistryTools	0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit	= userinit.exe
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
= WgaLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1	- Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 7/20/2006 8:45:52 AM
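As an added example (not from this thread and not part of WinPFind itself), the following Python script parses the three WinPFind sections the helper is reading here, the Hosts items, the Run keys and the MSConfig startupreg subkeys, and lists entries worth a second look. The embedded sample log is constructed from a few lines of the log above; the review rules (non-localhost hosts overrides, Run values with no path or no value, startupreg key names containing non-printable characters) are my own triage heuristics, not verdicts on any entry.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample in WinPFind's text format, modelled on a handful of
# lines from the log above. Values are tab-separated as WinPFind prints
# them; the last line reproduces a garbled startupreg subkey name.
SAMPLE_LINES = [
    r"Items found in C:\WINDOWS\SYSTEM32\drivers\etc\Hosts",
    "127.0.0.1 www.qoologic.com",
    "127.0.0.1 www.urllogic.com",
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    "AVG7_CC\t" + r"C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
    "Windows Defender\t" + r'"C:\Program Files\Windows Defender\MSASCui.exe" -hide',
    "VTTimer\tVTTimer.exe",
    "AlcxMonitor\tALCXMNTR.EXE",
    "",
    r"[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    "PopUpWasher\t" + r"C:\PROGRA~1\Webroot\POP-UP~1\PopUpWasher.exe",
    "RecordNow!\t",
    "",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\avnort",
    "key\t" + r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "item\tmsmbw",
    "hkey\tHKLM",
    "",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Á³#þ9Óœð3rÅW",
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)

RUN_KEY_RE = re.compile(r"^\[(HKEY_[^\]]+\\Run)\]$")
STARTUPREG_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Shared Tools\\MSConfig\\startupreg\\(.+)$"
)


def parse_winpfind(text: str) -> Dict[str, list]:
    """Pull out the WinPFind sections a triage pass keys on."""
    hosts: List[Tuple[str, str]] = []
    run: List[Tuple[str, str, str]] = []
    startupreg: List[str] = []
    section = None  # "hosts", "run" or None
    run_key = ""
    for line in text.splitlines():
        if not line.strip():
            section = None  # a blank line closes every section
            continue
        if line.startswith("Items found in ") and line.lower().endswith("hosts"):
            section = "hosts"
            continue
        m = RUN_KEY_RE.match(line)
        if m:
            section, run_key = "run", m.group(1)
            continue
        m = STARTUPREG_RE.match(line)
        if m:
            startupreg.append(m.group(1))
            section = None
            continue
        if line.startswith("[") or line.startswith("HKEY_"):
            section = None  # some other key this pass does not triage
            continue
        if section == "hosts":
            parts = line.split(None, 1)
            if len(parts) == 2:
                hosts.append((parts[0], parts[1].strip()))
        elif section == "run":
            name, _, cmd = line.partition("\t")
            run.append((run_key, name.strip(), cmd.strip()))
    return {"hosts": hosts, "run": run, "startupreg": startupreg}


def executable_of(cmd: str) -> str:
    """First token of a Run value, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def triage(parsed: Dict[str, list]) -> List[Tuple[str, str]]:
    """Heuristic 'look at this' list; none of these is a malware verdict."""
    findings: List[Tuple[str, str]] = []
    for ip, host in parsed["hosts"]:
        if host.lower() != "localhost":
            findings.append(("hosts-override", f"{host} -> {ip}"))
    for key, name, cmd in parsed["run"]:
        if not cmd:
            findings.append(("empty-run-value", f"{key}: {name}"))
        elif "\\" not in executable_of(cmd):
            # bare file name: located by a directory search, not a fixed path
            findings.append(("run-no-path", f"{key}: {name} = {cmd}"))
    for subkey in parsed["startupreg"]:
        if any(not (32 <= ord(c) <= 126) for c in subkey):
            findings.append(("garbled-msconfig-key", subkey))
    return findings


def summarize(findings: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count findings per rule, for a quick overview."""
    return dict(Counter(kind for kind, _ in findings))


if __name__ == "__main__":
    for kind, detail in triage(parse_winpfind(SAMPLE_LOG)):
        print(f"{kind:22} {detail}")
```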


----------



## Cookiegal (Aug 27, 2003)

I'm attaching a FixSparby.zip file to this post. Save it to your desktop but don't do anything with it yet.

Rescan with HijackThis and fix these entries:

*R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =*

*O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE*

Go to Control Panel - Add/Remove Programs and remove:

*ISTSvc*
*MyWebSearch or MyWebSearch Email Plugin*

Go to Start - Search and, under "More advanced search options", make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

Next click on My Computer. Go to Tools - Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".

Now boot to safe mode and run Killbox on these:

*C:\Documents and Settings\Owner\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk*

*C:\Program Files\ ISTSvc*

*C:\WINDOWS\pss\MyWebSearch Email Plugin.lnk*

We did this before but I don't believe we did it in safe mode so please do this again:

While still in safe mode go to Start - Run and copy and paste then click OK:

*shell:cache\content.ie5*

This should open your content.ie5 folder. Select everything in there and click delete. You will not be able to delete the index.bat file and that's normal.

Reboot and post a new WinpFind log please.


----------



## sparsby (Apr 10, 2006)

Killbox couldn't find the ISTSvc file and I couldn't find it, but I deleted two mywebsearch files in the pss folder. Everything got deleted in the content.ie5 folder except a desktop.ini (or something close) and the index.bat. I couldn't find either of those entries in the add or remove programs thing, and both registry deals were fixed/deleted in hijackthis.

The white in the top left hand corner has come back as well; earlier it was fixed after another registry fix was opened. What should I do with the fixsparsby file?

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
qoologic 6/26/2006 9:04:50 AM 12243523 C:\AVG7QT.DAT
urllogic 6/26/2006 9:04:50 AM 12243523 C:\AVG7QT.DAT
UPX! 6/25/2006 4:59:38 PM 299030 C:\combofix.exe
qoologic 6/30/2006 6:07:58 PM 204131 C:\WinPFind.zip

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
aspack 3/18/2005 5:19:58 PM 2337488 C:\WINDOWS\SYSTEM32\d3dx9_25.dll
PEC2 8/16/2003 1:40:04 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
aspack 2/17/2005 3:10:14 PM 702464 C:\WINDOWS\SYSTEM32\Incinerator.dll
PTech 6/19/2006 4:19:42 PM 571184 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 6/8/2006 7:19:50 PM 5967776 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 6/8/2006 7:19:50 PM 5967776 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 1:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 1:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 4/27/2006 5:49:30 PM 288417 C:\WINDOWS\SYSTEM32\SrchSTS.exe
UPX! 1/9/2006 10:36:04 AM 42496 C:\WINDOWS\SYSTEM32\swreg.exe
UPX! 1/9/2006 10:36:06 AM 40960 C:\WINDOWS\SYSTEM32\swsc.exe
winsync 8/15/2003 8:41:44 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
PTech 6/19/2006 4:19:26 PM 304944 C:\WINDOWS\SYSTEM32\WgaTray.exe

Checking %System%\Drivers folder and sub-folders...
UPX! 6/26/2006 9:03:30 AM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 6/26/2006 9:03:30 AM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 6/26/2006 9:03:30 AM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 6/26/2006 9:03:30 AM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PTech 8/3/2004 11:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\Hosts
127.0.0.1 www.qoologic.com
127.0.0.1 www.urllogic.com

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
7/20/2006 3:53:34 PM S 2048 C:\WINDOWS\bootstat.dat
7/13/2006 10:46:02 AM H 54156 C:\WINDOWS\QTFont.qfn
6/16/2006 9:20:00 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\8ecdf17e5a787c02ac0ed596ff4900f3\BIT4A.tmp
5/30/2006 7:31:54 AM RHS 56 C:\WINDOWS\system32\00370CD73E.sys
5/30/2006 7:31:54 AM HS 1682 C:\WINDOWS\system32\KGyGaAvL.sys
6/22/2006 5:18:30 AM S 13309 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911280.cat
5/29/2006 10:16:00 AM S 23751 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB916281.cat
6/1/2006 2:28:56 PM S 11043 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918439.cat
6/19/2006 4:20:58 PM S 7160 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WgaNotify.cat
7/20/2006 3:54:04 PM H 1024 C:\WINDOWS\system32\config\default.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\default_TU_72001.LOG
7/20/2006 3:53:34 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\SAM_TU_47360.LOG
7/20/2006 3:59:56 PM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\SECURITY_TU_50084.LOG
7/20/2006 3:59:56 PM H 1024 C:\WINDOWS\system32\config\software.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\software_TU_58035.LOG
7/20/2006 3:54:42 PM H 1024 C:\WINDOWS\system32\config\system.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\system_TU_79929.LOG
7/16/2006 1:59:12 AM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
7/9/2006 9:39:00 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\c6d568a4-a4b4-48cd-a445-08b6d7558879
7/9/2006 9:39:00 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
7/20/2006 3:56:38 PM H 330 C:\WINDOWS\Tasks\MP Scheduled Scan.job
7/20/2006 3:53:36 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 9/20/2004 3:20:44 PM 16121856 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 8/4/2004 1:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 5/3/2006 2:56:54 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/15/2003 7:49:58 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/15/2003 7:57:52 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 12/14/2003 6:20:50 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/15/2003 8:04:26 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 110592 C:\WINDOWS\SYSTEM32\dllcache\bthprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 380416 C:\WINDOWS\SYSTEM32\dllcache\irprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/15/2003 7:49:58 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/15/2003 7:57:52 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/15/2003 8:04:26 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
Intel Corporation 2/10/2004 7:53:24 PM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0001\DriverFiles\igfxcpl.cpl
Realtek Semiconductor Corp. 2/10/2004 2:19:32 AM 14224384 C:\WINDOWS\SYSTEM32\ReinstallBackups\0018\DriverFiles\ALSNDMGR.CPL

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
8/4/2005 6:54:54 PM 994 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
4/2/2004 1:55:28 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
12/31/2005 5:35:28 PM 807 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Run Nintendo Wi-Fi USB Connector Registration Tool.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
4/2/2004 5:46:32 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
4/2/2004 1:55:28 PM HS 84 C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
4/2/2004 5:46:32 AM HS 62 C:\Documents and Settings\Owner\Application Data\desktop.ini


----------



## sparsby (Apr 10, 2006)

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
sv1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Trojan Remover
{52B87208-9CCF-42C9-B88E-069281105805} = C:\PROGRA~1\TROJAN~1\Trshlex.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Trojan Remover
{52B87208-9CCF-42C9-B88E-069281105805} = C:\PROGRA~1\TROJAN~1\Trshlex.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A3A071E-F913-4eee-AE15-AEFFA16FB6BC}
Popup Killer = C:\PROGRA~1\Webroot\POP-UP~1\VAPopupKiller.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console	: C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger	: C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
= 
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links	: %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = : 
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links	: %SystemRoot%\system32\SHELL32.dll
{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} = : 
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address	: %SystemRoot%\System32\browseui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
AVG7_CC	C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
Windows Defender	"C:\Program Files\Windows Defender\MSASCui.exe" -hide
QuickTime Task	"C:\Program Files\QuickTime\qttask.exe" -atboottime
SunJavaUpdateSched	C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
WebrootDesktopFirewall	C:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe -t
VTTimer	VTTimer.exe
Recguard	C:\WINDOWS\SMINST\RECGUARD.EXE
KBD	C:\HP\KBD\KBD.EXE
hpsysdrv	c:\windows\system\hpsysdrv.exe
HPDJ Taskbar Utility	C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
HP Component Manager	"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
AGRSMMSG	AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
PopUpWasher	C:\PROGRA~1\Webroot\POP-UP~1\PopUpWasher.exe
RecordNow!	
MsnMsgr	"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandFrom

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandTo

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
ose	3
C-DillaSrv	2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk
backup	C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup
location	Startup
item	MyWebSearch Email Plugin

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\avnort
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msmbw
hkey	HKLM
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msmbw
hkey	HKLM
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:\Program Files

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini	0
win.ini	0
bootini	0
services	0
startup	0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments
ScanWithAntiVirus	2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoCDBurning	0
NoLowDiskSpaceChecks	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername	0
legalnoticecaption	
legalnoticetext	
shutdownwithoutlogon	1
undockwithoutlogon	1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun	145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableRegistryTools	0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit	= userinit.exe
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
= WgaLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1	- Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 7/20/2006 4:03:08 PM


----------



## Cookiegal (Aug 27, 2003)

Boot to safe mode. Unzip the FixSparby.zip file and double click on the FixSparsby.reg file and allow it to enter into the registry.

After you've done that reboot and run another WinpFind scan and post that log please.


----------



## sparsby (Apr 10, 2006)

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
qoologic 6/26/2006 9:04:50 AM 12243523 C:\AVG7QT.DAT
urllogic 6/26/2006 9:04:50 AM 12243523 C:\AVG7QT.DAT
UPX! 6/25/2006 4:59:38 PM 299030 C:\combofix.exe
qoologic 6/30/2006 6:07:58 PM 204131 C:\WinPFind.zip

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
aspack 3/18/2005 5:19:58 PM 2337488 C:\WINDOWS\SYSTEM32\d3dx9_25.dll
PEC2 8/16/2003 1:40:04 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
aspack 2/17/2005 3:10:14 PM 702464 C:\WINDOWS\SYSTEM32\Incinerator.dll
PTech 6/19/2006 4:19:42 PM 571184 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 6/8/2006 7:19:50 PM 5967776 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 6/8/2006 7:19:50 PM 5967776 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 1:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 1:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 4/27/2006 5:49:30 PM 288417 C:\WINDOWS\SYSTEM32\SrchSTS.exe
UPX! 1/9/2006 10:36:04 AM 42496 C:\WINDOWS\SYSTEM32\swreg.exe
UPX! 1/9/2006 10:36:06 AM 40960 C:\WINDOWS\SYSTEM32\swsc.exe
winsync 8/15/2003 8:41:44 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
PTech 6/19/2006 4:19:26 PM 304944 C:\WINDOWS\SYSTEM32\WgaTray.exe

Checking %System%\Drivers folder and sub-folders...
UPX! 6/26/2006 9:03:30 AM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 6/26/2006 9:03:30 AM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 6/26/2006 9:03:30 AM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 6/26/2006 9:03:30 AM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PTech 8/3/2004 11:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\Hosts
127.0.0.1 www.qoologic.com
127.0.0.1 www.urllogic.com

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
7/20/2006 4:40:26 PM S 2048 C:\WINDOWS\bootstat.dat
7/13/2006 10:46:02 AM H 54156 C:\WINDOWS\QTFont.qfn
6/16/2006 9:20:00 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\8ecdf17e5a787c02ac0ed596ff4900f3\BIT4A.tmp
5/30/2006 7:31:54 AM RHS 56 C:\WINDOWS\system32\00370CD73E.sys
5/30/2006 7:31:54 AM HS 1682 C:\WINDOWS\system32\KGyGaAvL.sys
6/22/2006 5:18:30 AM S 13309 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911280.cat
5/29/2006 10:16:00 AM S 23751 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB916281.cat
6/1/2006 2:28:56 PM S 11043 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918439.cat
6/19/2006 4:20:58 PM S 7160 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WgaNotify.cat
7/20/2006 4:41:26 PM H 1024 C:\WINDOWS\system32\config\default.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\default_TU_72001.LOG
7/20/2006 4:40:28 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\SAM_TU_47360.LOG
7/20/2006 4:43:52 PM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\SECURITY_TU_50084.LOG
7/20/2006 4:41:54 PM H 1024 C:\WINDOWS\system32\config\software.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\software_TU_58035.LOG
7/20/2006 4:41:34 PM H 1024 C:\WINDOWS\system32\config\system.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\system_TU_79929.LOG
7/16/2006 1:59:12 AM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
7/9/2006 9:39:00 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\c6d568a4-a4b4-48cd-a445-08b6d7558879
7/9/2006 9:39:00 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
7/20/2006 4:43:32 PM H 330 C:\WINDOWS\Tasks\MP Scheduled Scan.job
7/20/2006 4:40:30 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 9/20/2004 3:20:44 PM 16121856 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 8/4/2004 1:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 5/3/2006 2:56:54 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/15/2003 7:49:58 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/15/2003 7:57:52 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 12/14/2003 6:20:50 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/15/2003 8:04:26 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 110592 C:\WINDOWS\SYSTEM32\dllcache\bthprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 380416 C:\WINDOWS\SYSTEM32\dllcache\irprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/15/2003 7:49:58 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/15/2003 7:57:52 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/15/2003 8:04:26 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
Intel Corporation 2/10/2004 7:53:24 PM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0001\DriverFiles\igfxcpl.cpl
Realtek Semiconductor Corp. 2/10/2004 2:19:32 AM 14224384 C:\WINDOWS\SYSTEM32\ReinstallBackups\0018\DriverFiles\ALSNDMGR.CPL

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
8/4/2005 6:54:54 PM 994 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
4/2/2004 1:55:28 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
12/31/2005 5:35:28 PM 807 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Run Nintendo Wi-Fi USB Connector Registration Tool.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
4/2/2004 5:46:32 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
4/2/2004 1:55:28 PM HS 84 C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
4/2/2004 5:46:32 AM HS 62 C:\Documents and Settings\Owner\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
sv1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Trojan Remover
{52B87208-9CCF-42C9-B88E-069281105805} = C:\PROGRA~1\TROJAN~1\Trshlex.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Trojan Remover
{52B87208-9CCF-42C9-B88E-069281105805} = C:\PROGRA~1\TROJAN~1\Trshlex.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A3A071E-F913-4eee-AE15-AEFFA16FB6BC}
Popup Killer = C:\PROGRA~1\Webroot\POP-UP~1\VAPopupKiller.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console	: C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger	: C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
= 
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links	: %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = : 
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links	: %SystemRoot%\system32\SHELL32.dll
{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} = : 
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address	: %SystemRoot%\System32\browseui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
AVG7_CC	C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
Windows Defender	"C:\Program Files\Windows Defender\MSASCui.exe" -hide
QuickTime Task	"C:\Program Files\QuickTime\qttask.exe" -atboottime
SunJavaUpdateSched	C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
WebrootDesktopFirewall	C:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe -t
VTTimer	VTTimer.exe
Recguard	C:\WINDOWS\SMINST\RECGUARD.EXE
KBD	C:\HP\KBD\KBD.EXE
hpsysdrv	c:\windows\system\hpsysdrv.exe
HPDJ Taskbar Utility	C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
HP Component Manager	"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
AGRSMMSG	AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
PopUpWasher	C:\PROGRA~1\Webroot\POP-UP~1\PopUpWasher.exe
RecordNow!	
MsnMsgr	"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandFrom

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandTo

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
ose	3
C-DillaSrv	2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk
backup	C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup
location	Startup
item	MyWebSearch Email Plugin

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Á³#*L"h'þ9Óœð3rÅWC:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini	0
win.ini	0
bootini	0
services	0
startup	0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments
ScanWithAntiVirus	2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoCDBurning	0
NoLowDiskSpaceChecks	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername	0
legalnoticecaption	
legalnoticetext	
shutdownwithoutlogon	1
undockwithoutlogon	1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun	145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableRegistryTools	0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit	= userinit.exe
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
= WgaLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1	- Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 7/20/2006 4:45:08 PM


----------



## Cookiegal (Aug 27, 2003)

Now we're making progress. :up:

Please do this again (we did it way back but I would like to see a new one).
Go to Start - Run - type in regedit and click OK to open the registry editor.

Expand each key by clicking on the + sign to the left of the name:

+HKEY_LOCAL_MACHINE
+SOFTWARE
+Microsoft
+Shared Tools
+MSConfig

Right click (but do not expand) *startupreg*, then select "export" and save it on your desktop. Right click on the file and select "open with" and choose Notepad. Copy and paste the contents here please.


----------



## sparsby (Apr 10, 2006)

For some reason it was already open, but here you go:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Á³#*L"h'þ9Óœð3rÅWC:]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Á³#*L"h'þ9Óœð3rÅWC:\Program Files]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Á³#*L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Á³#*L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tqsry"
"hkey"="HKLM"
"inimapping"="0"


----------



## Cookiegal (Aug 27, 2003)

That's the same one you posted last time but it's OK.

I'm attaching a FixSparsby2.zip file to this post. Save it to your desktop.

Boot to safe mode, unzip the FixSparsby2.zip file and double click on the FixSparsby2.reg file and allow it to enter into the registry.

While in safe mode see if you have this folder and if so, delete it:

C:\PROGRAM FILES\*MYWEBSEARCH*

Reboot and then run another scan with WinpFind and post that log please.


----------



## sparsby (Apr 10, 2006)

Couldn't find the file, and upon restart (out of safe mode) AVG found a virus. I don't remember anything about it though; I just clicked the move-to-vault button.

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
qoologic 6/26/2006 9:04:50 AM 12243523 C:\AVG7QT.DAT
urllogic 6/26/2006 9:04:50 AM 12243523 C:\AVG7QT.DAT
UPX! 6/25/2006 4:59:38 PM 299030 C:\combofix.exe
qoologic 6/30/2006 6:07:58 PM 204131 C:\WinPFind.zip

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
aspack 3/18/2005 5:19:58 PM 2337488 C:\WINDOWS\SYSTEM32\d3dx9_25.dll
PEC2 8/16/2003 1:40:04 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
aspack 2/17/2005 3:10:14 PM 702464 C:\WINDOWS\SYSTEM32\Incinerator.dll
PTech 6/19/2006 4:19:42 PM 571184 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
aspack 7/6/2006 7:21:46 PM 6757792 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 1:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 1:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 4/27/2006 5:49:30 PM 288417 C:\WINDOWS\SYSTEM32\SrchSTS.exe
UPX! 1/9/2006 10:36:04 AM 42496 C:\WINDOWS\SYSTEM32\swreg.exe
UPX! 1/9/2006 10:36:06 AM 40960 C:\WINDOWS\SYSTEM32\swsc.exe
winsync 8/15/2003 8:41:44 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
PTech 6/19/2006 4:19:26 PM 304944 C:\WINDOWS\SYSTEM32\WgaTray.exe

Checking %System%\Drivers folder and sub-folders...
UPX! 6/26/2006 9:03:30 AM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 6/26/2006 9:03:30 AM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 6/26/2006 9:03:30 AM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 6/26/2006 9:03:30 AM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PTech 8/3/2004 11:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\Hosts
127.0.0.1 www.qoologic.com
127.0.0.1 www.urllogic.com

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
7/21/2006 2:08:58 PM S 2048 C:\WINDOWS\bootstat.dat
7/13/2006 10:46:02 AM H 54156 C:\WINDOWS\QTFont.qfn
6/16/2006 9:20:00 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\8ecdf17e5a787c02ac0ed596ff4900f3\BIT4A.tmp
5/30/2006 7:31:54 AM RHS 56 C:\WINDOWS\system32\00370CD73E.sys
5/30/2006 7:31:54 AM HS 1682 C:\WINDOWS\system32\KGyGaAvL.sys
6/22/2006 5:18:30 AM S 13309 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911280.cat
5/29/2006 10:16:00 AM S 23751 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB916281.cat
6/1/2006 2:28:56 PM S 11043 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918439.cat
6/19/2006 4:20:58 PM S 7160 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WgaNotify.cat
7/21/2006 2:09:40 PM H 1024 C:\WINDOWS\system32\config\default.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\default_TU_72001.LOG
7/21/2006 2:09:00 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\SAM_TU_47360.LOG
7/21/2006 2:12:42 PM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\SECURITY_TU_50084.LOG
7/21/2006 2:12:42 PM H 1024 C:\WINDOWS\system32\config\software.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\software_TU_58035.LOG
7/21/2006 2:10:00 PM H 1024 C:\WINDOWS\system32\config\system.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\system_TU_79929.LOG
7/21/2006 12:01:16 PM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
7/9/2006 9:39:00 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\c6d568a4-a4b4-48cd-a445-08b6d7558879
7/9/2006 9:39:00 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
7/21/2006 2:12:04 PM H 330 C:\WINDOWS\Tasks\MP Scheduled Scan.job
7/21/2006 2:09:02 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 9/20/2004 3:20:44 PM 16121856 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 8/4/2004 1:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 5/3/2006 2:56:54 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/15/2003 7:49:58 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/15/2003 7:57:52 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 12/14/2003 6:20:50 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/15/2003 8:04:26 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 110592 C:\WINDOWS\SYSTEM32\dllcache\bthprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 380416 C:\WINDOWS\SYSTEM32\dllcache\irprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/15/2003 7:49:58 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/15/2003 7:57:52 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/15/2003 8:04:26 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
Intel Corporation 2/10/2004 7:53:24 PM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0001\DriverFiles\igfxcpl.cpl
Realtek Semiconductor Corp. 2/10/2004 2:19:32 AM 14224384 C:\WINDOWS\SYSTEM32\ReinstallBackups\0018\DriverFiles\ALSNDMGR.CPL

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
8/4/2005 6:54:54 PM 994 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
4/2/2004 1:55:28 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
12/31/2005 5:35:28 PM 807 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Run Nintendo Wi-Fi USB Connector Registration Tool.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
4/2/2004 5:46:32 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
4/2/2004 1:55:28 PM HS 84 C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
4/2/2004 5:46:32 AM HS 62 C:\Documents and Settings\Owner\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
sv1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Trojan Remover
{52B87208-9CCF-42C9-B88E-069281105805} = C:\PROGRA~1\TROJAN~1\Trshlex.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Trojan Remover
{52B87208-9CCF-42C9-B88E-069281105805} = C:\PROGRA~1\TROJAN~1\Trshlex.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A3A071E-F913-4eee-AE15-AEFFA16FB6BC}
Popup Killer = C:\PROGRA~1\Webroot\POP-UP~1\VAPopupKiller.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console	: C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger	: C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
= 
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links	: %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = : 
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links	: %SystemRoot%\system32\SHELL32.dll
{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} = : 
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address	: %SystemRoot%\System32\browseui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
AVG7_CC	C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
Windows Defender	"C:\Program Files\Windows Defender\MSASCui.exe" -hide
QuickTime Task	"C:\Program Files\QuickTime\qttask.exe" -atboottime
SunJavaUpdateSched	C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
WebrootDesktopFirewall	C:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe -t
VTTimer	VTTimer.exe
Recguard	C:\WINDOWS\SMINST\RECGUARD.EXE
KBD	C:\HP\KBD\KBD.EXE
hpsysdrv	c:\windows\system\hpsysdrv.exe
HPDJ Taskbar Utility	C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
HP Component Manager	"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
AGRSMMSG	AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
PopUpWasher	C:\PROGRA~1\Webroot\POP-UP~1\PopUpWasher.exe
RecordNow!	
MsnMsgr	"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandFrom

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandTo

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
ose	3
C-DillaSrv	2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk
backup	C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup
location	Startup
item	MyWebSearch Email Plugin

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Á³#*L"h'þ9Óœð3rÅWC:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini	0
win.ini	0
bootini	0
services	0
startup	0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments
ScanWithAntiVirus	2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoCDBurning	0
NoLowDiskSpaceChecks	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername	0
legalnoticecaption	
legalnoticetext	
shutdownwithoutlogon	1
undockwithoutlogon	1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun	145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableRegistryTools	0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit	= userinit.exe
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
= WgaLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1	- Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 7/21/2006 2:14:27 PM


----------



## Cookiegal (Aug 27, 2003)

Did you run the regfix file, and did you reboot afterwards, before running the WinpFind scan?

Where did AVG find the virus? Check the log please. You need to help me so I can help you.


----------



## sparsby (Apr 10, 2006)

I ran the file, then rebooted, then the pop-up from AVG came up warning me about the virus; after that I went and ran WinpFind.

The virus was found in C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8567ODQB\

It was a Trojan horse Downloader.VB.FC.

File Name: ABoxInst_int15[1].exe

It's 31.25KB.


----------



## Cookiegal (Aug 27, 2003)

Thank you, that helps. 

Boot to safe mode and navigate to this folder:

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\*Content.IE5*

Open the Content.IE5 folder and delete its entire contents. You won't be able to delete the index.dat file and that is normal.

Are you comfortable editing the registry?


----------



## sparsby (Apr 10, 2006)

Yes, I'm comfortable editing the registry. Just tell me what to do.


----------



## Cookiegal (Aug 27, 2003)

First we will back up the registry in case anything goes wrong.

Go to Start > Run
Type:
*regedit*
Click OK.
On the left side, click to highlight *My Computer* at the top. 
Go up to "*File > Export*"
Make sure in that window there is a tick next to "All" under Export Branch.
Leave the "Save As Type" as "Registration Files".
Under "Filename" put *backup*

Choose to save it to *C:\* or somewhere else safe so that you will remember where you put it (don't put it on the desktop!)
Click save and then go to File > Exit.
This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.

Go to Start - Run - type in regedit and click OK to open the registry editor.

Expand each of the following keys by clicking on the + to the left of each one:

+ HKEY_LOCAL_MACHINE
+ SOFTWARE
+ Microsoft
+ Shared Tools
+ MSConfig
+ startupfolder

Under startupfolder, in the left pane, do you see a sub-key that looks like the following?

*C:\Documents and Settings\Owner\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk*

Let me know please.


----------



## sparsby (Apr 10, 2006)

Yup, there's a folder there with that name, but instead of backslashes it has these: ^


----------



## Cookiegal (Aug 27, 2003)

OK, that's good. Right click on:

*C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk*

and select "delete".

Let me know if you were successful please.


----------



## sparsby (Apr 10, 2006)

All good


----------



## Cookiegal (Aug 27, 2003)

Good, one down, one to go. 

Under the same MsConfig key, probably just below *startupfolder*, you should see another sub-key called:

*startupreg*

The startupreg key has a + sign to the left of it so please click on it to expand the key:

Do you see a folder there (still in the left-hand pane) that looks like this or some other gibberish?

Á³#*L"h'þ9Óœð3rÅWC:


----------
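An added audit script (my own, not code posted in this thread or shipped with WinPFind or msconfig) that parses a Regedit 5.00 export like the one sparsby pasted earlier and flags the kind of MSConfig\startupreg record Cookiegal is asking about: a key name with non-ASCII garbage characters, a name that embeds a file path as nested subkeys, an `item` value that does not match its subkey name, and no `command` value saying what was launched. The sample export is constructed to mirror the posted one; the benign QuickTime record and its `command` value are added for contrast.

```python
"""Audit a Regedit 5.00 export of MSConfig\\startupreg for corrupted or
obfuscated disabled-startup records (added example, not code from the thread)."""
import re

# Constructed sample shaped like the export posted in the thread: a garbage-named
# record whose nested subkeys spell out a path to ISTsvc\istsvc.exe, plus a
# benign QuickTime record (constructed) for contrast.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Á³#*L"h'þ9Óœð3rÅWC:]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Á³#*L"h'þ9Óœð3rÅWC:\Program Files]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Á³#*L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Á³#*L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tqsry"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="QuickTime Task"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"
'''

ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg"
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def decode_reg_string(raw):
    """Turn a .reg string value ("..." with \\ and \" escapes) into real text.
    Non-string values (dword:, hex:) are returned untouched."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return re.sub(r'\\(.)', r'\1', raw[1:-1])
    return raw


def parse_reg(text):
    """Parse a Regedit export into {key_path: {value_name: value}}.
    Keys with no values still appear, with an empty dict."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = decode_reg_string(m.group(2))
    return keys


def odd_chars(name):
    """Characters outside printable ASCII. A healthy msconfig record is named
    after the Run value it disabled, which is normally plain text."""
    return [c for c in name if not 0x20 <= ord(c) < 0x7F]


def audit(text):
    """One finding per startupreg record (a subkey carrying values); a record
    that looks healthy gets an empty 'reasons' list."""
    findings = []
    for path, values in parse_reg(text).items():
        if not path.startswith(ROOT + "\\") or not values:
            continue
        rel = path[len(ROOT) + 1:]
        item = values.get("item", "")
        reasons = []
        bad = odd_chars(rel)
        if bad:
            reasons.append("non-ASCII/control characters in key name: "
                           + " ".join(f"U+{ord(c):04X}" for c in bad))
        if "\\" in rel:
            reasons.append("key name contains path separators (nested garbage subkeys)")
        if item != rel:
            reasons.append(f"item {item!r} does not match subkey name")
        if "command" not in values:
            reasons.append("no 'command' value: cannot tell what the Run entry launched")
        findings.append({"subkey": rel, "hkey": values.get("hkey"),
                         "run_key": values.get("key"), "item": item,
                         "command": values.get("command"), "reasons": reasons})
    return findings


def audit_file(path):
    """Regedit 5.00 writes exports as UTF-16LE with a BOM; the utf-16 codec honours it."""
    with open(path, encoding="utf-16") as fh:
        return audit(fh.read())


if __name__ == "__main__":
    for f in audit(SAMPLE_REG):
        verdict = "SUSPICIOUS" if f["reasons"] else "ok"
        print(f"[{verdict}] {f['hkey']}\\{f['run_key']}\\{f['item']} (subkey {f['subkey']!r})")
        for r in f["reasons"]:
            print("    -", r)
```

Point `audit_file` at a real export saved from regedit (right-click the key, Export) to review a machine's own disabled-startup records the same way.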



## sparsby (Apr 10, 2006)

Yuppers, want me to delete it?


----------



## Cookiegal (Aug 27, 2003)

Yes please and then reboot and post a new WinpFind scan log.


----------



## sparsby (Apr 10, 2006)

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
qoologic 6/26/2006 9:04:50 AM 12243523 C:\AVG7QT.DAT
urllogic 6/26/2006 9:04:50 AM 12243523 C:\AVG7QT.DAT
UPX! 6/25/2006 4:59:38 PM 299030 C:\combofix.exe
qoologic 6/30/2006 6:07:58 PM 204131 C:\WinPFind.zip

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
aspack 3/18/2005 5:19:58 PM 2337488 C:\WINDOWS\SYSTEM32\d3dx9_25.dll
PEC2 8/16/2003 1:40:04 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
aspack 2/17/2005 3:10:14 PM 702464 C:\WINDOWS\SYSTEM32\Incinerator.dll
PTech 6/19/2006 4:19:42 PM 571184 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
aspack 7/6/2006 7:21:46 PM 6757792 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 1:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 1:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 4/27/2006 5:49:30 PM 288417 C:\WINDOWS\SYSTEM32\SrchSTS.exe
UPX! 1/9/2006 10:36:04 AM 42496 C:\WINDOWS\SYSTEM32\swreg.exe
UPX! 1/9/2006 10:36:06 AM 40960 C:\WINDOWS\SYSTEM32\swsc.exe
winsync 8/15/2003 8:41:44 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
PTech 6/19/2006 4:19:26 PM 304944 C:\WINDOWS\SYSTEM32\WgaTray.exe

Checking %System%\Drivers folder and sub-folders...
UPX! 6/26/2006 9:03:30 AM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 6/26/2006 9:03:30 AM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 6/26/2006 9:03:30 AM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 6/26/2006 9:03:30 AM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PTech 8/3/2004 11:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\Hosts
127.0.0.1 www.qoologic.com
127.0.0.1 www.urllogic.com

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
7/21/2006 7:02:46 PM S 2048 C:\WINDOWS\bootstat.dat
7/13/2006 10:46:02 AM H 54156 C:\WINDOWS\QTFont.qfn
6/16/2006 9:20:00 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\8ecdf17e5a787c02ac0ed596ff4900f3\BIT4A.tmp
5/30/2006 7:31:54 AM RHS 56 C:\WINDOWS\system32\00370CD73E.sys
5/30/2006 7:31:54 AM HS 1682 C:\WINDOWS\system32\KGyGaAvL.sys
6/22/2006 5:18:30 AM S 13309 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911280.cat
5/29/2006 10:16:00 AM S 23751 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB916281.cat
6/1/2006 2:28:56 PM S 11043 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918439.cat
6/19/2006 4:20:58 PM S 7160 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WgaNotify.cat
7/21/2006 7:04:08 PM H 1024 C:\WINDOWS\system32\config\default.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\default_TU_72001.LOG
7/21/2006 7:02:48 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\SAM_TU_47360.LOG
7/21/2006 7:06:12 PM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\SECURITY_TU_50084.LOG
7/21/2006 7:04:58 PM H 1024 C:\WINDOWS\system32\config\software.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\software_TU_58035.LOG
7/21/2006 7:04:20 PM H 1024 C:\WINDOWS\system32\config\system.LOG
5/23/2006 6:20:32 PM H 0 C:\WINDOWS\system32\config\system_TU_79929.LOG
7/21/2006 12:01:16 PM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
7/9/2006 9:39:00 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\c6d568a4-a4b4-48cd-a445-08b6d7558879
7/9/2006 9:39:00 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
7/21/2006 7:05:50 PM H 330 C:\WINDOWS\Tasks\MP Scheduled Scan.job
7/21/2006 7:02:50 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 9/20/2004 3:20:44 PM 16121856 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 8/4/2004 1:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 5/3/2006 2:56:54 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/15/2003 7:49:58 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/15/2003 7:57:52 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 12/14/2003 6:20:50 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/15/2003 8:04:26 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 110592 C:\WINDOWS\SYSTEM32\dllcache\bthprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 380416 C:\WINDOWS\SYSTEM32\dllcache\irprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/15/2003 7:49:58 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/15/2003 7:57:52 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/15/2003 8:04:26 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
Intel Corporation 2/10/2004 7:53:24 PM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0001\DriverFiles\igfxcpl.cpl
Realtek Semiconductor Corp. 2/10/2004 2:19:32 AM 14224384 C:\WINDOWS\SYSTEM32\ReinstallBackups\0018\DriverFiles\ALSNDMGR.CPL

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
8/4/2005 6:54:54 PM 994 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
4/2/2004 1:55:28 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
12/31/2005 5:35:28 PM 807 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Run Nintendo Wi-Fi USB Connector Registration Tool.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
4/2/2004 5:46:32 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
4/2/2004 1:55:28 PM HS 84 C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
4/2/2004 5:46:32 AM HS 62 C:\Documents and Settings\Owner\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
sv1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Trojan Remover
{52B87208-9CCF-42C9-B88E-069281105805} = C:\PROGRA~1\TROJAN~1\Trshlex.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Trojan Remover
{52B87208-9CCF-42C9-B88E-069281105805} = C:\PROGRA~1\TROJAN~1\Trshlex.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A3A071E-F913-4eee-AE15-AEFFA16FB6BC}
Popup Killer = C:\PROGRA~1\Webroot\POP-UP~1\VAPopupKiller.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console	: C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger	: C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
= 
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links	: %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = : 
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links	: %SystemRoot%\system32\SHELL32.dll
{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} = : 
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address	: %SystemRoot%\System32\browseui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
AVG7_CC	C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
Windows Defender	"C:\Program Files\Windows Defender\MSASCui.exe" -hide
QuickTime Task	"C:\Program Files\QuickTime\qttask.exe" -atboottime
SunJavaUpdateSched	C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
WebrootDesktopFirewall	C:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe -t
VTTimer	VTTimer.exe
Recguard	C:\WINDOWS\SMINST\RECGUARD.EXE
KBD	C:\HP\KBD\KBD.EXE
hpsysdrv	c:\windows\system\hpsysdrv.exe
HPDJ Taskbar Utility	C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
HP Component Manager	"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
AGRSMMSG	AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
PopUpWasher	C:\PROGRA~1\Webroot\POP-UP~1\PopUpWasher.exe
RecordNow!	
MsnMsgr	"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandFrom

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandTo

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
ose	3
C-DillaSrv	2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini	0
win.ini	0
bootini	0
services	0
startup	0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments
ScanWithAntiVirus	2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoCDBurning	0
NoLowDiskSpaceChecks	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername	0
legalnoticecaption	
legalnoticetext	
shutdownwithoutlogon	1
undockwithoutlogon	1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun	145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableRegistryTools	0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit	= userinit.exe
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
= WgaLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1	- Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 7/21/2006 7:07:22 PM


----------



## Cookiegal (Aug 27, 2003)

Good job! That looks good now.

How are things running?


----------



## sparsby (Apr 10, 2006)

Hmm, it's still doing the windows thing. When restarting, the white dots are there in the corner only until I tell the firewall that EXPLORER.exe can't access the internet. Every time I clear the content.ie5 folder(s) (there's 4 of them in different places) the same subfolders inside it come back.


----------



## Cookiegal (Aug 27, 2003)

Go to the following link and run a "full service scan" and post the results here please.

http://safety.live.com/site/en-US/default.htm


----------



## sparsby (Apr 10, 2006)

It found a lot of registry things and temp internet files but no viruses. It said that it cleaned everything too.


----------



## Cookiegal (Aug 27, 2003)

Run Kaspersky online virus scan *here*.

After the updates have downloaded, click on the "Scan Settings" button.
Choose the "Extended database" for the scan.
Under "Please select a target to scan", click "My Computer".
When the scan is finished, Save the results from the scan!


----------



## sparsby (Apr 10, 2006)

I ran it again and watched it this time; before finishing up, during the scan, it showed that 7 viruses had been found. Running the Kaspersky in a minute.


----------



## sparsby (Apr 10, 2006)

C:\Documents and Settings\Owner\Desktop\Kaspersky report.html

Wait, duh, you probably can't see that. How should I get that to you?



I just got a Windows security warning (I turned the firewall off and everything else I could while running the scanners) and it said:

Name: Do you want to install and run "FOR ADULTS ONLY! C...

Publisher: STARNET DI ALESSANDRO CASINI

I clicked don't install. That windows thing still happens; I don't think I'm going to take that firewall off anymore...


----------



## Cookiegal (Aug 27, 2003)

Please upload the report as an attachment.


----------



## sparsby (Apr 10, 2006)

It says it's an invalid file type though

"Desktop\Kaspersky report.html"

Never mind, I got it.


----------



## Cookiegal (Aug 27, 2003)

Boot to safe mode and run Killbox on these files:

*C:\WINDOWS\system32\msspool16.dll*

*C:\WINDOWS\system32\msspool16.ref*

*C:\WINDOWS\system32\mouse_drv32.ovx*

*C:\WINDOWS\system32\msspool32.ref*

*C:\WINDOWS\system32\msspool64.ref*

Reboot and let me know if there's any change.


----------



## sparsby (Apr 10, 2006)

Only the first two files weren't found, but the rest were.


----------



## sparsby (Apr 10, 2006)

It still does the window thing >=(


----------



## Cookiegal (Aug 27, 2003)

Please do a search for: *msspool*

and let me know what files are found.


----------



## sparsby (Apr 10, 2006)

There are two msspool64(32).ref in my !killbox folder and a msspool16.dll in C:\WINDOWS\system


----------



## Cookiegal (Aug 27, 2003)

Boot to safe mode and run Killbox on this file:

*C:\WINDOWS\system\msspool16.dll*

Reboot and let me know how things are.


----------



## sparsby (Apr 10, 2006)

It stiiiillllll happens when I take the firewall off; I don't know what to say to help anymore.


----------



## Cookiegal (Aug 27, 2003)

You mean it only happens when you disable the XP firewall?

Why are you doing that?


----------



## sparsby (Apr 10, 2006)

Not the XP one, Webroot Desktop firewall, to see if anything has changed.


----------



## Cookiegal (Aug 27, 2003)

Webroot Desktop firewall keeps an activity log. Please check it and see what it has been blocking.


----------



## sparsby (Apr 10, 2006)

The only things that I can't explain are Windows Explorer attempts to connect to the internet, which I have ALWAYS denied.


----------



## Cookiegal (Aug 27, 2003)

That can be normal activity. You are referring to explorer.exe I assume? Where is it trying to connect to?


----------



## sparsby (Apr 10, 2006)

It has a few different source IPs, and for destination IPs there's:

192.168.0.100:1493
209.139.239.118:80
192.168.0.100:1278
216.150.6.75:80
192.168.0.100:1960
192.168.0.100:1089
216.150.6.75:80
207.234.185.217:80
216.150.6.75:80

Then there's one from Windows(r) Installer and more Windows Explorer entries further down the list.


What's a remote access dialer and Userinit logon Application?


----------



## Cookiegal (Aug 27, 2003)

One of those IPs is related to ABox which is a dialer.

In the registry please expand this key by clicking on the + sign to the left.

*HKEY_LOCAL_MACHINE*

Right click on the *Software* key and select "export" and save it to your desktop.

Open the file with Notepad and copy and paste its contents here please.


----------
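Cookiegal's question (where is explorer.exe trying to connect?) is the one that matters: the shell opening outbound connections is only worth chasing when the destination is neither the machine itself nor the LAN. The script below is an added example, not code from the thread and not Webroot Desktop Firewall's real log format. The "process src -> dst" line layout, the source ports and the msiexec.exe line are constructed; the explorer.exe destinations are the nine addresses sparsby listed. It separates same-host and RFC 1918 traffic from public destinations and tallies the public ones so they can be looked up. It does not decide which address belongs to ABox; that is the whois or reputation lookup Cookiegal did by hand.

```python
"""Triage outbound-connection entries from a personal-firewall activity log.

Added example; not from the thread and not Webroot's log format.  The
"<process> <src ip:port> -> <dst ip:port>" layout, the source ports and the
msiexec.exe line are constructed; the explorer.exe destinations are the
nine sparsby posted.
"""
import ipaddress
from collections import Counter

SAMPLE_LOG = """\
explorer.exe 192.168.0.100:1492 -> 192.168.0.100:1493
explorer.exe 192.168.0.100:1201 -> 209.139.239.118:80
explorer.exe 192.168.0.100:1277 -> 192.168.0.100:1278
explorer.exe 192.168.0.100:1202 -> 216.150.6.75:80
explorer.exe 192.168.0.100:1959 -> 192.168.0.100:1960
explorer.exe 192.168.0.100:1088 -> 192.168.0.100:1089
explorer.exe 192.168.0.100:1203 -> 216.150.6.75:80
explorer.exe 192.168.0.100:1204 -> 207.234.185.217:80
explorer.exe 192.168.0.100:1205 -> 216.150.6.75:80
msiexec.exe 192.168.0.100:1206 -> 198.51.100.7:80
"""
# 198.51.100.7 is an RFC 5737 documentation address standing in for an
# update server; it is not something sparsby's log showed.

# RFC 1918, loopback and link-local: traffic that never leaves the LAN.
# Narrower on purpose than ipaddress's is_private, which also counts the
# documentation ranges as private.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Processes that should not open Internet connections on their own.
# explorer.exe is the shell; HTTP from it usually means a DLL loaded into
# it (BHO, shell extension, injected module) is doing the talking.  Assumed.
WATCH_PROCESSES = {"explorer.exe"}


def is_local(ip):
    return any(ip in net for net in LOCAL_NETS)


def parse_line(line):
    """'proc src:port -> dst:port' into a dict of parsed addresses and ports."""
    proc, src, _arrow, dst = line.split()
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return {
        "proc": proc.lower(),
        "src": ipaddress.ip_address(s_ip), "sport": int(s_port),
        "dst": ipaddress.ip_address(d_ip), "dport": int(d_port),
    }


def classify(entry):
    """Label one connection; only 'review' entries need a human to look."""
    src, dst = entry["src"], entry["dst"]
    if dst == src or dst.is_loopback:
        return "self"        # machine talking to itself (local helper/proxy port)
    if is_local(dst):
        return "lan"
    if entry["proc"] in WATCH_PROCESSES:
        return "review"      # shell process reaching a public host
    return "internet"


def triage(log_text):
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        entry["verdict"] = classify(entry)
        results.append(entry)
    return results


def review_targets(results):
    """Distinct public destinations flagged for review, with hit counts."""
    return Counter(str(e["dst"]) for e in results if e["verdict"] == "review")


if __name__ == "__main__":
    rows = triage(SAMPLE_LOG)
    for e in rows:
        print(f'{e["verdict"]:8} {e["proc"]:13} -> {e["dst"]}:{e["dport"]}')
    print("look up:", dict(review_targets(rows)))
```

Run as-is, the 192.168.0.100 entries come out as "self" (the box connecting to its own ephemeral ports), the msiexec.exe line as ordinary "internet", and three public addresses are left for review, one of them hit three times. Those three are the ones to put through whois or a reputation service; a shell process with a repeat public destination on port 80 is the pattern a dialer or adware component loaded into explorer.exe produces.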



## sparsby (Apr 10, 2006)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE]

[HKEY_LOCAL_MACHINE\SOFTWARE\ACE Compression Software]

[HKEY_LOCAL_MACHINE\SOFTWARE\ACE Compression Software\ActiveAce]

[HKEY_LOCAL_MACHINE\SOFTWARE\ACE Compression Software\ActiveAce\2.0]
"Count"=dword:00000000
"Name"=hex:54,2d,4b,53,78,60,79,7b,78,76,73,64,4b,26,2e,2f,2e,48,47,78,7c,72,\
7a,78,79,48,52,7a,72,65,76,7b,73,3f,62,3e,48,60,7e,63,7f,48,5e,47,44,48,71,\
7e,6f,39,6d,7e,67,39,76,74,72,17,17,17,63,d4,37,17,12,17,17,17,f6,2b,15,17,\
17,17,17,17,02,17,17,17,17,17,17,17,27,17,17,17,1c,05,10,17,11,95,17,17,30,\
6f,14,17,04,cf,17,17,81,dd,13,17,29,58,a3,13,17,17,17,17,17,17,17,17,6f,6f,\
10,2f,17,87,f7,05,17,c7,c1,1d,41,18,17,17,17,27,88,17,17,27,88,17,eb,db,17,\
17,27,bc,17,17,0f,03,17,17,a7,04,17,17,17,57,64,17,17,87,75,06,bf,31,3a,17,\
a1,b0,13,17,17,37,14,17,17,87,02,17,e8,e8,e8,e8,f3,fc,f1,f8,e8,e8,e8,e8,e8,\
e8,e8,e8,5f,19,96,1d,17,17,17,17,1f,ef,05,17,cf,2b,6a,17,ff,e0,05,17,37,17,\
17,17,3f,17,17,17,17,a7,e0,0c,17,27,8a,07,17,77,10,6b,17,97,45,65,17,17,e9,\
68,17,27,30,62,37,ef,05,17,83,fc,87,6b,c7,e0,05,17,42,d9,6a,17,17,17,17,17,\
e8,e8,e8,e8,17,17,17,17,ab,ac,79,17,43,ef,05,17,ab,ac,79,17,13,17,17,17,3f,\
17,4a,16,3f,17,4a,16,7b,d8,6a,17,83,fc,87,6b,c7,e0,05,17,17,17,17,17
"Size"=dword:000003ba

[HKEY_LOCAL_MACHINE\SOFTWARE\Adobe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Adobe Gamma]
"WizardOrPanel"=dword:00000000
"Location"="C:\\Program Files\\Common Files\\Adobe\\Calibration\\Adobe Gamma.cpl"

[HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Color\Monitor]

[HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Color\Monitor\Monitor0]
"Primary Monitor"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Color\Monitor\Monitor1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\CommonFiles]
"AdobeHome"="C:"

[HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Photoshop]

[HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Photoshop\7.0]
"AdobeCommonSupport"=dword:00000001
@="C:\\Program Files\\Adobe\\Photoshop 7.0"
"FreeBeforeSlopAdjust"=dword:1bf7b000
"FreeSpace"=dword:0ca4f5ea
"ApplicationPath"="C:\\Program Files\\Adobe\\Photoshop 7.0\\"
"PluginPath"="C:\\Program Files\\Adobe\\Photoshop 7.0\\Plug-Ins\\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Photoshop\7.0\ApplicationPath]
@="C:\\Program Files\\Adobe\\Photoshop 7.0\\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Photoshop\7.0\PluginPath]
@="C:\\Program Files\\Adobe\\Photoshop 7.0\\Plug-Ins\\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Photoshop\7.0\Registration]
"NAME"="Luc Deacu"
"SERIAL"="104512096738466876962783"

[HKEY_LOCAL_MACHINE\SOFTWARE\Adobe Systems]

[HKEY_LOCAL_MACHINE\SOFTWARE\Adobe Systems\Common Install]

[HKEY_LOCAL_MACHINE\SOFTWARE\Adobe Systems\Common Install\Shared Service]

[HKEY_LOCAL_MACHINE\SOFTWARE\Adobe Systems\Common Install\Shared Service\B2B86000]
"Adobe Photoshop"=hex(7):32,00,2e,00,36,00,37,00,2e,00,31,00,30,00,00,00,41,00,\
64,00,6f,00,62,00,65,00,20,00,53,00,79,00,73,00,74,00,65,00,6d,00,73,00,00,\
00,41,00,64,00,6f,00,62,00,65,00,20,00,4c,00,4d,00,20,00,53,00,65,00,72,00,\
76,00,69,00,63,00,65,00,00,00,41,00,64,00,6f,00,62,00,65,00,6c,00,6d,00,73,\
00,76,00,63,00,2e,00,65,00,78,00,65,00,00,00,43,00,3a,00,5c,00,50,00,72,00,\
6f,00,67,00,72,00,61,00,6d,00,20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,43,\
00,6f,00,6d,00,6d,00,6f,00,6e,00,20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,\
41,00,64,00,6f,00,62,00,65,00,20,00,53,00,79,00,73,00,74,00,65,00,6d,00,73,\
00,20,00,53,00,68,00,61,00,72,00,65,00,64,00,5c,00,00,00,41,00,44,00,42,00,\
45,00,4c,00,53,00,52,00,56,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Adobe Systems\Licenses]

[HKEY_LOCAL_MACHINE\SOFTWARE\Adobe Systems\Licenses\Adobe LM Service]
"Common AppData"="C:\\Documents and Settings\\All Users\\Application Data"
@=hex:7e,74,94,36,8e,c1,35,7f,dd,e6,97,78,cf,31,5c,17,0d,c8,e4,fa,d4,f3,f5,76,\
cc,4b,18,05,e8,fb,5c,f5,c9,5b,e6,2c,38,1b,f9,ee,bc,9a,1e,cd,78,99,69,d5,89,\
96,ff,4c,78,90,2b,6f,bc,84,83,4d,79,6d,33,d5,89,3e,93,4e,7b,e0,52,6f,bd,24,\
d2,52,84,ad,d0,d6,8c,be,cd,64,a8,e0,c7,74,c8,24,bc,ac,38,ad,a4,ec

[HKEY_LOCAL_MACHINE\SOFTWARE\Agere]

[HKEY_LOCAL_MACHINE\SOFTWARE\Agere\SoftModem]
"AGRSMSetup"=hex:00,04,d2,80
"CodecFlags"=hex:00,01,00,08
"Status"=hex:01,00,00,00
"ActiveModems"=hex:00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\AKoff]

[HKEY_LOCAL_MACHINE\SOFTWARE\AKoff\Composer]
"InitialDir"="C:\\Documents and Settings\\Owner\\My Documents\\My Music"
"Sens"="-40"
"LowNote"="36"
"HighNote"="100"
"InstrPatch"="0"
"SoundType"="0"
"AutoSens"="1"
"NoOverton"="1"
"PitchBend"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\AntiSpyware]

[HKEY_LOCAL_MACHINE\SOFTWARE\AntiSpyware\Options]
"UserPath"="C:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Sunbelt Software\\CounterSpy"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple]

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple\QuickTime32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple\QuickTime32\CurrentVersion]

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple\QuickTime32\CurrentVersion\SharedFiles]

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple\QuickTime32\CurrentVersion\SharedFiles\C:/WINDOWS/MCENU.HLP]
@="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple\QuickTime32\CurrentVersion\SharedFiles\C:/WINDOWS/PLAY32.EXE]
@="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple\QuickTime32\CurrentVersion\SharedFiles\C:/WINDOWS/PLAYENU.HLP]
@="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple\QuickTime32\CurrentVersion\SharedFiles\C:/WINDOWS/QTW.QTW]
@="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple\QuickTime32\CurrentVersion\SharedFiles\C:/WINDOWS/READQT32.WRI]
@="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple\QuickTime32\CurrentVersion\SharedFiles\C:/WINDOWS/SAMPLE.MOV]
@="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple\QuickTime32\CurrentVersion\SharedFiles\C:/WINDOWS/SYSINI.QTW]
@="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple\QuickTime32\CurrentVersion\SharedFiles\C:/WINDOWS/SYSTEM32/CMGR32.DLL]
@="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple\QuickTime32\CurrentVersion\SharedFiles\C:/WINDOWS/SYSTEM32/CVID32.QTC]
@="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple\QuickTime32\CurrentVersion\SharedFiles\C:/WINDOWS/SYSTEM32/DCI32.QTC]
@="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple\QuickTime32\CurrentVersion\SharedFiles\C:/WINDOWS/SYSTEM32/DHIO32.QTC]
@="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple\QuickTime32\CurrentVersion\SharedFiles\C:/WINDOWS/SYSTEM32/HNDLR32.DLL]
@="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple\QuickTime32\CurrentVersion\SharedFiles\C:/WINDOWS/SYSTEM32/IV32QT32.QTC]
@="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple\QuickTime32\CurrentVersion\SharedFiles\C:/WINDOWS/SYSTEM32/JPEG32.QTC]
@="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple\QuickTime32\CurrentVersion\SharedFiles\C:/WINDOWS/SYSTEM32/MC32.QTC]
@="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple\QuickTime32\CurrentVersion\SharedFiles\C:/WINDOWS/SYSTEM32/MCIQTENU.Q32]
@="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple\QuickTime32\CurrentVersion\SharedFiles\C:/WINDOWS/SYSTEM32/NAVG32.QTC]
@="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple\QuickTime32\CurrentVersion\SharedFiles\C:/WINDOWS/SYSTEM32/QTIM32.DLL]
@="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple\QuickTime32\CurrentVersion\SharedFiles\C:/WINDOWS/SYSTEM32/QTOLE32.DLL]
@="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple\QuickTime32\CurrentVersion\SharedFiles\C:/WINDOWS/SYSTEM32/QTW32.CPL]
@="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple\QuickTime32\CurrentVersion\SharedFiles\C:/WINDOWS/SYSTEM32/QTWCP.HLP]
@="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple\QuickTime32\CurrentVersion\SharedFiles\C:/WINDOWS/SYSTEM32/QTWMCI32.DLL]
@="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple\QuickTime32\CurrentVersion\SharedFiles\C:/WINDOWS/SYSTEM32/RAW32.QTC]
@="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple\QuickTime32\CurrentVersion\SharedFiles\C:/WINDOWS/SYSTEM32/RLE32.QTC]
@="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple\QuickTime32\CurrentVersion\SharedFiles\C:/WINDOWS/SYSTEM32/RPZA32.QTC]
@="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple\QuickTime32\CurrentVersion\SharedFiles\C:/WINDOWS/SYSTEM32/SMC32.QTC]
@="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple\QuickTime32\CurrentVersion\SharedFiles\C:/WINDOWS/VIEW32.EXE]
@="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple\QuickTime32\CurrentVersion\SharedFiles\C:/WINDOWS/VIEWENU.HLP]
@="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple\QuickTime32\CurrentVersion\SharedFiles\C:/WINDOWS/WININI.QTW]
@="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.]

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\iPod]
"HomeMachineID"=hex(b):29,a5,00,00,69,e7,4d,d3

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\iPod\RegisteredApps]

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime]
"ProgramFolder"="QuickTime"
"InstallDir"="C:\\Program Files\\QuickTime"
"Version"=dword:06508000

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\ActiveX]
"QTTaskRunFlags"=dword:00000001
"UpdateXNow"=dword:00000000
"QTVersion"=dword:06000000
"QTTask"="C:\\Program Files\\QuickTime\\qttask.exe"
"AlwaysReclaimAssocations"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\ActiveX\Installed MIME Types]
"application/sdp"="sdp"
"application/x-sdp"="sdp"
"application/x-rtsp"="rtsp,rts"
"video/quicktime"="mov,qt"
"video/flc"="flc,fli"
"audio/x-wav"="wav,bwf"
"audio/wav"="wav,bwf"
"audio/aiff"="aiff,aif,aifc,cdda"
"audio/x-aiff"="aiff,aif,aifc,cdda"
"audio/basic"="au,snd,ulw"
"audio/mid"="mid,midi,smf,kar"
"audio/x-midi"="mid,midi,smf,kar"
"audio/midi"="mid,midi,smf,kar"
"audio/vnd.qcelp"="qcp"
"audio/AMR"="AMR"
"audio/x-gsm"="gsm"
"video/x-mpeg"="mpeg,mpg,m1s,m1v,m1a,m75,m15,mp2,mpm,mpv,mpa"
"video/mpeg"="mpeg,mpg,m1s,m1v,m1a,m75,m15,mp2,mpm,mpv,mpa"
"audio/mpeg"="mpeg,mpg,m1s,m1a,mp2,mpm,mpa"
"audio/x-mpeg"="mpeg,mpg,m1s,m1a,mp2,mpm,mpa"
"video/3gpp"="3gp,3gpp"
"audio/3gpp"="3gp,3gpp"
"video/mp4"="mp4,mpg4"
"audio/mp4"="mp4,mpg4"
"audio/x-m4a"="m4a"
"audio/x-m4p"="m4p"
"audio/x-m4b"="m4b"
"video/sd-video"="sdv"
"video/3gpp2"="3g2,3gp2"
"audio/3gpp2"="3g2,3gp2"
"image/x-macpaint"="pntg,pnt,mac"
"image/pict"="pict,pic,pct"
"image/x-pict"="pict,pic,pct"
"image/png"="png"
"image/x-png"="png"
"image/x-quicktime"="qtif,qti"
"image/x-sgi"="sgi,rgb"
"image/x-targa"="targa,tga"
"image/tiff"="tif,tiff"
"image/x-tiff"="tif,tiff"


----------



## sparsby (Apr 10, 2006)

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Favorite Movies]

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Installed File Types]

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Installed File Types\3g2,3gp2]
"componentType"=dword:65617420
"componentSubType"=dword:33473220
"componentManufacturer"=dword:00000000
"doNotOverrideExistingApp"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Installed File Types\3gp,3gpp]
"componentType"=dword:65617420
"componentSubType"=dword:33475020
"componentManufacturer"=dword:00000000
"doNotOverrideExistingApp"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Installed File Types\amc]
"componentType"=dword:65617420
"componentSubType"=dword:414d4320
"componentManufacturer"=dword:00000000
"doNotOverrideExistingApp"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Installed File Types\dv,dif]
"componentType"=dword:65617420
"componentSubType"=dword:64766321
"componentManufacturer"=dword:00000000
"doNotOverrideExistingApp"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Installed File Types\mov,qt]
"componentType"=dword:65617420
"componentSubType"=dword:6d6f6f76
"componentManufacturer"=dword:00000000
"doNotOverrideExistingApp"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Installed File Types\mp4,mpg4]
"componentType"=dword:65617420
"componentSubType"=dword:6d706734
"componentManufacturer"=dword:00000000
"doNotOverrideExistingApp"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Installed File Types\pict,pic,pct]
"componentType"=dword:67726970
"componentSubType"=dword:50494354
"componentManufacturer"=dword:6170706c
"doNotOverrideExistingApp"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Installed File Types\pntg,pnt,mac]
"componentType"=dword:67726970
"componentSubType"=dword:504e5447
"componentManufacturer"=dword:6170706c
"doNotOverrideExistingApp"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Installed File Types\qtif,qti]
"componentType"=dword:67726970
"componentSubType"=dword:71746966
"componentManufacturer"=dword:6170706c
"doNotOverrideExistingApp"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Installed File Types\qtl]
"componentType"=dword:65617420
"componentSubType"=dword:6d6f6f76
"componentManufacturer"=dword:00000000
"doNotOverrideExistingApp"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Installed File Types\qup]
"componentType"=dword:61626364
"componentSubType"=dword:78797a20
"componentManufacturer"=dword:6170706c
"doNotOverrideExistingApp"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Installed File Types\sd2]
"componentType"=dword:65617420
"componentSubType"=dword:53643266
"componentManufacturer"=dword:736f756e
"doNotOverrideExistingApp"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Installed Files]

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Installed Files\QTPlugin.ocx]
"Full Path"="C:\\Program Files\\QuickTime\\QTPlugin.ocx"
"Uninstall Action"=dword:776f6378

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Installed Files\QuickTimeCheck.OCX]
"Full Path"="C:\\WINDOWS\\System32\\QuickTimeCheck.OCX"
"Uninstall Action"=dword:776f6378

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Installed Files\QuickTimeUpdater.exe]
"Full Path"="C:\\Program Files\\QuickTime\\QuickTimeUpdater.exe"
"Uninstall With Apps"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Installed MIME Types]
"application/sdp"="sdp"
"application/x-sdp"="sdp"
"application/x-rtsp"="rtsp,rts"
"video/quicktime"="mov,qt"
"video/flc"="flc,fli"
"audio/x-wav"="wav,bwf"
"audio/wav"="wav,bwf"
"audio/aiff"="aiff,aif,aifc,cdda"
"audio/x-aiff"="aiff,aif,aifc,cdda"
"audio/basic"="au,snd,ulw"
"audio/mid"="mid,midi,smf,kar"
"audio/x-midi"="mid,midi,smf,kar"
"audio/midi"="mid,midi,smf,kar"
"audio/vnd.qcelp"="qcp"
"audio/AMR"="AMR"
"audio/x-gsm"="gsm"
"video/x-mpeg"="mpeg,mpg,m1s,m1v,m1a,m75,m15,mp2,mpm,mpv,mpa"
"video/mpeg"="mpeg,mpg,m1s,m1v,m1a,m75,m15,mp2,mpm,mpv,mpa"
"audio/mpeg"="mpeg,mpg,m1s,m1a,mp2,mpm,mpa"
"audio/x-mpeg"="mpeg,mpg,m1s,m1a,mp2,mpm,mpa"
"video/3gpp"="3gp,3gpp"
"audio/3gpp"="3gp,3gpp"
"video/mp4"="mp4,mpg4"
"audio/mp4"="mp4,mpg4"
"audio/x-m4a"="m4a"
"audio/x-m4p"="m4p"
"audio/x-m4b"="m4b"
"video/sd-video"="sdv"
"video/3gpp2"="3g2,3gp2"
"audio/3gpp2"="3g2,3gp2"
"image/x-macpaint"="pntg,pnt,mac"
"image/pict"="pict,pic,pct"
"image/x-pict"="pict,pic,pct"
"image/png"="png"
"image/x-png"="png"
"image/x-quicktime"="qtif,qti"
"image/x-sgi"="sgi,rgb"
"image/x-targa"="targa,tga"
"image/tiff"="tif,tiff"
"image/x-tiff"="tif,tiff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Installed Plugins]
"DeferredMutexName"="QTMLDeferredPluginUpdateMutex"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\LocalUserPreferences]
"FolderPath"="C:\\Documents and Settings\\All Users\\Application Data\\QuickTime\\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\QuickTimeUpdateInProgress]
"QuickTimeUpdateCompletion"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Recent Movies]
"no_itms8.mov"="1,http://a654.g.akamai.net/f/654/39/5m/qtpix.apple.com/qtpix/current/no_itms8.mov"
"sprsniper5nr.gif"="2,c:\\Documents and Settings\\Owner\\My Documents\\My Pictures\\sprsniper5nr.gif"
"battlefield1942.MOV"="2,c:\\Documents and Settings\\Owner\\Local Settings\\Temp\\Rar$DI00.485\\battlefield1942.MOV"
"battlefield_1942_1_hi.MOV"="2,c:\\Documents and Settings\\Owner\\Local Settings\\Temp\\Rar$DI15.766\\battlefield_1942_1_hi.MOV"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Registry Backup]

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Registry Backup\Content Type]

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Registry Backup\Content Type\application/sdp]
"CLSID"="{A1A41E11-91DB-4461-95CD-0C02327FD934}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Registry Backup\Content Type\audio/3gpp]
"CLSID"="{CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Registry Backup\Content Type\audio/aiff]
"CLSID"="{cd3afa72-b84f-48f0-9393-7edc34128127}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Registry Backup\Content Type\audio/AMR]
"CLSID"="{CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Registry Backup\Content Type\audio/basic]
"CLSID"="{cd3afa73-b84f-48f0-9393-7edc34128127}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Registry Backup\Content Type\audio/mid]
"CLSID"="{cd3afa74-b84f-48f0-9393-7edc34128127}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Registry Backup\Content Type\audio/midi]
"CLSID"="{cd3afa74-b84f-48f0-9393-7edc34128127}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Registry Backup\Content Type\audio/mp4]
"CLSID"="{CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Registry Backup\Content Type\audio/mpeg]
"CLSID"="{cd3afa76-b84f-48f0-9393-7edc34128127}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Registry Backup\Content Type\audio/wav]
"CLSID"="{cd3afa7b-b84f-48f0-9393-7edc34128127}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Registry Backup\Content Type\audio/x-aiff]
"CLSID"="{cd3afa72-b84f-48f0-9393-7edc34128127}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Registry Backup\Content Type\audio/x-midi]
"CLSID"="{cd3afa74-b84f-48f0-9393-7edc34128127}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Registry Backup\Content Type\audio/x-mpeg]
"CLSID"="{cd3afa76-b84f-48f0-9393-7edc34128127}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Registry Backup\Content Type\audio/x-wav]
"CLSID"="{cd3afa7b-b84f-48f0-9393-7edc34128127}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Registry Backup\Content Type\video/3gpp]
"CLSID"="{CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Registry Backup\Content Type\video/mp4]
"CLSID"="{CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Registry Backup\Content Type\video/mpeg]
"CLSID"="{cd3afa89-b84f-48f0-9393-7edc34128127}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Registry Backup\Content Type\video/x-mpeg]
"CLSID"="{cd3afa89-b84f-48f0-9393-7edc34128127}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Registry Backup\EmbedExtnToClsidMappings]

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Registry Backup\EmbedExtnToClsidMappings\.aif]
"MIMETypeCount"=dword:00000001
@="clsid:05589fa1-c356-11ce-bf01-00aa0055595a"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Registry Backup\EmbedExtnToClsidMappings\.aifc]
"MIMETypeCount"=dword:00000001
@="clsid:05589fa1-c356-11ce-bf01-00aa0055595a"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Registry Backup\EmbedExtnToClsidMappings\.aiff]
"MIMETypeCount"=dword:00000001
@="clsid:05589fa1-c356-11ce-bf01-00aa0055595a"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Registry Backup\EmbedExtnToClsidMappings\.au]
"MIMETypeCount"=dword:00000001
@="clsid:05589fa1-c356-11ce-bf01-00aa0055595a"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Registry Backup\EmbedExtnToClsidMappings\.m1v]
"MIMETypeCount"=dword:00000001
@="clsid:05589fa1-c356-11ce-bf01-00aa0055595a"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Registry Backup\EmbedExtnToClsidMappings\.mid]
"MIMETypeCount"=dword:00000001
@="clsid:05589fa1-c356-11ce-bf01-00aa0055595a"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Registry Backup\EmbedExtnToClsidMappings\.midi]
"MIMETypeCount"=dword:00000001
@="clsid:05589fa1-c356-11ce-bf01-00aa0055595a"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Registry Backup\EmbedExtnToClsidMappings\.mp2]
"MIMETypeCount"=dword:00000001
@="clsid:05589fa1-c356-11ce-bf01-00aa0055595a"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Registry Backup\EmbedExtnToClsidMappings\.mpa]
"MIMETypeCount"=dword:00000001
@="clsid:05589fa1-c356-11ce-bf01-00aa0055595a"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Registry Backup\EmbedExtnToClsidMappings\.mpeg]
"MIMETypeCount"=dword:00000001
@="clsid:05589fa1-c356-11ce-bf01-00aa0055595a"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Registry Backup\EmbedExtnToClsidMappings\.mpg]
"MIMETypeCount"=dword:00000001
@="clsid:05589fa1-c356-11ce-bf01-00aa0055595a"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Registry Backup\EmbedExtnToClsidMappings\.snd]
"MIMETypeCount"=dword:00000001
@="clsid:05589fa1-c356-11ce-bf01-00aa0055595a"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Registry Backup\EmbedExtnToClsidMappings\.wav]
"MIMETypeCount"=dword:00000001
@="clsid:05589fa1-c356-11ce-bf01-00aa0055595a"

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Registry Backup\Media]
"application/sdp"=hex:00
"audio/AMR"=hex:00
"video/3gpp"=hex:00
"audio/3gpp"=hex:00
"video/mp4"=hex:00
"audio/mp4"=hex:00
"audio/x-wav"=hex:00
"audio/wav"=hex:00
"audio/aiff"=hex:00
"audio/x-aiff"=hex:00
"audio/basic"=hex:00
"audio/mid"=hex:00
"audio/x-midi"=hex:00
"audio/midi"=hex:00
"video/x-mpeg"=hex:00
"video/mpeg"=hex:00
"audio/mpeg"=hex:00
"audio/x-mpeg"=hex:00
"video/quicktime"=hex:00
"image/x-macpaint"=hex:00
"image/x-quicktime"=hex:00
"image/tiff"=hex:00

[HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\SystemPreferences]
"FolderPath"="C:\\Documents and Settings\\All Users\\Application Data\\QuickTime\\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Ariad]

[HKEY_LOCAL_MACHINE\SOFTWARE\Ariad\Application Libraries Log]
"Ariad Interface Components 1"="\"1.3.0149\",\"C:\\WINDOWS\\system32\\\",\"AS-IFce1.ocx\",\"N/A\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Ariad\Application Libraries Log by Title]
"Ariad Interface Components"="Ariad Interface Components 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Ariad\Installation Paths]
"Ariad Interface Components 1"="C:\\WINDOWS\\system32\\"

[HKEY_LOCAL_MACHINE\SOFTWARE\ashampoo]

[HKEY_LOCAL_MACHINE\SOFTWARE\ashampoo\Ashampoo WinOptimizer Platinum Suite 2]
"Key"="AWPSB0-10019D-364E49"

[HKEY_LOCAL_MACHINE\SOFTWARE\Avance]

[HKEY_LOCAL_MACHINE\SOFTWARE\Avance\AC97 Audio]
"Layout"="HP"

[HKEY_LOCAL_MACHINE\SOFTWARE\Battle.net]

[HKEY_LOCAL_MACHINE\SOFTWARE\Battle.net\Configuration]
"Registration Version"=dword:00000000
"Registration Authority"=dword:00000000
"Client ID"=dword:00000000
"Client Token"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Blizzard Entertainment]

[HKEY_LOCAL_MACHINE\SOFTWARE\Blizzard Entertainment\Starcraft]
"InstallPath"="C:\\Program Files\\Starcraft"
"Program"="C:\\Program Files\\Starcraft\\Starcraft.exe"
"StarEdit"="C:\\Program Files\\Starcraft"
"StarCD"="F:"
"Recent Maps"=hex(7):43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,\
00,20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,53,00,74,00,61,00,72,00,63,00,\
72,00,61,00,66,00,74,00,5c,00,4d,00,61,00,70,00,73,00,5c,00,28,00,32,00,29,\
00,43,00,68,00,61,00,6c,00,6c,00,65,00,6e,00,67,00,65,00,72,00,2e,00,73,00,\
63,00,6d,00,00,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,\
00,20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,53,00,74,00,61,00,72,00,63,00,\
72,00,61,00,66,00,74,00,5c,00,4d,00,61,00,70,00,73,00,5c,00,4c,00,61,00,64,\
00,64,00,65,00,72,00,5c,00,28,00,34,00,29,00,4c,00,6f,00,73,00,74,00,20,00,\
54,00,65,00,6d,00,70,00,6c,00,65,00,2e,00,73,00,63,00,6d,00,00,00,43,00,3a,\
00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,20,00,46,00,69,00,6c,00,\
65,00,73,00,5c,00,53,00,74,00,61,00,72,00,63,00,72,00,61,00,66,00,74,00,5c,\
00,4d,00,61,00,70,00,73,00,5c,00,28,00,35,00,29,00,53,00,68,00,65,00,72,00,\
77,00,6f,00,6f,00,64,00,20,00,46,00,6f,00,72,00,65,00,73,00,74,00,2e,00,73,\
00,63,00,6d,00,00,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,\
6d,00,20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,53,00,74,00,61,00,72,00,63,\
00,72,00,61,00,66,00,74,00,5c,00,4d,00,61,00,70,00,73,00,5c,00,28,00,36,00,\
29,00,4e,00,65,00,77,00,20,00,47,00,65,00,74,00,74,00,79,00,73,00,62,00,75,\
00,72,00,67,00,2e,00,73,00,63,00,6d,00,00,00,43,00,3a,00,5c,00,50,00,72,00,\
6f,00,67,00,72,00,61,00,6d,00,20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,53,\
00,74,00,61,00,72,00,63,00,72,00,61,00,66,00,74,00,5c,00,4d,00,61,00,70,00,\
73,00,5c,00,28,00,38,00,29,00,47,00,72,00,65,00,65,00,6e,00,20,00,56,00,61,\
00,6c,00,6c,00,65,00,79,00,73,00,2e,00,73,00,63,00,6d,00,00,00,00,00
"Retail"="y"
"Brood War"="y"
"Gamma"=dword:00000064
"ColorCycle"=dword:00000001
"UnitPortraits"=dword:00000002
"speed"=dword:00000004
"mscroll"=dword:00000003
"kscroll"=dword:00000003
"m_mscroll"=dword:00000003
"m_kscroll"=dword:00000003
"music"=dword:00000019
"sfx"=dword:00000032
"tipnum"=dword:00000000
"intro"=dword:00000200
"introX"=dword:00000000
"unitspeech"=dword:00000001
"unitnoise"=dword:00000002
"bldgnoise"=dword:00000004
"tip"=dword:00000100
"trigtext"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Blizzard Entertainment\Starcraft\DelOpt0]
"Path0"="C:\\Program Files\\Starcraft\\characters"
"File0"="spc"
"Path1"="C:\\Program Files\\Starcraft\\characters"
"File1"="mpc"

[HKEY_LOCAL_MACHINE\SOFTWARE\Blizzard Entertainment\Starcraft\DelOpt1]
"Path0"="C:\\Program Files\\Starcraft\\save"
"File0"="sng"
"Path1"="C:\\Program Files\\Starcraft\\maps\\save"
"File1"="mlt"
"Path2"="C:\\Program Files\\Starcraft\\save"
"File2"="snx"
"Path3"="C:\\Program Files\\Starcraft\\maps\\save"
"File3"="mlx"


----------



## sparsby (Apr 10, 2006)

[HKEY_LOCAL_MACHINE\SOFTWARE\C07ft5Y]
@="SafeDisc RefCount"

[HKEY_LOCAL_MACHINE\SOFTWARE\C07ft5Y\bf1942]

[HKEY_LOCAL_MACHINE\SOFTWARE\C07ft5Y\nhl2k]

[HKEY_LOCAL_MACHINE\SOFTWARE\C07ft5Y\TP]

[HKEY_LOCAL_MACHINE\SOFTWARE\C07ft5Y\WinXP]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Chilkat Software, Inc.]

[HKEY_LOCAL_MACHINE\SOFTWARE\Chilkat Software, Inc.\ChilkatXml.ChilkatXml]
"registered_dll"="C:\\Program Files\\Spyware Doctor\\chilkatxml.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*]
"InfoTip"="prop:Type;DocAuthor;DocTitle;DocSubject;DocComments;Write;Size"
"QuickTip"="prop:Type;Size"
"AlwaysShowExt"=""
"TileInfo"="prop:Type;Size"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\OpenWithList]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\OpenWithList\Excel.exe]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\OpenWithList\IExplore.exe]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\OpenWithList\MSPaint.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\OpenWithList\Notepad.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\OpenWithList\Winword.exe]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\OpenWithList\WordPad.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\AVG7 Shell Extension]
@="{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\BriefcaseMenu]
@="{85BBD920-42A0-1069-A2E4-08002B30309D}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ewido anti-spyware]
@="{8934FCEF-F5B8-468f-951F-78A921CD3920}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\Offline Files]
@="{750fdf0e-2a26-11d1-a3ea-080036587f03}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\Open With]
@="{09799AFB-AD67-11d1-ABCD-00C04FC30936}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\Open With EncryptionMenu]
@="{A470F8CF-A1E8-4f65-8335-227475AA5C46}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\Trojan Remover]
@="{52B87208-9CCF-42C9-B88E-069281105805}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}]
@="Start Menu Pin"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\PropertySheetHandlers]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\PropertySheetHandlers\BriefcasePage]
@="{85BBD920-42A0-1069-A2E4-08002B30309D}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\PropertySheetHandlers\CryptoSignMenu]
@="{7444C719-39BF-11D1-8CD9-00C04FC29D45}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\PropertySheetHandlers\{1F2E5C40-9550-11CE-99D2-00AA006E086C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\PropertySheetHandlers\{3EA48300-8CF6-101B-84FB-666CCB9BCD32}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\PropertySheetHandlers\{883373C3-BF89-11D1-BE35-080036B11A03}]
@="Summary Properties Page"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.323]
@="h323file"
"Content Type"="text/h323"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.386]
@="vxdfile"
"PerceivedType"="system"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.386\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.3g2]
@="QuickTime.3g2"
"Content Type"="video/3gpp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.3gp]
@="QuickTime.3gp"
"PerceivedType"="video"
"Content Type"="video/3gpp"
"QuickTime.bak"="RealPlayer.3GPP_AMR.10"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.3gp2]
@="QuickTime.3gp2"
"Content Type"="video/3gpp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.3gpp]
@="QuickTime.3gpp"
"Content Type"="video/3gpp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.669]
@="Winamp.File"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.7z]
@="WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.8ba]
@="Photoshop.PlugIn"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.8bc]
@="Photoshop.PlugIn"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.8be]
@="Photoshop.PlugIn"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.8bf]
@="Photoshop.PlugIn"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.8bi]
@="Photoshop.PlugIn"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.8bp]
@="Photoshop.PlugIn"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.8bs]
@="Photoshop.PlugIn"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.8bx]
@="Photoshop.PlugIn"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.8by]
@="Photoshop.PlugIn"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.8li]
@="Photoshop.PlugIn"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.aa]
"Content Type"="audio/audible"
"PerceivedType"="audio"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.AAC]
@="Winamp.File"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.abr]
@="Photoshop.BrushesFile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.aca]
@="Agent.Character.2"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.acb]
@="Photoshop.ColorBooks"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ace]
@="WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.acf]
@="Photoshop.CustomFilterKernel"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.aco]
@="Photoshop.SwatchesFile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.acs]
@="Agent.Character2.2"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.act]
@="Photoshop.ColorTableFile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.acv]
@="Photoshop.CurvesFile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.acw]
@="acwfile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ado]
@="Photoshop.DuotoneSettingsFile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ahs]
@="Photoshop.HalftoneScreens"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ahu]
@="Photoshop.HueSatFile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ai]
"Content Type"="application/postscript"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ai\ShellEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ai\ShellEx\IconHandler]
@="{0C5B0CED-206B-4c39-B615-0EB23C824612}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ai\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1]
@="{0C5B0CED-206B-4c39-B615-0EB23C824612}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ai\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}]
@="{0C5B0CED-206B-4c39-B615-0EB23C824612}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.aif]
"PerceivedType"="audio"
"Content Type"="audio/aiff"
@="Winamp.File"
"MP2.Last"="Custom"
"MPlayer2.BAK"="iTunes.aif"
"Winamp_Back"="AIFFFile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.aif\OpenWithList]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.aif\OpenWithList\wmplayer.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.aif\OpenWithProgIds]
"AIFFFile"=hex(0):

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.aif\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.aifc]
"PerceivedType"="audio"
"Content Type"="audio/aiff"
@="AIFFFile"
"MP2.Last"="Custom"
"MPlayer2.BAK"="iTunes.aifc"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.aifc\OpenWithList]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.aifc\OpenWithList\wmplayer.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.aifc\OpenWithProgIds]
"AIFFFile"=hex(0):

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.aifc\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.aiff]
"PerceivedType"="audio"
"Content Type"="audio/aiff"
@="Winamp.File"
"MP2.Last"="Custom"
"MPlayer2.BAK"="iTunes.aiff"
"Winamp_Back"="AIFFFile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.aiff\OpenWithList]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.aiff\OpenWithList\wmplayer.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.aiff\OpenWithProgIds]
"AIFFFile"=hex(0):

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.aiff\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.albm]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.albm\shell]
@="open"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.albm\shell\open]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.albm\shell\open\command]
@="\"C:\\Program Files\\HP\\PhotoPrinting\\hpiaprnt.exe\" \"%1\""
"command"=hex(7):74,00,28,00,7a,00,7e,00,61,00,7d,00,75,00,70,00,29,00,41,00,\
62,00,77,00,5b,00,2a,00,6e,00,2d,00,67,00,5f,00,54,00,58,00,48,00,50,00,50,\
00,68,00,6f,00,74,00,6f,00,50,00,72,00,69,00,6e,00,74,00,69,00,6e,00,67,00,\
3e,00,4a,00,67,00,62,00,4b,00,60,00,2b,00,34,00,4e,00,59,00,3f,00,6d,00,5f,\
00,50,00,69,00,76,00,36,00,59,00,24,00,54,00,6c,00,20,00,22,00,25,00,31,00,\
22,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.albm\ShellNew]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.alv]
@="Photoshop.LevelsFile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.amc]
@="QuickTime.amc"
"Content Type"="video/3gpp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.amf]
@="Winamp.File"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.amp]
@="Photoshop.ArbitraryMapFile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ams]
@="Photoshop.MonitorSetupFile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ani]
@="anifile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.api]
@="Photoshop.PrintingInksFile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.apk]
"Content Type"="application/x-gsarcade-usersvc"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.APL]
@="Winamp.File"
"Winamp_Back"="Photoshop.AdobePlugIn"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.application]
"Content Type"="application/x-ms-application"
@="Application.Manifest"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.appref-ms]
@="Application.Reference"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.aps]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.aps\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.arcade]
"Content Type"="application/x-gsarcade-launch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.arj]
@="WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.asa]
@="aspfile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ascx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ascx\PersistentHandler]
@="{eec97550-47a9-11cf-b952-00aa0051fe20}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.asf]
"PerceivedType"="video"
"Content Type"="video/x-ms-asf"
@="Winamp.File"
"Winamp_Back"="ASFFile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.asf\OpenWithList]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.asf\OpenWithList\wmplayer.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.asf\OpenWithProgIds]
"ASFFile"=hex(0):

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.asf\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.asf\ShellEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.asf\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}]
@="{c5a40261-cd64-4ccf-84cb-c394da41d590}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.asl]
@="Photoshop.Styles"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.asm]
"PerceivedType"="text"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.asm\PersistentHandler]
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.asmx]
"PerceivedType"="text"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.asn]
@="GSASkin.Document"
"Content Type"="application/x-gsarcade-skinpak"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.asp]
@="aspfile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.asp\DefaultIcon]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.asp\PersistentHandler]
@="{eec97550-47a9-11cf-b952-00aa0051fe20}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.aspx]
"PerceivedType"="text"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.aspx\PersistentHandler]
@="{eec97550-47a9-11cf-b952-00aa0051fe20}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ast]
@="Photoshop.SepTablesFile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.asv]
@="Photoshop.ASVColAdjFile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.asx]
"PerceivedType"="video"
"Content Type"="video/asx"
@="Winamp.PlayList"
"Winamp_Back"="ASXFile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.asx\OpenWithList]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.asx\OpenWithList\wmplayer.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.asx\OpenWithProgIds]
"ASXFile"=hex(0):

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.asx\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.asx\ShellEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.asx\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}]
@="{c5a40261-cd64-4ccf-84cb-c394da41d590}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.atf]
@="Photoshop.TransferFunctionsFile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.atn]
@="Photoshop.ActionsFile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.au]
"PerceivedType"="audio"
"Content Type"="audio/basic"
@="Winamp.File"
"Winamp_Back"="AUFile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.au\OpenWithList]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.au\OpenWithList\wmplayer.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.au\OpenWithProgIds]
"AUFile"=hex(0):

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.au\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.AudioCD]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.AudioCD\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ava]
@="Photoshop.VariationsFile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.avi]
@="Winamp.File"
"PerceivedType"="video"
"Content Type"="video/avi"
"MP2.Last"="Default"
"Winamp_Back"="avifile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.avi\OpenWithList]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.avi\OpenWithList\wmplayer.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.avi\OpenWithProgIds]
"avifile"=hex(0):

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.avi\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.avi\ShellEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.avi\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}]
@="{c5a40261-cd64-4ccf-84cb-c394da41d590}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.avr]
@="Winamp.File"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.awf]
@="Adobe.WorkFlow.Files"
"ContentType"="application/vnd.adobe.workflow"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.axt]
@="Photoshop.AXTAdjColFile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.b4s]
@="Winamp.PlayList"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bat]
@="batfile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bat\PersistentHandler]
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bdb]
@="MSWorks4Database"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bdb\DefaultIcon]
@="c:\\Program Files\\Microsoft Works\\wksdb.exe,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bdb\ShellNew]
@="c:\\Program Files\\Microsoft Works\\wksdb.exe /n"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bfc]
@="Briefcase"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bfc\ShellNew]
"Command"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,\
00,75,00,6e,00,64,00,6c,00,6c,00,33,00,32,00,2e,00,65,00,78,00,65,00,20,00,\
25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,\
00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,79,00,6e,00,\
63,00,75,00,69,00,2e,00,64,00,6c,00,6c,00,2c,00,42,00,72,00,69,00,65,00,66,\
00,63,00,61,00,73,00,65,00,5f,00,43,00,72,00,65,00,61,00,74,00,65,00,20,00,\
25,00,32,00,21,00,64,00,21,00,20,00,25,00,31,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bfc\ShellNew\Config]
"NoExtension"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bin]
"NoOpen"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bin\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bkf]
@="msbackupfile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bkf\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bks]
@="MSWorks4Sheet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bks\DefaultIcon]
@="c:\\Program Files\\Microsoft Works\\wksss.exe,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bks\ShellNew]
@="c:\\Program Files\\Microsoft Works\\wksss.exe /n"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.blg]
@="PerfFile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bmp]
"PerceivedType"="image"
"Content Type"="image/bmp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bmp\OpenWithList]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bmp\OpenWithList\MSPaint.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bmp\OpenWithProgids]
"Paint.Picture"=hex(0):

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bmp\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bmp\ShellNew]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bpl]
@="Winamp.PlayList"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bsc]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bsc\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bz]
@="WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bz2]
@="WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.c]
"PerceivedType"="text"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.c\PersistentHandler]
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cab]
@="WinRAR"
"InfoTip"="Contains compressed files"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cab\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.caf]
@="Winamp.File"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cat]
@="CATFile"
"Content Type"="application/vnd.ms-pki.seccat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cbo]
@="MITrain.Document"
"Content Type"="application/sha"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cda]
@="Winamp.File"
"MP2.Last"="Custom"
"MPlayer2.BAK"="iTunes.cda"
"Winamp_Back"="CDAFile"


----------



## sparsby (Apr 10, 2006)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cda\OpenWithList]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cda\OpenWithList\wmplayer.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cda\OpenWithProgIds]
"CDAFile"=hex(0):

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cda\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cdf]
@="ChannelFile"
"Content Type"="application/x-cdf"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cdx]
@="aspfile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cer]
@="CERFile"
"Content Type"="application/x-x509-ca-cert"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cf]
@="dwtfile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cfm]
@="cfmfile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cfml]
@="cfmlfile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cgm]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cgm\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cha]
@="Photoshop.CHAFile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.chk]
@="chkfile"
"PerceivedType"="system"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.chm]
@="chm.file"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.clp]
@="clpfile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cmd]
@="cmdfile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cmd\PersistentHandler]
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cnf]
@="ConferenceLink"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.com]
@="comfile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.com\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.con]
@="con_auto_file"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cov]
@="Coverpage"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cpe]
@="Coverpage"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cpl]
@="cplfile"
"Generic"="system"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cpl\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cpp]
"PerceivedType"="text"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cpp\PersistentHandler]
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.crl]
@="CRLFile"
"Content Type"="application/pkix-crl"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.crt]
@="CERFile"
"Content Type"="application/x-x509-ca-cert"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.csf]
@="Photoshop.ColorSettings"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.csh]
@="Photoshop.CustomShapes"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.css]
"PerceivedType"="text"
@="CSSfile"
"Content Type"="text/css"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.css\PersistentHandler]
@="{eec97550-47a9-11cf-b952-00aa0051fe20}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.CTT]
@="MessengerContactList"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cur]
@="curfile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cur\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cxx]
"PerceivedType"="text"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cxx\PersistentHandler]
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat]
"NoOpen"=""
"PerceivedType"="video"
@="data-file"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.db]
@="dbfile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dbg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dbg\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dct]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dct\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.def]
"PerceivedType"="text"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.def\PersistentHandler]
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.der]
@="CERFile"
"Content Type"="application/x-x509-ca-cert"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.DeskLink]
@="CLSID\\{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.DeskLink\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dib]
"PerceivedType"="image"
"Content Type"="image/bmp"
@="Paint.Picture"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dib\OpenWithProgids]
"Paint.Picture"=hex(0):

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dib\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dic]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dic\PersistentHandler]
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dif]
@="QuickTime.dif"
"Content Type"="video/x-dv"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dir]
"Content Type"="application/x-director"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.disabled]
@="SpybotSD.DisabledFile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.diz]
"PerceivedType"="text"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dll]
@="dllfile"
"Content Type"="application/x-msdownload"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dll\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dl_]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dl_\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.doc]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.doc\PersistentHandler]
@="{98DE59A0-D175-11CD-A7BD-00006B827D94}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dos]
"NoOpen"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dot]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dot\PersistentHandler]
@="{98DE59A0-D175-11CD-A7BD-00006B827D94}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.drv]
@="drvfile"
"Generic"="system"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.drv\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dsn]
@="ODBC.FileDSN"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dun]
@="dunfile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dv]
@="QuickTime.dv"
"Content Type"="video/x-dv"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dvd]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dvd\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dvr-ms]
@="WMP.DVR-MSFile"
"PerceivedType"="video"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dvr-ms\OpenWithList]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dvr-ms\OpenWithList\wmplayer.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dvr-ms\OpenWithProgIds]
"WMP.DVR-MSFile"=hex(0):


----------



## sparsby (Apr 10, 2006)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dwt]
@="Dreamweaver.Template"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dxr]
"Content Type"="application/x-director"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.emf]
"PerceivedType"="image"
@="emffile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.emf\OpenWithProgids]
"emffile"=hex(0):

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.emf\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.eml]
@="Microsoft Internet Mail Message"
"Content Type"="message/rfc822"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.eps]
"PerceivedType"="Image"
@="Photoshop.EPSFile.9"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.eps\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exp]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exp\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ex_]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ex_\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.eyb]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.eyb\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.far]
@="Winamp.File"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ffo]
@="Photoshop.FileInfo"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.fif]
"Content Type"="application/fractals"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.fnd]
@="fndfile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.fnd\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.fnt]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.fnt\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.Folder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.Folder\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.fon]
@="fonfile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.fon\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ghi]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ghi\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.GI]
@="::RecordNow.GI"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.GI\::RecordNow.GI]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.GI\::RecordNow.GI\ShellNew]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.gif]
"PerceivedType"="image"
@="giffile"
"Content Type"="image/gif"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.gif\OpenWithProgids]
"giffile"=hex(0):

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.gif\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.gm6]
@="gm6file"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.grd]
@="Photoshop.Gradients"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.grp]
@="MSProgramGroup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.gvp]
@="gvp_auto_file"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.gz]
"PerceivedType"="compressed"
@="WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.gz\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.h]
"PerceivedType"="text"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.h\PersistentHandler]
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.hhc]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.hhc\PersistentHandler]
@="{eec97550-47a9-11cf-b952-00aa0051fe20}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.hlp]
@="hlpfile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.hpp]
"PerceivedType"="text"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.hpp\PersistentHandler]
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.hpq1]
@="hpq_shortcut1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.hpq10]
@="hpq_shortcut10"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.hpq2]
@="hpq_shortcut2"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.hpq3]
@="hpq_shortcut3"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.hpq4]
@="hpq_shortcut4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.hpq5]
@="hpq_shortcut5"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.hpq6]
@="hpq_shortcut6"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.hpq7]
@="hpq_shortcut7"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.hpq8]
@="hpq_shortcut8"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.hpq9]
@="hpq_shortcut9"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.hqx]
"Content Type"="application/mac-binhex40"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.hqx\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ht]
@="htfile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.hta]
@="htafile"
"Content Type"="application/hta"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.hta\PersistentHandler]
@="{eec97550-47a9-11cf-b952-00aa0051fe20}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.htc]
"Content Type"="text/x-component"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.htk]
@="Winamp.File"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.htm]
@="htmlfile"
"Content Type"="text/html"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.htm\OpenWithList]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.htm\OpenWithList\notepad.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.html]
@="htmlfile"
"Content Type"="text/html"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.htt]
@="HTTfile"
"Content Type"="text/webviewhtml"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.htt\PersistentHandler]
@="{eec97550-47a9-11cf-b952-00aa0051fe20}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.htw]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.htw\PersistentHandler]
@="{eec97550-47a9-11cf-b952-00aa0051fe20}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.htx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.htx\PersistentHandler]
@="{eec97550-47a9-11cf-b952-00aa0051fe20}"


----------



## sparsby (Apr 10, 2006)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.hxx]
"PerceivedType"="text"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.hxx\PersistentHandler]
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.icc]
@="icmfile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.icm]
@="icmfile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.icm\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ico]
@="icofile"
"PerceivedType"="image"
"Content Type"="image/x-icon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ico\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ics]
"Content Type"="text/calendar"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.idb]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.idb\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.idl]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.idl\PersistentHandler]
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.idq]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.idq\PersistentHandler]
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.iff]
@="Winamp.File"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.iii]
@="iiifile"
"Content Type"="application/x-iphone"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ilk]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ilk\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.imc]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.imc\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.inc]
"PerceivedType"="text"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.inc\PersistentHandler]
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.inf]
@="inffile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.inf\PersistentHandler]
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ini]
@="inifile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ini\PersistentHandler]
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ins]
@="x-internet-signup"
"Content Type"="application/x-internet-signup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.inv]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.inv\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.inx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.inx\PersistentHandler]
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.in_]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.in_\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.iros]
@="Photoshop.IRSettings"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.irs]
@="Photoshop.IRSettings"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.isa]
@="Photoshop.IRActions"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ISO]
@="::RecordNow.ISO"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ISO\::RecordNow.ISO]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ISO\::RecordNow.ISO\ShellNew]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.isp]
@="x-internet-signup"
"Content Type"="application/x-internet-signup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.it]
@="Winamp.File"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.its]
@="ITS File"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.itz]
@="Winamp.File"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.jar]
@="jarfile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.java]
"PerceivedType"="text"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.jbf]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.jbf\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.jfif]
"PerceivedType"="image"
@="pjpegfile"
"Content Type"="image/jpeg"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.jfif\OpenWithProgids]
"pjpegfile"=hex(0):

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.jfif\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.jnlp]
@="JNLPFile"
"Content Type"="application/x-java-jnlp-file"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.job]
@="JobObject"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.jod]
@="Microsoft.Jet.OLEDB.4.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.jpe]
"PerceivedType"="image"
@="jpegfile"
"Content Type"="image/jpeg"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.jpe\OpenWithProgids]
"jpegfile"=hex(0):

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.jpe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.jpeg]
"PerceivedType"="image"
@="jpegfile"
"Content Type"="image/jpeg"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.jpeg\OpenWithProgids]
"jpegfile"=hex(0):

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.jpeg\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.jpg]
"PerceivedType"="image"
@="jpegfile"
"Content Type"="image/jpeg"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.jpg\OpenWithProgids]
"jpegfile"=hex(0):

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.jpg\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.js]
@="JSFile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.js\PersistentHandler]
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.JSE]
@="JSEFile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.jsp]
@="asafile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.KAR]
@="Winamp.File"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.key]
@="regfile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.latex]
"Content Type"="application/x-latex"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.latex\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lbi]
@="Dreamweaver.Library.Item"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lha]
@="WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lib]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lib\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk]
@="lnkfile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\ShellEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{000214EE-0000-0000-C000-000000000046}]
@="{00021401-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{000214F9-0000-0000-C000-000000000046}]
@="{00021401-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{00021500-0000-0000-C000-000000000046}]
@="{00021401-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}]
@="{00021401-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\ShellNew]
"Command"="rundll32.exe appwiz.cpl,NewLinkHere %1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.local]
"PerceivedType"="system"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.log]
@="txtfile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.log\PersistentHandler]
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lwv]
@="LWVFile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lzh]
@="WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.m14]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.m14\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.m1v]
"PerceivedType"="video"
"Content Type"="video/mpeg"
@="mpegfile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.m1v\OpenWithList]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.m1v\OpenWithList\wmplayer.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.m1v\OpenWithProgIds]
"mpegfile"=hex(0):

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.m1v\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.M2V]
@="Winamp.File"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.m3u]
"PerceivedType"="text"
"Content Type"="audio/mpegurl"
@="Winamp.PlayList"
"MP2.Last"="Custom"
"MPlayer2.BAK"="iTunes.m3u"
"Winamp_Back"="m3ufile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.m3u\OpenWithList]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.m3u\OpenWithList\wmplayer.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.m3u\OpenWithProgIds]
"m3ufile"=hex(0):

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.m3u\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.m4a]
@="Winamp.File"
"PerceivedType"="audio"
"Content Type"="audio/m4a"
"Winamp_Back"="iTunes.m4a"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.m4b]
@="Winamp.File"
"PerceivedType"="audio"
"Content Type"="audio/m4b"
"Winamp_Back"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.m4e]
@="RealPlayer.MP4.6"
"PerceivedType"="video"
"Content Type"="video/mpeg4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.m4p]
@=""
"Content Type"="audio/m4p"
"PerceivedType"="audio"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mac]
@="QuickTime.mac"
"Content Type"="image/x-macpaint"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.man]
"Content Type"="application/x-troff-man"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.manifest]
"PerceivedType"="system"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.MAPIMail]
@="CLSID\\{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.MAPIMail\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mat]
@="Winamp.File"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mdb]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mdb\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mdz]
@="Winamp.File"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mfp]
@="MacromediaFlashPaper.MacromediaFlashPaper"
"Content Type"="application/x-shockwave-flash"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mht]
@="mhtmlfile"
"Content Type"="message/rfc822"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mht\OpenWithList]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mhtml]
@="mhtmlfile"
"Content Type"="message/rfc822"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mhtml\OpenWithList]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mhtml\OpenWithList\WINWORD.EXE]


----------



## sparsby (Apr 10, 2006)

That's not even an 8th of it, it's 27MB big too.

http://www.sparsby.com/softwarereg.txt

No spaces, but it still shows the brackets and everything.


----------



## Cookiegal (Aug 27, 2003)

Download the Registry Search Tool here:

http://www.billsway.com/vbspage/

Unzip it and run it. If your antivirus interferes, you may have to disable script blocking in the antivirus. Copy and paste the following in the search box:

*Abox*

Copy and paste the results here.
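
As an added example, not part of the thread and not the Registry Search Tool's own code: the script below does the same kind of wildcard search over a .reg export like the one sparsby posted (the "Windows Registry Editor" text format). It joins the backslash-continued hex lines, decodes hex(2) (REG_EXPAND_SZ) and hex(7) (REG_MULTI_SZ) values from UTF-16LE so a string hidden inside an encoded value is still found, and matches the pattern against key paths, value names and value data. The sample export is constructed: the `.bfc\ShellNew` Command value is copied from the dump above (it decodes to the `rundll32.exe ... syncui.dll,Briefcase_Create` command), and the `HKEY_CURRENT_USER\Software\Example\Abox` key is a hypothetical planted hit so the search has something to find.

```python
import fnmatch
import re

# Constructed sample in the "Windows Registry Editor" export format of the dump
# above. The .bfc\ShellNew "Command" value is reproduced from that dump; the
# HKEY_CURRENT_USER\Software\Example\Abox key is a hypothetical planted hit.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bfc]
@="Briefcase"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bfc\ShellNew]
"Command"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,\
  00,75,00,6e,00,64,00,6c,00,6c,00,33,00,32,00,2e,00,65,00,78,00,65,00,20,00,\
  25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,\
  00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,79,00,6e,00,\
  63,00,75,00,69,00,2e,00,64,00,6c,00,6c,00,2c,00,42,00,72,00,69,00,65,00,66,\
  00,63,00,61,00,73,00,65,00,5f,00,43,00,72,00,65,00,61,00,74,00,65,00,20,00,\
  25,00,32,00,21,00,64,00,21,00,20,00,25,00,31,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\ShellNew]
"Command"="rundll32.exe appwiz.cpl,NewLinkHere %1"

[HKEY_CURRENT_USER\Software\Example\Abox]
"Version"=dword:00000001
"Paths"=hex(7):43,00,3a,00,5c,00,61,00,00,00,44,00,3a,00,5c,00,62,00,00,00,00,00
'''

_HEX_RE = re.compile(r"^hex(?:\((?P<type>[0-9a-fA-F]+)\))?:(?P<data>.*)$")
_NAME_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def _unescape(s):
    """Undo .reg escaping of backslashes and double quotes, left to right."""
    return re.sub(r'\\(["\\])', r"\1", s)

def _logical_lines(text):
    """Join physical lines ending in a backslash (hex data continuations)."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""

def decode_data(raw):
    """Return (type name, decoded value) for the right-hand side of a value line."""
    if raw.startswith('"') and raw.endswith('"'):
        return "REG_SZ", _unescape(raw[1:-1])
    if raw.startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    m = _HEX_RE.match(raw)
    if not m:
        return "UNKNOWN", raw
    kind = int(m.group("type") or "3", 16)  # bare "hex:" is REG_BINARY (3)
    data = bytes.fromhex(m.group("data").replace(",", ""))
    if kind == 2:  # REG_EXPAND_SZ: UTF-16LE, NUL-terminated
        return "REG_EXPAND_SZ", data.decode("utf-16-le").rstrip("\x00")
    if kind == 7:  # REG_MULTI_SZ: UTF-16LE, NUL-separated, double-NUL-terminated
        text = data.decode("utf-16-le").rstrip("\x00")
        return "REG_MULTI_SZ", text.split("\x00") if text else []
    return {0: "REG_NONE", 3: "REG_BINARY"}.get(kind, f"REG_TYPE_{kind}"), data

def parse_reg(text):
    """Yield (key, value name, type, data); every key also yields a "KEY" tuple."""
    key = None
    for line in _logical_lines(text):
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            key = line[1:-1]
            yield key, "", "KEY", None
        elif key is not None and line.startswith("@="):
            yield (key, "(Default)") + decode_data(line[2:])
        elif key is not None and (m := _NAME_RE.match(line)):
            yield (key, _unescape(m.group(1))) + decode_data(m.group(2))

def _render(kind, data):
    """Flatten decoded data to the text the search should see."""
    if kind == "REG_DWORD":
        return f"0x{data:08x}"
    if kind == "REG_MULTI_SZ":
        return "\n".join(data)
    return data.hex() if isinstance(data, bytes) else str(data)

def search_reg(text, pattern):
    """Case-insensitive wildcard match over key paths, value names and data.
    A hit on a key path itself is returned with empty value name and data."""
    pat, hits = pattern.lower(), []
    for key, name, kind, data in parse_reg(text):
        if kind == "KEY":
            if fnmatch.fnmatchcase(key.lower(), pat):
                hits.append((key, "", ""))
            continue
        shown = _render(kind, data)
        if fnmatch.fnmatchcase(name.lower(), pat) or fnmatch.fnmatchcase(shown.lower(), pat):
            hits.append((key, name, shown))
    return hits

if __name__ == "__main__":
    for key, name, data in search_reg(SAMPLE_REG, "*rundll32*"):
        print(f"[{key}] {name or '(key)'} = {data}")
```

To run it over a real export, read the file with `open(path, encoding="utf-16")` before calling `search_reg`: regedit writes version 5.00 exports as UTF-16 with a byte-order mark, and reading them as ASCII or UTF-8 turns every key name into garbage that no pattern will match. The `*rundll32*` search is the instructive one here: it hits the `.lnk\ShellNew` value, which is plain text, and also the `.bfc\ShellNew` value, which only appears as a hex blob in the dump and would be missed by a search that does not decode REG_EXPAND_SZ.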


----------



## sparsby (Apr 10, 2006)

Took 23 seconds and no instances of Abox found.


----------



## Cookiegal (Aug 27, 2003)

*Click here* to download Silent Runners.
Save (do not choose open) it to the desktop.
Run SilentRunners by double clicking the "SilentRunners" icon on your desktop.
You will see a text file appear on the desktop - *it's not done, let it run (it won't appear to be doing anything!)*
Once you receive the prompt *All Done!*, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE: If you receive any warning message about scripts, please choose to allow the script to run.*


----------



## sparsby (Apr 10, 2006)

"Silent Runners.vbs", revision 46, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"PopUpWasher" = "C:\PROGRA~1\Webroot\POP-UP~1\PopUpWasher.exe" ["Webroot Software, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"WebrootDesktopFirewall" = "C:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe -t" ["Webroot Software, Inc."]
"VTTimer" = "VTTimer.exe" ["S3 Graphics, Inc."]
"KBD" = "C:\HP\KBD\KBD.EXE" ["Hewlett-Packard Company"]
"hpsysdrv" = "c:\windows\system\hpsysdrv.exe" ["Hewlett-Packard Company"]
"HPDJ Taskbar Utility" = "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe" ["HP"]
"HP Component Manager" = ""C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"" ["Hewlett-Packard Company"]
"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]
{8b15971b-5355-4c82-8c07-7e181ea07608}\(Default) = "Fax"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser" [MS]
{94de52c8-2d59-4f1b-883e-79663d2d9a8c}\(Default) = "Fax Provider"
\StubPath = "rundll32.exe C:\WINDOWS\System32\Setup\FxsOcm.dll,XP_UninstallProvider" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{4A3A071E-F913-4eee-AE15-AEFFA16FB6BC}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Popup Killer"
\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\POP-UP~1\VAPopupKiller.dll" ["Webroot Software, Inc."]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "SampleView"
-> {HKLM...CLSID} = "SampleView"
\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellvRTF.dll" ["XSS"]
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"
-> {HKLM...CLSID} = "RecordNow! SendToExt"
\InProcServer32\(Default) = "c:\Program Files\RecordNow!\shlext.dll" [null data]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"
-> {HKLM...CLSID} = "ShellLink for Application References"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"
-> {HKLM...CLSID} = "Shell Icon Handler for Application References"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]
INFECTION WARNING! "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
-> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
\InProcServer32\(Default) = "C:\PROGRA~1\WINDOW~4\MpShHook.dll" [MS]

HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * SsiEfr.e smrgdf C:\PROGRA~1\iolo\SYSTEM~1\" [file not found], [MS], [file not found], [file not found], [null data], [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
INFECTION WARNING! WgaLogon\DLLName = "WgaLogon.dll" [MS]
INFECTION WARNING! WRNotifier\DLLName = "WRLogonNTF.dll" [file not found]
INFECTION WARNING! wzcnotif\DLLName = "wzcdlg.dll" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Active Desktop web content:

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\
"FriendlyName" = ""
"Source" = ""
"SubscribedURL" = ""

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\1\
"FriendlyName" = ""
"Source" = "C:\Program Files\Outlook Express\nidoboxow.html"
"SubscribedURL" = ""

Startup items in "Owner" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Run Nintendo Wi-Fi USB Connector Registration Tool" -> shortcut to: "C:\Program Files\WiFiConnector\NintendoWFCReg.exe" [empty string]

Enabled Scheduled Tasks:
------------------------

"1-Click Maintenance" -> launches: "C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe /schedulestart" [file not found]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_07"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll" ["Sun Microsystems, Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Miscellaneous IE Hijack Points
------------------------------

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\

Missing lines (compared with English-language version):
HIJACK WARNING! "TuneUp" = "file://C|/Documents and Settings/All Users/Application Data/TuneUp Software/Common/base.css" [file not found]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "C:\Program Files\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."]
Webroot Desktop Firewall, WebrootFirewall, "C:\Program Files\Webroot\Desktop Firewall\FirewallNTService.exe" [null data]
Webroot Desktop Firewall Data Service, WebrootDesktopFirewallDataService, "C:\Program Files\Webroot\Desktop Firewall\WDFDataService.exe" ["Webroot Software, Inc."]
Windows Defender Service, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzsnt10\Driver = "hpzsnt10.dll" ["HP"]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 40 seconds, including 18 seconds for message boxes)


----------



## Cookiegal (Aug 27, 2003)

Please open HijackThis.
Click on *Open Misc Tools Section*
Make sure that both boxes beside "Generate StartupList Log" are checked:

*List all minor sections(Full)*
*List Empty Sections(Complete)*
Click *Generate StartupList Log*.
Click *Yes* at the prompt.
It will open a text file. Please copy the entire contents of that page and paste it here.


----------



## sparsby (Apr 10, 2006)

StartupList report, 7/27/2006, 8:27:41 AM
StartupList version: 1.52.2
Started from : C:\Program Files\Hijack This\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\VTTimer.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\Webroot\Desktop Firewall\WebrootDesktopFirewall.exe
C:\Program Files\Webroot\Desktop Firewall\WDFDataService.exe
C:\Program Files\Webroot\Desktop Firewall\FirewallNTService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = userinit.exe

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
WebrootDesktopFirewall = C:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe -t
VTTimer = VTTimer.exe
KBD = C:\HP\KBD\KBD.EXE
hpsysdrv = c:\windows\system\hpsysdrv.exe
HPDJ Taskbar Utility = C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
HP Component Manager = "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
AGRSMMSG = AGRSMMSG.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

PopUpWasher = C:\PROGRA~1\Webroot\POP-UP~1\PopUpWasher.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

[{8b15971b-5355-4c82-8c07-7e181ea07608}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser

[{94de52c8-2d59-4f1b-883e-79663d2d9a8c}]
StubPath = rundll32.exe C:\WINDOWS\System32\Setup\FxsOcm.dll,XP_UninstallProvider

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\Webroot\POP-UP~1\VAPopupKiller.dll - {4A3A071E-F913-4eee-AE15-AEFFA16FB6BC}
(no name) - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

--------------------------------------------------

Enumerating Task Scheduler jobs:

1-Click Maintenance.job
MP Scheduled Scan.job

--------------------------------------------------

Enumerating Download Program Files:

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\legitcheckcontrol.dll
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

[{39B0684F-D7BF-4743-B050-FDC3F48F7E3B}]
CODEBASE = http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.1.87.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------


----------
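The StartupList report above is read by eye against a handful of fixed rules: the Winlogon UserInit and Shell values, AppInit_DLLs, the open commands for executable file types, and what each Run entry actually launches. The following script is an added example, not part of the original thread and not a HijackThis feature: it parses the plain-text StartupList format and applies those rules. The baseline values it expects (userinit.exe, Explorer.exe, an empty AppInit_DLLs, `"%1" %*` for .exe/.com/.bat/.pif and `"%1" /S` for .scr) are assumptions about a stock Windows XP install. A Run entry written as a bare file name, such as `VTTimer.exe` or `AGRSMMSG.exe` in the log, is reported only as "resolves through the search path, locate and verify the file", which is a review prompt rather than a verdict. The embedded input is a constructed excerpt in the shape of the posted report, with blank lines removed.

```python
"""Flag the classic hijack points in a HijackThis StartupList report.

Added example; the expected values below are assumptions about a stock
Windows XP system, not rules taken from HijackThis or from the thread.
"""
import re

SEPARATOR = re.compile(r"^-{10,}[ \t]*$", re.MULTILINE)

# Assumed defaults for the open command of each executable file type.
EXPECTED_ASSOC = {
    ".EXE": '"%1" %*', ".COM": '"%1" %*', ".BAT": '"%1" %*',
    ".PIF": '"%1" %*', ".SCR": '"%1" /S',
}

# Constructed excerpt in the shape of the StartupList report (blank lines dropped).
SAMPLE_LOG = r"""
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = userinit.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
VTTimer = VTTimer.exe
KBD = C:\HP\KBD\KBD.EXE
AGRSMMSG = AGRSMMSG.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
--------------------------------------------------
File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command
(Default) = "%1" /S
--------------------------------------------------
Load/Run keys from C:\WINDOWS\WIN.INI:
load=*INI section not found*
Load/Run keys from Registry:
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
Policies Shell key:
HKCU\..\Policies: Shell=*Registry value not found*
"""


def split_sections(text):
    """Split on the dashed rules; each section is its non-blank lines, title first."""
    sections = []
    for chunk in SEPARATOR.split(text):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if lines:
            sections.append(lines)
    return sections


def _value(line, name):
    """Value of 'name = value' on this line; None if absent or reported missing (*...*)."""
    m = re.search(r"(?:^|[:\s])" + re.escape(name) + r"\s*=\s*(.*)$", line)
    if not m or m.group(1).startswith("*"):
        return None
    return m.group(1).strip()


def check_startuplist(text):
    """Return (check, detail) findings for a StartupList report."""
    findings = []
    for lines in split_sections(text):
        title, body = lines[0], lines[1:]
        if title.startswith("Checking Windows NT UserInit"):
            for line in body:
                val = _value(line, "UserInit")
                if val is None:
                    continue
                # Default is userinit.exe (bare or full path, trailing comma allowed);
                # every extra comma-separated entry is launched at each logon.
                names = [e.strip().rsplit("\\", 1)[-1].lower()
                         for e in val.split(",") if e.strip()]
                if names != ["userinit.exe"]:
                    findings.append(("userinit", val))
        elif title.startswith("Autorun entries from Registry"):
            key = body[0] if body else "?"
            for line in body[1:]:
                m = re.match(r"(.+?)\s*=\s*(.+)", line)
                if not m:
                    continue  # '*No values found*' and similar
                name, cmd = m.group(1), m.group(2).strip()
                exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split()[0]
                if "\\" not in exe:  # bare name: resolved via the search path
                    findings.append(("run-searchpath", f"{key}\\{name} -> {exe}"))
        elif title.startswith("File association entry for"):
            ext = title.split()[-1].rstrip(":").upper()
            for line in body:
                val = _value(line, "(Default)")
                if val is not None and ext in EXPECTED_ASSOC and val != EXPECTED_ASSOC[ext]:
                    findings.append(("assoc", f"{ext}: {val}"))
        elif title.startswith("Load/Run keys"):
            for line in body:
                val = _value(line, "AppInit_DLLs")
                if val:  # any DLL listed here is loaded into every GUI process
                    findings.append(("appinit", val))
        elif title.startswith("Shell & screensaver key"):
            for line in body:  # covers the Winlogon value and any Policies override
                val = _value(line, "Shell")
                if val is not None and val.lower() != "explorer.exe":
                    findings.append(("shell", line))
    return findings


if __name__ == "__main__":
    for check, detail in check_startuplist(SAMPLE_LOG):
        print(f"[{check}] {detail}")
```

On the excerpt the only output is the two search-path notes for `VTTimer` and `AGRSMMSG`; to check a real report, read the file and pass its text to `check_startuplist`. Anything reported under `userinit`, `shell`, `appinit` or `assoc` is a change to a value that is fixed on a clean install and deserves an explanation before the box is declared clean.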



## sparsby (Apr 10, 2006)

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Adobe LM Service: "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe" (manual start)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Agere Systems Soft Modem: System32\DRIVERS\AGRSM.sys (manual start)
Service for WDM 3D Audio Driver: system32\drivers\ALCXSENS.SYS (manual start)
Service for Realtek AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AMD K7 Processor Driver: System32\DRIVERS\amdk7.sys (system)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
1394 ARP Client Protocol: System32\DRIVERS\arp1394.sys (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (autostart)
AVG7 Kernel: \SystemRoot\System32\Drivers\avg7core.sys (system)
AVG7 Wrap Driver: \SystemRoot\System32\Drivers\avg7rsw.sys (system)
AVG7 Resident Driver XP: \SystemRoot\System32\Drivers\avg7rsxp.sys (system)
AVG7 Update Service: C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (autostart)
AVG E-mail Scanner: C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe (autostart)
AVG Network Redirector: \SystemRoot\System32\Drivers\avgtdi.sys (autostart)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
C-Dilla: \??\C:\WINDOWS\system32\drivers\CDANT.SYS (manual start)
Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
.NET Runtime Optimization Service v2.0.50727_X86: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (manual start)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
ewido anti-spyware 4.0 driver: \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys (system)
ewido anti-spyware 4.0 guard: C:\Program Files\ewido anti-spyware 4.0\guard.exe (autostart)
fasttx2k: System32\DRIVERS\fasttx2k.sys (system)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
VIA Rhine-Family Fast Ethernet Adapter Driver Service: system32\DRIVERS\fetnd5bv.sys (manual start)
VIA Rhine Family Fast Ethernet Adapter Driver Service: System32\DRIVERS\fetnd5b.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Gmer: System32\DRIVERS\gmer.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: system32\DRIVERS\hidusb.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
ialm: System32\DRIVERS\ialmnt5.sys (manual start)
InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe" (manual start)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IntelIde: System32\DRIVERS\intelide.sys (system)
Intel Processor Driver: System32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
License Management Service ESD: "C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe" (manual start)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
Microsoft TV/Video Connection: System32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBT: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
1394 Net Driver: System32\DRIVERS\nic1394.sys (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
npkcrypt: \??\C:\Program Files\softnyx\GunBound\npkcrypt.sys (manual start)
NPPTNT2: \??\C:\WINDOWS\system32\npptNT2.sys (system)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
VIA OHCI Compliant IEEE 1394 Host Controller: System32\DRIVERS\ohci1394.sys (system)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Logitech QuickCam Pro 3000 (08B0): System32\DRIVERS\CamDrO21.sys (manual start)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
PS2: System32\DRIVERS\PS2.sys (manual start)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
pwipf2: \SystemRoot\system32\drivers\pwipf2.sys (system)
PxHelp20: System32\DRIVERS\PxHelp20.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Nintendo Wi-Fi USB Connector Service: system32\DRIVERS\rt25usbap.sys (manual start)
Realtek RTL8139/810x Family Fast Ethernet NIC NT Driver: System32\DRIVERS\R8139n51.SYS (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SiS315: System32\DRIVERS\sisgrp.sys (manual start)
SiS AGP Filter: System32\DRIVERS\SISAGPX.sys (system)
SiSkp: System32\DRIVERS\srvkp.sys (system)
BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{27F2F9F1-D427-4562-B368-0E3DDB2CAF31} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
USB Audio Driver (WDM): system32\drivers\usbaudio.sys (manual start)
Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: System32\DRIVERS\usbohci.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
User Privilege Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Filter: System32\DRIVERS\viaagp1.sys (system)
viagfx: System32\DRIVERS\vtmini.sys (manual start)
ViaIde: System32\DRIVERS\viaide.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Webroot Desktop Firewall Data Service: C:\Program Files\Webroot\Desktop Firewall\WDFDataService.exe (manual start)
Webroot Desktop Firewall: C:\Program Files\Webroot\Desktop Firewall\FirewallNTService.exe (manual start)
Windows Defender Service: "C:\Program Files\Windows Defender\MsMpEng.exe" (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (disabled)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 33,961 bytes
Report generated in 0.828 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## Cookiegal (Aug 27, 2003)

Please do another search for:

*msspool*


----------



## sparsby (Apr 10, 2006)

There are 3, all in the C:\\!killbox folder


----------



## Cookiegal (Aug 27, 2003)

I'm afraid I don't know what else to suggest here. It may be time to back up data and reformat.


----------



## sparsby (Apr 10, 2006)

I was slightly afraid of that. Oh well, thanks for helping ;D


----------



## Cookiegal (Aug 27, 2003)

You're welcome and good luck!


----------



## sparsby (Apr 10, 2006)

I found a suspicious .zip file in one of my folders called processexplorerNT

Here's a Kaspersky file report thingy:

Scanned file: ProcessExplorerNt.zip 

ProcessExplorerNt.zip/procexp.chm/#BSSC - OK
ProcessExplorerNt.zip/procexp.chm/#IDXHDR - OK
ProcessExplorerNt.zip/procexp.chm/#STRINGS - OK
ProcessExplorerNt.zip/procexp.chm/#SYSTEM - OK
ProcessExplorerNt.zip/procexp.chm/#TOPICS - OK
ProcessExplorerNt.zip/procexp.chm/#URLSTR - OK
ProcessExplorerNt.zip/procexp.chm/#URLTBL - OK
ProcessExplorerNt.zip/procexp.chm/#WINDOWS - OK
ProcessExplorerNt.zip/procexp.chm/$FIftiMain - OK
ProcessExplorerNt.zip/procexp.chm/$OBJINST - OK
ProcessExplorerNt.zip/procexp.chm/$WWAssociativeLinks/Property - OK
ProcessExplorerNt.zip/procexp.chm/$WWKeywordLinks/BTree - OK
ProcessExplorerNt.zip/procexp.chm/$WWKeywordLinks/Data - OK
ProcessExplorerNt.zip/procexp.chm/$WWKeywordLinks/Map - OK
ProcessExplorerNt.zip/procexp.chm/$WWKeywordLinks/Property - OK
ProcessExplorerNt.zip/procexp.chm/Columns_and_Column_Sets.htm - OK
ProcessExplorerNt.zip/procexp.chm/eHelp.xml - OK
ProcessExplorerNt.zip/procexp.chm/ehlpdhtm.js - OK
ProcessExplorerNt.zip/procexp.chm/Finding_a_Window_s_Process.htm - OK
ProcessExplorerNt.zip/procexp.chm/Interrupts_and_DPCs.htm - OK
ProcessExplorerNt.zip/procexp.chm/Options.htm - OK
ProcessExplorerNt.zip/procexp.chm/Overview.htm - OK
ProcessExplorerNt.zip/procexp.chm/Process_Properties.htm - OK
ProcessExplorerNt.zip/procexp.chm/process_View.htm - OK
ProcessExplorerNt.zip/procexp.chm/procexp.brs - OK
ProcessExplorerNt.zip/procexp.chm/procexp.css - OK
ProcessExplorerNt.zip/procexp.chm/procexp.hhc - OK
ProcessExplorerNt.zip/procexp.chm/procexp.hhk - OK
ProcessExplorerNt.zip/procexp.chm/Reporting_Bugs.htm - OK
ProcessExplorerNt.zip/procexp.chm/RoboHHRE.lng - OK
ProcessExplorerNt.zip/procexp.chm/Running_in_the_Tray.htm - OK
ProcessExplorerNt.zip/procexp.chm/Searching.htm - OK
ProcessExplorerNt.zip/procexp.chm/System_Information.htm - OK
ProcessExplorerNt.zip/procexp.chm/The_DLL_View.htm - OK
ProcessExplorerNt.zip/procexp.chm/The_Handle_VIew.htm - OK
ProcessExplorerNt.zip/procexp.chm/The_Main_Window.htm - OK
ProcessExplorerNt.zip/procexp.chm/The_Process_Context_Menu.htm - OK
ProcessExplorerNt.zip/procexp.chm/The_Process_View.htm - OK
ProcessExplorerNt.zip/procexp.chm/The_Users_Menu.htm - OK
ProcessExplorerNt.zip/procexp.chm - OK
ProcessExplorerNt.zip/procexp.exe - OK
ProcessExplorerNt.zip/Eula.txt - OK

Could that have been what messed things up even though it says it's all okay?


----------



## Cookiegal (Aug 27, 2003)

Those belong to the Sysinternals ProcessExplorerNt program and are not malicious.


----------
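The archive above was judged harmless because an AV scan returned "OK" on every member and the filenames match a known Sysinternals tool. Neither fact proves the binary is the genuine one: a file named procexp.exe can contain anything. The check a practitioner would run instead is to verify the Authenticode signature and the signer of each executable in the archive, and record its hash. The script below is an added example, not code from the thread or from Sysinternals; it assumes a current Windows host with PowerShell 5 or later, and the zip location, extraction directory and expected signer string (current Sysinternals builds are signed by Microsoft Corporation; a 2006-era build may carry a different or no signature) are illustrative assumptions.

```powershell
# Added example (not from the original thread): verify that the executables
# inside a downloaded tool archive carry a valid Authenticode signature from
# the expected publisher, rather than trusting an AV "OK" verdict alone.
# Assumed values: $ZipPath, $ExtractDir and $ExpectedSigner are illustrative.
param(
    [string]$ZipPath        = "$env:USERPROFILE\Downloads\ProcessExplorerNt.zip",
    [string]$ExtractDir     = "$env:TEMP\procexp_check",
    [string]$ExpectedSigner = 'O=Microsoft Corporation'
)

# Unpack to a scratch directory; nothing is executed, only inspected.
Expand-Archive -LiteralPath $ZipPath -DestinationPath $ExtractDir -Force

$results = Get-ChildItem -Path $ExtractDir -Recurse -Include *.exe, *.dll, *.sys |
    ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $hash   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

        # "Valid" only says the chain verifies; the subject must also be the
        # publisher we expect, otherwise any validly signed binary would pass.
        $trusted = ($sig.Status -eq 'Valid') -and ($signer -match [regex]::Escape($ExpectedSigner))

        [pscustomobject]@{
            File    = $_.Name
            Status  = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError ...
            Signer  = $signer
            SHA256  = $hash            # keep for comparison with the vendor's published hash
            Trusted = $trusted
        }
    }

$results | Format-Table -AutoSize

# Exit non-zero if any PE file in the archive is not a trusted signed binary,
# so the check can gate a scripted cleanup instead of relying on eyeballing.
if ($results | Where-Object { -not $_.Trusted }) {
    Write-Warning 'At least one executable is unsigned, tampered, or signed by an unexpected publisher.'
    exit 1
}
```

A HashMismatch status means the file was modified after signing, which is the case that matters most on a machine already suspected of being compromised; NotSigned on a file that the vendor normally ships signed deserves the same suspicion.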

