# Solved: Smitfraud-C infected



## ti-gris (Apr 23, 2005)

A Spyot bot scan revealed Smitfraud. Also several entries in the HJT log, which is attached.
Would appreciate any help. Tks in advance. 

Logfile of HijackThis v1.99.1
Scan saved at 12:23:47 PM, on 12/16/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL\PERSFW.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
C:\WINDOWS\SYSTEM\PROMON.EXE
C:\PROGRAM FILES\CAERE\OMNIPAGEPRO90\OPWARE32.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\CAERE\OMNIPAGEPRO90\opware16.exe
C:\WINDOWS\SYSTEM\PELMICED.EXE
C:\IBMTOOLS\APTEZBTN\APTEZBP.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQTRA08.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQSTE08.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sympatico.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fourni par Service Internet Sympatico
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [OmniPage] C:\PROGRAM FILES\CAERE\OMNIPAGEPRO90\opware32.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AEZBProc] c:\ibmtools\aptezbtn\aptezbp.exe
O4 - HKLM\..\RunServices: [PersFw] "C:\Program Files\Kerio\Personal Firewall\persfw.exe" /hide
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM\..\RunServices: [HP Port Resolver] $SYSTEM\hpbpro.exe
O4 - HKLM\..\RunServices: [HP Status Server] $SYSTEM\hpboid.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - Startup: SPYWAREGUARD.LNK = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sympatico.ca
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://fr.autos.sympatico.msn.ca/components/ocx/survid/MSSurVid.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_ansi.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/install/guidedsolutions.cab


----------



## ti-gris (Apr 23, 2005)

Sorry for the typo: Spybot Search and Destroy...


----------



## eddde (Dec 16, 2006)

Bad advice removed.

eddde,

Please refer to this thread that's stickied in the Security forum. You are not qualified for malware removal and the information you posted is incorrect; therefore it has been removed.

Please PM me if you would like more information on becoming qualified for malware removal. 

*Log Analysis/Malware Removal* - In order to ensure that advice given to users is consistent and of the highest quality, those who wish to assist with security related matters must first graduate from one of the malware boot camp training universities or be approved by the administration as already being qualified. Those authorized to help with malware issues have a gold shield next to their name. Anyone wishing to participate in a training program should contact a Moderator for more information.

http://forums.techguy.org/security/496737-new-rules-regarding-malware-removal.html


----------



## Cookiegal (Aug 27, 2003)

ti-gris,

The SmitfraudFix tool does not run on ME. I just wanted to mention that, since from your PM you did read what was posted, which has since been removed.

Would you please post your SpyBot S&D log.

NOTE: Please note that Tech Support Guy is relocating its web servers this evening and therefore the site will be down starting at 7:00 p.m. Eastern time (GMT -5 hours). If you have difficulty accessing the site, this is the reason, so don't be alarmed. We don't know how long this will take but please check the following link for updates on the move and when we can expect to be back on-line, which should be sometime Sunday. Thank you for your patience and understanding.

http://status.techguy.org/


----------



## Cookiegal (Aug 27, 2003)

eddde said:


> Bad advice removed.
> 
> eddde,
> 
> ...


----------



## ti-gris (Apr 23, 2005)

Thanks for the reply. I see you guys were very busy and I certainly didn't mean to be harsh.
Regarding Spybot S&D, sorry, I looked everywhere I could think of and can't find a log.
By the way, I deleted Smitfraud after the scan, but the computer is slow and there are perhaps leftovers??


----------



## ti-gris (Apr 23, 2005)

Cookiegal:

In case you need a fresh HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 12:36:27 PM, on 12/17/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL\PERSFW.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
C:\WINDOWS\SYSTEM\PROMON.EXE
C:\PROGRAM FILES\CAERE\OMNIPAGEPRO90\OPWARE32.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\CAERE\OMNIPAGEPRO90\opware16.exe
C:\WINDOWS\SYSTEM\PELMICED.EXE
C:\IBMTOOLS\APTEZBTN\APTEZBP.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQTRA08.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQSTE08.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sympatico.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fourni par Service Internet Sympatico
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [OmniPage] C:\PROGRAM FILES\CAERE\OMNIPAGEPRO90\opware32.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AEZBProc] c:\ibmtools\aptezbtn\aptezbp.exe
O4 - HKLM\..\RunServices: [PersFw] "C:\Program Files\Kerio\Personal Firewall\persfw.exe" /hide
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM\..\RunServices: [HP Port Resolver] $SYSTEM\hpbpro.exe
O4 - HKLM\..\RunServices: [HP Status Server] $SYSTEM\hpboid.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - Startup: SPYWAREGUARD.LNK = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sympatico.ca
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://fr.autos.sympatico.msn.ca/components/ocx/survid/MSSurVid.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_ansi.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/install/guidedsolutions.cab

tks.


----------
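The two HijackThis logs posted above are the same format, so a helper comparing them would normally diff them rather than read both by eye. The script below is an added example for this page, not code from the thread or from HijackThis: it parses the HJT layout (header, "Running processes:" block, then the R0/O2/O4/O16 item lines), diffs two scans, and lists the O4 Run/RunServices items whose target is not an absolute path, which the log line alone cannot pin down to a file. LOG_A is a trimmed excerpt of the 12/16 log; LOG_B is LOG_A with the one difference the 12/17 log shows (NOTEPAD.EXE also running). The function names and the "rooted path" rule are this example's own.

```python
"""Parse HijackThis v1.99 logs and diff two scans of the same machine.

Added example for this thread; not code from the posts or from HijackThis.
LOG_A is a trimmed excerpt of the 12/16 log posted above; LOG_B is LOG_A with
the one difference the 12/17 log shows (NOTEPAD.EXE also running).
"""
import re
from dataclasses import dataclass

# An HJT item line is "<code> - <body>", e.g. "O4 - HKLM\..\Run: [name] cmd".
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")
# Body of an O4 Run/RunServices item: hive, key, [value name], command line.
O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
ROOTED_RE = re.compile(r"^[A-Za-z]:\\")   # an absolute "C:\..." path


@dataclass(frozen=True)
class HjtLog:
    platform: str
    processes: frozenset   # running-process paths, upper-cased (Win9x paths are case-insensitive)
    entries: frozenset     # (code, body) pairs, e.g. ("O4", "HKLM\\..\\Run: [SystemTray] SysTray.Exe")


def parse_hjt(text: str) -> HjtLog:
    platform, processes, entries, in_procs = "", set(), set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line closes the "Running processes:" block
        elif line.startswith("Platform:"):
            platform = line.split(":", 1)[1].strip()
        elif line == "Running processes:":
            in_procs = True
        elif in_procs:
            processes.add(line.upper())
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries.add((m["code"], m["body"]))
    return HjtLog(platform, frozenset(processes), frozenset(entries))


def diff_hjt(old: HjtLog, new: HjtLog) -> dict:
    """What appeared or disappeared between two scans of the same box."""
    return {
        "processes_started": sorted(new.processes - old.processes),
        "processes_gone": sorted(old.processes - new.processes),
        "entries_added": sorted(new.entries - old.entries),
        "entries_removed": sorted(old.entries - new.entries),
    }


def _executable(cmd: str) -> str:
    """First token of a command line, honouring a quoted path."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    parts = cmd.split()
    return parts[0] if parts else ""


def unresolved_autoruns(log: HjtLog) -> list:
    """O4 Run/RunServices items whose target is not an absolute path.

    A bare name (SysTray.Exe) is found by the PATH search and an unexpanded
    token ($SYSTEM\\hpbpro.exe) is not a path at all, so the log line alone
    does not say which file runs; resolve these on disk before calling it clean.
    """
    found = []
    for code, body in log.entries:
        m = O4_RE.match(body) if code == "O4" else None
        if m and not ROOTED_RE.match(_executable(m["cmd"])):
            found.append((m["name"], _executable(m["cmd"])))
    return sorted(found)


LOG_A = r"""Logfile of HijackThis v1.99.1
Scan saved at 12:23:47 PM, on 12/16/2006
Platform: Windows ME (Win9x 4.90.3000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL\PERSFW.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [HP Port Resolver] $SYSTEM\hpbpro.exe
O4 - HKLM\..\RunServices: [PersFw] "C:\Program Files\Kerio\Personal Firewall\persfw.exe" /hide
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_ansi.cab
"""
LOG_B = LOG_A.replace("12/16/2006", "12/17/2006").replace(
    "C:\\WINDOWS\\DESKTOP\\HIJACKTHIS.EXE",
    "C:\\WINDOWS\\NOTEPAD.EXE\nC:\\WINDOWS\\DESKTOP\\HIJACKTHIS.EXE")

if __name__ == "__main__":
    a, b = parse_hjt(LOG_A), parse_hjt(LOG_B)
    print(a.platform, diff_hjt(a, b), unresolved_autoruns(b), sep="\n")
```

Run against the two full logs in this thread, the diff is empty apart from NOTEPAD.EXE (presumably the log being viewed), and the unresolved list is the bare-name items (SysTray.Exe, Promon.exe, PELMICED.EXE, Rundll32.exe, mstask.exe) plus the two `$SYSTEM\...` HP RunServices entries. The Spybot log later in the thread resolves the bare names to C:\WINDOWS\SYSTEM\ (and Rundll32.exe to C:\WINDOWS\) but leaves both `$SYSTEM` entries with an empty `file:` line, which is why those two are the ones worth checking on disk.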



## Cookiegal (Aug 27, 2003)

Go *here* and download Ad-Aware SE.

Install the program and launch it.

First, in the main window look in the bottom right corner and click on *Check for updates now* then click *Connect* and download the latest reference files.

From the main window, click *Start* then under *Select a scan Mode* tick *Perform full system scan*.

Next, deselect *Search for negligible risk entries*.

Now to perform a scan, click the *Next* button.

When the scan is finished, mark everything for removal and get rid of it. To do so, right-click in the window and choose *select all* from the drop-down menu and then click *Next*.

Please go *HERE* to run Panda's ActiveScan
Once you are on the Panda site click the *Scan your PC* button
A new window will open...click the *Check Now* button
Enter your *Country*
Enter your *State/Province*
Enter your *e-mail address* and click *send*
Select either *Home User* or *Company*
Click the big *Scan Now* button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on *My Computer* to start the scan
When the scan completes, if anything malicious is detected, click the *See Report* button, *then Save Report* and save it to a convenient location. Post the contents of the ActiveScan report


----------



## ti-gris (Apr 23, 2005)

Cookiegal:
Updated and ran Ad-Aware SE = was already up to date, use it every day = 99237 files = no object found.

FYI I also had run CW Shredder; Spybot S&D, which deleted Smitfraud...
I also run Spyware Blaster, and Spyware Guard. Use Kerio as Firewall and Avast as AV.

Here is the Panda report as requested:

| Incident | Status | Location |
|---|---|---|
| Adware:adware/ideskbar | Not disinfected | c:\windows\system\favset.exe |
| Potentially unwanted tool:application/kill&clean | Not disinfected | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{BF69DF00-2734-477F-8257-27CD04F88779} |
| Spyware:Cookie/Atwola | Not disinfected | C:\Program Files\Netscape\Communicator\Users\pat\cookies.txt[.atwola.com/] |
| Spyware:Cookie/Overture | Not disinfected | C:\Program Files\Netscape\Communicator\Users\pat\cookies.txt[.overture.com/] |
| Spyware:Cookie/QkSrv | Not disinfected | C:\Program Files\Netscape\Communicator\Users\pat\cookies.txt[.qksrv.net/] |
| Spyware:Cookie/Tribalfusion | Not disinfected | C:\Program Files\Netscape\Communicator\Users\pat\cookies.txt[.tribalfusion.com/] |

Paul


----------



## Cookiegal (Aug 27, 2003)

I would like to see the SpyBot log. I know you said you couldn't find it. If you are in "advanced mode" click on "tools" and "view report" and you should find it in there.

If you're not in "advanced mode" click on "mode" in the toolbar and check "advanced mode".


----------



## ti-gris (Apr 23, 2005)

Cookiegal:
Looks like I'll send it in two portions.

Here is the Spybot S&D log. Maybe it will be the second, but I can't see the first one I sent...
BTW, you learn every day, even at 78..
Part 1:

--- Search result list ---
Congratulations!: No immediate threats were found. ()

--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2006-03-01 unins000.exe (51.41.0.0)
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-12-15 Includes\Cookies.sbi (*)
2006-12-08 Includes\Dialer.sbi (*)
2006-11-24 Includes\Hijackers.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2006-12-15 Includes\Malware.sbi (*)
2006-12-15 Includes\Revision.sbi (*)
2006-12-08 Includes\Security.sbi (*)
2006-10-13 Includes\Spybots.sbi (*)
2006-12-08 Includes\Trojans.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-10-20 Includes\PUPS.sbi (*)
2006-12-15 Includes\TrojansC.sbi (*)
2006-12-15 Includes\SpybotsC.sbi (*)
2006-12-15 Includes\SecurityC.sbi (*)
2006-12-15 Includes\PUPSC.sbi (*)
2006-12-15 Includes\MalwareC.sbi (*)
2006-12-15 Includes\KeyloggersC.sbi (*)
2006-12-15 Includes\HijackersC.sbi (*)
2006-12-15 Includes\DialerC.sbi (*)

--- System information ---
Windows ME (Build: 3000) 
/ DataAccess: Patch Available For XMLHTTP Vulnerability
/ DataAccess: Buffer Overrun in Microsoft Data Access Components Could Lead to Code Execution
/ DirectX: DirectX Update 819696
/ Windows Media Player: Windows Media Update 817787
/ Windows Media Player: Windows Media Update 828026

--- Startup entries list ---
Located: HK_LM:Run, AEZBProc
command: c:\ibmtools\aptezbtn\aptezbp.exe
file: c:\ibmtools\aptezbtn\aptezbp.exe
size: 402944
MD5: 22431fe9bd1899eea770a903b832be05

Located: HK_LM:Run, ashMaiSv
command: C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
file: C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
size: 251520
MD5: 30020c9fd8754f4099f9d868c6c87051

Located: HK_LM:Run, avast! Web Scanner
command: C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
file: C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
size: 370304
MD5: 165408dd1bb1cc1ac41115f906fcfacb

Located: HK_LM:Run, HP Software Update
command: C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
file: C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
size: 49152
MD5: 926a397334fe426a6c7657096fe681db

Located: HK_LM:Run, LoadPowerProfile
command: Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
file: C:\WINDOWS\Rundll32.exe
size: 24576
MD5: 208c3f7142c109f3055cb07c95af0f2e

Located: HK_LM:Run, Mouse Suite 98 Daemon
command: PELMICED.EXE
file: C:\WINDOWS\SYSTEM\PELMICED.EXE
size: 69632
MD5: d115e69dc5ba0a415b36ae319bcf2e50

Located: HK_LM:Run, OmniPage
command: C:\PROGRAM FILES\CAERE\OMNIPAGEPRO90\opware32.exe
file: C:\PROGRAM FILES\CAERE\OMNIPAGEPRO90\opware32.exe
size: 44032
MD5: 0f3b81aed601a5d281286cce5c9e99bc

Located: HK_LM:Run, PCHealth
command: C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
file: C:\WINDOWS\PCHealth\Support\PCHSchd.exe
size: 24848
MD5: 37556315e7dadd5ee414b5a438b7843d

Located: HK_LM:Run, Promon.exe
command: Promon.exe
file: C:\WINDOWS\SYSTEM\Promon.exe
size: 29184
MD5: 953d76f56c42fa1ccd6c5ceae70f9471

Located: HK_LM:Run, QuickTime Task
command: "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
file: C:\WINDOWS\SYSTEM\QTTASK.EXE
size: 77824
MD5: 4e165b34780ff2d1b405f29e3fa68df2

Located: HK_LM:Run, ScanRegistry
command: C:\WINDOWS\scanregw.exe /autorun
file: C:\WINDOWS\scanregw.exe
size: 126976
MD5: 548ae8c51870ec245dac589b9bf271fc

Located: HK_LM:Run, SystemTray
command: SysTray.Exe
file: C:\WINDOWS\SYSTEM\SysTray.Exe
size: 36864
MD5: a29d4e875bc3ed7042a9159a89b597db

Located: HK_LM:Run, TaskMonitor
command: C:\WINDOWS\taskmon.exe
file: C:\WINDOWS\taskmon.exe
size: 28672
MD5: a23bca4b69ac68fd410b6afccb11af07

Located: HK_LM:RunServices, *StateMgr
command: C:\WINDOWS\System\Restore\StateMgr.exe
file: C:\WINDOWS\System\Restore\StateMgr.exe
size: 24848
MD5: 02282c55dc8b1bf1ff1180c98d7337d6

Located: HK_LM:RunServices, avast!
command: C:\Program Files\Alwil Software\Avast4\ashServ.exe
file: C:\Program Files\Alwil Software\Avast4\ashServ.exe
size: 108160
MD5: 1ca6d8776d4f615e7861e35221582ae0

Located: HK_LM:RunServices, HP Port Resolver
command: $SYSTEM\hpbpro.exe
file:

Located: HK_LM:RunServices, HP Status Server
command: $SYSTEM\hpboid.exe
file:

Located: HK_LM:RunServices, KB891711
command: C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
file: C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
size: 9088
MD5: cbd841775a04e82b2828fc301aafee70

Located: HK_LM:RunServices, LoadPowerProfile
command: Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
file: C:\WINDOWS\Rundll32.exe
size: 24576
MD5: 208c3f7142c109f3055cb07c95af0f2e

Located: HK_LM:RunServices, PersFw
command: "C:\Program Files\Kerio\Personal Firewall\persfw.exe" /hide
file: C:\Program Files\Kerio\Personal Firewall\persfw.exe
size: 389120
MD5: 9a0940332f74d77210185b77e22295a0

Located: HK_LM:RunServices, SchedulingAgent
command: mstask.exe
file: C:\WINDOWS\SYSTEM\mstask.exe
size: 126976
MD5: 6770eaf1dfb8d3c952dca22cd956f570

Located: HK_LM:RunServices, SSDPSRV
command: C:\WINDOWS\SYSTEM\ssdpsrv.exe
file: C:\WINDOWS\SYSTEM\ssdpsrv.exe
size: 57104
MD5: 95914d31a0b7001e99a537dc5f563f4d

Located: HK_LM:RunServices, StillImageMonitor
command: C:\WINDOWS\SYSTEM\STIMON.EXE
file: C:\WINDOWS\SYSTEM\STIMON.EXE
size: 28432
MD5: 902252f831d45763f7711b24ed430785

Located: Startup (user), HP Digital Imaging Monitor.lnk
command: C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
file: C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
size: 288472
MD5: 4543367e50bd35e7d1269d42841b156e

Located: Startup (user), SPYWAREGUARD.LNK
command: C:\Program Files\SpywareGuard\sgmain.exe
file: C:\Program Files\SpywareGuard\sgmain.exe
size: 360448
MD5: 61c028aba5e49573a6332f4a7c744e87

--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
BHO name: 
CLSID name: AcroIEHlprObj Class
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx
AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\
Long name: AcroIEHelper.ocx
Short name: ACROIE~1.OCX
Date (created): 12/9/2002 11:07:24 PM
Date (last access): 12/17/2006
Date (last write): 3/2/2001 12:02:04 PM
Filesize: 37808
Attributes: 
MD5: 8394ABFC1BE196A62C9F532511936DF7
CRC32: 71D6E350
Version: 1.0.0.1

{53707962-6F74-2D53-2644-206D7942484F} ()
BHO name: 
CLSID name: 
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name: SDHELPER.DLL
Date (created): 3/1/2006 2:48:08 PM
Date (last access): 12/17/2006
Date (last write): 5/31/2005 1:04:00 AM
Filesize: 853672
Attributes: 
MD5: 250D787A5712D7768DDC133B3E477759
CRC32: D4589A41
Version: 1.4.0.0

{4A368E80-174F-4872-96B5-0B27DDD11DB2} (SpywareGuard Download Protection)
BHO name: SpywareGuard Download Protection
CLSID name: SpywareGuardDLBLOCK.CBrowserHelper
description: SpywareGuard download protection
classification: Legitimate
known filename: dlprotect.dll
info link: http://www.wilderssecurity.net/spywareguard.html
info source: TonyKlein
Path: C:\PROGRAM FILES\SPYWAREGUARD\
Long name: dlprotect.dll
Short name: DLPROT~1.DLL
Date (created): 8/2/2003 11:24:00 PM
Date (last access): 12/17/2006
Date (last write): 8/2/2003 11:24:02 PM
Filesize: 192512
Attributes: 
MD5: 964621E8B2415FEAA99026ED4F29D198
CRC32: DC8CF59D
Version: 2.2.0.0

--- ActiveX list ---
Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name: 
Installer: 
Codebase: file://C:\WINDOWS\Java\classes\xmldso.cab
description: 
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link: 
info source: Patrick M. Kolla

DirectAnimation Java Classes (DirectAnimation Java Classes)
DPF name: DirectAnimation Java Classes
CLSID name: 
Installer: 
Codebase: file://C:\WINDOWS\SYSTEM\dajava.cab
description: 
classification: Legitimate
known filename: %WINDIR%\Java\classes\dajava.cab
info link: 
info source: Patrick M. Kolla

{32564D57-0000-0010-8000-00AA00389B71} ()
DPF name: 
CLSID name: 
Installer: C:\WINDOWS\Downloaded Program Files\wmv8ax.inf
Codebase: http://codecs.microsoft.com/codecs/i386/wmv8ax.cab
description: 
classification: Legitimate
known filename: 
info link: 
info source: Safer Networking Ltd.

{CEBC955E-58AF-11D2-A30A-00A0C903492B} (CV3 Class)
DPF name: 
CLSID name: CV3 Class
Installer: C:\WINDOWS\Downloaded Program Files\actsetup.inf
Codebase: http://windowsupdate.microsoft.com/R1044/V31Controls/x86/mil/en/actsetup.cab
description: Windows Update
classification: Legitimate
known filename: WUV3IS.DLL
info link: 
info source: Patrick M. Kolla
Path: C:\WINDOWS\SYSTEM\
Long name: wuv3is.dll
Short name: WUV3IS.DLL
Date (created): 6/20/2002 2:57:52 PM
Date (last access): 12/17/2006
Date (last write): 6/20/2002 2:57:52 PM
Filesize: 221184
Attributes: 
MD5: 7D1FE2201906594E17147E02A208DBD4
CRC32: 8B1A367E
Version: 5.4.5440.0

{9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class)
DPF name: 
CLSID name: Update Class
Installer: C:\WINDOWS\Downloaded Program Files\iuctl.inf
Codebase: http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37865.5433912037
description: Windows Update
classification: Legitimate
known filename: %WINDIR%\System32\iuctl.dll,iuengine.dll
info link: 
info source: Patrick M. Kolla
Path: C:\WINDOWS\SYSTEM\
Long name: IUCTL.DLL
Short name: 
Date (created): 8/21/2003 4:47:54 PM
Date (last access): 12/17/2006
Date (last write): 8/21/2003 4:47:54 PM
Filesize: 162400
Attributes: 
MD5: DB2F1F57D3057FEBC19C61AB9AA77198
CRC32: 5A03D776
Version: 5.3.3790.13

{A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class)
DPF name: 
CLSID name: ScorchPlugin Class
Installer: C:\WINDOWS\Downloaded Program Files\setup.inf
Codebase: http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
description: 
classification: Legitimate
known filename: NPSibelius.dll
info link: 
info source: Safer Networking Ltd.
Path: C:\WINDOWS\DOWNLOADED PROGRAM FILES\
Long name: NPSibelius.dll
Short name: NPSIBE~1.DLL
Date (created): 3/25/2003 4:42:02 PM
Date (last access): 12/17/2006
Date (last write): 3/25/2003 4:42:02 PM
Filesize: 2535562
Attributes: 
MD5: 882AD0CAD66FF01D718F5C1199A300C5
CRC32: 844F8358
Version: 2.8.0.3

{74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support)
DPF name: 
CLSID name: IBM Access Support
Installer: C:\WINDOWS\Downloaded Program Files\IbmEgath.inf
Codebase: http://www-307.ibm.com/pc/support/IbmEgath.cab
description: 
classification: Legitimate
known filename: IbmEgath.dll
info link: 
info source: Safer Networking Ltd.
Path: C:\WINDOWS\DOWNLOADED PROGRAM FILES\
Long name: IbmEgath.dll
Short name: IBMEGATH.DLL
Date (created): 2/18/2004 2:32:46 PM
Date (last access): 12/17/2006
Date (last write): 2/18/2004 2:32:46 PM
Filesize: 172032
Attributes: 
MD5: F51AC631E62B3DF12AE74CFE6D8B1831
CRC32: A12613C4
Version: 3.0.0.9

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name: 
CLSID name: Shockwave Flash Object
Installer: C:\WINDOWS\Downloaded Program Files\swflash.inf
Codebase: http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename: 
info link: 
info source: Patrick M. Kolla
Path: C:\WINDOWS\SYSTEM\MACROMED\FLASH\
Long name: Flash8a.ocx
Short name: FLASH8A.OCX
Date (created): 3/30/2006 11:34:06 AM
Date (last access): 12/17/2006
Date (last write): 1/12/2006 10:42:54 AM
Filesize: 1443464
Attributes: 
MD5: 3066BB99502AE33AE44F17954AF56B8F
CRC32: 658FAE72
Version: 8.0.24.0

{33564D57-9980-0010-8000-00AA00389B71} ()
DPF name: 
CLSID name: 
Installer: C:\WINDOWS\Downloaded Program Files\wmv9dmo.inf
Codebase: http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
description: Microsoft WMV Video Codec
classification: Legitimate
known filename: WMV9DMO.CAB
info link: 
info source: Patrick M. Kolla

{928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object)
DPF name: 
CLSID name: SurroundVideoCtrl Object
Installer: C:\WINDOWS\Downloaded Program Files\MSSurVid.inf
Codebase: http://fr.autos.sympatico.msn.ca/components/ocx/survid/MSSurVid.cab
description: 
classification: Legitimate
known filename: MSSurVid.ocx
info link: 
info source: Safer Networking Ltd.
Path: C:\WINDOWS\DOWNLOADED PROGRAM FILES\
Long name: MSSurVid.ocx
Short name: MSSURVID.OCX
Date (created): 6/13/2000 2:13:36 PM
Date (last access): 12/17/2006
Date (last write): 6/13/2000 2:13:36 PM
Filesize: 110592
Attributes: 
MD5: BE894FC2AC628CC5A2D8560884D87E9A
CRC32: 830DDAE7
Version: 1.2.0.10

{30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class)
DPF name: 
CLSID name: YInstStarter Class
Installer: C:\WINDOWS\Downloaded Program Files\yinst.inf
Codebase: http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
description: Yahoo! Installation helper
classification: Legitimate
known filename: %SystemRoot%\Downloaded Program Files\yinsthelper.dll
info link: 
info source: Patrick M. Kolla
Path: C:\WINDOWS\DOWNLOADED PROGRAM FILES\
Long name: yinsthelper.dll
Short name: YINSTH~1.DLL
Date (created): 1/26/2004 6:40:04 PM
Date (last access): 12/17/2006
Date (last write): 1/26/2004 6:40:04 PM
Filesize: 133120
Attributes: 
MD5: E1FBF33D995C89583A36F461EC2879FF
CRC32: 1592E04B
Version: 2004.1.26.1

{33564D57-0000-0010-8000-00AA00389B71} ()
DPF name: 
CLSID name: 
Installer: C:\WINDOWS\Downloaded Program Files\WMV9VCM.inf
Codebase: http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
description: 
classification: Legitimate
known filename: 
info link: 
info source: Safer Networking Ltd.

{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine)
DPF name: 
CLSID name: Office Update Installation Engine
Installer: C:\WINDOWS\Downloaded Program Files\opuc.inf
Codebase: http://office.microsoft.com/officeupdate/content/opuc3.cab
description: 
classification: Legitimate
known filename: opuc.dll
info link: 
info source: Safer Networking Ltd.
Path: C:\WINDOWS\
Long name: OPUC.DLL
Short name: 
Date (created): 11/17/2005 11:12:26 PM
Date (last access): 12/17/2006
Date (last write): 11/17/2005 11:12:26 PM
Filesize: 533504
Attributes: 
MD5: 24F3058766D5FC3FD0F37F6D6EE6FE9B
CRC32: F1FAEDE3
Version: 12.0.3208.1014

{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object)
DPF name: 
CLSID name: CKAVWebScan Object
Installer: C:\WINDOWS\Downloaded Program Files\kavwebscan.inf
Codebase: http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_ansi.cab
description: 
classification: Legitimate
known filename: 
info link: 
info source: Safer Networking Ltd.
Path: C:\WINDOWS\SYSTEM\KASPERSKY LAB\KASPERSKY ONLINE SCANNER\
Long name: kavwebscan.dll
Short name: KAVWEB~1.DLL
Date (created): 3/20/2006 1:16:18 PM
Date (last access): 12/17/2006
Date (last write): 3/20/2006 1:16:18 PM
Filesize: 790528
Attributes: 
MD5: 18A743EBF05BD2E8D6004E1EFEA4E2A8
CRC32: 4259AC71
Version: 5.0.83.0

{49232000-16E4-426C-A231-62846947304B} ()
DPF name: 
CLSID name: 
Installer: C:\WINDOWS\Downloaded Program Files\sysinfo.inf
Codebase: http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
description: 
classification: Legitimate
known filename: SysInfo.dll
info link: 
info source: Safer Networking Ltd.

{9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class)
DPF name: 
CLSID name: HPObjectInstaller Class
Installer: C:\WINDOWS\Downloaded Program Files\GuidedSolutions.inf
Codebase: http://h30155.www3.hp.com/ediags/dd/install/guidedsolutions.cab
description: 
classification: Legitimate
known filename: HPCommunication.dll
info link: 
info source: Safer Networking Ltd.
Path: C:\PROGRAM FILES\HEWLETT-PACKARD\ESUPPORTDIAGS\
Long name: HPCommunication.dll
Short name: HPCOMM~1.DLL
Date (created): 7/21/2006 12:30:38 PM
Date (last access): 12/17/2006
Date (last write): 7/21/2006 12:30:38 PM
Filesize: 221184
Attributes: 
MD5: B0DE681F4E4577B957AF4AAD5789D83A
CRC32: D799366D
Version: 1.0.10.0

{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class)
DPF name: 
CLSID name: ActiveScan Installer Class
Installer: C:\WINDOWS\Downloaded Program Files\CONFLICT.1\asinst.inf
Codebase: http://acs.pandasoftware.com/activescan/as5free/asinst.cab
description: 
classification: Legitimate
known filename: ASINST.DLL
info link: 
info source: Safer Networking Ltd.
Path: C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.1\
Long name: asinst.dll
Short name: ASINST.DLL
Date (created): 8/24/2006 8:28:54 AM
Date (last access): 12/17/2006
Date (last write): 8/24/2006 8:28:54 AM
Filesize: 141424
Attributes: 
MD5: CB0EBD772D7D003BD11A999FF515A89A
CRC32: 3CFE74C1
Version: 58.6.0.0

--- Process list ---
PID: -1095319 (2120173749) C:\WINDOWS\SYSTEM\KERNEL32.DLL
size: 536576
MD5: 629E271A615588E918D6B27D5E4A5265
PID: -64895 (-1095319) C:\WINDOWS\SYSTEM\MSGSRV32.EXE
size: 11776
MD5: 4B7546E40EA1EACEEB330CB4D259265A
PID: -7435 (-64895) C:\WINDOWS\SYSTEM\mmtask.tsk
size: 1184
MD5: 269231E21D558D468CFC1C03FB463768
PID: -1871 (-64895) C:\WINDOWS\SYSTEM\MPREXE.EXE
size: 28672
MD5: 207AA0E020D4DE978F459B3AC11AC230
PID: -22471 (-1871) C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL\PERSFW.EXE
size: 389120
MD5: 9A0940332F74D77210185B77E22295A0
PID: -26871 (-1871) C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
size: 108160
MD5: 1CA6D8776D4F615E7861E35221582AE0
PID: -124171 (-1871) C:\WINDOWS\SYSTEM\STIMON.EXE
size: 28432
MD5: 902252F831D45763F7711B24ED430785
PID: -126039 (-1871) C:\WINDOWS\SYSTEM\MSTASK.EXE
size: 126976
MD5: 6770EAF1DFB8D3C952DCA22CD956F570
PID: -118911 (-1871) C:\WINDOWS\SYSTEM\SSDPSRV.EXE
size: 57104
MD5: 95914D31A0B7001E99A537DC5F563F4D
P


----------



## ti-gris (Apr 23, 2005)

Cookiegal:

Heres part 2
PID: -76203 (-1871) C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
size: 9088
MD5: CBD841775A04E82B2828FC301AAFEE70
PID: -91107 (-64895) C:\WINDOWS\EXPLORER.EXE
size: 225280
MD5: 872F3BA51320560952DBA06CC66FEBF6
PID: -185079 (-124171) C:\WINDOWS\SYSTEM\RPCSS.EXE
size: 20480
MD5: 4B2B2C8D58E36EFEDFFA8D96DCF07089
PID: -155495 (-19535) C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
size: 61712
MD5: 2D4F40BBF88E1A131DEE7DABBE61E4B6
PID: -369475 (-91107) C:\WINDOWS\SYSTEM\SYSTRAY.EXE
size: 36864
MD5: A29D4E875BC3ED7042A9159A89B597DB
PID: -392271 (-91107) C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
size: 370304
MD5: 165408DD1BB1CC1AC41115F906FCFACB
PID: -377531 (-91107) C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
size: 251520
MD5: 30020C9FD8754F4099F9D868C6C87051
PID: -237579 (-369475) C:\WINDOWS\SYSTEM\WMIEXE.EXE
size: 16384
MD5: EA853F9A2653506A4653BD0C056D21A8
PID: -358431 (-91107) C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
size: 49152
MD5: 926A397334FE426A6C7657096FE681DB
PID: -452087 (-91107) C:\WINDOWS\SYSTEM\PROMON.EXE
size: 29184
MD5: 953D76F56C42FA1CCD6C5CEAE70F9471
PID: -406847 (-91107) C:\PROGRAM FILES\CAERE\OMNIPAGEPRO90\OPWARE32.EXE
size: 44032
MD5: 0F3B81AED601A5D281286CCE5C9E99BC
PID: -394659 (-91107) C:\WINDOWS\TASKMON.EXE
size: 28672
MD5: A23BCA4B69AC68FD410B6AFCCB11AF07
PID: -396043 (-406847) C:\PROGRAM FILES\CAERE\OMNIPAGEPRO90\opware16.exe
size: 50384
MD5: 742783D4059BFDEF5A606FBCBCECC450
PID: -417155 (-91107) C:\WINDOWS\SYSTEM\PELMICED.EXE
size: 69632
MD5: D115E69DC5BA0A415B36AE319BCF2E50
PID: -507443 (-91107) C:\IBMTOOLS\APTEZBTN\APTEZBP.EXE
size: 402944
MD5: 22431FE9BD1899EEA770A903B832BE05
PID: -515855 (-91107) C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
size: 360448
MD5: 61C028ABA5E49573A6332F4A7C744E87
PID: -473651 (-91107) C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQTRA08.EXE
size: 288472
MD5: 4543367E50BD35E7D1269D42841B156E
PID: -487395 (-515855) C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
size: 233472
MD5: A80D0704537C0EF97DB2BEF24B99AF1A
PID: -562339 (-473651) C:\WINDOWS\SYSTEM\SPOOL32.EXE
size: 45056
MD5: A20122F5905AB2845D97DCB933912DC4
PID: -530887 (-473651) C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQSTE08.EXE
size: 239320
MD5: 88029974B1C9995CFA3BD9560BBA2EEF
PID: -594875 (-91107) C:\WINDOWS\SYSTEM\DDHELP.EXE
size: 31744
MD5: F62F3495C1E013A63698D556C80E1B62
PID: -716119 (-91107) C:\WINDOWS\NOTEPAD.EXE
size: 53248
MD5: A0E240A517FC49E6A83A1C00B46461C9
PID: -268243 (-91107) C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
size: 91136
MD5: 6D5884C13D655DD1C9E65AFCC19A8D5C
PID: -673823 (-91107) C:\WINDOWS\NOTEPAD.EXE
size: 53248
MD5: A0E240A517FC49E6A83A1C00B46461C9
PID: -728851 (-91107) C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE
size: 4393096
MD5: 09CA174A605B480318731E691DC98539

--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 12/17/2006 5:14:08 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\SYSTEM\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://sympatico.msn.ca/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://home.microsoft.com/access/autosearch.asp?p=%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\SYSTEM\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.sympatico.ca
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

--- Winsock Layered Service Provider list ---
Protocol 0: MS.w95.spi.tcp
GUID: {FF017DE0-CAE9-11CF-8A99-00AA0062C609}
Filename: C:\WINDOWS\SYSTEM\msafd.dll
Description: Microsoft Windows 9x/ME network protocol
DB filename: %windir%\system\msafd.dll
DB protocol: MS.w95.spi.*

Protocol 1: MS.w95.spi.udp
GUID: {FF017DE0-CAE9-11CF-8A99-00AA0062C609}
Filename: C:\WINDOWS\SYSTEM\msafd.dll
Description: Microsoft Windows 9x/ME network protocol
DB filename: %windir%\system\msafd.dll
DB protocol: MS.w95.spi.*

Protocol 2: MS.w95.spi.raw
GUID: {FF017DE0-CAE9-11CF-8A99-00AA0062C609}
Filename: C:\WINDOWS\SYSTEM\msafd.dll
Description: Microsoft Windows 9x/ME network protocol
DB filename: %windir%\system\msafd.dll
DB protocol: MS.w95.spi.*

Protocol 3: MS.w95.spi.rsvptcp
GUID: {ECBDCBA0-334A-11D0-BD88-0000C082E69A}
Filename: C:\WINDOWS\SYSTEM\rsvpsp.dll
Description: Microsoft Windows 9x/ME network protocol
DB filename: %windir%\system\rsvoso.dll
DB protocol: MS.w95.spi.*

Protocol 4: MS.w95.spi.rsvpudp
GUID: {ECBDCBA0-334A-11D0-BD88-0000C082E69A}
Filename: C:\WINDOWS\SYSTEM\rsvpsp.dll
Description: Microsoft Windows 9x/ME network protocol
DB filename: %windir%\system\rsvoso.dll
DB protocol: MS.w95.spi.*

Namespace Provider 0: DNS Name Space Provider.
GUID: {FF017DE2-CAE9-11CF-8A99-00AA0062C609}
Filename: C:\WINDOWS\SYSTEM\rnr20.dll
Description: Microsoft Windows 9x/ME name space provider
DB filename: %windir%\system\rnr20.dll
DB protocol: DNS Name Space Provider.

--- Uninstall list ---
(DXM_Runtime)

(ICW)

Microsoft Internet Explorer*6 Service Pack 1 et Outils Internet (IE40)
uninstall cmd: rundll32 setupwbv.dll,IE6Maintenance C:\Program Files\Internet Explorer\Uninstall Information\W2KEXCP.EXE /u

(DirectDrawEx)

(Fontcore)

(IE5BAKEX)

(SchedulingAgent)

(MobileOptionPack)

(IEData)

(MSJavaVM)

(MSTASK)

(IE4Data)

(PCHealth)
uninstall cmd: rundll.exe setupx.dll,InstallHinfSection Uninstall 132 C:\WINDOWS\INF\PCHealth.inf

NetMeeting 3.01 (NetMeeting)

Microsoft Outlook Express 6 (OutlookExpress)
uninstall cmd: "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /UNINSTALL /PROMPT

(AddressBook)
uninstall cmd: "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /UNINSTALL /PROMPT

(Branding)

Intel(R) PRO Ethernet Adapter and Software (PROSet)
uninstall cmd: 8255xDel.exe

Access IBM (Access IBM)
uninstall cmd: C:\WINDOWS\uninst.exe -f"C:\Ibmtools\Access IBM\DeIsL1.isu" -c"C:\Ibmtools\Access IBM\bin\AccUtils.dll

Boot Manager Diskette (Boot Manager Diskette)
uninstall cmd: C:\WINDOWS\IsUninst.exe -fc:\IBMTOOLS\Uninst.isu

Mouse Suite (MouseSuite98)
uninstall cmd: PMUninst.exe MouseSuite98

SoundMAXWDM (SoundMAXWDM)
uninstall cmd: C:\WINDOWS\SYSTEM\ADIOUT.BAT

IBM Rapid Access Keyboard (IBM Rapid Access Keyboard)
uninstall cmd: C:\WINDOWS\uninst.exe -fC:\ibmtools\DeIsL1.isu -c"c:\ibmtools\aptezbtn\uninst.dll

IBM Screen Saver (IBM Screen Saver)
uninstall cmd: C:\WINDOWS\uninst.exe -fC:\WINDOWS\DeIsL1.isu

IBM Wallpapers (IBM Wallpapers)
uninstall cmd: C:\WINDOWS\uninst.exe -fC:\WINDOWS\DeIsL2.isu

QuickTime (QuickTime)
uninstall cmd: C:\WINDOWS\unvise32qt.exe C:\WINDOWS\SYSTEM\QuickTime\Uninstall.log

Lotus SmartSuite Release 9.5 (SmartSuite V99.0)
uninstall cmd: C:\WINDOWS\lunin11.exe /T SmartSuite /V 99.0 /I "c:\lotus\suit.inf" /C "c:\lotus\cinstall.ini" /O /L EN

InternetClient 2.3 ({F9CB12E0-E3DD-11D4-B8ED-0001031A61FE})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\ENGINE\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F9CB12E0-E3DD-11D4-B8ED-0001031A61FE}\setup.exe" -uninst

ImpôtRapide de Luxe 2000 ({CD07A69D-9ECA-11D4-B8ED-0001031A61FE})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\ENGINE\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CD07A69D-9ECA-11D4-B8ED-0001031A61FE}\SETUP.EXE" -uninst

NetQuest ({02633449-DA49-11D3-A2E3-0050BAA19EBB})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\ENGINE\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{02633449-DA49-11D3-A2E3-0050BAA19EBB}\setup.exe"

(ThyJay)

Conexant HCF V90 56K Data Fax PCI Modem (Uninstall) (Conexant)
uninstall cmd: C:\WINDOWS\SYSTEM\Conexant\setup.exe -u -sd

(expinst)

(IEREADME)

Sympatico 4.75 (Sympatico 4.75)
uninstall cmd: C:\WINDOWS\cd32.exe 4.75 (en)

IBM Update Connector 4.50 ({31C2FBAC-67CF-4093-8F36-15A146613747})
version: 70385664
version (major): 4
version (minor): 50
estimated size: 30657
install date: 20020329
install source: D:\DATA\WINMM\US\UPDATER\
uninstall cmd: MsiExec.exe /X{31C2FBAC-67CF-4093-8F36-15A146613747}
publisher: IBM

Warcraft II BNE (Warcraft II BNE)
uninstall cmd: C:\WINDOWS\W2BNEUnin.exe C:\WINDOWS\W2BNEUnin.dat

Scan Manager 5.2 5.2 ({E0A1559B-9886-11D4-8D06-0050DA284A39})
version: 84017152
version (major): 5
version (minor): 2
estimated size: 3938
install date: 20020920
install source: D:\OMNIPAGE\ENGLISH\SCANMGR\
uninstall cmd: MsiExec.exe /I{E0A1559B-9886-11D4-8D06-0050DA284A39}
publisher: ScanSoft, Inc.

RealPlayer 7 Basic (RealPlayer 6.0)
uninstall cmd: C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0

Shockwave (Shockwave)
uninstall cmd: C:\WINDOWS\SYSTEM\MACROMED\SHOCKW~1\UNWISE.EXE C:\WINDOWS\SYSTEM\MACROMED\SHOCKW~1\INSTALL.LOG

Adobe Acrobat 5.0 5.0 (Adobe Acrobat 5.0)
version (major): 5
install location: C:\Program Files\Adobe\Acrobat 5.0
install source: C:\WINDOWS\TEMP\pft6225~TMP\
uninstall cmd: C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\ME\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\ME\Uninst.dll"
publisher: Adobe Systems, Inc.
help link: http://www.adobe.com/prodindex/acrobat/main.html

({D41FAAA9-8048-4906-86B2-9AADEA1FA0B7})

OmniPage Pro 9.0 (OmniPagePro9.0DeinstKey)
uninstall cmd: C:\Program Files\Caere\OmniPagePro90\Deinstall.exe "C:\Program Files\Caere\OmniPagePro90\uninstall.exe -f'C:\Program Files\Caere\OmniPagePro90\DeIsL1.isu'"

Windows Millennium Edition Q823559 Update (Q823559)
uninstall cmd: RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\QFE\WinME\823559UN.INF

ArcSoft Panorama Maker 3.0 ({1CABB679-3958-44AA-BFFF-4E68A2684255})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\ENGINE\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1CABB679-3958-44AA-BFFF-4E68A2684255}\SETUP.EXE" -l0x9 -uninst

Macromedia Flash Player 8 8 (ShockwaveFlash)
uninstall cmd: C:\WINDOWS\SYSTEM\Macromed\Flash\UninstFl.exe
publisher: Macromedia
help link: http://www.macromedia.com/go/flashplayer_support/

Nikon View 6 ({AAB84E83-C8DF-4752-9DFC-2E2A48EE5E9F})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\ENGINE\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AAB84E83-C8DF-4752-9DFC-2E2A48EE5E9F}\setup.exe" UNINSTALL

Adobe Photoshop Elements 2.0 2.0 (Adobe Photoshop Elements 2.0)
version (major): 2
install location: C:\Program Files\Adobe\Photoshop Elements 2
install source: D:\Adobe Photoshop Elements\
uninstall cmd: C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop Elements 2\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop Elements 2\Uninst.dll"
publisher: Adobe Systems, Inc.

ArcSoft PhotoBase (ArcSoft PhotoBase)
uninstall cmd: C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ArcSoft\PhotoBase\Uninst.isu"

Microsoft Backup (Microsoft Backup)
uninstall cmd: C:\WINDOWS\rundll.exe setupx.dll,InstallHinfSection msbackup_remove 132 C:\WINDOWS\INF\msbackup.inf

Yahoo! Photos Easy Upload Tool 1v4 (Yahoo! Photos Drag-Drop Uploader 1v4)
uninstall cmd: C:\WINDOWS\SYSTEM\regsvr32 /u /s "C:\WINDOWS\DOWNLOADED PROGRAM FILES\YDROPPERCA.DLL"
publisher: Yahoo! Inc.

IrfanView (remove only) (IrfanView)
uninstall cmd: C:\PROGRAM FILES\IRFANVIEW\iv_uninstall.exe

(InstallShield Uninstall Information)

Microsoft Office XP Professional with FrontPage 10.0.2627.0 ({90280409-6000-11D3-8CFE-0050048383C9})
version: 167774787
version (major): 10
estimated size: 345512
install date: 20050202
install location: INSTALLLOCATION
install source: D:\
uninstall cmd: MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
publisher: Microsoft Corporation
help link: http://www.microsoft.com/support
readme: C:\Program Files\Microsoft Office\Office10\1033\OFREAD10.HTM

Microsoft FrontPage 2002 SBS Files (Microsoft FrontPage 2002 SBS Files)
uninstall cmd: C:\WINDOWS\MSPUNIN.EXE `C:\SBS\FrontPage` Microsoft FrontPage 2002 SBS Files

JGsoft EditPad Lite 5.4.3 5.4.3 (EditPad Lite)
estimated size: 1996
install date: 20050325
install location: C:\Program Files\JGsoft\EditPadLite
uninstall cmd: C:\WINDOWS\UnDeploy.exe "C:\Program Files\JGsoft\EditPadLite\Deploy.log"
publisher: JGsoft
help link: http://www.editpadlite.com/editpadlite.html

EVEREST Home Edition v2.01 2.01 (EVEREST Home Edition_is1)
install location: C:\Program Files\Lavalys\EVEREST Home Edition\
uninstall cmd: "C:\Program Files\Lavalys\EVEREST Home Edition\unins000.exe"
publisher: Lavalys Inc
help link: http://www.lavalys.com

Ad-Aware SE Personal 1.06 (Ad-Aware SE Personal)
uninstall cmd: C:\PROGRA~1\LAVASOFT\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\LAVASOFT\AD-AWA~1\INSTALL.LOG
publisher: Lavasoft
help link: http://www.lavasoft.com

Internet Explorer Q891781 (ieupdate)
uninstall cmd: C:\WINDOWS\ieuninst.exe C:\WINDOWS\INF\Q891781.inf

Internet Explorer Q903235 (Q903235)
uninstall cmd: C:\WINDOWS\ieuninst.exe C:\WINDOWS\INF\Q903235.inf
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=903235

Windows Millennium Edition KB891711 Update (891711)
uninstall cmd: RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\QFE\WinME\891711UN.INF

SpywareBlaster v3.5.1 3.5.1 (SpywareBlaster_is1)
install location: C:\Program Files\SpywareBlaster\
uninstall cmd: "C:\Program Files\SpywareBlaster\unins000.exe"
publisher: Javacool Software LLC

(IE_EXTRA)

(VGX)

(ADIELangPack)
uninstall cmd: RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\AD.inf, Uninstall

(Microsoft NetShow Player 2.0)

Efficient Networks SpeedStream DSL (EfntSSDSL)
uninstall cmd: C:\Program Files\Efficient Networks\SpeedStream DSL\setup.exe -uninstall

Spybot - Search & Destroy 1.4 1.4 (Spybot - Search & Destroy_is1)
install location: C:\Program Files\Spybot - Search & Destroy\
uninstall cmd: "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
publisher: Safer Networking Limited

avast! Antivirus 4.7 (avast!)
version (major): 4
version (minor): 7
install location: C:\PROGRA~1\ALWILS~1\AVAST4
install source: C:\PROGRA~1\ALWILS~1\AVAST4\SETUP
uninstall cmd: rundll32 C:\PROGRA~1\ALWILS~1\AVAST4\SETUP\SETIFACE.DLL,RunSetup
publisher: Alwil Software
help link: http://www.avast.com

Kerio Personal Firewall 2.1.5 ({51C8741C-4A91-42A6-B6A2-CB891F7398A1})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\ENGINE\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{51C8741C-4A91-42A6-B6A2-CB891F7398A1}\SETUP.EXE" -removeall

SpywareGuard v2.2 2.2 (SpywareGuard_is1)
uninstall cmd: "C:\Program Files\SpywareGuard\unins000.exe"
publisher: Javacool Software LLC

Microsoft PowerPoint Viewer 97 (PPTView97)
uninstall cmd: C:\Program Files\PowerPoint Viewer\setup\setup.exe

MWSnap 3 3.0.0.74 (MWSnap 3)
uninstall cmd: "C:\Program Files\MWSnap\uninstall.exe"
publisher: Mirek Wojtowicz

VMN Toolbar (vmntoolbar)
uninstall cmd: C:\Program Files\vmntoolbar\uninstall.exe -uninstall -prompt

CCleaner (remove only) (CCleaner)
uninstall cmd: "C:\Program Files\CCleaner\uninst.exe"

Kaspersky Online Scanner 5.0.83.0 (Kaspersky Online Scanner)
estimated size: 6040
install location: C:\WINDOWS\SYSTEM\KASPER~1\KASPER~2
uninstall cmd: C:\WINDOWS\SYSTEM\KASPER~1\KASPER~2\kavuninstall.exe
publisher: Kaspersky Lab
contact: Customer Support Department
help link: http://www.kaspersky.com/support.asp

Microsoft Age of Empires (Age of Empires)
uninstall cmd: C:\Program Files\Microsoft Games\Age of Empires\Uninstal.exe /uninstall

(MPlayer2)

(ABBYY FineReader 5.0 Sprint)

70.0.170.000 ({66910000-8B30-4973-A159-6371345AFFA5})
version: 1174405290
version (major): 70
estimated size: 609
install date: 20061212
install source: D:\setup\WebReg\
publisher: Hewlett-Packard

HijackThis 1.99.1 1.99.1 (HijackThis)
uninstall cmd: C:\WINDOWS\DESKTOP\HijackThis.exe /uninstall
publisher: Soeperman Enterprises Ltd.

HP Photosmart, Officejet and Deskjet 7.0.A ({BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C})
uninstall cmd: C:\Program Files\HP\Digital Imaging\{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}\setup\hpzscr01.exe -datfile hposcr11.dat
publisher: HP
help link: http://www.hp.com/support

70.0.231.000 ({C8753E28-2680-49BF-BD48-DD38FD086EFE})
version: 1174405351
version (major): 70
estimated size: 3081
install date: 20061215
install source: D:\setup\AiO_Scan\
publisher: Hewlett-Packard

70.0.231.000 ({68763C27-235D-4165-A961-FDEA228CE504})
version: 1174405351
version (major): 70
estimated size: 4356
install date: 20061215
install source: D:\setup\AiOSoftwarenpi\
publisher: Hewlett-Packard

70.0.231.000 ({F6076EF9-08E1-442F-B6A2-BFB61B295A14})
version: 1174405351
version (major): 70
estimated size: 24555
install date: 20061215
install source: D:\setup\fax\
publisher: Hewlett-Packard

7.0.0.0 ({F3760724-B29D-465B-BC53-E5D72095BCC4})
version: 117440512
version (major): 7
estimated size: 18114
install date: 20061215
install source: D:\setup\Scan\
publisher: Hewlett-Packard
comments: 0
contact: 0
help link: 0
help telephone: 0
readme: 0

70.0.231.000 ({736C803C-DD3B-4015-BC51-AFB9E67B9076})
version: 1174405351
version (major): 70
estimated size: 64
install date: 20061215
install source: D:\setup\readme\
publisher: Hewlett-Packard

70.0.231.000 ({FBB980B0-63F8-4B48-8D65-90F1D9F81D9F})
version: 1174405351
version (major): 70
estimated size: 3257
install date: 20061215
install source: D:\setup\newcopy\
publisher: Hewlett-Packard

3.0.7.009 ({8ADC27DB-E2C8-446C-A576-166C05C2DD24})
version: 50331655
version (major): 3
install date: 20061215
install source: D:\setup\HPSoftwareUpdate\
publisher: Hewlett-Packard

HP Software Update 3.0.7.014 ({BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E})
version: 50331655
version (major): 3
estimated size: 2913
install date: 20061215
install source: D:\setup\HPSoftwareUpdate\
uninstall cmd: MsiExec.exe /X{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}
publisher: HEWLET~1|Hewlett-Packard
contact: http://www.hp.com/support

1.00.0000 ({66E6CE0C-5A1E-430C-B40A-0C90FF1804A8})
version: 16777216
version (major): 1
install date: 20061215
install source: D:\setup\QFolder\
publisher: Hewlett-Packard

70.0.170.000 ({4EA684E9-5C81-4033-A696-3019EC57AC3A})
version: 1174405290
version (major): 70
estimated size: 4629
install date: 20061215
install source: D:\setup\hpproductassistant\
publisher: Hewlett-Packard

70.0.170.000 ({C7F54CF8-D6FB-4E0A-93A3-E68AE0D6C476})
version: 1174405290
version (major): 70
estimated size: 11385
install date: 20061215
install source: D:\setup\SolutionCenter\
publisher: Hewlett-Packard

70.0.170.000 ({45B8A76B-57EC-4242-B019-066400CD8428})
version: 1174405290
version (major): 70
estimated size: 2529
install date: 20061215
install source: D:\setup\BufferChm\
publisher: Hewlett-Packard

HP Solution Center 7.0 7.0 (HP Solution Center & Imaging Support Tools)
uninstall cmd: C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
publisher: HP
help link: http://www.hp.com/support

1.00.0000 ({AB5D51AE-EBC3-438D-872C-705C7C2084B0})
version: 16777216
version (major): 1
install date: 20061215
install source: D:\setup\QFolder\
publisher: Hewlett-Packard

70.0.170.000 ({FB15E224-67C3-491F-9F5C-F257BC418412})
version: 1174405290
version (major): 70
estimated size: 20083
install date: 20061215
install source: D:\setup\Destinations\
publisher: Hewlett-Packard

70.0.170.000 ({DBC20735-34E6-4E97-A9E5-2066B66B243D})
version: 1174405290
version (major): 70
estimated size: 939
install date: 20061215
install source: D:\setup\TrayApp\
publisher: Hewlett-Packard

70.0.170.000 ({8331C3EA-0C91-43AA-A4D4-27221C631139})
version: 1174405290
version (major): 70
estimated size: 4187
install date: 20061215
install source: D:\setup\Status\
publisher: Hewlett-Packard

70.0.170.000 ({2376813B-2E5A-4641-B7B3-A0D5ADB55229})
version: 1174405290
version (major): 70
estimated size: 17319
install date: 20061215
install source: D:\setup\HPPhotoSmartExpress\
publisher: Hewlett-Packard

70.0.170.000 ({F157460F-720E-482f-8625-AD7843891E5F})
version: 1174405290
version (major): 70
estimated size: 6594
install date: 20061215
install source: D:\setup\InstantShareDevicesMFC\
publisher: Hewlett-Packard

7.0.0.0 ({996512CF-F35B-48DE-9291-557FA5316967})
version: 117440512
version (major): 7
estimated size: 4836
install date: 20061215
install source: D:\setup\ScannerCopy\
publisher: Hewlett-Packard
comments: 0
contact: 0
help link: 0
help telephone: 0
readme: 0

70.0.170.000 ({6909F917-5499-482e-9AA1-FAD06A99F231})
version: 1174405290
version (major): 70
estimated size: 5889
install date: 20061215
install source: D:\setup\Toolbox\
publisher: Hewlett-Packard

HP Imaging Device Functions 7.0 7.0 (HP Imaging Device Functions)
uninstall cmd: C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
publisher: HP
help link: http://www.hp.com/support

HP Photosmart Essential 1.9.1.3 ({6994491D-D491-48F1-AE1F-E179C1FFFC2F})
version: 17367041
version (major): 1
version (minor): 9
estimated size: 13291
install date: 20061215
install location: C:\Program Files\HP\Photosmart Essential\
install source: D:\setup\ImageZoneExpress\
uninstall cmd: MsiExec.exe /X{6994491D-D491-48F1-AE1F-E179C1FFFC2F}
publisher: HP

70.0.231.000 ({7E7B7865-6C80-4373-8BC1-C2EB9431F9DE})
version: 1174405351
version (major): 70
estimated size: 802
install date: 20061215
install source: C:\Program Files\HP\Digital Imaging\{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}\
publisher: Hewlett-Packard

70.0.231.000 ({E5966E4C-0A93-4F59-A981-BD3173D4799F})
version: 1174405351
version (major): 70
estimated size: 5569
install date: 20061215
install source: D:\Setup\AiOHelp\
publisher: Hewlett-Packard

70.0.231.000 ({05C56753-F144-44BC-BA67-83CC5DBF395C})
version: 1174405351
version (major): 70
estimated size: 164
install date: 20061215
install source: C:\Program Files\HP\Digital Imaging\{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}\Product\
publisher: Hewlett-Packard

Panda ActiveScan (Panda ActiveScan)
uninstall cmd: C:\WINDOWS\SYSTEM\ASUninst.exe Panda ActiveScan
publisher: Panda Software S.L.

--- System Services ---
Service (registry key): Class
Start: 0
Type: 0
Error Control: 0

Service (registry key): VxD
Start: 0
Type: 0
Error Control: 0

Service (registry key): Winsock
Start: 0
Type: 0
Error Control: 0

Service (registry key): rt
Image path: \SystemRoot\system32\drivers\rt.sys
Start: 0
Type: 0
Error Control: 0

Service (registry key): WDMFS
Display name: WDM Windows File System Mapper
Image path: \SystemRoot\System32\Drivers\wdmfs.sys
Start: 0
Type: 0
Error Control: 0

Service (registry key): RemoteAccess
Start: 0
Type: 0
Error Control: 0

Service (registry key): ATMARPC
Display name: ATM ARP Module
Image path: \SystemRoot\System\atmarpc.sys
Start: 0
Type: 0
Error Control: 0

Service (registry key): USB
Start: 0
Type: 0
Error Control: 0

Service (registry key): StiSvc
Start: 0
Type: 0
Error Control: 0

Service (registry key): EventLog
Start: 0
Type: 0
Error Control: 0

Service (registry key): ProtectedStorage
Start: 0
Type: 0
Error Control: 0

Service (registry key): W3SVC
Start: 0
Type: 0
Error Control: 0

Service (registry key): wdmaud
Image path: \SystemRoot\system32\drivers\wdmaud.sys
Start: 0
Type: 0
Error Control: 0

Service (registry key): redbook
Image path: \SystemRoot\system32\drivers\redbook.sys
Start: 0
Type: 0
Error Control: 0

Service (registry key): sbemul
Image path: \SystemRoot\system32\drivers\sbemul.sys
Start: 0
Type: 0
Error Control: 0

Service (registry key): Arbitrators
Start: 0
Type: 0
Error Control: 0

Service (registry key): ACPI
Start: 0
Type: 0
Error Control: 0

Service (registry key): Winsock2
Start: 0
Type: 0
Error Control: 0

Service (registry key): MSNP32
Start: 0
Type: 0
Error Control: 0

Service (registry key): NPSTUB
Start: 0
Type: 0
Error Control: 0

Service (registry key): aswRdr
Start: 0
Type: 0
Error Control: 0

Service (registry key): Cdr4vsd
Start: 0
Type: 0
Error Control: 0


----------



## Cookiegal (Aug 27, 2003)

I see SpyBot is no longer detecting anything, is that right?

I'm attaching a Fixti-gris.zip file to this post. Save it to your desktop. Unzip it and double click the Fixti-gris.reg file and allow it to enter into the registry.

*Click Here* and download Killbox and save it to your desktop but don't run it yet.

Then boot to safe mode:

 *How to restart to safe mode*

Double-click on Killbox.exe to run it. 

Put a tick by *Standard File Kill*. 
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

*c:\windows\system\favset.exe*

Click on the button that has the red circle with the X in the middle after you enter each file. 
It will ask for confirmation to delete the file. 
Click Yes. 
Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
Killbox may tell you that one or more files do not exist. 
If that happens, just continue on with all the files. Be sure you don't miss any.
Next in Killbox go to *Tools > Delete Temp Files*
In the window that pops up, put a check by *ALL* the options there *except* these three:
XP Prefetch
Recent
History

Now click the *Delete Selected Temp Files* button.
Exit the Killbox.

Reboot and post another Panda scan please.


----------



## ti-gris (Apr 23, 2005)

Cookiegal
Ran Killbox ok. Ran another Panda, attached log.

Incident Status Location

Potentially unwanted tool:application/kill&clean Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{BF69DF00-2734-477F-8257-27CD04F88779} 
Spyware:Cookie/Atwola Not disinfected C:\Program Files\Netscape\Communicator\Users\pat\cookies.txt[.atwola.com/] 
Spyware:Cookie/Overture Not disinfected C:\Program Files\Netscape\Communicator\Users\pat\cookies.txt[.overture.com/] 
Spyware:Cookie/QkSrv Not disinfected C:\Program Files\Netscape\Communicator\Users\pat\cookies.txt[.qksrv.net/] 
Spyware:Cookie/Tribalfusion Not disinfected C:\Program Files\Netscape\Communicator\Users\pat\cookies.txt[.tribalfusion.com/] 
Virus:Trj/Small.TA Disinfected C:\!KillBox\favset.exe 
p.s. Panda takes well over an hour.


----------



## Cookiegal (Aug 27, 2003)

Are you comfortable editing the registry manually?


----------



## ti-gris (Apr 23, 2005)

Cookiegal:

Yes, Spybot is not detecting Smithfraud anymore.
There are just the 4 stubborn Spywares left.

Btw I ran Avast AV which reports a virus (type: malware/worm) PSKAAVS.dll. The log is attached. It was successfully moved to the chest and later removed.

*12:27 PM 12/18/2006
* Task 'Simple user interface' used
* Started on Monday, December 18, 2006 10:35:52 AM
* VPS: 0650-1, 11/22/2006
*

c:\WINDOWS\SYSTEM\ActiveScan\pskavs.dll [L] Win32:CTX (0)
File was successfully moved to chest...
c:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip\PMUNINST.EXE [E] Archive is password protected. (42056)
c:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip\sbRecovery.ini [E] Archive is password protected. (42056)
Infected files: 1
Total files: 111125
Total folders: 2984
Total size: 5.0 GB

*
* Task stopped: Monday, December 18, 2006 12:22:01 PM
* Run-time was 1 hour(s), 46 minute(s), 9 second(s)
*

Tks for your help thus far.


----------



## ti-gris (Apr 23, 2005)

Never did, but willing.


----------



## ti-gris (Apr 23, 2005)

Cookiegal,

you asked "Are you comfortable editing the registry manually?"

I'm not sure if I pressed the button, here is my answer again just in case:
Never did, but willing.


----------



## Cookiegal (Aug 27, 2003)

That is a false positive. The file belongs to Panda and there is a conflict between Panda and Avast.

Go to Start > Run
Type:
*regedit*
Click OK.
On the left side, click to highlight *My Computer* at the top. 
Go up to "*File > Export*"
Make sure in that window there is a tick next to "All" under Export Branch.
Leave the "Save As Type" as "Registration Files".
Under "Filename" put *backup*

Choose to save it to *C:\* or somewhere else safe so that you will remember where you put it (don't put it on the desktop!)
Click save and then go to File > Exit.
This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.

Go to Start - Run - type in regedit and click OK to open the registry editor.

Expand each of the following keys/sub-keys by clicking on the + that you see to their left:

HKEY_CURRENT_USER
Software
Microsoft
Internet Explorer
extensions

Then click on *CmdMapping* and you will see several listings in the right-hand pane.

Find the following and right-click on it and then select "delete". Be sure all the numbers are identical.

*{BF69DF00-2734-477F-8257-27CD04F88779}*

Close the registry editor.

Reboot and run another Panda scan please. You may get another alert from Avast about a virus when running the scan.


----------
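The manual CmdMapping deletion described in Cookiegal's post above, written out as a registry script in the same form as the Fixti-gris.reg file attached earlier in this thread. This is an added example, not Cookiegal's fix file and not anything produced by Panda or Spybot; the backup path C:\backup.reg and the script's file name are assumptions. It only removes the one value Panda flagged and leaves the CmdMapping key and its other entries alone.

```reg
REGEDIT4

; Added example, not the Fixti-gris.reg Cookiegal attached earlier.
; REGEDIT4 is the header Windows 9x/ME regedit writes and expects; newer
; Windows versions write "Windows Registry Editor Version 5.00" but still
; import REGEDIT4 files.
;
; Back up first, exactly as in the post: File > Export with "All" selected,
; or from a command prompt (the path is an assumption):
;     regedit /e C:\backup.reg
;
; A value name followed by =- deletes that single value and leaves the key
; and its other values untouched. That is what the right-click > Delete on
; one entry in the right-hand pane does; the GUID below is the one Panda
; reported under CmdMapping, copied from the scan log above.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping]
"{BF69DF00-2734-477F-8257-27CD04F88779}"=-
```

Save the text as, for example, remove-cmdmapping.reg and double click it (or run `regedit /s remove-cmdmapping.reg` for a silent import). If the value turns out to be needed after all, importing C:\backup.reg restores the exported state, which is why the export is done before the deletion and not after.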



## ti-gris (Apr 23, 2005)

Cookiegal:
Panda ok. Don't see any report so I cut and paste:

No viruses or other malicious software have been found! Scan again 
See report 
Scan finished Stop 
Scanning processes in memory  Scan report Save report 
Scan again 
Send to laboratory 
Save report 
Scan again 
ActiveScan only disinfects viruses. To disinfect all threats, buy or try a recommended security product. ActiveScan gives you a deep second opinion analysis of the security level of your PC. Detected Disinfected 
Virus 0 0 
Spyware 0 0 
Hacking tools and rootkits 0 0 
Dialers 0 0 
Security Risks 0 0 
Suspicious files 0 0

Looks like it's ok.

By the way did you see my post #16? :

Yes, Spybot is not detecting Smithfraud anymore.
There are just the 4 stubborn Spywares left.

By the way, I ran Avast AV, which reports a virus (type: malware/worm) PSKAAVS.dll. The log is attached. It was successfully moved to the chest and later removed.

*12:27 PM 12/18/2006
* Task 'Simple user interface' used
* Started on Monday, December 18, 2006 10:35:52 AM
* VPS: 0650-1, 11/22/2006
*

c:\WINDOWS\SYSTEM\ActiveScan\pskavs.dll [L] Win32:CTX (0)
File was successfully moved to chest...
c:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip\PMUNINST.EXE [E] Archive is password protected. (42056)
c:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip\sbRecovery.ini [E] Archive is password protected. (42056)
Infected files: 1
Total files: 111125
Total folders: 2984
Total size: 5.0 GB

*
* Task stopped: Monday, December 18, 2006 12:22:01 PM
* Run-time was 1 hour(s), 46 minute(s), 9 second(s)
*

Tks for your help thus far.

Thanks a lot for your patience, I just missed you this haf, and if the above is nothing to be bothered about, have a nice holiday. Greetings.

__________________
____________________________
cogito ergo sum


----------



## Cookiegal (Aug 27, 2003)

Yes, I replied above that it was a false positive.

What are the 4 spyware? I only see the Panda false positive and two items that were deleted by SpyBot?


----------



## Cookiegal (Aug 27, 2003)

Let's run SmitRem for good measure. It will run on ME.

*Click here* to download smitRem.exe. 
Save the file to your desktop. 
It is a self extracting file.
Double click the smitRem.exe and it will extract the files to a smitRem folder on your desktop. 

Now boot to safe mode.

Open the *smitRem* folder, then double click the *RunThis.bat* file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log in your next reply.


----------



## ti-gris (Apr 23, 2005)

Cookiegal

I followed your instructions to the letter. Once in Safe Mode and after double clicking on the RunThis.bat file, the tool starts in DOS and, following the prompts, it says "click on any key" but nothing happens.

As for the 4 spywares:

post # 15 (Panda scan)
Adware:adware/ideskbar Not disinfected c:\windows\system\favset.exe 
Potentially unwanted tool:application/kill&clean Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{BF69DF00-2734-477F-8257-27CD04F88779} 
Spyware:Cookie/Atwola Not disinfected C:\Program Files\Netscape\Communicator\Users\pat\cookies.txt[.atwola.com/] 
Spyware:Cookie/Overture Not disinfected C:\Program Files\Netscape\Communicator\Users\pat\cookies.txt[.overture.com/] 
Spyware:Cookie/QkSrv Not disinfected C:\Program Files\Netscape\Communicator\Users\pat\cookies.txt[.qksrv.net/] 
Spyware:Cookie/Tribalfusion Not disinfected C:\Program Files\Netscape\Communicator\Users\pat\cookies.txt[.tribalfusion.com/]

Post # 16 
Yes, Spybot is not detecting Smithfraud anymore.
There are just the 4 stubborn Spywares left.

It might be nothing??? Your suggestions please...


----------



## Cookiegal (Aug 27, 2003)

I think you've got your wires crossed.  

The Panda scan you referred to (post 15 is incorrect) is an older one. You have since run a scan that came up clean.

I still don't know what the 4 spyware are that you say SpyBot is finding though. I see two items that are in its backups (recovery) so they are no threat.

Please clarify what the 4 spyware are.


----------



## ti-gris (Apr 23, 2005)

Sorry, my bad. Should have read post #14, which read:

Ran KillBox ok. Ran another Panda, attached log.

Incident Status Location

Potentially unwanted tool:application/kill&clean Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{BF69DF00-2734-477F-8257-27CD04F88779} 
Spyware:Cookie/Atwola Not disinfected C:\Program Files\Netscape\Communicator\Users\pat\cookies.txt[.atwola.com/] 
Spyware:Cookie/Overture Not disinfected C:\Program Files\Netscape\Communicator\Users\pat\cookies.txt[.overture.com/] 
Spyware:Cookie/QkSrv Not disinfected C:\Program Files\Netscape\Communicator\Users\pat\cookies.txt[.qksrv.net/] 
Spyware:Cookie/Tribalfusion Not disinfected C:\Program Files\Netscape\Communicator\Users\pat\cookies.txt[.tribalfusion.com/] 
Virus:Trj/Small.TA Disinfected C:\!KillBox\favset.exe

I was referring to these Spyware: Cookies - Atwola, Overture, QkSrv, Tribalfusion.

I guess those cookies are harmless?
Just ran scans with: Ad-Aware, CWShredder, Spybot S&D, Panda: nothing found!

Sorry if you had to put up with an old nut. Have a Merry Holiday. Marking this as Solved.
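The Panda lines quoted in this post (and in the earlier post #15) are one record per line in the form `Category:Name Status Location`, and the thread's confusion came from reading an old report as a new one and from not separating tracking cookies from the registry entry. The Python below is an added example, not part of the thread or of Panda's own software: it parses such lines, classifies each location as a tracking-cookie entry (a `cookies.txt[.domain/]` reference inside a Netscape profile), a registry path, or a file, and reports which entries are still outstanding. The sample text is assembled from lines quoted in this thread; the parsing rules are assumptions inferred from those lines, not Panda's documented format.

```python
"""Triage Panda ActiveScan incident lines (Category:Name Status Location).
Added example for this thread; the line format is inferred from the posted
report, not taken from Panda documentation."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample assembled from lines quoted in the thread (posts #14 and #15).
SAMPLE_REPORT = r"""Incident Status Location

Adware:adware/ideskbar Not disinfected c:\windows\system\favset.exe
Potentially unwanted tool:application/kill&clean Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{BF69DF00-2734-477F-8257-27CD04F88779}
Spyware:Cookie/Atwola Not disinfected C:\Program Files\Netscape\Communicator\Users\pat\cookies.txt[.atwola.com/]
Spyware:Cookie/Overture Not disinfected C:\Program Files\Netscape\Communicator\Users\pat\cookies.txt[.overture.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Program Files\Netscape\Communicator\Users\pat\cookies.txt[.qksrv.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Program Files\Netscape\Communicator\Users\pat\cookies.txt[.tribalfusion.com/]
Virus:Trj/Small.TA Disinfected C:\!KillBox\favset.exe
"""

_LINE_RE = re.compile(
    r"^(?P<category>[^:]+):(?P<name>\S+)\s+"
    r"(?P<status>Not disinfected|Disinfected)\s+(?P<location>.+?)\s*$"
)
# Netscape/Mozilla keep cookies in a cookies.txt inside the profile; the
# report names a cookie as "<path to cookies.txt>[<domain>/]".
_COOKIE_RE = re.compile(r"^(?P<file>.+cookies\.txt)\[(?P<domain>[^\]]+)\]$", re.IGNORECASE)


@dataclass
class Incident:
    category: str
    name: str
    status: str
    location: str
    kind: str                         # "cookie", "registry" or "file"
    cookie_file: Optional[str] = None
    cookie_domain: Optional[str] = None


def classify(location: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Decide what kind of object a location refers to."""
    m = _COOKIE_RE.match(location)
    if m:
        return "cookie", m.group("file"), m.group("domain").rstrip("/")
    if location.upper().startswith("HKEY_"):
        return "registry", None, None
    return "file", None, None


def parse_report(text: str) -> List[Incident]:
    """Parse every incident line; the header, blank lines and anything that
    does not fit the pattern are ignored."""
    incidents: List[Incident] = []
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, cfile, domain = classify(m.group("location"))
        incidents.append(Incident(m.group("category"), m.group("name"), m.group("status"),
                                  m.group("location"), kind, cfile, domain))
    return incidents


def outstanding(incidents: List[Incident]) -> List[Incident]:
    """Everything Panda did not already disinfect still needs a decision."""
    return [i for i in incidents if i.status == "Not disinfected"]


def summarize(incidents: List[Incident]) -> Dict[str, int]:
    """Count outstanding items per kind; cookies are the low-risk bucket that
    the browser's own cookie manager can clear."""
    counts: Dict[str, int] = {"cookie": 0, "registry": 0, "file": 0}
    for i in outstanding(incidents):
        counts[i.kind] += 1
    return counts


def cookie_domains(incidents: List[Incident]) -> List[str]:
    """Domains of the flagged tracking cookies, for blocking in the browser."""
    return sorted({i.cookie_domain for i in incidents if i.kind == "cookie" and i.cookie_domain})


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print("outstanding by kind:", summarize(found))
    print("cookie domains to clear/block:", cookie_domains(found))
    for i in outstanding(found):
        if i.kind != "cookie":
            print("needs manual attention:", i.category, i.name, "->", i.location)
```

On the sample, four of the six outstanding items are cookies in Netscape's cookies.txt, which is why the browser's cookie manager rather than a registry edit is the right place to clear them; the one registry item is the CmdMapping value, and the one file is the favset.exe that later shows up as already disinfected in the KillBox folder.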


----------



## Cookiegal (Aug 27, 2003)

You need to delete those cookies and be sure to block them.

Now I'm confused.  


We deleted this key from the registry:

Potentially unwanted tool:application/kill&clean Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{BF69DF00-2734-477F-8257-27CD04F88779} 

Panda came up clean.

and now Panda shows this registry key again?


----------



## ti-gris (Apr 23, 2005)

Cookiegal: No confusion = 
Please see my post # 20. I did remove the BF69 etc. but forgot to tell you. Just confirmed that in the registry right now. Then I reported:
Panda ok. Don't see any report so I cut and paste:

No viruses or other malicious software have been found!
Scan finished
Scanning processes in memory

ActiveScan only disinfects viruses. To disinfect all threats, buy or try a recommended security product. ActiveScan gives you a deep second opinion analysis of the security level of your PC.

| | Detected | Disinfected |
|---|---|---|
| Virus | 0 | 0 |
| Spyware | 0 | 0 |
| Hacking tools and rootkits | 0 | 0 |
| Dialers | 0 | 0 |
| Security Risks | 0 | 0 |
| Suspicious files | 0 | 0 |

Will try to get rid of those four Spyware cookies.

All is well that ends well, nite  :up:


----------



## Cookiegal (Aug 27, 2003)

That's great! 

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

First, click on Start, go to Programs, then System Tools, and click on System Restore.

The System Restore window will open and give you a brief description of what the System Restore utility does.

Click on Create a Restore Point and then click Next.

It will ask you to give a Restore Point description. Give it a description that will be easy to identify in case you need to restore the computer in the future. It automatically records the date and time that the restore point was created so there is no need to include that in the description.

When finished click Next.

It will take you to a screen asking you to confirm the new Restore Point. Click OK. 
The System Restore window will close and you are now finished.

I also recommend downloading  *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.

DELETE YOUR TEMPORARY FILES:

Go to Start - Run and type *%temp%* in the Run box. The Temp folder will open. Click *Edit - Select All* then hit *Delete* to delete the entire contents of the Temp folder.

Also go to Control Panel - Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


----------



## ti-gris (Apr 23, 2005)

Cookiegal:
Thanks for the feedback. Did all you asked. However, out of 1479 temp files these 3 won't be deleted: DF6FEB, DFBFE5, hpcdr09 (a Windows log file).

As for SPYWAREBLASTER I had it along with SPYWAREGUARD for some time.

Will check for the 4 spyware cookies (if I can). Will run Panda, might be a good place to see if they're still there?

I can recognize professionalism when I see it.
Merry Christmas and Happy New Year. :up:


----------



## Cookiegal (Aug 27, 2003)

It's normal that a few temp files can't be deleted as they are probably in use so nothing to worry about.


In Netscape, go into Tasks - Privacy and Security - Cookie Manager and you should be able to delete the cookies from there.


Merry Christmas and Happy New Year!


----------

