# Solved: Help, being held captive by the evil Zlob.



## bandyandy (Aug 26, 2006)

Hi folks, got home last night to my teenage son looking sheepish and telling me he had downloaded some video codec and ended up with loads of pop-ups trying to get him to buy dodgy antispyware programs. Anyway, long story short, the evil Zlob has taken over. I seem to have got rid of its babies but SpyHunter tells me I have 53 Zlob.Trojan registry entries and 2 Zlob.VideoAccess registry entries along with an Activity Logger 2.0 registry entry. Anyway, hope some kind soul out there will rescue me (or at least, help me to rescue myself). HJT log follows.
Cheers,
Andy

Logfile of HijackThis v1.99.1
Scan saved at 23:40:13, on 04/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Bandwidth\BandMon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Creative\MediaSource\CTCMS.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (disabled by BHODemon)
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [BatchBandwidth] C:\Program Files\Bandwidth\BandMon.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - 
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - 
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - 
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - 
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - 
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FC7A7DE-D4FA-47A2-BAAC-2507077E503E}: NameServer = 84.203.254.34,84.203.255.34
O17 - HKLM\System\CCS\Services\Tcpip\..\{F97CD4AF-2BC6-4C6A-8182-E544357D0C97}: NameServer = 84.203.254.34,84.203.255.34
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: CwWLEvent - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


----------



## Cheeseball81 (Mar 3, 2004)

Please download *SmitfraudFix* (by *S!Ri*)
Extract the content (a folder named *SmitfraudFix*) to your Desktop.

Open the *SmitfraudFix* folder and double-click *smitfraudfix.cmd*
Select option #1 - *Search* by typing *1* and press "*Enter*"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

*Note* : *process.exe* is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm


----------



## bandyandy (Aug 26, 2006)

Thanks Cheeseball, SmitFraudFix log follows.

SmitFraudFix v2.164

Scan done at 11:17:15.84, 05/04/2007
Run from C:\Documents and Settings\Log In\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Bandwidth\BandMon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1 microsoft.com.org #[IE-SpyAd]
127.0.0.1 www.www.microsoft.com.org
127.0.0.1	www.legal-at-spybot.info
127.0.0.1	legal-at-spybot.info

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Log In

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Log In\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\LOGIN~1\FAVORI~1

C:\DOCUME~1\LOGIN~1\FAVORI~1\Online Security Test.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: SiS 900 PCI Fast Ethernet Adapter - Packet Scheduler Miniport
DNS Server Search Order: 84.203.254.34
DNS Server Search Order: 84.203.255.34

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3FC7A7DE-D4FA-47A2-BAAC-2507077E503E}: NameServer=84.203.254.34,84.203.255.34
HKLM\SYSTEM\CCS\Services\Tcpip\..\{F97CD4AF-2BC6-4C6A-8182-E544357D0C97}: NameServer=84.203.254.34,84.203.255.34
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3FC7A7DE-D4FA-47A2-BAAC-2507077E503E}: NameServer=84.203.254.34,84.203.255.34
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F97CD4AF-2BC6-4C6A-8182-E544357D0C97}: NameServer=84.203.254.34,84.203.255.34
HKLM\SYSTEM\CS3\Services\Tcpip\..\{3FC7A7DE-D4FA-47A2-BAAC-2507077E503E}: NameServer=84.203.254.34,84.203.255.34
HKLM\SYSTEM\CS3\Services\Tcpip\..\{F97CD4AF-2BC6-4C6A-8182-E544357D0C97}: NameServer=84.203.254.34,84.203.255.34

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End


----------



## Cheeseball81 (Mar 3, 2004)

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in *Safe Mode* by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Once in Safe Mode, open the *SmitfraudFix* folder again and double-click *smitfraudfix.cmd*
Select option #2 - *Clean* by typing *2* and press "*Enter*" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing *Y* and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if *wininet.dll* is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing *Y* and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

The report can also be found at the root of the system drive, usually at *C:\rapport.txt*

Warning: running option #2 on a non infected computer will remove your Desktop background.


----------



## bandyandy (Aug 26, 2006)

Hey Cheeseball, thanks for getting back to me. SmitfraudFix log attached.


----------



## bandyandy (Aug 26, 2006)

Ok, it would appear that the SmitFraudFix log is too big to attach (536kb) and would need to be split into about 18 messages. It is almost entirely made up of the hosts file (99%+) so I shall post the log minus the hosts section.

SmitFraudFix v2.164

Scan done at 23:42:23.85, 05/04/2007
Run from C:\Documents and Settings\Log In\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

*****MISSING*****

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\DOCUME~1\LOGIN~1\FAVORI~1\Online Security Test.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3FC7A7DE-D4FA-47A2-BAAC-2507077E503E}: NameServer=84.203.254.34,84.203.255.34
HKLM\SYSTEM\CCS\Services\Tcpip\..\{F97CD4AF-2BC6-4C6A-8182-E544357D0C97}: NameServer=84.203.254.34,84.203.255.34
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3FC7A7DE-D4FA-47A2-BAAC-2507077E503E}: NameServer=84.203.254.34,84.203.255.34
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F97CD4AF-2BC6-4C6A-8182-E544357D0C97}: NameServer=84.203.254.34,84.203.255.34
HKLM\SYSTEM\CS3\Services\Tcpip\..\{3FC7A7DE-D4FA-47A2-BAAC-2507077E503E}: NameServer=84.203.254.34,84.203.255.34
HKLM\SYSTEM\CS3\Services\Tcpip\..\{F97CD4AF-2BC6-4C6A-8182-E544357D0C97}: NameServer=84.203.254.34,84.203.255.34

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End


----------



## Cheeseball81 (Mar 3, 2004)

Run *ActiveScan* online virus scan:
http://www.pandasoftware.com/products/activescan.htm

Once you are on the Panda site click the Scan your PC button.
A new window will open...click the Check Now button.
Enter your Country.
Enter your State/Province.
Enter your e-mail address and click send.
Select either Home User or Company.
Click the big Scan Now button.
If it wants to install an ActiveX component allow it.
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan.
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. 
Post the contents of the ActiveScan report along with a new Hijack This log.


----------



## bandyandy (Aug 26, 2006)

Hey Cheeseball,
I use Firefox as my default browser. Clicked the ActiveScan link in your reply and the page opened in Firefox. Clicked 'Scan Your PC Now' and a window opened telling me my browser is not compatible. Reloaded the page using the IE Tab plug-in for Firefox and clicked 'Scan Your PC Now' - no response. Opened Internet Explorer and loaded the page, clicked 'Scan Your PC Now' - again no response. Right-clicked the link and all the Open Link options are greyed out.

Where to next, my man???


----------



## Cheeseball81 (Mar 3, 2004)

Download the *HostsXpert 3.8 - Hosts File Manager*.

Unzip HostsXpert 3.8 - Hosts File Manager to a convenient folder such as *C:\HostsXpert*
Click *HostsXpert.exe* to run HostsXpert 3.8 - Hosts File Manager from its new home
Click *"Make Hosts Writable?"* in the upper right corner (if available).
Click *Restore Microsoft's Hosts file* and then click OK.
Click the *X* to exit the program.
Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

Post a new Hijack This log.


----------
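Added example, not part of this thread and not code from SmitfraudFix or HostsXpert: a Python audit of a hosts file that covers two things discussed above, the hosts section of the SmitfraudFix report (which reported the file as "corrupted" and listed 127.0.0.1 entries) and the HostsXpert step that restores Microsoft's stock file. A hosts entry takes one of a few shapes: a sinkhole (a name pointed at 127.0.0.1 or 0.0.0.0, which is what the IE-SpyAd and Spybot lines in the report are), a redirect (a real name pointed at some other address, the shape a hijack takes), or a block on a security vendor's domain (which silently stops updates and online scanners). The sample file is constructed: it combines the four lines quoted in the report with two made-up hostile entries, and the vendor domain list is this example's own assumption, not a list used by any tool on the page.

```python
import ipaddress

# Constructed sample: one stock line, the four entries quoted in the SmitfraudFix report
# above, and two made-up hostile entries (marked) of the kind a defender must not miss.
SAMPLE_HOSTS = """\
# Comment lines and blank lines are ignored, as in the real file
127.0.0.1       localhost

127.0.0.1 microsoft.com.org #[IE-SpyAd]
127.0.0.1 www.www.microsoft.com.org
127.0.0.1\twww.legal-at-spybot.info
127.0.0.1\tlegal-at-spybot.info
127.0.0.1 free.grisoft.com             # constructed: AV vendor's site blocked
203.0.113.7 www.example-bank.test      # constructed: real name sent to a remote address
"""

# Assumption of this example: domains whose presence in hosts warrants attention at all,
# because malware blocks them to stop updates and scanners (not a list from any tool above).
SECURITY_VENDOR_DOMAINS = (
    "microsoft.com", "windowsupdate.com", "grisoft.com",
    "safer-networking.org", "trendmicro.com", "symantec.com", "kaspersky.com",
)


def parse_hosts(text):
    """Yield (ip, hostname) pairs; drops comments, blank lines and inline '#' remarks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def _is_vendor_host(host):
    return any(host == d or host.endswith("." + d) for d in SECURITY_VENDOR_DOMAINS)


def classify(ip, host):
    """One of: stock, sinkhole, redirect, blocks-security-site, malformed."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"
    if host == "localhost" and addr.is_loopback:
        return "stock"
    if _is_vendor_host(host):
        # Loopback or remote, either way the vendor's site no longer resolves honestly.
        return "blocks-security-site"
    if addr.is_loopback or addr.is_unspecified:
        return "sinkhole"       # 127.0.0.1 / 0.0.0.0 block-list style entry
    return "redirect"           # a real name answered with someone else's address


def audit_hosts(text):
    """Group every entry by category: {category: [(ip, host), ...]}."""
    report = {}
    for ip, host in parse_hosts(text):
        report.setdefault(classify(ip, host), []).append((ip, host))
    return report


def needs_attention(report):
    """Entries to record before the file is restored: everything except stock and sinkholes."""
    return [entry for cat, entries in report.items()
            if cat not in ("stock", "sinkhole") for entry in entries]


if __name__ == "__main__":
    for category, entries in audit_hosts(SAMPLE_HOSTS).items():
        print(f"{category}: {len(entries)}")
        for ip, host in entries:
            print(f"    {ip:15} {host}")
```

`needs_attention` returns what is worth writing down before clicking "Restore Microsoft's Hosts file": the restore wipes sinkhole entries too (a block-list tool can re-add those afterwards), but redirects and vendor blocks are evidence of what the infection was doing and are gone once the stock file is back.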



## bandyandy (Aug 26, 2006)

HijackThis Log follows:

Logfile of HijackThis v1.99.1
Scan saved at 20:50:21, on 06/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Bandwidth\BandMon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (disabled by BHODemon)
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [BatchBandwidth] C:\Program Files\Bandwidth\BandMon.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCPitstop Disk MD Registration Reminder] C:\Program Files\PCPitstop\Disk MD\Reminder.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - 
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - 
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/pcpitstop.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - 
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - 
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - 
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FC7A7DE-D4FA-47A2-BAAC-2507077E503E}: NameServer = 84.203.254.34,84.203.255.34
O17 - HKLM\System\CCS\Services\Tcpip\..\{F97CD4AF-2BC6-4C6A-8182-E544357D0C97}: NameServer = 84.203.254.34,84.203.255.34
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: CwWLEvent - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


----------



## Cheeseball81 (Mar 3, 2004)

Rescan with Hijack This.
Close all browser windows except Hijack This.
Put a check mark beside these entries and click "Fix Checked".

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (disabled by BHODemon)

Reboot - post a new log.


----------
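Added example, not part of this thread and not code from HijackThis or its author: a Python triage pass over HJT entry lines of the kind posted in the first log above, picking out the shapes a helper checks first. It flags O2 BHO entries whose DLL is gone or that a third-party tool has disabled (the two CLSIDs Cheeseball asks to tick under "Fix Checked"), O16 downloaded controls with no recorded source URL, O17 static DNS servers that should be checked against the ISP's, O20 Winlogon Notify targets that are not a DLL, and O4 Run entries that rely on PATH lookup. The sample lines are copied from that first log; the severity labels and the rule set are assumptions of this example, not HijackThis output, and a "review" flag means a person should look at the entry, not that it is malware.

```python
import re

# Constructed sample: entry lines copied from the first HijackThis v1.99.1 log in the thread
# (a representative subset; the full log has many more benign entries of the same shapes).
SAMPLE_HJT_LOG = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (disabled by BHODemon)",
    r"O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE",
    r"O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k",
    r"O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - ",
    r"O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{3FC7A7DE-D4FA-47A2-BAAC-2507077E503E}: NameServer = 84.203.254.34,84.203.255.34",
    "O20 - Winlogon Notify: CwWLEvent - C:\\WINDOWS\\",
    r"O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll",
]

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def triage_entry(line):
    """Classify one HJT entry line. Returns (severity, reason) or None when nothing stands out.

    Severities are this example's own convention: 'review' = a person should look,
    'verify' = compare against a known-good value, 'info' = worth knowing, not alarming.
    """
    m = ENTRY_RE.match(line.rstrip())
    if not m:
        return None
    kind, body = m.groups()
    if kind == "O2":
        if body.endswith("(no file)"):
            return "review", "BHO CLSID is registered but its DLL is gone: orphaned entry"
        if "(disabled by" in body:
            return "review", "BHO left disabled by a third-party tool; confirm it is wanted"
    elif kind == "O4":
        # Text after '[name]' is the command; a bare filename is resolved via the PATH search order.
        command = re.sub(r"^.*?\]\s*", "", body).strip('"')
        if "\\" not in command and not command.startswith("%"):
            return "info", "Run entry with a bare filename; check which file on PATH actually runs"
    elif kind == "O16":
        # 'DPF: {CLSID} (name) - URL': an empty URL means the control's origin is unrecorded.
        if body.endswith("-"):
            return "review", "downloaded ActiveX control with no recorded source URL"
    elif kind == "O17":
        servers = body.split("NameServer = ", 1)[-1]
        return "verify", f"static DNS servers {servers}; confirm they belong to your ISP"
    elif kind == "O20":
        # Winlogon Notify packages must be DLLs; a bare directory is broken or hiding something.
        target = body.rsplit(" - ", 1)[-1]
        if not target.lower().endswith(".dll"):
            return "review", f"Winlogon Notify target {target!r} is not a DLL path"
    return None


def triage_log(lines):
    """Run triage over a whole log; returns a list of (severity, entry_line, reason)."""
    findings = []
    for line in lines:
        result = triage_entry(line)
        if result:
            severity, reason = result
            findings.append((severity, line.rstrip(), reason))
    return findings


def orphaned_bho_clsids(lines):
    """CLSIDs of O2 entries flagged for review: the ones a helper would tick under 'Fix Checked'."""
    return [CLSID_RE.search(line).group(0)
            for sev, line, _ in triage_log(lines)
            if line.startswith("O2 ") and sev == "review"]


if __name__ == "__main__":
    for severity, line, reason in triage_log(SAMPLE_HJT_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
    print("O2 entries to fix:", orphaned_bho_clsids(SAMPLE_HJT_LOG))
```

Run as a script it prints the findings; `orphaned_bho_clsids` returns exactly the two CLSIDs from the instruction above. As the later reply in the thread notes, an orphaned BHO entry can also be a harmless remnant of an uninstalled program, which is why the output is a review list and not a verdict.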



## bandyandy (Aug 26, 2006)

Ok, did as directed. Rebooted the computer. Got to the Windows XP logo with the 3 blue dots moving from right to left below the logo and it stayed that way. Hit reset - chose 'start Windows normally' - same story. Pulled the plug, waited for an hour, booted up - chose 'last known good configuration' - rescanned with Hijack This. Log follows.

Logfile of HijackThis v1.99.1
Scan saved at 23:07:11, on 06/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Bandwidth\BandMon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [BatchBandwidth] C:\Program Files\Bandwidth\BandMon.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCPitstop Disk MD Registration Reminder] C:\Program Files\PCPitstop\Disk MD\Reminder.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - 
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - 
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/pcpitstop.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - 
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - 
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - 
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FC7A7DE-D4FA-47A2-BAAC-2507077E503E}: NameServer = 84.203.254.34,84.203.255.34
O17 - HKLM\System\CCS\Services\Tcpip\..\{F97CD4AF-2BC6-4C6A-8182-E544357D0C97}: NameServer = 84.203.254.34,84.203.255.34
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: CwWLEvent - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


----------



## Cheeseball81 (Mar 3, 2004)

SpywareTerminator is an iffy program. The rest of the log looks okay. Are you still having problems?


----------



## bandyandy (Aug 26, 2006)

Hi Cheeseball,
Computer seems fine but am hurrying off to work so will have a more thorough look later.

I note that
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
remains in the HJT Log. Any notion why that might be?

Also, what is it about Spyware Terminator that makes you say it is iffy? As far as I am aware it has served me well but if it is sitting there using up precious resources unnecessarily...

Thank you for your help.


----------



## bandyandy (Aug 26, 2006)

Ok, back again, going to be late for work, ah well.

Was running SpyHunter, the scan that told me about the registry entries in my first post, and it tells me they are still there.
I downloaded SpyHunter after doing a web search for the Zlob virus as Spybot kept crashing and saying something about an error reading Zlob.***something or other***.
It claims to be specific to the Zlob Virus.
It appeared to be legit but do you think it could be another dodgy antispyware program trying to get me to buy it with false positives?


----------



## h0MbrE (Apr 6, 2007)

Hey Andy have you tried SuperAntiSpyware? I had Zlob once and it helped get rid of it (what SpyHunter missed) and it's free. It seemed that the two found and removed different parts but got it all, never came back... although please understand that I am not the expert that Cheeseball is but I do know Zlob can regenerate itself if all parts aren't removed and it generally has 44-55 or so registry files associated with it. It installed a rogue program on my computer called "Spydawn" that kept popping up on me alerting me that I was at risk and tried to terrorize me into purchasing the software to "protect" my computer. There was even an icon running in my system tray. Does this sound familiar? Just curious. Same as you, my search led me to Spyhunter which I still keep around in case Zlob ever finds its way back but I don't rely wholly on it. It seems to zero in on Zlob pretty good but left a few things for SuperAntiSpyware to clean up. Like I said though, I'm by no means an expert so please don't consider it a solution. Just a tip on a good free antispyware. Listen to what Cheeseball says.


----------



## Cheeseball81 (Mar 3, 2004)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) seems to be a Windows Live Messenger remnant. 

Spyware Terminator was once a rogue program. It's not on the rogue list anymore. I just don't know how much it's been improved.

Please post a new Hijack This log.


----------



## bandyandy (Aug 26, 2006)

I got Spyware Terminator on the recommendation of another TSG moderator a few months ago and it seems to be a good first line of defense with its realtime protection. I also still have SuperAntiSpyware on the recommendation of the same fella, and it has been coming up clean.

Have just run a Spybot scan and it threw up SpyHunter as spyware, so I have deleted it (SpyHunter, that is, not Spybot). However, Spybot is terminating its scan early and giving an error message: "Error during check!: Zlob.ZipCodec (Ungültiger Datentyp für)"

Anyway, HJT log follows.

Logfile of HijackThis v1.99.1
Scan saved at 20:44:35, on 07/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Bandwidth\BandMon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [BatchBandwidth] C:\Program Files\Bandwidth\BandMon.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCPitstop Disk MD Registration Reminder] C:\Program Files\PCPitstop\Disk MD\Reminder.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - 
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - 
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/pcpitstop.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - 
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - 
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - 
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FC7A7DE-D4FA-47A2-BAAC-2507077E503E}: NameServer = 84.203.254.34,84.203.255.34
O17 - HKLM\System\CCS\Services\Tcpip\..\{F97CD4AF-2BC6-4C6A-8182-E544357D0C97}: NameServer = 84.203.254.34,84.203.255.34
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: CwWLEvent - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


----------



## bandyandy (Aug 26, 2006)

Been doing a bit of research.

There is a Spyware Terminator listed on Spyware Warrior's 'Rogue' list, but I suspect it is a different program to the one by Crawler that I have, which has been given the green light by McAfee.

No longer on the same 'Rogue' list is SpyHunter, but a little searching has led me to mistrust this application (not least the fact that both Spybot and Ad-Aware identify it as spyware), and I suspect that it has thrown up false positives re Zlob.

Also, I have upgraded to Spybot 1.4 and run a scan, and it no longer throws up the Zlob error.

Fingers crossed, we could be back on dry land.

How's the HJT log looking, Cheeseball?

And thanks Hombre for your input; I'd be inclined to ditch SpyHunter if I were you.


----------



## Cheeseball81 (Mar 3, 2004)

Looks fine :up:

Now turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer.

Turn System Restore back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

You can mark your thread "Solved" from the *Thread Tools* drop down menu.


----------



## bandyandy (Aug 26, 2006)

Hey Cheeseball,
Many, many thanks for your help; the web is a much better place for sites like this and people like yourself. However, I am not sure that I am ready to mark this as solved quite yet, as this process has brought up some as yet unresolved issues. Although I quite understand if you would rather say 'My work here is done' and walk off into the sunset. In case you feel like sticking around a little longer, the unresolved issues are as follows:

How come I cannot get any online scanners to work? I have tried Panda (Scan Now links are not linking), eTrust (page loads but nothing happens when I click scan), BitDefender (when I get to 'I Agree' I click and nothing happens), Trend Micro House Call (worked once, came up with a couple of things which I got it to delete, and now comes up with "Warning, the House Call API did not define a native boundary" and then sits there doing nothing).
I had two versions of Java in my Add/Remove Programs list, so I uninstalled both and reinstalled the most recent version, and it made no difference.

Also, having deleted SpyHunter I note that it still exists in my Spybot start-up list (although the program itself is no longer where it was), and if I try to disable it the Tea Timer dialogue box opens with all the options messed up, and the only way to close the window is to X out of it, thus denying the change.
I also note that, in the Spybot start-up list, there is a HK_CU:Run entry that is blank. Spybot says that it is added by the AGOBOT-KU worm and refers to the file system32.exe. When I go to disable it, Tea Timer behaves as above. I have disabled both start-up entries by disabling Tea Timer, but that is not really a desirable solution.

I have run Spybot and Ad-Aware scans having booted up with both the above start-up items enabled, and they have come up clean. I have also run AVG, which tells me

"General properties";""
"Report name";"Complete Test"
"Start time";"08/04/2007 16:03:41"
"End time";"08/04/2007 17:01:08 (total: 57:25.3 Min)"
"Launch method";"Scanning launched manually"
"Scanning result";"No threats found"
"Report status";"Scanning completed successfully"
" ";""
"Object summary";""
"Scanned";"59132"
"Threats Found";"0"
"Cleaned";"0"
"Moved to vault";"0"
"Deleted";"0"
"Errors";"0"
"C:\WINDOWS\system32\user32.dll";"Change";"Changed"
"C:\WINDOWS\system32\ntoskrnl.exe";"Change";"Changed"
"C:\WINDOWS\system32\drivers\etc\hosts";"Change";"Changed"

I also note that, on start-up, there is a lot of CPU activity for about two minutes longer than usual (it used to take about 2 minutes to settle, now it takes 4). The most hungry process during this time is svchost.exe being run by SYSTEM and using 20,000+K of memory. I realise this is likely normal, but in my searching about AGOBOT-KU I found an association with the svchost virus and fear they may be connected.

There is definitely something suspicious going on and I would really like to get to the bottom of it.

Thanks again,

Andy


----------



## Cheeseball81 (Mar 3, 2004)

Are you trying these online scanners with Internet Explorer? (not Firefox because they do not work with Firefox.)

Those changes with AVG are normal and nothing to worry about.


----------



## bandyandy (Aug 26, 2006)

Tried with IE and the eTrust scanner is working (I am convinced I tried it in IE before and it didn't work, but hey ho, it's working now). Am ignoring AVG results. What about the SpyHunter and AGOBOT-KU stuff? I would really like to turn Tea Timer back on.

Thanks again for your help.


----------



## Cheeseball81 (Mar 3, 2004)

What shows up in SpyBot? 

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm

Is it similar to those?


----------



## bandyandy (Aug 26, 2006)

Hey Cheeseball,

No, that is not what shows up in Spybot. I can't be specific at the moment as I have the Panda Active Scan running (it is at about 25% and has found 2 viruses, 6 spyware and 3 Hacking Tools and Rootkits), and I have managed to delete the dodgy startup entries by disabling Tea Timer, so I would have to reboot to get them to show up again. In researching the AGOBOT-KU virus that Spybot says is responsible for the blank HK_CU:Run entry, I discovered that it runs a process called RASMNGR.EXE, so I looked in Spybot's Process List and... it wasn't there. So I decided to check out all the processes that were running, and they all appear to be legit... except one, smss.exe. According to www.answersthatwork.com's Task List Programs page, if smss.exe is not running from C:\Windows\System32\smss.exe then I have a virus, and Spybot tells me it is running from \SystemRoot\System32\smss.exe, and when I right-click on it and tell it to 'Show file in Explorer' it tells me "the path \SystemRoot\System32\smss.exe does not exist or is not a directory", so I reckon that means I have a virus. Also, earlier I discovered that my firewall had been turned off, and it certainly wasn't by me, and I don't think anyone else who uses this computer would even know how or have reason to do so.
Anyway, I am thinking that I may be suffering from the 'a little knowledge is a dangerous thing' syndrome and getting overly paranoid, and should just let someone who knows more than I check out the Panda scan log. You up for it?


----------



## bandyandy (Aug 26, 2006)

Ok, scan finished.

The dodgy startup entries are:

Located: HK_LM:Run, SpyHunter
command: 
file:

with the following in the right hand column when highlighted
Current filename:

Database status: Typically not required
Value: SpyHunter
Filename: SpyHunter.exe

Description
SpyHunter - spyware remover of somewhat dubious repute, see _note_

Source: Paul Collins Startup list
____________________

and:

Located: HK_CU:Run, 
command: 
file:

with the following in the right hand column when highlighted

Current filename:

Database status: Not required - virus, spyware, malware or other resource hog
Value: 
Filename: system32.exe

Description
Added by the _AGOBOT-KU_ WORM! Note - has a blank entry under the Startup Item/Name field

Source: Paul Collins Startup list
____________________

The contents of the Panda scan log follow:

Incident Status Location

Adware:Adware/SweetBar Not disinfected C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll 
Adware:adware program Not disinfected c:\windows\ss3unstl.exe 
Potentially unwanted tool:application/funweb Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} 
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Log In\Application Data\Mozilla\Firefox\Profiles\qxqtdh74.default\cookies.txt[ad.yieldmanager.com/] 
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Log In\Application Data\Mozilla\Firefox\Profiles\qxqtdh74.default\cookies.txt[.zedo.com/] 
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Log In\Application Data\Mozilla\Firefox\Profiles\qxqtdh74.default\cookies.txt[c5.zedo.com/] 
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Log In\Desktop\SmitfraudFix\Process.exe 
Virus:Trj/Shutdown.Z Disinfected C:\Documents and Settings\Log In\Desktop\SmitfraudFix\restart.exe 
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Log In\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe] 
Virus:Trj/Shutdown.Z Disinfected C:\Documents and Settings\Log In\Desktop\SmitfraudFix.zip[SmitfraudFix/restart.exe] 
Adware:Adware/SweetBar Not disinfected C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll

HJT Log follows:

Logfile of HijackThis v1.99.1
Scan saved at 00:14:51, on 10/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Bandwidth\BandMon.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [BatchBandwidth] C:\Program Files\Bandwidth\BandMon.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - 
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - 
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/pcpitstop.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - 
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - 
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - 
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FC7A7DE-D4FA-47A2-BAAC-2507077E503E}: NameServer = 84.203.254.34,84.203.255.34
O17 - HKLM\System\CCS\Services\Tcpip\..\{F97CD4AF-2BC6-4C6A-8182-E544357D0C97}: NameServer = 84.203.254.34,84.203.255.34
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: CwWLEvent - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


----------



## bandyandy (Aug 26, 2006)

Ok, just confirmed with Program Checker that the smss.exe file I was stressing about is totally legit and running from where it should. Phew. So, the questions remain: why do I have two seemingly unnecessary start-up items that are determined to stick around and look menacing? Why is Tea Timer messed up? And are these two related? AAARRRGGGHHH, my head. Gotta go to bed.


----------



## Cheeseball81 (Mar 3, 2004)

1. Please *download* *The Avenger* by Swandog46 to your *Desktop*.
Click on Avenger.zip to open the file
Extract *avenger.exe* to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (*Ctrl+C*):



> Files to delete:
> c:\windows\ss3unstl.exe
> 
> Folders to delete:
> C:\Program Files\Macrogaming\SweetIMBarForIE


_*Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.*_

3. Now, *start The Avenger program* by clicking on its icon on your desktop.
Under "*Script file to execute*" choose "*Input Script Manually*".
Now click on the *Magnifying Glass icon*, which will open a new window titled "*View/edit script*".
Paste the text copied to clipboard into this window by pressing (*Ctrl+V*).
Click *Done*.
Now click on the *Green Light* to begin execution of the script.
Answer "*Yes*" twice when prompted.
4. *The Avenger will automatically do the following*:
It will *Restart your computer*. (In cases where the code to execute contains "*Drivers to Unload*", The Avenger will actually *restart your system twice.*)
On reboot, it will briefly *open a black command window* on your desktop; this is normal.
After the restart, it *creates a log file* that should open with the results of The Avenger's actions. This log file will be located at *C:\avenger.txt*.
The Avenger will also have *backed up all the files, etc., that you asked it to delete*, and will have zipped them and moved the zip archives to *C:\avenger\backup.zip*.
5. Please *copy/paste* the content of *c:\avenger.txt* into your reply.

Rescan with Hijack This, close all browser windows except Hijack This, put a checkmark beside these entries and click *fix checked*.

*R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll

O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)

O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll

O20 - Winlogon Notify: CwWLEvent - C:\WINDOWS\*

Reboot and post another Hijack This log please.
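The two checks in play over the last few posts, written out as an added example (this is not code from the thread, from HijackThis or from Spybot): resolving the \SystemRoot prefix that caused the smss.exe scare, and flagging in a HijackThis log the kinds of entry the fix list above targets. It assumes %SystemRoot% is C:\WINDOWS on this machine (the process list says so), takes the adware component names from the Panda scan report posted earlier, and runs over a sample made of lines copied from the log above. The triage only marks entries for a second look, which is what a helper does by eye before deciding what to fix; it is not a verdict.

```python
"""Added example, not code from this thread, HijackThis or Spybot.

normalize_path() resolves the NT and environment prefixes seen in process
lists and Avenger logs; triage() walks HijackThis 1.99.1 lines and flags
entries worth a second look.  Assumption: %SystemRoot% is C:\\WINDOWS.
"""
import ntpath
import re

SYSTEM_ROOT = r"C:\WINDOWS"  # assumed for this XP machine (see its process list)

# Adware component names taken from the Panda ActiveScan report posted above
ADWARE_MARKERS = ("macrogaming", "macrog~1", "sweetimbarforie", "sweeti~1")

_ENV_PREFIX = re.compile(r"^%(systemroot|windir)%", re.IGNORECASE)
_HJT_LINE = re.compile(r"^(?P<kind>R\d|O\d+) - (?P<body>.*)$")


def normalize_path(path: str) -> str:
    """Return a lower-cased Win32 path with NT and environment prefixes resolved."""
    p = path.strip().strip('"')
    if p.lower().startswith("\\??\\"):           # NT object-manager prefix
        p = p[4:]
    if p.lower().startswith("\\systemroot"):     # kernel-style alias of %SystemRoot%
        p = SYSTEM_ROOT + p[len("\\systemroot"):]
    p = _ENV_PREFIX.sub(lambda _m: SYSTEM_ROOT, p)
    return ntpath.normpath(p).lower()            # NTFS names are case-insensitive


def same_file(a: str, b: str) -> bool:
    """True when two spellings of a path name the same file."""
    return normalize_path(a) == normalize_path(b)


def triage(lines):
    """Return (kind, reason, line) for HJT entries that deserve a second look."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = _HJT_LINE.match(line)
        if not m:
            continue                                  # header or process list
        kind, body = m.group("kind"), m.group("body")
        target = body.rsplit(" - ", 1)[-1].strip()    # last field: file or URL
        if "(no file)" in body or "(file missing)" in body:
            reason = "orphaned entry: the referenced file is gone"
        elif kind == "O16" and body.rstrip().endswith("-"):
            reason = "ActiveX (DPF) entry with no download URL"
        elif kind == "O20" and (target.endswith("\\") or not ntpath.splitext(target)[1]):
            reason = "Winlogon Notify hook points at a directory, not a DLL"
        elif any(marker in target.lower() for marker in ADWARE_MARKERS):
            reason = "component named in the Panda scan report"
        else:
            continue
        findings.append((kind, reason, line))
    return findings


# Sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r'''
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} -
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/pcpitstop.cab
O20 - Winlogon Notify: CwWLEvent - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
'''


if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_LOG.splitlines()):
        print(f"{kind:4} {reason}\n     {line}")
    print("smss.exe path matches expected location:",
          same_file(r"\SystemRoot\System32\smss.exe", r"C:\WINDOWS\System32\smss.exe"))
```

Run on the sample, the triage picks out exactly the SweetIM/Macrogaming entries, the orphaned "(no file)" BHO and the O20 hook with a bare C:\WINDOWS\ target that the fix list names, plus the empty O16 and the "(file missing)" BitDefender button as things to glance at, while the AVG service, the Adobe BHO and the WgaLogon DLL pass untouched. The path check shows why Spybot's \SystemRoot\System32\smss.exe was a red herring: it is the expected file under a kernel-style spelling of the same directory.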


----------



## bandyandy (Aug 26, 2006)

Hey Cheeseball,

Did as you said. All went well except for a slight deviation from the Avenger process you described. On reboot the black cmd window appeared and also a Windows dialogue box saying "There is no disc in the drive" and giving three options: "Try Again", "Cancel" and "Continue". Tried "Continue" - dialogue box came back. Tried "Try Again" - dialogue box came back. Tried "Cancel" - it took three clicks before the box didn't return.

Avenger log follows:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ntobmcgy

*******************

Script file located at: \??\C:\WINDOWS\system32\enlsngwx.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File c:\windows\ss3unstl.exe deleted successfully.
Folder C:\Program Files\Macrogaming\SweetIMBarForIE deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

HJT Log follows:

Logfile of HijackThis v1.99.1
Scan saved at 11:42:54, on 10/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Bandwidth\BandMon.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [BatchBandwidth] C:\Program Files\Bandwidth\BandMon.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - 
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - 
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/pcpitstop.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - 
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - 
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - 
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FC7A7DE-D4FA-47A2-BAAC-2507077E503E}: NameServer = 84.203.254.34,84.203.255.34
O17 - HKLM\System\CCS\Services\Tcpip\..\{F97CD4AF-2BC6-4C6A-8182-E544357D0C97}: NameServer = 84.203.254.34,84.203.255.34
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ProgramCheckerPro (sassvc) - Unknown owner - C:\Program Files\Zenturi\ProgramChecker\sassvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


----------



## bandyandy (Aug 26, 2006)

Scrap that - didn't reboot before last HJT scan.

Back in a mo.


----------



## bandyandy (Aug 26, 2006)

OK, rebooted. Noted that reboot took about 1 min. less than it has been.

HJT log follows:

Logfile of HijackThis v1.99.1
Scan saved at 11:55:37, on 10/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Bandwidth\BandMon.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [BatchBandwidth] C:\Program Files\Bandwidth\BandMon.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - 
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - 
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/pcpitstop.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - 
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - 
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - 
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FC7A7DE-D4FA-47A2-BAAC-2507077E503E}: NameServer = 84.203.254.34,84.203.255.34
O17 - HKLM\System\CCS\Services\Tcpip\..\{F97CD4AF-2BC6-4C6A-8182-E544357D0C97}: NameServer = 84.203.254.34,84.203.255.34
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ProgramCheckerPro (sassvc) - Unknown owner - C:\Program Files\Zenturi\ProgramChecker\sassvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


----------
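The HJT log above is the kind of list a helper triages by hand. As an added example (not code from the thread or from HijackThis), the Python below parses the O4, O9, O16, O17, O20 and O23 line formats visible in that log and separates dead entries from ones worth a second look: Run values with no command, "(file missing)" buttons, unnamed Downloaded Program Files with no CODEBASE, DNS servers outside an expected set, Winlogon Notify DLLs outside the Windows directory, and services reported with "Unknown owner". The sample lines are copied from the log except the [SpyHunter] line, which is constructed to exercise the empty-value rule; the expected DNS pair is an assumption taken from the log and should be confirmed with the ISP, since rewriting the DNS servers is a known Zlob payload.

```python
"""Triage of HijackThis 1.99.1 log lines (added example, not from the thread
or from HijackThis).  Parses the O4/O9/O16/O17/O20/O23 formats visible in the
posted log and returns the entries a responder would check by hand."""
import re
from typing import Dict, Iterable, List

Finding = Dict[str, str]

# Assumption: the two resolvers in the log belong to the ISP.  Confirm with
# the ISP before trusting them; DNS changes are a classic Zlob payload.
EXPECTED_DNS = ("84.203.254.34", "84.203.255.34")

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[^}]+)\}(?: \((?P<name>[^)]*)\))? -\s*(?P<url>.*)$")
O17_RE = re.compile(r"^O17 - .*: NameServer = (?P<servers>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Lines copied from the posted log, plus one constructed O4 line (SpyHunter)
# with no command, to exercise the empty-value rule.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SpyHunter]
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} -
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/pcpitstop.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FC7A7DE-D4FA-47A2-BAAC-2507077E503E}: NameServer = 84.203.254.34,84.203.255.34
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ProgramCheckerPro (sassvc) - Unknown owner - C:\Program Files\Zenturi\ProgramChecker\sassvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


def _finding(kind: str, line: str, note: str) -> Finding:
    return {"kind": kind, "line": line, "note": note}


def triage(log_text: str, expected_dns: Iterable[str] = EXPECTED_DNS,
           system_root: str = r"C:\WINDOWS") -> List[Finding]:
    """Return findings: 'orphan' = dead entry, safe to remove; 'review' = check by hand."""
    expected = {s.strip() for s in expected_dns}
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if "(file missing)" in line or "(no file)" in line:
            findings.append(_finding("orphan", line, "target file is gone; entry does nothing"))
            continue
        if m := O4_RE.match(line):
            cmd = m.group("cmd").strip()
            first = cmd.split()[0].strip('"') if cmd else ""
            if not cmd:
                findings.append(_finding("orphan", line, f"Run value '{m.group('name')}' has no command"))
            elif "\\" not in first:
                findings.append(_finding("review", line, "bare filename, resolved via the search path; confirm which file runs"))
        elif m := O16_RE.match(line):
            if not m.group("url") and not m.group("name"):
                findings.append(_finding("orphan", line, "unnamed Downloaded Program File with no CODEBASE"))
        elif m := O17_RE.match(line):
            unexpected = {s.strip() for s in m.group("servers").split(",")} - expected
            if unexpected:
                findings.append(_finding("review", line, f"DNS servers not in expected set: {sorted(unexpected)}"))
        elif m := O20_RE.match(line):
            if not m.group("path").lower().startswith(system_root.lower() + "\\"):
                findings.append(_finding("review", line, "third-party Winlogon notification DLL; confirm the vendor"))
        elif m := O23_RE.match(line):
            if m.group("owner") == "Unknown owner":
                findings.append(_finding("review", line, "service with no publisher string; verify the binary"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:7} {f['note']}\n        {f['line']}")
```

Run it as a script to print the findings. "orphan" entries can be fixed in HJT without further thought; "review" entries need the file looked at first (vendor, signature, a scan of the binary) before anything is deleted, since SUPERAntiSpyware's Winlogon DLL and the Zenturi service are legitimate third-party software that the rules still surface.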



## bandyandy (Aug 26, 2006)

OK, both dodgy startup items remain. Tea Timer still corrupted. Boot-up time almost back to the 2 min it used to take, with no CPU-hungry svchost hogging resources.

Progress has been made but we are not out of the woods yet.

Thanks for sticking in there.


----------



## bandyandy (Aug 26, 2006)

New Panda scan log follows:

Incident Status Location

Adware:adware program Not disinfected Windows Registry 
Potentially unwanted tool:application/funweb Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} 
Adware:Adware/SweetBar Not disinfected C:\avenger\backup.zip[avenger/SweetIMBarForIE/toolbar.dll]  
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Log In\Desktop\SmitfraudFix\Process.exe 
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Log In\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]

Obviously the last 3 are OK, but what about the first 2?


----------



## Cheeseball81 (Mar 3, 2004)

The first two are just orphaned entries, nothing to worry about. How are things now?


----------



## bandyandy (Aug 26, 2006)

Am still concerned by the two dodgy startup items and the fact that tea timer is corrupted.


----------



## Cheeseball81 (Mar 3, 2004)

What dodgy startup item?
Are you still referring to C:\WINDOWS\System32\smss.exe?


----------



## bandyandy (Aug 26, 2006)

Hey Cheeseball, this is Spybot's System Startup Report. I have put asterisks around the two 'dodgy' items.

--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2007-04-07 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-01-15 advcheck.dll (1.2.1.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-01-02 Tools.dll (2.0.1.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-04-04 Includes\Cookies.sbi
2006-12-08 Includes\Dialer.sbi
2007-04-04 Includes\DialerC.sbi
2007-04-04 Includes\Hijackers.sbi
2007-04-04 Includes\HijackersC.sbi
2006-10-27 Includes\Keyloggers.sbi
2007-04-04 Includes\KeyloggersC.sbi
2007-03-21 Includes\Malware.sbi
2007-04-04 Includes\MalwareC.sbi
2007-03-21 Includes\PUPS.sbi
2007-04-04 Includes\PUPSC.sbi
2007-04-04 Includes\Revision.sbi
2006-12-08 Includes\Security.sbi
2007-04-04 Includes\SecurityC.sbi
2007-03-21 Includes\Spybots.sbi
2007-04-04 Includes\SpybotsC.sbi
2005-02-17 Includes\Tracks.uti
2007-04-04 Includes\Trojans.sbi
2007-04-04 Includes\TrojansC.sbi

Located: HK_LM:Run, AVG7_CC
command: C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
file: C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
size: 411648
MD5: 2a62570d13f14f49218ce7b03caa9cb2

Located: HK_LM:Run, BatchBandwidth
command: C:\Program Files\Bandwidth\BandMon.exe
file: C:\Program Files\Bandwidth\BandMon.exe
size: 237568
MD5: b021171c0e68fc21554c57ccacedb46d

Located: HK_LM:Run, CTHelper
command: CTHELPER.EXE
file: C:\WINDOWS\system32\CTHELPER.EXE
size: 28672
MD5: df01b97932ea31b4ba14c733a77d0973

Located: HK_LM:Run, KernelFaultCheck
command: %systemroot%\system32\dumprep 0 -k
file: C:\WINDOWS\system32\dumprep.exe
size: 10752
MD5: 13922eb54890c77005268882629a31fe

Located: HK_LM:Run, NeroCheck
command: C:\WINDOWS\system32\NeroCheck.exe
file: C:\WINDOWS\system32\NeroCheck.exe
size: 155648
MD5: 3e4c03cefad8de135263236b61a49c90
***************************
*Located: HK_LM:Run, SpyHunter *
*command: *
* file: *
***************************
Located: HK_LM:Run, SpywareTerminator
command: "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
file: C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
size: 2903040
MD5: 154d2dd0c0b797506d733ed0c2ed1d03

Located: HK_LM:Run, SunJavaUpdateSched
command: "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
file: C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
size: 75520
MD5: edf5d27c6d244740418903626df5741a

Located: HK_LM:Run, Zone Labs Client
command: "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
file: C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
size: 968696
MD5: 71514e2c74d554f5902dc184046eca3b

Located: HK_LM:Run, BigDogPath (DISABLED)
command: C:\WINDOWS\VM_STI.EXE Vimicro USB PC Camera (ZC0301PL)
file: C:\WINDOWS\VM_STI.EXE
size: 40960
MD5: 0c18cf0d16418e9fb7069abb75860028

Located: HK_LM:Run, cwcptray (DISABLED)
command: C:\Program Files\ContentWatch\Internet Protection\gui\cwcptray.exe
file: 

Located: HK_LM:Run, Jet Detection (DISABLED)
command: "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
file: C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe
size: 28672
MD5: 7df5f447de9e4600f8c77a00d86d210b

Located: HK_LM:Run, NeroCheck (DISABLED)
command: C:\WINDOWS\system32\NeroCheck.exe
file: C:\WINDOWS\system32\NeroCheck.exe
size: 155648
MD5: 3e4c03cefad8de135263236b61a49c90

Located: HK_LM:Run, NeroFilterCheck (DISABLED)
command: C:\WINDOWS\system32\NeroCheck.exe
file: C:\WINDOWS\system32\NeroCheck.exe
size: 155648
MD5: 3e4c03cefad8de135263236b61a49c90

Located: HK_LM:Run, PC Pitstop Optimize Scheduler (DISABLED)
command: C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
file: 

Located: HK_LM:Run, QuickTime Task (DISABLED)
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: 

Located: HK_LM:Run, RemoteControl (DISABLED)
command: "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
file: C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
size: 32768
MD5: 8fb740d758b14b1bc950cc347c21e461

Located: HK_LM:Run, SiS KHooker (DISABLED)
command: C:\WINDOWS\system32\khooker.exe
file: C:\WINDOWS\system32\khooker.exe
size: 290816
MD5: dae84a06fe63a6c105b30b919da8cdf6

Located: HK_LM:Run, SunJavaUpdateSched (DISABLED)
command: "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
file: C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
size: 75520
MD5: edf5d27c6d244740418903626df5741a

Located: HK_LM:Run, TkBellExe (DISABLED)
command: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
file: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
size: 180269
MD5: 1ac2c58b587c70de64582ad41ee79fba

Located: HK_LM:Run, Ulead AutoDetector (DISABLED)
command: C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
file: C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
size: 45056
MD5: 01f76899c49d3e4b355ed2d78e34c866

Located: HK_LM:Run, UpdReg (DISABLED)
command: C:\WINDOWS\UpdReg.EXE
file: C:\WINDOWS\UpdReg.EXE
size: 90112
MD5: c419df63e0121d72411285780c2fc6cc
******************
*Located: HK_CU:Run, * 
*command: *
* file: *
******************
Located: HK_CU:Run, Creative Detector
command: "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
file: C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
size: 102400
MD5: c744293dfbe1a3347fec5dbfe3fd123e

Located: HK_CU:Run, FreeRAM XP
command: "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
file: C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
size: 1591808
MD5: 667f078955a93fe382f74d5f109dfe31

Located: HK_CU:Run, msnmsgr (DISABLED)
command: "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
file: C:\Program Files\MSN Messenger\msnmsgr.exe
size: 5674352
MD5: c4281ad865739e71fd1e4dac19a68d60

Located: Startup (disabled), Adobe Reader Speed Launch (DISABLED)
command: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" 
file: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
size: 29696
MD5: 43362b96870ce8649f4f2ec893da93f0

Located: Startup (disabled), Microsoft Office (DISABLED)
command: "C:\Program Files\Microsoft Office\Office\OSA9.EXE" -b -l
file: C:\Program Files\Microsoft Office\Office\OSA9.EXE
size: 65588
MD5: f7d6fc2cc9886f34b986986db1b7c06b

Located: System.ini, !SASWinLogon
command: C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
file: C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
size: 282624
MD5: f6597f9f732453daf4d3a86170da63d5

Located: System.ini, crypt32chain
command: crypt32.dll
file: crypt32.dll

Located: System.ini, cryptnet
command: cryptnet.dll
file: cryptnet.dll

Located: System.ini, cscdll
command: cscdll.dll
file: cscdll.dll

Located: System.ini, CwWLEvent
command: 
file: 

Located: System.ini, ScCertProp
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, Schedule
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll

Located: System.ini, SensLogn
command: WlNotify.dll
file: WlNotify.dll

Located: System.ini, termsrv
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, WgaLogon
command: WgaLogon.dll
file: WgaLogon.dll

Located: System.ini, wlballoon
command: wlnotify.dll
file: wlnotify.dll

Log Ends

In Spybot you can activate a column to the right of the startup list that gives specific information about the highlighted item. If I highlight the SpyHunter item, it gives this info.

Current filename:

Database status: Typically not required
Value: SpyHunter
Filename: SpyHunter.exe

Description
SpyHunter - spyware remover of somewhat dubious repute, see _note_

Source: Paul Collins Startup list

If I highlight the blank HK_CU:Run entry it gives this info.

Current filename:

Database status: Not required - virus, spyware, malware or other resource hog
Value:
Filename: system32.exe

Description
Added by the _AGOBOT-KU_ WORM! Note - has a blank entry under the Startup Item/Name field

Source: Paul Collins Startup list
____________________

If I disable either of these then Tea Timer opens a dialogue box that is all messed up and the only option is to X out of it, thus denying the change and leaving the item in the startup list. If I disable Tea Timer I can disable the items, but as soon as I re-enable Tea Timer the whole dialogue box thing happens again and the items are restored. In fact the Tea Timer dialogue box is messed up whenever it appears now.


----------



## Cheeseball81 (Mar 3, 2004)

Open Hijack This.
Click on *Open Misc Tools Section*
Make sure that both boxes beside "Generate StartupList Log" are checked:

*List all minor sections(Full)*
*List Empty Sections(Complete)*

Click *Generate StartupList Log*.
Click *Yes* at the prompt.
It will open a text file. Please copy the entire contents of that page and paste it here.

Run Hijack This and click *Open the Misc Tools* section.
Click Open Uninstall Manager > Save list and save the log to your Desktop.
A list of programs will open in Notepad. Post the contents of this log.


----------



## bandyandy (Aug 26, 2006)

OK, first half of StartupList log follows:

StartupList report, 11/04/2007, 01:42:13
StartupList version: 1.52.2
Started from : C:\Program Files\hijackthis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Bandwidth\BandMon.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\hijackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Log In\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
CTHelper = CTHELPER.EXE
BatchBandwidth = C:\Program Files\Bandwidth\BandMon.exe
SpywareTerminator = "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
NeroCheck = C:\WINDOWS\system32\NeroCheck.exe
Zone Labs Client = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
SunJavaUpdateSched = "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
SpyHunter =

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mswmp.inf,PerUserStub

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - (no file) - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - (no file) - {AA58ED58-01DD-4d91-8333-CF10577473F7}


----------



## bandyandy (Aug 26, 2006)

2nd Half of Startup List Log Follows:

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\Java\classes\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}]

[{0A5FD7C5-A45C-49FC-ADB5-9952547D5715}]

[PCPitstop Utility]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\PCPitstop.dll
CODEBASE = http://pcpitstop.com/pcpitstop/pcpitstop.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\macromed\Director\SwDir.dll

[Trend Micro ActiveX Scan Agent 6.6]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll
CODEBASE = http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

[BDSCANONLINE Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\oscan8.ocx
CODEBASE = http://download.bitdefender.com/resources/scan8/oscan8.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\wuweb.dll

[WScanCtl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\webscan.dll
CODEBASE = http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

[Java Plug-in 1.5.0_11]
InProcServer32 = C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

[mhLabel Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\mhLbl.dll
CODEBASE = http://pcpitstop.com/mhLbl.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

[Java Plug-in 1.5.0_11]
InProcServer32 = C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

[Java Plug-in 1.5.0_11]
InProcServer32 = C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

[{F6ACF75C-C32C-447B-9BEF-46B766368D29}]

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AMD K7 Processor Driver: System32\DRIVERS\amdk7.sys (system)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (autostart)
AVG7 Kernel: \SystemRoot\System32\Drivers\avg7core.sys (system)
AVG7 Wrap Driver: \SystemRoot\System32\Drivers\avg7rsw.sys (system)
AVG7 Rezident Driver: \SystemRoot\System32\Drivers\avg7rsxp.sys (system)
AVG7 Update Service: C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (autostart)
AVG7 Clean Driver: \SystemRoot\System32\Drivers\avgclean.sys (system)
AVG E-mail Scanner: C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe (autostart)
AVG Network Redirector: \SystemRoot\System32\Drivers\avgtdi.sys (autostart)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Closed Caption Decoder: system32\DRIVERS\CCDECODE.sys (manual start)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
.NET Runtime Optimization Service v2.0.50727_X86: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (manual start)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Creative Service for CDROM Access: C:\WINDOWS\system32\CTsvcCDA.exe (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Creative AC3 Software Decoder: System32\drivers\ctac32k.sys (manual start)
Creative Audio Driver (WDM): system32\drivers\ctaud2k.sys (manual start)
Creative DVD-Audio Device Driver: System32\drivers\ctdvda2k.sys (manual start)
Creative SBLive! Gameport: System32\DRIVERS\ctljystk.sys (manual start)
Creative Proxy Driver: System32\drivers\ctprxy2k.sys (manual start)
Creative SoundFont Management Device Driver: System32\drivers\ctsfm2k.sys (manual start)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Diskeeper: "C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe" (autostart)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (manual start)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
E-mu Plug-in Architecture Driver: System32\drivers\emupia2k.sys (manual start)
EPSON Printer Status Agent2: C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Creative Hardware Abstract Layer Driver: system32\drivers\ha10kx2k.sys (manual start)
Creative P16V HAL Driver: System32\drivers\hap16v2k.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" (manual start)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Jukebox3: system32\DRIVERS\ctpdusb.sys (manual start)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
Microsoft MPU-401 MIDI UART Driver: system32\drivers\msmpu401.sys (manual start)
NABTS/FEC VBI Codec: system32\DRIVERS\NABTSFEC.sys (manual start)
Microsoft TV/Video Connection: system32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Creative OS Services Driver: system32\drivers\ctoss2k.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
PfModNT: \??\C:\WINDOWS\system32\drivers\PfModNT.sys (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
TRENDnet TE100 PCBUSR PC Card: system32\DRIVERS\TE100XP.SYS (manual start)
Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver: System32\DRIVERS\RTL8139.SYS (manual start)
SABProcEnum: \??\C:\PROGRA~1\MOZILL~1\SABProcEnum.sys (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SASDIFSV: \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS (system)
SASENUM: \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS (manual start)
SASKUTIL: \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (system)
ProgramCheckerPro: C:\Program Files\Zenturi\ProgramChecker\sassvc.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SiS300i: System32\DRIVERS\sis300ip.sys (manual start)
SiS630: system32\DRIVERS\sis630p.sys (manual start)
Service for SiS7018 Driver (WDM): system32\drivers\sis7018.sys (manual start)
SIS AGP Bus Filter: System32\DRIVERS\sisagp.sys (system)
SiS PCI Fast Ethernet Adapter Driver: System32\DRIVERS\sisnic.sys (manual start)
SiS PCI Fast Ethernet Adapter Driver for NDIS51: system32\DRIVERS\sisnicxp.sys (manual start)
BDA Slip De-Framer: system32\DRIVERS\SLIP.sys (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
Spyware Terminator Driver 2: \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys (system)
Spyware Terminator Realtime Shield Service: C:\Program Files\Spyware Terminator\sp_rsser.exe (autostart)
CAMERA: System32\Drivers\Capt9160.sys (manual start)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
srescan: system32\ZoneLabs\srescan.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Player Recovery Device Control Driver: System32\Drivers\StMp3Rec.sys (manual start)
BDA IPSink: system32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{4B27FCA3-B5B3-4409-8ACE-6B56B5A6CD84} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
tmcomm: \??\C:\WINDOWS\system32\drivers\tmcomm.sys (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
USB Audio Driver (WDM): system32\drivers\usbaudio.sys (manual start)
Microsoft USB Generic Parent Driver: system32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: system32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: System32\DRIVERS\usbohci.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
Motorola USB Modem Driver: system32\DRIVERS\usbser.sys (manual start)
Motorola USB Modem Driver for MPT XP: system32\DRIVERS\usbsermptxp.sys (manual start)
USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: system32\DRIVERS\usbuhci.sys (manual start)
Messenger Sharing Folders USN Journal Reader service: "C:\Program Files\MSN Messenger\usnsvc.exe" (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
vsdatant: System32\vsdatant.sys (system)
TrueVector Internet Monitor: C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service (autostart)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Windows Media Connect Service: C:\Program Files\Windows Media Connect 2\wmccds.exe (manual start)
WMDM PMSP Service: C:\WINDOWS\system32\MsPMSPSv.exe (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (disabled)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
World Standard Teletext Codec: system32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Vimicro USB PC Camera (ZC0301PL): System32\Drivers\usbVM31b.sys (manual start)

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

End of report, 36,453 bytes
Report generated in 0.521 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## bandyandy (Aug 26, 2006)

Uninstall List Follows:

Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.9
Adobe Shockwave Player
AKAI professional VST Collection v1.0
AnimaRO
Antares Autotune DX v4.12
Antares Filter VST DX v1.0
Art Attack
Arturia Moog Modular V v1.1
Atomic Clock Sync
Avanquest update
AVG Free Edition
Bandwidth Monitor 1.0
Creative DMP Drivers
Creative Jukebox Driver
Creative MediaSource
Creative System Information
Creative Zen Touch
Cubase VST 24 v3.70
Disk Cleaner (remove only)
Diskeeper 2007 Home
EPSON Printer Software
FirstClass® Client
GCSE Mathematics
GRM Tools VST v1.0
HijackThis 1.99.1
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB896344)
iZotope Trash DX v1.0.140d
J2SE Runtime Environment 5.0 Update 11
Live 4.0.1
Macrogaming SweetIM 2.0
Macromedia Shockwave Player
MAGIX audio cleaning lab
MediaShow 3.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Office 2000 SR-1 Premium
Motorola Phone Tools
Mozilla Firefox (2.0.0.2)
Mozilla Firefox (2.0.0.3)
MP3 Player Utilities 1.47
Nero Suite
NoClone
Novation Bass-Station VSTi v1.10
Panda ActiveScan
PC Pitstop Optimize 1.5
PhotoNow! 1.0
Power Tab Editor 1.7
PowerDVD
PrintMaster Gold 3.00
ProgramChecker
QuickTime
RealPlayer
Science Explorer
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929969)
sfArk
SFPack
SiS 900 PCI Fast Ethernet Adapter Driver
SiS Audio Driver
SiS630_730 V2.09
Sonic Foundry CD Architect 5.0
SoulSeek Client 156c
Sound Blaster Live!
Spybot - Search & Destroy 1.4
Spyware Terminator
SpywareBlaster v3.5.1
SUPERAntiSpyware Free Edition
SweetIM For Internet Explorer 3.0b
TreeSize 1.7
Ulead Drop Spot 1.0
Ulead Photo Explorer 8.0 SE Basic
Ulead PhotoImpact XL
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB929338)
Update for Windows XP (KB931836)
V3786s Digital Camera Driver
Viewpoint Media Player
Vocal Rack Trial
WaveLab
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Connect
Windows Media Format Runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
WolfgangsVault01
WolfgangsVault02
WolfgangsVault03
WV_Love
WV_NewWave
ZoneAlarm


----------



## Cheeseball81 (Mar 3, 2004)

It appears that the name of the startup entry is compared with the value between the braces ([]) on the first line of the entry. The first entry in the file above does not have any value between the braces. Since the startup entry that you had did not have a name, I believe that this is why it matched the description of the first entry in the file.

Since your entire entry was blank and was not starting system32.exe, I don't think that you have the AGOBOT-KU - WORM!, but that the description was displayed because of the blank name of the entry you have.

I don't really think that you can consider it a "false positive" per se, but rather a limitation, because startup entry descriptions are provided based on the name of the startup entry.

* *Click here* to download *StartDreck*.

Unzip the startdreck.zip file first. DoubleClick: '*StartDreck.exe*' 
First click on the *config* button. 
Now click the *Unmark all* button 
Put a check by these boxes only:

*In the Registry column select "Run keys"
*In the Files column select "Autostart folders"

Hit OK.

Now click the Save button to save that log. Go to the StartDreck folder and find the *Startdreck.log* file.

Copy and paste the contents of that log back here and await further instructions.


----------
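The reply above describes a lookup that matches a startup entry to its description purely by the bracketed name on the first line of each database entry, so an entry with a blank name lands on the database's blank-named entry. The following is an added example, not code from this thread or from any startup-list tool: the database text, its field names and the two lookup functions are constructed here to show that limitation and the obvious tightening (also compare the command's executable). The reply only tells us that the name sits between `[]` on the first line; the rest of the file layout is an assumption.

```python
"""Name-keyed startup description lookup and why a blank name mis-matches.

Added example, not from the thread. STARTUP_DB is a constructed stand-in
for a startup-description file; only the '[name]' first-line convention
comes from the reply above, the other fields are assumed.
"""
import re
from dataclasses import dataclass


# Constructed database: first entry has an empty name, as the reply describes.
STARTUP_DB = """\
[]
command=system32.exe
description=AGOBOT-KU - WORM!
status=X

[AVG7_CC]
command=avgcc.exe
description=AVG Control Center
status=Y
"""


@dataclass
class DbEntry:
    name: str
    command: str
    description: str


def parse_db(text):
    """Split the file into blank-line separated entries; name is on line 1."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = re.fullmatch(r"\[(.*)\]", lines[0].strip())
        if not m:
            continue  # not an entry header; assumed layout only
        fields = dict(line.split("=", 1) for line in lines[1:] if "=" in line)
        entries.append(DbEntry(m.group(1), fields.get("command", ""),
                               fields.get("description", "")))
    return entries


def lookup_by_name(db, name):
    """The behaviour the reply describes: first entry whose name matches.
    A blank startup-entry name therefore matches the blank-named entry."""
    for e in db:
        if e.name.lower() == name.lower():
            return e.description
    return None


def _exe_of(command):
    """Bare executable name from a Run-key command, quotes and arguments dropped."""
    command = command.strip().strip('"')
    if not command:
        return ""
    return command.split("\\")[-1].split()[0].lower()


def lookup_by_name_and_command(db, name, command):
    """Stricter variant (not the tool's behaviour): the description only
    applies when the executable in the command matches too, so an entry
    with an empty name and empty command matches nothing."""
    exe = _exe_of(command)
    for e in db:
        if e.name.lower() == name.lower() and e.command.lower() == exe:
            return e.description
    return None


if __name__ == "__main__":
    db = parse_db(STARTUP_DB)
    print("blank name, by name only  :", lookup_by_name(db, ""))
    print("blank name, name + command:", lookup_by_name_and_command(db, "", ""))
```

Run it and the first line prints the worm description for a blank, command-less entry, exactly the mis-match the reply explains; the second lookup returns `None` because nothing is actually starting `system32.exe`.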



## bandyandy (Aug 26, 2006)

Startdreck Log follows:

StartDreck (build 2.1.7 public stable) - 2007-04-11 @ 11:11:21 (GMT +01:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 2)
Internet Explorer: 6.0.2900.2180
Logged in as Log In at MYRTLE

»Registry
»Run Keys
»Current User
»Run
*Creative Detector="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
*FreeRAM XP="C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
»RunOnce
»Default User
»Run
*CTFMON.EXE=C:\WINDOWS\System32\CTFMON.EXE
*AVG7_Run=C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
»RunOnce
»Local Machine
»Run
*AVG7_CC=C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
*CTHelper=CTHELPER.EXE
*BatchBandwidth=C:\Program Files\Bandwidth\BandMon.exe
*SpywareTerminator="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
*KernelFaultCheck=%systemroot%\system32\dumprep 0 -k
*NeroCheck=C:\WINDOWS\system32\NeroCheck.exe
*Zone Labs Client="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
*SunJavaUpdateSched="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
*SpyHunter=
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\Log In\Start Menu\Programs\Startup\desktop.ini
»Default User
*C:\Documents and Settings\Default User\Start Menu\Programs\StartUp\desktop.ini
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
»System/Drivers
»Application specific


----------
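The StartDreck log above is what the helper reads to spot the leftover `*SpyHunter=` value, a Run entry whose command is empty. As an added example that is not part of the thread or of StartDreck, here is a small parser for the `»Run Keys` section of such a log that flags Run values with an empty command, and separately lists commands given as a bare file name (resolved through the search path rather than a fixed location). The sample input is a constructed excerpt of the log posted above; the section layout (`»` headings, `+` subkeys, `*name=value` lines) is taken from that log and the handling of nesting is an assumption.

```python
"""Flag autorun values with an empty command in a StartDreck 'Run Keys' log.

Added example, not StartDreck code. SAMPLE_LOG is a constructed excerpt of
the log posted in this thread; the nesting rule ('+' opens a subkey whose
'*' values are skipped until the next heading) is assumed from that layout.
"""

SAMPLE_LOG = r"""»Registry
»Run Keys
»Local Machine
»Run
*AVG7_CC=C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
*CTHelper=CTHELPER.EXE
*KernelFaultCheck=%systemroot%\system32\dumprep 0 -k
*Zone Labs Client="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
*SpyHunter=
+OptionalComponents
+MSFS
*Installed=1
»RunOnce
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\Log In\Start Menu\Programs\Startup\desktop.ini
"""

HIVES = ("Current User", "Default User", "Local Machine")


def parse_run_keys(text):
    """Return (hive, key, name, command) for each '*name=value' line that
    sits directly under a Run-style key inside the 'Run Keys' section."""
    hive = key = None
    in_run_keys = False
    in_subkey = False
    results = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("»"):
            label = line[1:]
            in_subkey = False
            if label == "Run Keys":
                in_run_keys, hive, key = True, None, None
            elif label == "Files":
                in_run_keys = False  # autostart folders follow; not registry
            elif label in HIVES:
                hive, key = label, None
            elif in_run_keys:
                key = label  # Run, RunOnce, RunServices, ...
        elif line.startswith("+"):
            in_subkey = True  # e.g. +OptionalComponents: values belong to it
        elif line.startswith("*") and in_run_keys and key and not in_subkey:
            name, _, command = line[1:].partition("=")
            results.append((hive, key, name, command))
    return results


def flag_empty(entries):
    """Run values with no command: inert on their own, but a leftover worth
    deleting, which is what the helper asks for with *SpyHunter= above."""
    return [e for e in entries if not e[3].strip()]


def flag_bare_names(entries):
    """Commands that are just a file name (no path component). These are
    located via the search path at logon, so the file they really start
    should be confirmed; CTHELPER.EXE here is the Creative helper in
    system32 per the process list, so this is a review hint, not a verdict."""
    out = []
    for e in entries:
        cmd = e[3].strip().strip('"')
        if cmd and "\\" not in cmd and "/" not in cmd.split()[0]:
            out.append(e)
    return out


if __name__ == "__main__":
    entries = parse_run_keys(SAMPLE_LOG)
    for hive, key, name, _ in flag_empty(entries):
        print(f"empty command : {hive}\\{key}\\{name}")
    for hive, key, name, cmd in flag_bare_names(entries):
        print(f"bare file name: {hive}\\{key}\\{name} = {cmd}")
```

On the excerpt this prints one empty-command hit (`SpyHunter`) and one bare-name hint (`CTHelper`); the `*Installed=1` value under `+OptionalComponents` and the autostart-folder `desktop.ini` line are correctly left out.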



## Cheeseball81 (Mar 3, 2004)

Run StartDreck again and check the same options as you did before then find this entry:

**SpyHunter=*

Select that entry then click the "Delete" button to delete it.

Rescan with Hijack This and post a new log.


----------



## bandyandy (Aug 26, 2006)

Deleted SpyHunter, HJT Log follows:

Logfile of HijackThis v1.99.1
Scan saved at 22:51:29, on 11/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Bandwidth\BandMon.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [BatchBandwidth] C:\Program Files\Bandwidth\BandMon.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - 
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - 
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/pcpitstop.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - 
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - 
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - 
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FC7A7DE-D4FA-47A2-BAAC-2507077E503E}: NameServer = 84.203.254.34,84.203.255.34
O17 - HKLM\System\CCS\Services\Tcpip\..\{F97CD4AF-2BC6-4C6A-8182-E544357D0C97}: NameServer = 84.203.254.34,84.203.255.34
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: CwWLEvent - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ProgramCheckerPro (sassvc) - Unknown owner - C:\Program Files\Zenturi\ProgramChecker\sassvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
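
An added editorial example, not written by bandyandy or the helpers in this thread: a Python triage pass over the HijackThis v1.99.1 log format posted above, flagging the entry types the helpers act on (entries HJT marks "(file missing)" or "(no file)", O16 ActiveX objects with no source URL, O20 Winlogon Notify targets that are not DLL paths, and O17 NameServer values outside a list you supply). The section regex, the finding categories and the `expected_dns` parameter are my own assumptions; the embedded sample is an excerpt of the log above.

```python
import re
from dataclasses import dataclass

# Excerpt of the HijackThis v1.99.1 log posted above (values copied from the thread, not invented).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)
O2 - BHO: (no name) - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} -
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/pcpitstop.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FC7A7DE-D4FA-47A2-BAAC-2507077E503E}: NameServer = 84.203.254.34,84.203.255.34
O20 - Winlogon Notify: CwWLEvent - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# An HJT entry line is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [...] ..." (assumed layout).
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
# HJT's own markers for a registry entry whose target file is gone.
ORPHAN_MARKERS = ("(file missing)", "(no file)")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(log_text):
    """Return (section, body, line) for each entry line; header and process-list lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2).strip(), line))
    return entries


def triage(log_text, expected_dns=()):
    """List entries worth a second look; it never decides what to delete.

    expected_dns: resolver addresses you know to be legitimate (your ISP's or router's),
    so that only O17 overrides outside that list are reported.
    """
    findings = []
    for section, body, line in parse_entries(log_text):
        low = body.lower()
        if any(marker in low for marker in ORPHAN_MARKERS):
            findings.append(Finding(section, "orphaned entry: target file no longer exists", line))
        elif section == "O16" and body.endswith("-"):
            findings.append(Finding(section, "ActiveX object (DPF) with no source URL", line))
        elif section == "O17":
            m = re.search(r"NameServer = ([\d.,]+)", body)
            servers = m.group(1).split(",") if m else []
            unexpected = [s for s in servers if s not in expected_dns]
            if unexpected:
                findings.append(Finding(section, "DNS override, resolvers not in expected list: " + ", ".join(unexpected), line))
        elif section == "O20":
            # Winlogon Notify DLLs are loaded by winlogon.exe; a target that is a bare
            # directory (as in the CwWLEvent entry above) is not a DLL and deserves a look.
            target = body.rsplit(" - ", 1)[-1]
            if not target.lower().endswith(".dll"):
                findings.append(Finding(section, "Winlogon Notify target is not a DLL path", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

Run it against a full log file by reading the file into `triage()`; entries in the process list and header are ignored, so the whole log can be passed unchanged.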


----------



## Cheeseball81 (Mar 3, 2004)

How are things now?


----------



## bandyandy (Aug 26, 2006)

Ok, checked Spybot startup list - SpyHunter gone. Enabled Tea Timer - still corrupted and SpyHunter is back. Also blank HK_CU Run remains.


----------



## h0MbrE (Apr 6, 2007)

Am I to assume from all of this that Spyhunter is a rogue program and should be removed?
I have it too and if it's bad to have let me know please!


----------



## Cookiegal (Aug 27, 2003)

SpyHunter was listed as a rogue program in the past and was subsequently delisted a couple of years ago but I do not trust it and would remove it.


----------



## Cookiegal (Aug 27, 2003)

bandyandy,

Download *AVG Anti-Spyware* from *HERE* and save that file to your desktop.

When the trial period expires it becomes feature-limited freeware but is still worth keeping as a good on-demand scanner.


Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double click it to launch the set up program.
Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
On the main screen select the icon "*Update*" then select the "*Update now*" link.
Next select the "*Start Update*" button. The update will start and a progress bar will show the updates being installed.

Once the update has completed, select the "*Scanner*" icon at the top of the screen, then select the "*Settings*" tab.
Once in the Settings screen click on "*Recommended actions*" and then select "*Quarantine*".
Under "*Reports*"
Select "*Automatically generate report after every scan*"
Un-Select "*Only if threats were found*"

Close AVG Anti-Spyware. Do Not run a scan just yet, we will run it in safe mode.
Reboot your computer into *Safe Mode*. You can do this by restarting your computer and continually tapping the *F8* key until a menu appears. Use your up arrow key to highlight *Safe Mode* then hit enter.

*IMPORTANT:* Do not open any other windows or programs while AVG Anti-Spyware is scanning as it may interfere with the scanning process:

Launch AVG Anti-Spyware by double clicking the icon on your desktop.
Select the "*Scanner*" icon at the top and then the "*Scan*" tab then click on "*Complete System Scan*".
AVG will now begin the scanning process. Please be patient as this may take a little time.
*Once the scan is complete, do the following:*
If you have any infections you will be prompted. Then select "*Apply all actions.*"
Next select the "*Reports*" icon at the top.
Select the "*Save report as*" button in the lower left-hand corner of the screen and save it to a text file on your system (make sure to remember where you saved that file. This is important).
Close AVG Anti-Spyware and reboot your system back into Normal Mode.


----------



## bandyandy (Aug 26, 2006)

Hi Cookiegal,

Thanks for getting involved in this little nightmare.

AVG AntiSpyware Scan Log Follows:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at:	13:40:23 12/04/2007

+ Scan result:	



Nothing found.


::Report end

Do you think the following is a useful course of action?

Uninstall Spybot.

Delete the two dodgy startup entries.

Run Regclean

Reboot computer

Check startup items are gone.

Reinstall Spybot

Enable Tea Timer.

I am thinking that Tea Timer responds to Registry changes so if it is installed while there is no registry key for the two start up items it has no reason to believe the registry has changed.

Just a thought.


----------



## Cookiegal (Aug 27, 2003)

Please do not do anything else, other than what I instruct you to do.

Download *WinPFind3U.exe* to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

Open the WinPFind3u folder and double-click on *WinPFind3U.exe* to start the program.
In the *Processes* group click *ALL*
In the *Win32 Services* group click *ALL*
In the *Driver Services* group click *ALL*
In the *Registry* group click *ALL*
In the *Files Created Within* group click *30 days*. Make sure Non-Microsoft only is *UNCHECKED*.
In the *Files Modified Within* group select *30 days*. Make sure Non-Microsoft only is *UNCHECKED*.
In the *File String Search* group select *ALL*
In the Additional scans section please press select all.
Now click the *Run Scan* button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that Notepad file.
Copy/Paste the information back here.


----------



## bandyandy (Aug 26, 2006)

"Please do not do anything else, other than what I instruct you to do."

Message received and understood.

WinPFind3U Log follows:

WinPFind3 logfile created on: 12/04/2007 18:03:30
WinPFind3U by OldTimer - Version 1.0.34	Folder = C:\Documents and Settings\Log In\Desktop\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)

495.48 Mb Total Physical Memory | 205.39 Mb Available Physical Memory | 41.45% Memory free
1.13 Gb Paging File | 0.87 Gb Available in Paging File | 77.04% Paging File free
Paging file location(s): C:\pagefile.sys 744 1488;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 28.14 Gb Free Space | 75.51% Space Free
Drive D: | 82.83 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free
E: Drive not present or media not loaded
Drive F: | 298.02 Gb Total Space | 256.62 Gb Free Space | 86.11% Space Free

Computer Name: MYRTLE
Current User Name: Log In
Logged in as Administrator.
Current Boot Mode: Normal

[Processes - All]
smss.exe -> %System32%\smss.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 50688 bytes | Modified Date = 04/08/2004 08:56:56 | Attr = ]
csrss.exe -> %System32%\csrss.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 6144 bytes | Modified Date = 04/08/2004 08:56:48 | Attr = ]
winlogon.exe -> %System32%\winlogon.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 502272 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
services.exe -> %System32%\services.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 108032 bytes | Modified Date = 04/08/2004 08:56:56 | Attr = ]
lsass.exe -> %System32%\lsass.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 13312 bytes | Modified Date = 04/08/2004 08:56:50 | Attr = ]
svchost.exe -> %System32%\svchost.exe [C:\WINDOWS\SYSTEM32\SVCHOST -K DCOMLAUNCH] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
-> %System32%\rpcss.dll [DcomLaunch] -> Microsoft Corporation [Ver = 5.1.2600.2726 (xpsp_sp2_gdr.050725-1528) | Size = 397824 bytes | Modified Date = 26/07/2005 05:39:50 | Attr = ]
-> %System32%\termsrv.dll [TermService] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 295424 bytes | Modified Date = 04/08/2004 08:56:46 | Attr = ]
-> %System32%\termsrv.dll [TermService] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 295424 bytes | Modified Date = 04/08/2004 08:56:46 | Attr = ]
-> %System32%\termsrv.dll [TermService] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 295424 bytes | Modified Date = 04/08/2004 08:56:46 | Attr = ]
-> [Wmi] -> File not found
svchost.exe -> %System32%\svchost.exe [C:\WINDOWS\SYSTEM32\SVCHOST -K RPCSS] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
-> %System32%\rpcss.dll [RpcSs] -> Microsoft Corporation [Ver = 5.1.2600.2726 (xpsp_sp2_gdr.050725-1528) | Size = 397824 bytes | Modified Date = 26/07/2005 05:39:50 | Attr = ]
-> [Wmi] -> File not found
svchost.exe -> %System32%\svchost.exe [C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
-> %System32%\appmgmts.dll [AppMgmt] -> File not found
-> %System32%\audiosrv.dll [AudioSrv] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 42496 bytes | Modified Date = 04/08/2004 08:56:42 | Attr = ]
-> %System32%\qmgr.dll [BITS] -> Microsoft Corporation [Ver = 6.6.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 382464 bytes | Modified Date = 04/08/2004 08:56:44 | Attr = ]
-> %System32%\browser.dll [Browser] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 77312 bytes | Modified Date = 04/08/2004 08:56:42 | Attr = ]
-> %System32%\cryptsvc.dll [CryptSvc] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 60416 bytes | Modified Date = 04/08/2004 08:56:42 | Attr = ]
-> %System32%\dhcpcsvc.dll [Dhcp] -> Microsoft Corporation [Ver = 5.1.2600.2912 (xpsp_sp2_gdr.060519-0003) | Size = 111616 bytes | Modified Date = 19/05/2006 13:59:42 | Attr = ]
-> %System32%\dmserver.dll [dmserver] -> Microsoft Corp. [Ver = 2600.2180.503.0 | Size = 23552 bytes | Modified Date = 04/08/2004 08:56:42 | Attr = ]
-> %System32%\ersvc.dll [ERSvc] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 23040 bytes | Modified Date = 04/08/2004 08:56:42 | Attr = ]
-> %System32%\es.dll [EventSystem] -> Microsoft Corporation [Ver = 2001.12.4414.308 | Size = 243200 bytes | Modified Date = 26/07/2005 05:39:46 | Attr = ]
-> %System32%\shsvcs.dll [FastUserSwitchingCompatibility] -> Microsoft Corporation [Ver = 6.00.2900.3051 (xpsp_sp2_gdr.061219-0316) | Size = 134656 bytes | Modified Date = 19/12/2006 22:52:18 | Attr = ]
-> %WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll [helpsvc] -> File not found
-> %System32%\hidserv.dll [HidServ] -> File not found
-> %System32%\srvsvc.dll [lanmanserver] -> Microsoft Corporation [Ver = 5.1.2600.2577 (xpsp_sp2_gdr.041130-1729) | Size = 96768 bytes | Modified Date = 07/12/2004 20:32:34 | Attr = ]
-> %System32%\wkssvc.dll [lanmanworkstation] -> Microsoft Corporation [Ver = 5.1.2600.2976 (xpsp_sp2_gdr.060817-0106) | Size = 132096 bytes | Modified Date = 17/08/2006 13:28:28 | Attr = ]
-> %System32%\msgsvc.dll [Messenger] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 33792 bytes | Modified Date = 04/08/2004 08:56:44 | Attr = ]
-> %System32%\netman.dll [Netman] -> Microsoft Corporation [Ver = 5.1.2600.2743 (xpsp_sp2_gdr.050819-1525) | Size = 197632 bytes | Modified Date = 22/08/2005 19:29:46 | Attr = ]
-> %System32%\mswsock.dll [Nla] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 245248 bytes | Modified Date = 04/08/2004 08:56:44 | Attr = ]
-> %System32%\ntmssvc.dll [NtmsSvc] -> Microsoft Corporation [Ver = 5.1.2400.2180 | Size = 435200 bytes | Modified Date = 04/08/2004 08:56:44 | Attr = ]
-> %System32%\rasauto.dll [RasAuto] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 89088 bytes | Modified Date = 04/08/2004 08:56:44 | Attr = ]
-> %System32%\rasmans.dll [RasMan] -> Microsoft Corporation [Ver = 5.1.2600.2908 (xpsp_sp2_gdr.060513-0343) | Size = 181248 bytes | Modified Date = 14/05/2006 09:44:08 | Attr = ]
-> %System32%\mprdim.dll [RemoteAccess] -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 49152 bytes | Modified Date = 29/08/2002 13:00:00 | Attr = ]
-> %System32%\schedsvc.dll [Schedule] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 190976 bytes | Modified Date = 04/08/2004 08:56:44 | Attr = ]
-> %System32%\seclogon.dll [seclogon] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 18944 bytes | Modified Date = 04/08/2004 08:56:44 | Attr = ]
-> %System32%\sens.dll [SENS] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 38912 bytes | Modified Date = 04/08/2004 08:56:44 | Attr = ]
-> %System32%\ipnathlp.dll [SharedAccess] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 331264 bytes | Modified Date = 04/08/2004 08:56:42 | Attr = ]
-> %System32%\shsvcs.dll [ShellHWDetection] -> Microsoft Corporation [Ver = 6.00.2900.3051 (xpsp_sp2_gdr.061219-0316) | Size = 134656 bytes | Modified Date = 19/12/2006 22:52:18 | Attr = ]
-> %System32%\srsvc.dll [srservice] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 170496 bytes | Modified Date = 04/08/2004 08:56:46 | Attr = ]
-> %System32%\tapisrv.dll [TapiSrv] -> Microsoft Corporation [Ver = 5.1.2600.2716 (xpsp_sp2_gdr.050707-1657) | Size = 249344 bytes | Modified Date = 08/07/2005 17:27:56 | Attr = ]
-> %System32%\shsvcs.dll [Themes] -> Microsoft Corporation [Ver = 6.00.2900.3051 (xpsp_sp2_gdr.061219-0316) | Size = 134656 bytes | Modified Date = 19/12/2006 22:52:18 | Attr = ]
-> %System32%\trkwks.dll [TrkWks] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 90624 bytes | Modified Date = 04/08/2004 08:56:46 | Attr = ]
-> %System32%\w32time.dll [W32Time] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 174592 bytes | Modified Date = 04/08/2004 08:56:46 | Attr = ]
-> %System32%\wbem\WMIsvc.dll [winmgmt] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 144896 bytes | Modified Date = 04/08/2004 08:56:46 | Attr = ]
-> %System32%\MsPMSNSv.dll [WmdmPmSN] -> Microsoft Corporation [Ver = 10.0.3790.3802 | Size = 25088 bytes | Modified Date = 28/01/2005 13:44:28 | Attr = ]
-> %System32%\wscsvc.dll [wscsvc] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 81408 bytes | Modified Date = 04/08/2004 08:56:46 | Attr = ]
-> %System32%\wuauserv.dll [wuauserv] -> Microsoft Corporation [Ver = 5.4.3790.2180 (xpsp_sp2_rtm.040803-2158) | Size = 6656 bytes | Modified Date = 04/08/2004 08:56:46 | Attr = ]
-> %System32%\wzcsvc.dll [WZCSVC] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 359936 bytes | Modified Date = 04/08/2004 08:56:46 | Attr = ]
-> %System32%\xmlprov.dll [xmlprov] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 129536 bytes | Modified Date = 04/08/2004 08:56:46 | Attr = ]
-> [Wmi] -> File not found
svchost.exe -> %System32%\svchost.exe [C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K LOCALSERVICE] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
-> %System32%\alrsvc.dll [Alerter] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 17408 bytes | Modified Date = 04/08/2004 08:56:42 | Attr = ]
-> %System32%\lmhsvc.dll [LmHosts] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 13824 bytes | Modified Date = 04/08/2004 08:56:42 | Attr = ]
-> %System32%\ssdpsrv.dll [SSDPSRV] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 71680 bytes | Modified Date = 04/08/2004 08:56:46 | Attr = ]
-> %System32%\upnphost.dll [upnphost] -> Microsoft Corporation [Ver = 5.1.2600.3077 (xpsp_sp2_gdr.070204-2255) | Size = 185344 bytes | Modified Date = 05/02/2007 21:17:02 | Attr = ]
-> %System32%\webclnt.dll [WebClient] -> Microsoft Corporation [Ver = 5.1.2600.2821 (xpsp_sp2_gdr.060103-1536) | Size = 68096 bytes | Modified Date = 04/01/2006 04:35:06 | Attr = ]
-> [Wmi] -> File not found
spoolsv.exe -> %System32%\spoolsv.exe -> Microsoft Corporation [Ver = 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519) | Size = 57856 bytes | Modified Date = 11/06/2005 00:53:32 | Attr = ]
explorer.exe -> %SystemRoot%\explorer.exe -> Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 1032192 bytes | Modified Date = 04/08/2004 08:56:50 | Attr = ]
guard.exe -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 47 | Size = 204800 bytes | Modified Date = 28/09/2006 15:13:20 | Attr = ]
avgamsvr.exe -> %ProgramFiles%\Grisoft\AVG Free\avgamsvr.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.445 | Size = 353792 bytes | Modified Date = 25/02/2007 11:22:50 | Attr = ]
avgupsvc.exe -> %ProgramFiles%\Grisoft\AVG Free\avgupsvc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.420 | Size = 49664 bytes | Modified Date = 17/11/2006 13:25:18 | Attr = ]
avgcc.exe -> %ProgramFiles%\Grisoft\AVG Free\avgcc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.438 | Size = 411648 bytes | Modified Date = 11/02/2007 10:36:04 | Attr = ]
avgemc.exe -> %ProgramFiles%\Grisoft\AVG Free\avgemc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.442 | Size = 324096 bytes | Modified Date = 25/02/2007 11:22:58 | Attr = ]
cthelper.exe -> %System32%\CTHELPER.EXE -> Creative Technology Ltd [Ver = 1, 1, 0, 2 | Size = 28672 bytes | Modified Date = 09/06/2003 03:07:00 | Attr = ]
bandmon.exe -> %ProgramFiles%\Bandwidth\BandMon.exe -> Batch Software [Ver = 1.00.0010 | Size = 237568 bytes | Modified Date = 07/05/2003 20:05:46 | Attr = ]
ctsvccda.exe -> %System32%\CTSVCCDA.EXE -> Creative Technology Ltd [Ver = 1.0.1.0 | Size = 44032 bytes | Modified Date = 13/12/1999 02:01:00 | Attr = ]
spywareterminatorshield.exe -> %ProgramFiles%\Spyware Terminator\SpywareTerminatorShield.exe -> Crawler.com [Ver = 1.8.2.458


----------



## bandyandy (Aug 26, 2006)

Part 2:

| Size = 2903040 bytes | Modified Date = 20/02/2007 12:00:28 | Attr = ]
dkservice.exe -> %ProgramFiles%\Diskeeper Corporation\Diskeeper\DkService.exe -> Diskeeper Corporation [Ver = 11.0.701.0 | Size = 925696 bytes | Modified Date = 23/02/2007 13:40:02 | Attr = ]
zlclient.exe -> %ProgramFiles%\Zone Labs\ZoneAlarm\zlclient.exe -> Zone Labs, LLC [Ver = 6.5.737.000 | Size = 968696 bytes | Modified Date = 23/08/2006 23:38:28 | Attr = ]
ctdetect.exe -> %ProgramFiles%\Creative\MediaSource\Detector\CTDetect.exe -> Creative Technology Ltd [Ver = 3.0.2.0 | Size = 102400 bytes | Modified Date = 02/12/2004 18:23:34 | Attr = ]
freeram xp pro.exe -> %ProgramFiles%\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe -> YourWare Solutions (TM) [Ver = 1.5.1.0 | Size = 1591808 bytes | Modified Date = 23/03/2006 00:13:46 | Attr = R ]
sagent2.exe -> %CommonProgramFiles%\EPSON\EBAPI\SAgent2.exe -> SEIKO EPSON CORPORATION [Ver = 2, 3, 0, 0 | Size = 94208 bytes | Modified Date = 17/07/2002 02:03:00 | Attr = ]
sp_rsser.exe -> %ProgramFiles%\Spyware Terminator\sp_rsser.exe -> Crawler.com [Ver = 1.8.2.121 | Size = 902144 bytes | Modified Date = 20/02/2007 12:00:56 | Attr = ]
svchost.exe -> %System32%\svchost.exe [C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K IMGSVC] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
-> %System32%\wiaservc.dll [stisvc] -> Microsoft Corporation [Ver = 5.1.2600.3051 (xpsp_sp2_gdr.061219-0316) | Size = 333824 bytes | Modified Date = 19/12/2006 19:16:48 | Attr = ]
-> [Wmi] -> File not found
wdfmgr.exe -> %System32%\wdfmgr.exe -> Microsoft Corporation [Ver = 5.2.3790.1230 built by: dnsrv(bld4act) | Size = 38912 bytes | Modified Date = 28/01/2005 13:44:28 | Attr = ]
vsmon.exe -> %System32%\ZoneLabs\vsmon.exe -> Zone Labs, LLC [Ver = 6.5.737.000 | Size = 75768 bytes | Modified Date = 23/08/2006 23:38:26 | Attr = ]
mspmspsv.exe -> %System32%\MsPMSPSv.exe -> Microsoft Corporation [Ver = 7.00.00.1954 | Size = 53520 bytes | Modified Date = 26/06/2000 07:44:20 | Attr = ]
alg.exe -> %System32%\alg.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 44544 bytes | Modified Date = 04/08/2004 08:56:48 | Attr = ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.34.0 | Size = 318976 bytes | Modified Date = 10/04/2007 22:00:18 | Attr = ]

[Win32 Services - All]
(Alerter) Alerter [Win32_Shared | Auto | Running] -> %System32%\svchost.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(ALG) Application Layer Gateway Service [Win32_Own | On_Demand | Running] -> %System32%\alg.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 44544 bytes | Modified Date = 04/08/2004 08:56:48 | Attr = ]
(AppMgmt) Application Management [Win32_Shared | On_Demand | Stopped] -> %System32%\svchost.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(aspnet_state) ASP.NET State Service [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -> Microsoft Corporation [Ver = 2.0.50727.42 (RTM.050727-4200) | Size = 29896 bytes | Modified Date = 23/09/2005 07:28:32 | Attr = ]
(AudioSrv) Windows Audio [Win32_Shared | Auto | Running] -> %System32%\svchost.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 47 | Size = 204800 bytes | Modified Date = 28/09/2006 15:13:20 | Attr = ]
(Avg7Alrt) AVG7 Alert Manager Server [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Free\avgamsvr.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.445 | Size = 353792 bytes | Modified Date = 25/02/2007 11:22:50 | Attr = ]
(Avg7UpdSvc) AVG7 Update Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Free\avgupsvc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.420 | Size = 49664 bytes | Modified Date = 17/11/2006 13:25:18 | Attr = ]
(AVGEMS) AVG E-mail Scanner [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Free\avgemc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.442 | Size = 324096 bytes | Modified Date = 25/02/2007 11:22:58 | Attr = ]
(BITS) Background Intelligent Transfer Service [Win32_Shared | On_Demand | Stopped] -> %System32%\svchost.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(Browser) Computer Browser [Win32_Shared | Auto | Running] -> %System32%\svchost.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(CiSvc) Indexing Service [Win32_Shared | On_Demand | Stopped] -> %System32%\cisvc.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 5632 bytes | Modified Date = 04/08/2004 08:56:48 | Attr = ]
(ClipSrv) ClipBook [Win32_Own | Disabled | Stopped] -> %System32%\clipsrv.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 33280 bytes | Modified Date = 04/08/2004 08:56:48 | Attr = ]
(clr_optimization_v2.0.50727_32) .NET Runtime Optimization Service v2.0.50727_X86 [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -> Microsoft Corporation [Ver = 2.0.50727.42 (RTM.050727-4200) | Size = 66240 bytes | Modified Date = 23/09/2005 07:28:56 | Attr = ]
(COMSysApp) COM+ System Application [Win32_Own | On_Demand | Stopped] -> %System32%\dllhost.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 5120 bytes | Modified Date = 04/08/2004 08:56:48 | Attr = ]
(Creative Service for CDROM Access) Creative Service for CDROM Access [Win32_Own | Auto | Running] -> %System32%\CTSVCCDA.EXE -> Creative Technology Ltd [Ver = 1.0.1.0 | Size = 44032 bytes | Modified Date = 13/12/1999 02:01:00 | Attr = ]
(CryptSvc) Cryptographic Services [Win32_Shared | Auto | Running] -> %System32%\svchost.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(DcomLaunch) DCOM Server Process Launcher [Win32_Shared | Auto | Running] -> %System32%\svchost.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(Dhcp) DHCP Client [Win32_Shared | Auto | Running] -> %System32%\svchost.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(Diskeeper) Diskeeper [Win32_Own | Auto | Running] -> %ProgramFiles%\Diskeeper Corporation\Diskeeper\DkService.exe -> Diskeeper Corporation [Ver = 11.0.701.0 | Size = 925696 bytes | Modified Date = 23/02/2007 13:40:02 | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 04/08/2004 08:56:48 | Attr = ]
(dmserver) Logical Disk Manager [Win32_Shared | On_Demand | Stopped] -> %System32%\svchost.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(Dnscache) DNS Client [Win32_Shared | On_Demand | Stopped] -> %System32%\svchost.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(EPSONStatusAgent2) EPSON Printer Status Agent2 [Win32_Own | Auto | Running] -> %CommonProgramFiles%\EPSON\EBAPI\SAgent2.exe -> SEIKO EPSON CORPORATION [Ver = 2, 3, 0, 0 | Size = 94208 bytes | Modified Date = 17/07/2002 02:03:00 | Attr = ]
(ERSvc) Error Reporting Service [Win32_Shared | Auto | Running] -> %System32%\svchost.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(Eventlog) Event Log [Win32_Shared | Auto | Running] -> %System32%\services.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 108032 bytes | Modified Date = 04/08/2004 08:56:56 | Attr = ]
(EventSystem) COM+ Event System [Win32_Shared | On_Demand | Running] -> %System32%\svchost.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(FastUserSwitchingCompatibility) Fast User Switching Compatibility [Win32_Shared | On_Demand | Running] -> %System32%\svchost.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(helpsvc) Help and Support [Win32_Shared | Auto | Running] -> %System32%\svchost.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(HidServ) Human Interface Device Access [Win32_Shared | Disabled | Stopped] -> %System32%\svchost.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(HTTPFilter) HTTP SSL [Win32_Shared | On_Demand | Stopped] -> %System32%\svchost.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\11\Intel 32\IDriverT.exe -> Macrovision Corporation [Ver = 11.00.28844 | Size = 69632 bytes | Modified Date = 04/04/2005 00:41:10 | Attr = ]
(ImapiService) IMAPI CD-Burning COM Service [Win32_Own | On_Demand | Stopped] -> %System32%\imapi.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 150016 bytes | Modified Date = 04/08/2004 08:56:50 | Attr = ]
(lanmanserver) Server [Win32_Shared | Auto | Running] -> %System32%\svchost.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(lanmanworkstation) Workstation [Win32_Shared | Auto | Running] -> %System32%\svchost.exe -> Microsoft Corporation [Ver =

5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(LmHosts) TCP/IP NetBIOS Helper [Win32_Shared | Auto | Running] -> %System32%\svchost.exe -> Microsoft Corporation [Ver =

5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(Messenger) Messenger [Win32_Shared | Disabled | Stopped] -> %System32%\svchost.exe -> Microsoft Corporation [Ver =

5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(mnmsrvc) NetMeeting Remote Desktop Sharing [Win32_Own | On_Demand | Stopped] -> %System32%\mnmsrvc.exe -> Microsoft

Corporation [Ver = 5.1.2600.2180 | Size = 32768 bytes | Modified Date = 04/08/2004 08:56:52 | Attr = ]
(MSDTC) Distributed Transaction Coordinator [Win32_Own | On_Demand | Stopped] -> %System32%\msdtc.exe -> Microsoft

Corporation [Ver = 2001.12.4414.258 | Size = 6144 bytes | Modified Date = 04/08/2004 08:56:54 | Attr = ]
(MSIServer) Windows Installer [Win32_Shared | On_Demand | Stopped] -> %System32%\msiexec.exe -> Microsoft Corporation [Ver =

3.1.4000.1823 | Size = 78848 bytes | Modified Date = 04/05/2005 14:45:36 | Attr = ]
(NetDDE) Network DDE [Win32_Shared | Disabled | Stopped] -> %System32%\netdde.exe -> Microsoft Corporation [Ver =

5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 111104 bytes | Modified Date = 04/08/2004 08:56:54 | Attr = ]
(NetDDEdsdm) Network DDE DSDM [Win32_Shared | Disabled | Stopped] -> %System32%\netdde.exe -> Microsoft Corporation [Ver =

5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 111104 bytes | Modified Date = 04/08/2004 08:56:54 | Attr = ]
(Netlogon) Net Logon [Win32_Shared | On_Demand | Stopped] -> %System32%\lsass.exe -> Microsoft Corporation [Ver =

5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 13312 bytes | Modified Date = 04/08/2004 08:56:50 | Attr = ]
(Netman) Network Connections [Win32_Shared | On_Demand | Running] -> %System32%\svchost.exe -> Microsoft Corporation [Ver =

5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(Nla) Network Location Awareness (NLA) [Win32_Shared | On_Demand | Running] -> %System32%\svchost.exe -> Microsoft

Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr

= ]
(NtLmSsp) NT LM Security Support Provider [Win32_Shared | On_Demand | Stopped] -> %System32%\lsass.exe -> Microsoft

Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 13312 bytes | Modified Date = 04/08/2004 08:56:50 | Attr

= ]
(NtmsSvc) Removable Storage [Win32_Shared | On_Demand | Stopped] -> %System32%\svchost.exe -> Microsoft Corporation [Ver =

5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(PlugPlay) Plug and Play [Win32_Shared | Auto | Running] -> %System32%\services.exe -> Microsoft Corporation [Ver =

5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 108032 bytes | Modified Date = 04/08/2004 08:56:56 | Attr = ]
(PolicyAgent) IPSEC Services [Win32_Shared | Auto | Running] -> %System32%\lsass.exe -> Microsoft Corporation [Ver =

5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 13312 bytes | Modified Date = 04/08/2004 08:56:50 | Attr = ]
(ProtectedStorage) Protected Storage [Win32_Shared | Auto | Running] -> %System32%\lsass.exe -> Microsoft Corporation [Ver =

5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 13312 bytes | Modified Date = 04/08/2004 08:56:50 | Attr = ]
(RasAuto) Remote Access Auto Connection Manager [Win32_Shared | On_Demand | Stopped] -> %System32%\svchost.exe -> Microsoft


----------



## bandyandy (Aug 26, 2006)

Part 3:

Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(RasMan) Remote Access Connection Manager [Win32_Shared | On_Demand | Running] -> %System32%\svchost.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(RDSessMgr) Remote Desktop Help Session Manager [Win32_Own | On_Demand | Stopped] -> %System32%\sessmgr.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 140800 bytes | Modified Date = 04/08/2004 08:56:56 | Attr = ]
(RemoteAccess) Routing and Remote Access [Win32_Shared | Disabled | Stopped] -> %System32%\svchost.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(RpcLocator) Remote Procedure Call (RPC) Locator [Win32_Own | On_Demand | Stopped] -> %System32%\locator.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 75264 bytes | Modified Date = 04/08/2004 08:56:50 | Attr = ]
(RpcSs) Remote Procedure Call (RPC) [Win32_Shared | Auto | Running] -> %System32%\svchost.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(RSVP) QoS RSVP [Win32_Own | On_Demand | Stopped] -> %System32%\rsvp.exe -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 132608 bytes | Modified Date = 29/08/2002 13:00:00 | Attr = ]
(SamSs) Security Accounts Manager [Win32_Shared | Auto | Running] -> %System32%\lsass.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 13312 bytes | Modified Date = 04/08/2004 08:56:50 | Attr = ]
(sassvc) ProgramCheckerPro [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Zenturi\ProgramChecker\sassvc.exe -> [Ver = | Size = 122880 bytes | Modified Date = 15/02/2006 16:17:12 | Attr = ]
(SCardSvr) Smart Card [Win32_Shared | On_Demand | Stopped] -> %System32%\scardsvr.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 95744 bytes | Modified Date = 04/08/2004 08:56:56 | Attr = ]
(Schedule) Task Scheduler [Win32_Shared | Auto | Running] -> %System32%\svchost.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(seclogon) Secondary Logon [Win32_Shared | Auto | Running] -> %System32%\svchost.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(SENS) System Event Notification [Win32_Shared | Auto | Running] -> %System32%\svchost.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(SharedAccess) Windows Firewall/Internet Connection Sharing (ICS) [Win32_Shared | Auto | Running] -> %System32%\svchost.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(ShellHWDetection) Shell Hardware Detection [Win32_Shared | Auto | Running] -> %System32%\svchost.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(Spooler) Print Spooler [Win32_Own | Auto | Running] -> %System32%\spoolsv.exe -> Microsoft Corporation [Ver = 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519) | Size = 57856 bytes | Modified Date = 11/06/2005 00:53:32 | Attr = ]
(sp_rssrv) Spyware Terminator Realtime Shield Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Spyware Terminator\sp_rsser.exe -> Crawler.com [Ver = 1.8.2.121 | Size = 902144 bytes | Modified Date = 20/02/2007 12:00:56 | Attr = ]
(srservice) System Restore Service [Win32_Shared | Auto | Running] -> %System32%\svchost.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(SSDPSRV) SSDP Discovery Service [Win32_Shared | On_Demand | Running] -> %System32%\svchost.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(stisvc) Windows Image Acquisition (WIA) [Win32_Shared | Auto | Running] -> %System32%\svchost.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(SwPrv) MS Software Shadow Copy Provider [Win32_Own | On_Demand | Stopped] -> %System32%\dllhost.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 5120 bytes | Modified Date = 04/08/2004 08:56:48 | Attr = ]
(SysmonLog) Performance Logs and Alerts [Win32_Own | On_Demand | Stopped] -> %System32%\smlogsvc.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 89600 bytes | Modified Date = 04/08/2004 08:56:56 | Attr = ]
(TapiSrv) Telephony [Win32_Shared | On_Demand | Running] -> %System32%\svchost.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(TermService) Terminal Services [Win32_Shared | On_Demand | Running] -> %System32%\svchost.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(Themes) Themes [Win32_Shared | Auto | Running] -> %System32%\svchost.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(TrkWks) Distributed Link Tracking Client [Win32_Shared | Auto | Running] -> %System32%\svchost.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(UMWdf) Windows User Mode Driver Framework [Win32_Own | Auto | Running] -> %System32%\wdfmgr.exe -> Microsoft Corporation [Ver = 5.2.3790.1230 built by: dnsrv(bld4act) | Size = 38912 bytes | Modified Date = 28/01/2005 13:44:28 | Attr = ]
(upnphost) Universal Plug and Play Device Host [Win32_Shared | On_Demand | Stopped] -> %System32%\svchost.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(UPS) Uninterruptible Power Supply [Win32_Own | On_Demand | Stopped] -> %System32%\ups.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 18432 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(usnjsvc) Messenger Sharing Folders USN Journal Reader service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\MSN Messenger\usnsvc.exe -> Microsoft Corporation [Ver = 8.1.0178.00 | Size = 97136 bytes | Modified Date = 19/01/2007 13:54:14 | Attr = ]
(vsmon) TrueVector Internet Monitor [Win32_Own | Auto | Running] -> %System32%\ZoneLabs\vsmon.exe -> Zone Labs, LLC [Ver = 6.5.737.000 | Size = 75768 bytes | Modified Date = 23/08/2006 23:38:26 | Attr = ]
(VSS) Volume Shadow Copy [Win32_Own | On_Demand | Stopped] -> %System32%\vssvc.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 289792 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(W32Time) Windows Time [Win32_Shared | Auto | Running] -> %System32%\svchost.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(WebClient) WebClient [Win32_Shared | Auto | Running] -> %System32%\svchost.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(winmgmt) Windows Management Instrumentation [Win32_Shared | Auto | Running] -> %System32%\svchost.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(WMConnectCDS) Windows Media Connect Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Windows Media Connect 2\wmccds.exe -> Microsoft Corporation [Ver = 5.1.2600.2771 (xpsp(wmbla).051006-1809) | Size = 855552 bytes | Modified Date = 06/10/2005 18:12:30 | Attr = ]
(WMDM PMSP Service) WMDM PMSP Service [Win32_Own | Auto | Running] -> %System32%\MsPMSPSv.exe -> Microsoft Corporation [Ver = 7.00.00.1954 | Size = 53520 bytes | Modified Date = 26/06/2000 07:44:20 | Attr = ]
(WmdmPmSN) Portable Media Serial Number Service [Win32_Shared | On_Demand | Stopped] -> %System32%\svchost.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(WmiApSrv) WMI Performance Adapter [Win32_Own | On_Demand | Stopped] -> %System32%\wbem\wmiapsrv.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 126464 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(wscsvc) Security Center [Win32_Shared | Auto | Running] -> %System32%\svchost.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(wuauserv) Automatic Updates [Win32_Shared | Auto | Running] -> %System32%\svchost.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(WZCSVC) Wireless Zero Configuration [Win32_Shared | Auto | Running] -> %System32%\svchost.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
(xmlprov) Network Provisioning Service [Win32_Shared | On_Demand | Stopped] -> %System32%\svchost.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]

[Driver Services - All]
(Abiosdsk) Abiosdsk [Kernel | Disabled | Stopped] -> -> File not found
(abp480n5) abp480n5 [Kernel | Disabled | Stopped] -> -> File not found
(ACPI) Microsoft ACPI Driver [Kernel | Boot | Running] -> %System32%\drivers\acpi.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 187776 bytes | Modified Date = 04/08/2004 07:07:38 | Attr = ]
(ACPIEC) ACPIEC [Kernel | Disabled | Stopped] -> %System32%\drivers\acpiec.sys -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 11648 bytes | Modified Date = 29/08/2002 13:00:00 | Attr = ]
(adpu160m) adpu160m [Kernel | Disabled | Stopped] -> -> File not found
(aec) Microsoft Kernel Acoustic Echo Canceller [Kernel | On_Demand | Stopped] -> %System32%\drivers\aec.sys -> Microsoft Corporation [Ver = 5.1.2601.2180 | Size = 142464 bytes | Modified Date = 15/02/2006 01:22:26 | Attr = ]
(AFD) AFD Networking Support Environment [Kernel | System | Running] -> %System32%\drivers\afd.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 138496 bytes | Modified Date = 04/08/2004 07:14:14 | Attr = ]
(Aha154x) Aha154x [Kernel | Disabled | Stopped] -> -> File not found
(aic78u2) aic78u2 [Kernel | Disabled | Stopped] -> -> File not found
(aic78xx) aic78xx [Kernel | Disabled | Stopped] -> -> File not found
(AliIde) AliIde [Kernel | Disabled | Stopped] -> -> File not found
(AmdK7) AMD K7 Processor Driver [Kernel | System | Running] -> %System32%\drivers\amdk7.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 37376 bytes | Modified Date = 04/08/2004 06:59:20 | Attr = ]
(amsint) amsint [Kernel | Disabled | Stopped] -> -> File not found
(asc) asc [Kernel | Disabled | Stopped] -> -> File not found
(asc3350p) asc3350p [Kernel | Disabled | Stopped] -> -> File not found
(asc3550) asc3550 [Kernel | Disabled | Stopped] -> -> File not found
(AsyncMac) RAS Asynchronous Media Driver [Kernel | On_Demand | Stopped] -> %System32%\drivers\asyncmac.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 04/08/2004 07:05:04 | Attr = ]
(atapi) Standard IDE/ESDI Hard Disk Controller [Kernel | Boot | Running] -> %System32%\drivers\atapi.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 95360 bytes | Modified Date = 04/08/2004 06:59:42 | Attr = ]
(Atdisk) Atdisk [Kernel | Disabled | Stopped] -> -> File not found
(Atmarpc) ATM ARP Client Protocol [Kernel | On_Demand | Stopped] -> %System32%\drivers\atmarpc.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 59904 bytes | Modified Date = 04/08/2004 06:58:30 | Attr = ]
(audstub) Audio Stub Driver [Kernel | On_Demand | Running] -> %System32%\drivers\audstub.sys -> Microsoft Corporation


----------



## bandyandy (Aug 26, 2006)

Part 4:

[Ver = 5.1.2600.0 (XPClient.010817-1148) | Size = 3072 bytes | Modified Date = 17/08/2001 14:59:44 | Attr = ]
(Av360cn) Av360cn [Kernel | Auto | Running] -> %System32%\drivers\av360cn.sys -> [Ver = | Size = 60448 bytes | Modified Date = 09/07/1997 09:53:10 | Attr = ]
(Av363cn) Av363cn [Kernel | Auto | Running] -> %System32%\drivers\av363cn.sys -> [Ver = | Size = 74944 bytes | Modified Date = 18/07/1997 17:04:46 | Attr = ]
(Av363cnb) Av363cnb [Kernel | Auto | Running] -> %System32%\drivers\av363cnb.sys -> [Ver = | Size = 74912 bytes | Modified Date = 25/08/1997 17:59:20 | Attr = ]
(AVG Anti-Spyware Driver) AVG Anti-Spyware Driver [Kernel | System | Running] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.sys -> [Ver = | Size = 4096 bytes | Modified Date = 28/09/2006 15:13:34 | Attr = ]
(Avg7Core) AVG7 Kernel [Kernel | System | Running] -> %System32%\drivers\avg7core.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.444 | Size = 775680 bytes | Modified Date = 25/02/2007 11:22:36 | Attr = ]
(Avg7RsW) AVG7 Wrap Driver [Kernel | System | Running] -> %System32%\drivers\avg7rsw.sys -> GRISOFT, s.r.o. [Ver = 7,0,0,340 | Size = 4224 bytes | Modified Date = 17/11/2006 13:25:20 | Attr = ]
(Avg7RsXP) AVG7 Rezident Driver [Kernel | System | Running] -> %System32%\drivers\avg7rsxp.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.442 | Size = 27776 bytes | Modified Date = 25/02/2007 11:22:40 | Attr = ]
(AvgAsCln) AVG Anti-Spyware Clean Driver [Kernel | System | Running] -> %System32%\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Modified Date = 05/09/2006 17:03:16 | Attr = ]
(AvgClean) AVG7 Clean Driver [Kernel | System | Running] -> %System32%\drivers\avgclean.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Modified Date = 17/11/2006 13:25:18 | Attr = ]
(AvgTdi) AVG Network Redirector [Kernel | Auto | Running] -> %System32%\drivers\avgtdi.sys -> GRISOFT, s.r.o. [Ver = 7,0,0,346 | Size = 4960 bytes | Modified Date = 17/11/2006 13:25:18 | Attr = ]
(Beep) Beep [Kernel | System | Running] -> %System32%\drivers\beep.sys -> Microsoft Corporation [Ver = 5.1.2600.0 (XPClient.010817-1148) | Size = 4224 bytes | Modified Date = 29/08/2002 13:00:00 | Attr = ]
(cbidf2k) cbidf2k [Kernel | Disabled | Stopped] -> %System32%\drivers\cbidf2k.sys -> Microsoft Corporation [Ver = 5.1.2600.0 (XPClient.010817-1148) | Size = 13952 bytes | Modified Date = 29/08/2002 13:00:00 | Attr = ]
(CCDECODE) Closed Caption Decoder [Kernel | On_Demand | Stopped] -> %System32%\drivers\CCDECODE.sys -> Microsoft Corporation [Ver = 5.3.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 17024 bytes | Modified Date = 04/08/2004 08:10:16 | Attr = ]
(cd20xrnt) cd20xrnt [Kernel | Disabled | Stopped] -> -> File not found
(Cdaudio) Cdaudio [Kernel | System | Stopped] -> %System32%\drivers\cdaudio.sys -> Microsoft Corporation [Ver = 5.1.2600.0 (XPClient.010817-1148) | Size = 18688 bytes | Modified Date = 29/08/2002 13:00:00 | Attr = ]
(Cdfs) Cdfs [File_System | Disabled | Running] -> %System32%\drivers\cdfs.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 63744 bytes | Modified Date = 04/08/2004 07:14:10 | Attr = ]
(Cdrom) CD-ROM Driver [Kernel | System | Running] -> %System32%\drivers\cdrom.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 49536 bytes | Modified Date = 04/08/2004 06:59:52 | Attr = ]
(Changer) Changer [Kernel | System | Stopped] -> -> File not found
(CmdIde) CmdIde [Kernel | Disabled | Stopped] -> -> File not found
(Cpqarray) Cpqarray [Kernel | Disabled | Stopped] -> -> File not found
(ctac32k) Creative AC3 Software Decoder [Kernel | On_Demand | Running] -> %System32%\drivers\CTAC32K.SYS -> Creative Technology Ltd [Ver = 5.12.01.0285-1.42.0020 | Size = 186068 bytes | Modified Date = 09/06/2003 02:42:58 | Attr = ]
(ctaud2k) Creative Audio Driver (WDM) [Kernel | On_Demand | Running] -> %System32%\drivers\ctaud2k.sys -> Creative Technology Ltd [Ver = 5.12.01.0290-1.42.0070 | Size = 494384 bytes | Modified Date = 09/06/2003 02:44:22 | Attr = ]
(ctdvda2k) Creative DVD-Audio Device Driver [Kernel | On_Demand | Stopped] -> System32\drivers\ctdvda2k.sys -> File not found
(ctljystk) Creative SBLive! Gameport [Kernel | On_Demand | Stopped] -> %System32%\drivers\ctljystk.sys -> Creative Technology Ltd. [Ver = 5.1.2501.0 built by: WinDDK | Size = 3712 bytes | Modified Date = 17/08/2001 13:19:20 | Attr = ]
(ctprxy2k) Creative Proxy Driver [Kernel | On_Demand | Running] -> %System32%\drivers\CTPRXY2K.SYS -> Creative Technology Ltd [Ver = 5.12.01.0285-1.42.0020 | Size = 6144 bytes | Modified Date = 09/06/2003 02:44:36 | Attr = ]
(ctsfm2k) Creative SoundFont Management Device Driver [Kernel | On_Demand | Running] -> %System32%\drivers\CTSFM2K.SYS -> Creative Technology Ltd [Ver = 5.12.01.0286-1.42.0030 | Size = 136448 bytes | Modified Date = 09/06/2003 02:44:52 | Attr = ]
(Cubase32) Cubase32 [Kernel | Auto | Running] -> %System32%\drivers\Cubase32.sys -> Microsoft Corporation [Ver = 4.00 | Size = 11808 bytes | Modified Date = 14/08/1996 13:07:42 | Attr = ]
(dac960nt) dac960nt [Kernel | Disabled | Stopped] -> -> File not found
(Disk) Disk Driver [Kernel | Boot | Running] -> %System32%\drivers\disk.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 36352 bytes | Modified Date = 04/08/2004 06:59:54 | Attr = ]
(dmboot) dmboot [Kernel | Disabled | Stopped] -> %System32%\drivers\dmboot.sys -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 799744 bytes | Modified Date = 04/08/2004 07:07:18 | Attr = ]
(dmio) dmio [Kernel | Disabled | Stopped] -> %System32%\drivers\dmio.sys -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 153344 bytes | Modified Date = 04/08/2004 07:07:16 | Attr = ]
(dmload) dmload [Kernel | Disabled | Stopped] -> %System32%\drivers\dmload.sys -> Microsoft Corp., Veritas Software. [Ver = 2600.0.503.0 | Size = 5888 bytes | Modified Date = 29/08/2002 13:00:00 | Attr = ]
(DMusic) Microsoft Kernel DLS Syntheiszer [Kernel | On_Demand | Stopped] -> %System32%\drivers\dmusic.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 52864 bytes | Modified Date = 04/08/2004 07:07:38 | Attr = ]
(dpti2o) dpti2o [Kernel | Disabled | Stopped] -> -> File not found
(drmkaud) Microsoft Kernel DRM Audio Descrambler [Kernel | On_Demand | Stopped] -> %System32%\drivers\drmkaud.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 2944 bytes | Modified Date = 04/08/2004 07:07:58 | Attr = ]
(emupia) E-mu Plug-in Architecture Driver [Kernel | On_Demand | Running] -> %System32%\drivers\EMUPIA2K.SYS -> Creative Technology Ltd [Ver = 5.12.01.0286-1.42.0030 | Size = 116416 bytes | Modified Date = 09/06/2003 02:45:04 | Attr = ]
(Fastfat) Fastfat [File_System | Disabled | Running] -> %System32%\drivers\fastfat.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 143360 bytes | Modified Date = 04/08/2004 07:14:16 | Attr = ]
(Fdc) Floppy Disk Controller Driver [Kernel | On_Demand | Running] -> %System32%\drivers\fdc.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 27392 bytes | Modified Date = 04/08/2004 06:59:28 | Attr = ]
(Fips) Fips [Kernel | System | Running] -> %System32%\drivers\fips.sys -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 34944 bytes | Modified Date = 29/08/2002 13:00:00 | Attr = ]
(Flpydisk) Floppy Disk Driver [Kernel | On_Demand | Running] -> %System32%\drivers\flpydisk.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 20480 bytes | Modified Date = 04/08/2004 06:59:28 | Attr = ]
(FltMgr) FltMgr [File_System | Boot | Running] -> %System32%\drivers\fltmgr.sys -> Microsoft Corporation [Ver = 5.1.2600.2978 (xpsp_sp2_gdr.060821-0039) | Size = 128896 bytes | Modified Date = 21/08/2006 10:14:58 | Attr = ]
(Ftdisk) Volume Manager Driver [Kernel | Boot | Running] -> %System32%\drivers\ftdisk.sys -> Microsoft Corporation [Ver = 5.1.2600.0 (XPClient.010817-1148) | Size = 125056 bytes | Modified Date = 29/08/2002 13:00:00 | Attr = ]
(gameenum) Game Port Enumerator [Kernel | On_Demand | Running] -> %System32%\drivers\gameenum.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 10624 bytes | Modified Date = 04/08/2004 07:08:22 | Attr = ]
(Gpc) Generic Packet Classifier [Kernel | On_Demand | Running] -> %System32%\drivers\msgpc.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 35072 bytes | Modified Date = 04/08/2004 07:04:12 | Attr = ]
(ha10kx2k) Creative Hardware Abstract Layer Driver [Kernel | On_Demand | Running] -> %System32%\drivers\ha10kx2k.sys -> Creative Technology Ltd [Ver = 5.12.01.0290-1.42.0070 | Size = 819984 bytes | Modified Date = 09/06/2003 02:42:28 | Attr = ]
(hap16v2k) Creative P16V HAL Driver [Kernel | On_Demand | Stopped] -> %System32%\drivers\HAP16V2K.SYS -> Creative Technology Ltd [Ver = 5.12.01.0285-1.42.0020 | Size = 135696 bytes | Modified Date = 09/06/2003 02:42:44 | Attr = ]
(hidusb) Microsoft HID Class Driver [Kernel | On_Demand | Running] -> %System32%\drivers\hidusb.sys -> Microsoft Corporation [Ver = 5.1.2600.0 (XPClient.010817-1148) | Size = 9600 bytes | Modified Date = 29/08/2002 13:00:00 | Attr = ]
(hpn) hpn [Kernel | Disabled | Stopped] -> -> File not found
(HTTP) HTTP [Kernel | On_Demand | Running] -> %System32%\drivers\http.sys -> Microsoft Corporation [Ver = 5.1.2600.2869 (xpsp_sp2_gdr.060316-1512) | Size = 262784 bytes | Modified Date = 17/03/2006 01:33:10 | Attr = ]
(i2omgmt) i2omgmt [Kernel | System | Stopped] -> -> File not found
(i2omp) i2omp [Kernel | Disabled | Stopped] -> -> File not found
(i8042prt) i8042 Keyboard and PS/2 Mouse Port Driver [Kernel | System | Running] -> %System32%\drivers\i8042prt.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 52736 bytes | Modified Date = 04/08/2004 07:14:36 | Attr = ]
(Imapi) CD-Burning Filter Driver [Kernel | System | Running] -> %System32%\drivers\imapi.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 41856 bytes | Modified Date = 04/08/2004 07:00:16 | Attr = ]
(ini910u) ini910u [Kernel | Disabled | Stopped] -> -> File not found
(IntelIde) IntelIde [Kernel | Disabled | Stopped] -> -> File not found
(ip6fw) IPv6 Windows Firewall Driver [Kernel | On_Demand | Stopped] -> %System32%\drivers\ip6fw.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 29056 bytes | Modified Date = 04/08/2004 07:00:06 | Attr = ]
(IpFilterDriver) IP Traffic Filter Driver [Kernel | On_Demand | Stopped] -> %System32%\drivers\ipfltdrv.sys -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 32896 bytes | Modified Date = 29/08/2002 13:00:00 | Attr = ]
(IpInIp) IP in IP Tunnel Driver [Kernel | On_Demand | Stopped] -> %System32%\drivers\ipinip.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 20992 bytes | Modified Date = 04/08/2004 07:04:46 | Attr = ]
(IpNat) IP Network Address Translator [Kernel | On_Demand | Running] -> %System32%\drivers\ipnat.sys -> Microsoft Corporation [Ver = 5.1.2600.2524 (xpsp_sp2_gdr.040919-1056) | Size = 134912 bytes | Modified Date = 29/09/2004 23:28:38 | Attr = ]
(IPSec) IPSEC driver [Kernel | System | Running] -> %System32%\drivers\ipsec.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 74752 bytes | Modified Date = 04/08/2004 07:14:28 | Attr = ]
(IRENUM) IR Enumerator Service [Kernel | On_Demand | Stopped] -> %System32%\drivers\irenum.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 11264 bytes | Modified Date = 04/08/2004 07:00:46 | Attr = ]
(isapnp) PnP ISA/EISA Bus Driver [Kernel | Boot | Running] -> %System32%\drivers\isapnp.sys -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 35840 bytes | Modified Date = 29/08/2002 13:00:00 | Attr = ]
(Jukebox3) Jukebox3 [Kernel | On_Demand | Stopped] -> %System32%\drivers\ctpdusb.sys -> Creative Technology Ltd. [Ver = 1.30.03.00 | Size = 16000 bytes | Modified Date = 16/05/2005 01:30:00 | Attr = ]
(Kbdclass) Keyboard Class Driver [Kernel | System | Running] -> %System32%\drivers\kbdclass.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 24576 bytes | Modified Date = 04/08/2004 06:58:32 | Attr = ]
(kmixer) Microsoft Kernel Wave Audio Mixer [Kernel | On_Demand | Stopped] -> %System32%\drivers\kmixer.sys -> Microsoft Corporation [Ver = 5.1.2600.2929 (xpsp_sp2_gdr.060613-2359) | Size = 172416 bytes | Modified Date = 14/06/2006 09:47:46 | Attr = ]
(KSecDD) KSecDD [Kernel | Boot | Running] -> %System32%\drivers\ksecdd.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 92032 bytes | Modified Date = 04/08/2004 06:59:48 | Attr = ]
(lbrtfdc) lbrtfdc [Kernel | System | Stopped] -> -> File not found
(mnmdd) mnmdd [Kernel | System | Running] -> %System32%\drivers\mnmdd.sys -> Microsoft Corporation [Ver = 5.1.2600.0 (XPClient.010817-1148) | Size = 4224 bytes | Modified Date = 29/08/2002 13:00:00 | Attr = ]


----------



## bandyandy (Aug 26, 2006)

Part 5:

(Modem) Modem [Kernel | On_Demand | Stopped] -> %System32%\drivers\modem.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 30080 bytes | Modified Date = 04/08/2004 07:08:06 | Attr = ]
(Mouclass) Mouse Class Driver [Kernel | System | Running] -> %System32%\drivers\mouclass.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 23040 bytes | Modified Date = 04/08/2004 06:58:32 | Attr = ]
(mouhid) Mouse HID Driver [Kernel | On_Demand | Running] -> %System32%\drivers\mouhid.sys -> Microsoft Corporation [Ver = 5.1.2600.0 (XPClient.010817-1148) | Size = 12160 bytes | Modified Date = 29/08/2002 13:00:00 | Attr = ]
(MountMgr) Mount Point Manager [Kernel | Boot | Running] -> %System32%\drivers\mountmgr.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 42240 bytes | Modified Date = 04/08/2004 06:58:30 | Attr = ]
(mraid35x) mraid35x [Kernel | Disabled | Stopped] -> -> File not found
(MRxDAV) WebDav Client Redirector [File_System | On_Demand | Running] -> %System32%\drivers\mrxdav.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 181248 bytes | Modified Date = 04/08/2004 07:00:56 | Attr = ]
(MRxSmb) MRxSmb [File_System | System | Running] -> %System32%\drivers\mrxsmb.sys -> Microsoft Corporation [Ver = 5.1.2600.2902 (xpsp_sp2_gdr.060505-0036) | Size = 453120 bytes | Modified Date = 05/05/2006 10:41:46 | Attr = ]
(Msfs) Msfs [File_System | System | Running] -> %System32%\drivers\msfs.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 19072 bytes | Modified Date = 04/08/2004 07:00:42 | Attr = ]
(MSKSSRV) Microsoft Streaming Service Proxy [Kernel | On_Demand | Stopped] -> %System32%\drivers\mskssrv.sys -> Microsoft Corporation [Ver = 5.3.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 7552 bytes | Modified Date = 04/08/2004 06:58:42 | Attr = ]
(MSPCLOCK) Microsoft Streaming Clock Proxy [Kernel | On_Demand | Stopped] -> %System32%\drivers\mspclock.sys -> Microsoft Corporation [Ver = 5.3.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 5376 bytes | Modified Date = 04/08/2004 06:58:38 | Attr = ]
(MSPQM) Microsoft Streaming Quality Manager Proxy [Kernel | On_Demand | Stopped] -> %System32%\drivers\mspqm.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 4992 bytes | Modified Date = 04/08/2004 06:58:40 | Attr = ]
(mssmbios) Microsoft System Management BIOS Driver [Kernel | On_Demand | Running] -> %System32%\drivers\mssmbios.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 15488 bytes | Modified Date = 04/08/2004 07:07:48 | Attr = ]
(MSTEE) Microsoft Streaming Tee/Sink-to-Sink Converter [Kernel | On_Demand | Stopped] -> %System32%\drivers\MSTEE.sys -> Microsoft Corporation [Ver = 5.3.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 5504 bytes | Modified Date = 04/08/2004 07:58:38 | Attr = ]
(ms_mpu401) Microsoft MPU-401 MIDI UART Driver [Kernel | On_Demand | Running] -> %System32%\drivers\msmpu401.sys -> Microsoft Corporation [Ver = 5.1.2600.0 (XPClient.010817-1148) | Size = 2944 bytes | Modified Date = 17/08/2001 15:00:04 | Attr = ]
(Mup) Mup [File_System | Boot | Running] -> %System32%\drivers\mup.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 107904 bytes | Modified Date = 04/08/2004 07:15:20 | Attr = ]
(NABTSFEC) NABTS/FEC VBI Codec [Kernel | On_Demand | Stopped] -> %System32%\drivers\NABTSFEC.sys -> Microsoft Corporation [Ver = 5.3.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 85376 bytes | Modified Date = 04/08/2004 08:10:28 | Attr = ]
(NDIS) NDIS System Driver [Kernel | Boot | Running] -> %System32%\drivers\ndis.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 182912 bytes | Modified Date = 04/08/2004 07:14:28 | Attr = ]
(NdisIP) Microsoft TV/Video Connection [Kernel | On_Demand | Stopped] -> %System32%\drivers\NdisIP.sys -> Microsoft Corporation [Ver = 5.3.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 10880 bytes | Modified Date = 04/08/2004 08:10:12 | Attr = ]
(NdisTapi) Remote Access NDIS TAPI Driver [Kernel | On_Demand | Running] -> %System32%\drivers\ndistapi.sys -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 9600 bytes | Modified Date = 29/08/2002 13:00:00 | Attr = ]
(Ndisuio) NDIS Usermode I/O Protocol [Kernel | On_Demand | Running] -> %System32%\drivers\ndisuio.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 12928 bytes | Modified Date = 04/08/2004 07:03:12 | Attr = ]
(NdisWan) Remote Access NDIS WAN Driver [Kernel | On_Demand | Running] -> %System32%\drivers\ndiswan.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 91776 bytes | Modified Date = 04/08/2004 07:14:32 | Attr = ]
(NDProxy) NDIS Proxy [Kernel | On_Demand | Running] -> %System32%\drivers\ndproxy.sys -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 38016 bytes | Modified Date = 29/08/2002 13:00:00 | Attr = ]
(NetBIOS) NetBIOS Interface [File_System | System | Running] -> %System32%\drivers\netbios.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 34560 bytes | Modified Date = 04/08/2004 07:03:22 | Attr = ]
(NetBT) NetBios over Tcpip [Kernel | System | Running] -> %System32%\drivers\netbt.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 162816 bytes | Modified Date = 04/08/2004 07:14:38 | Attr = ]
(Npfs) Npfs [File_System | System | Running] -> %System32%\drivers\npfs.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 30848 bytes | Modified Date = 04/08/2004 07:00:44 | Attr = ]
(Ntfs) Ntfs [File_System | Disabled | Running] -> %System32%\drivers\ntfs.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 574592 bytes | Modified Date = 04/08/2004 07:15:10 | Attr = ]
(Null) Null [Kernel | System | Running] -> %System32%\drivers\null.sys -> Microsoft Corporation [Ver = 5.1.2600.0 (XPClient.010817-1148) | Size = 2944 bytes | Modified Date = 29/08/2002 13:00:00 | Attr = ]
(NwlnkFlt) IPX Traffic Filter Driver [Kernel | On_Demand | Stopped] -> %System32%\drivers\nwlnkflt.sys -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 12416 bytes | Modified Date = 29/08/2002 13:00:00 | Attr = ]
(NwlnkFwd) IPX Traffic Forwarder Driver [Kernel | On_Demand | Stopped] -> %System32%\drivers\nwlnkfwd.sys -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 32512 bytes | Modified Date = 29/08/2002 13:00:00 | Attr = ]
(ossrv) Creative OS Services Driver [Kernel | On_Demand | Running] -> %System32%\drivers\ctoss2k.sys -> Creative Technology Ltd. [Ver = 5.12.01.0286-1.42.0030 | Size = 113840 bytes | Modified Date = 09/06/2003 02:44:32 | Attr = ]
(Parport) Parallel port driver [Kernel | On_Demand | Running] -> %System32%\drivers\parport.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 80128 bytes | Modified Date = 04/08/2004 06:59:06 | Attr = ]
(PartMgr) Partition Manager [Kernel | Boot | Running] -> %System32%\drivers\partmgr.sys -> Microsoft Corporation [Ver = 5.1.2600.0 (XPClient.010817-1148) | Size = 18688 bytes | Modified Date = 29/08/2002 13:00:00 | Attr = ]
(ParVdm) ParVdm [Kernel | Auto | Running] -> %System32%\drivers\parvdm.sys -> Microsoft Corporation [Ver = 5.1.2600.0 (XPClient.010817-1148) | Size = 6784 bytes | Modified Date = 29/08/2002 13:00:00 | Attr = ]
(PCI) PCI Bus Driver [Kernel | Boot | Running] -> %System32%\drivers\pci.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 68224 bytes | Modified Date = 04/08/2004 07:07:46 | Attr = ]
(PCIDump) PCIDump [Kernel | System | Stopped] -> -> File not found
(PCIIde) PCIIde [Kernel | Boot | Running] -> %System32%\drivers\pciide.sys -> Microsoft Corporation [Ver = 5.1.2600.0 (XPClient.010817-1148) | Size = 3328 bytes | Modified Date = 29/08/2002 13:00:00 | Attr = ]
(Pcmcia) Pcmcia [Kernel | Disabled | Stopped] -> %System32%\drivers\pcmcia.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 119936 bytes | Modified Date = 04/08/2004 07:07:46 | Attr = ]
(PDCOMP) PDCOMP [Kernel | On_Demand | Stopped] -> -> File not found
(PDFRAME) PDFRAME [Kernel | On_Demand | Stopped] -> -> File not found
(PDRELI) PDRELI [Kernel | On_Demand | Stopped] -> -> File not found
(PDRFRAME) PDRFRAME [Kernel | On_Demand | Stopped] -> -> File not found
(perc2) perc2 [Kernel | Disabled | Stopped] -> -> File not found
(perc2hib) perc2hib [Kernel | Disabled | Stopped] -> -> File not found
(PfModNT) PfModNT [Kernel | Auto | Running] -> %System32%\drivers\PFModNT.sys -> Creative Technology Ltd. [Ver = 3.0.0.4 | Size = 71596 bytes | Modified Date = 03/06/2004 12:10:00 | Attr = ]
(PptpMiniport) WAN Miniport (PPTP) [Kernel | On_Demand | Running] -> %System32%\drivers\raspptp.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 48384 bytes | Modified Date = 04/08/2004 07:14:26 | Attr = ]
(PSched) QoS Packet Scheduler [Kernel | On_Demand | Running] -> %System32%\drivers\psched.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 04/08/2004 07:04:20 | Attr = ]
(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> %System32%\drivers\ptilink.sys -> Parallel Technologies, Inc. [Ver = 1.10 (XPClient.010817-1148) | Size = 17792 bytes | Modified Date = 29/08/2002 13:00:00 | Attr = ]
(ql1080) ql1080 [Kernel | Disabled | Stopped] -> -> File not found
(Ql10wnt) Ql10wnt [Kernel | Disabled | Stopped] -> -> File not found
(ql12160) ql12160 [Kernel | Disabled | Stopped] -> -> File not found
(ql1240) ql1240 [Kernel | Disabled | Stopped] -> -> File not found
(ql1280) ql1280 [Kernel | Disabled | Stopped] -> -> File not found
(RasAcd) Remote Access Auto Connection Driver [Kernel | System | Running] -> %System32%\drivers\rasacd.sys -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 8832 bytes | Modified Date = 29/08/2002 13:00:00 | Attr = ]
(Rasl2tp) WAN Miniport (L2TP) [Kernel | On_Demand | Running] -> %System32%\drivers\rasl2tp.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 51328 bytes | Modified Date = 04/08/2004 07:14:22 | Attr = ]
(RasPppoe) Remote Access PPPOE Driver [Kernel | On_Demand | Running] -> %System32%\drivers\raspppoe.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 41472 bytes | Modified Date = 04/08/2004 07:05:08 | Attr = ]
(Raspti) Direct Parallel [Kernel | On_Demand | Running] -> %System32%\drivers\raspti.sys -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 16512 bytes | Modified Date = 29/08/2002 13:00:00 | Attr = ]
(Rdbss) Rdbss [File_System | System | Running] -> %System32%\drivers\rdbss.sys -> Microsoft Corporation [Ver = 5.1.2600.2902 (xpsp_sp2_gdr.060505-0036) | Size = 174592 bytes | Modified Date = 05/05/2006 10:47:58 | Attr = ]
(RDPCDD) RDPCDD [Kernel | System | Running] -> %System32%\drivers\rdpcdd.sys -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 4224 bytes | Modified Date = 29/08/2002 13:00:00 | Attr = ]
(RDPWD) RDPWD [Kernel | On_Demand | Stopped] -> %System32%\drivers\rdpwd.sys -> Microsoft Corporation [Ver = 5.1.2600.2695 (xpsp_sp2_gdr.050609-1528) | Size = 139528 bytes | Modified Date = 10/06/2005 05:09:46 | Attr = ]
(redbook) Digital CD Audio Playback Filter Driver [Kernel | System | Running] -> %System32%\drivers\redbook.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 57472 bytes | Modified Date = 04/08/2004 06:59:38 | Attr = ]
(RTL8023xp) TRENDnet TE100 PCBUSR PC Card [Kernel | On_Demand | Stopped] -> %System32%\drivers\TE100XP.SYS -> TRENDnet [Ver = 5,635,0923,2005 built by: WinDDK | Size = 78720 bytes | Modified Date = 18/04/2006 11:59:10 | Attr = ]
(rtl8139) Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver [Kernel | On_Demand | Stopped] -> %System32%\drivers\rtl8139.sys -> Realtek Semiconductor Corporation [Ver = 5.398.613.2003 built by: WinDDK | Size = 20992 bytes | Modified Date = 04/08/2004 06:31:32 | Attr = ]
(SABProcEnum) SABProcEnum [Kernel | On_Demand | Stopped] -> %SystemDrive%\PROGRA~1\MOZILL~1\SABProcEnum.sys -> File not found
(SASDIFSV) SASDIFSV [Kernel | System | Running] -> %ProgramFiles%\SUPERAntiSpyware\sasdifsv.sys -> [Ver = 1, 0, 0, 1006 | Size = 5632 bytes | Modified Date = 10/10/2006 14:53:48 | Attr = ]
(SASENUM) SASENUM [Kernel | On_Demand | Stopped] -> %ProgramFiles%\SUPERAntiSpyware\SASENUM.SYS -> SuperAdBlocker, Inc. [Ver = 1, 0, 0, 1002 | Size = 4096 bytes | Modified Date = 16/02/2006 18:51:08 | Attr = R ]
(SASKUTIL) SASKUTIL [Kernel | System | Running] -> %ProgramFiles%\SUPERAntiSpyware\SASKUTIL.SYS ->


----------



## bandyandy (Aug 26, 2006)

Part 6:

[Ver = 1, 0, 0, 1036 | Size = 32256 bytes | Modified Date = 10/03/2007 15:35:34 | Attr = ]
(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> %System32%\drivers\secdrv.sys -> [Ver = | Size = 27440 bytes | Modified Date = 29/08/2002 13:00:00 | Attr = ]
(serenum) Serenum Filter Driver [Kernel | On_Demand | Running] -> %System32%\drivers\serenum.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 15488 bytes | Modified Date = 04/08/2004 06:59:08 | Attr = ]
(Serial) Serial port driver [Kernel | System | Running] -> %System32%\drivers\serial.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 64896 bytes | Modified Date = 04/08/2004 07:15:52 | Attr = ]
(Sfloppy) Sfloppy [Kernel | System | Stopped] -> %System32%\drivers\sfloppy.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 11392 bytes | Modified Date = 04/08/2004 06:59:54 | Attr = ]
(Simbad) Simbad [Kernel | Disabled | Stopped] -> -> File not found
(SiS300i) SiS300i [Kernel | On_Demand | Stopped] -> %System32%\drivers\sis300ip.sys -> Silicon Integrated Systems Corporation [Ver = 5.13.01.1100 (Lab01_N(ericks).010612-1818) | Size = 101760 bytes | Modified Date = 17/08/2001 13:50:46 | Attr = ]
(SiS630) SiS630 [Kernel | On_Demand | Running] -> %System32%\drivers\sis630p.sys -> Silicon Integrated Systems Corporation [Ver = 6.13.10.2090 | Size = 164608 bytes | Modified Date = 23/01/2003 18:12:48 | Attr = ]
(SiS7018) Service for SiS7018 Driver (WDM) [Kernel | On_Demand | Stopped] -> %System32%\drivers\sis7018.sys -> Silicon Integrated Systems Corporation [Ver = 5.10.00.6180 | Size = 380288 bytes | Modified Date = 06/06/2002 18:10:02 | Attr = ]
(sisagp) SIS AGP Bus Filter [Kernel | Boot | Running] -> %System32%\drivers\sisagp.sys -> Silicon Integrated Systems Corporation [Ver = 5.12.01.2010 (xpsp_sp2_rtm.040803-2158) | Size = 41088 bytes | Modified Date = 04/08/2004 07:07:42 | Attr = ]
(SISNIC) SiS PCI Fast Ethernet Adapter Driver [Kernel | On_Demand | Stopped] -> %System32%\drivers\sisnic.sys -> SiS Corporation [Ver = 1.16.00.05 built by: WinDDK | Size = 32768 bytes | Modified Date = 04/08/2004 06:31:34 | Attr = ]
(SISNICXP) SiS PCI Fast Ethernet Adapter Driver for NDIS51 [Kernel | On_Demand | Running] -> %System32%\drivers\sisnicxp.sys -> SiS Corporation [Ver = 2.0.1039.1190 built by: WinDDK | Size = 32768 bytes | Modified Date = 14/02/2006 16:02:58 | Attr = ]
(SLIP) BDA Slip De-Framer [Kernel | On_Demand | Stopped] -> %System32%\drivers\SLIP.sys -> Microsoft Corporation [Ver = 5.3.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 11136 bytes | Modified Date = 04/08/2004 08:10:16 | Attr = ]
(Sparrow) Sparrow [Kernel | Disabled | Stopped] -> -> File not found
(splitter) Microsoft Kernel Audio Splitter [Kernel | On_Demand | Stopped] -> %System32%\drivers\splitter.sys -> Microsoft Corporation [Ver = 5.1.2600.2929 (xpsp_sp2_gdr.060613-2359) | Size = 6400 bytes | Modified Date = 14/06/2006 09:47:46 | Attr = ]
(sp_rsdrv2) Spyware Terminator Driver 2 [Kernel | System | Running] -> %System32%\drivers\sp_rsdrv2.sys -> [Ver = | Size = 135936 bytes | Modified Date = 20/02/2007 12:00:56 | Attr = ]
(SQTECH9160) CAMERA [Kernel | On_Demand | Stopped] -> %System32%\drivers\Capt9160.sys -> [Ver = 0.0.0.1 | Size = 45711 bytes | Modified Date = 21/03/2006 13:14:06 | Attr = ]
(sr) System Restore Filter Driver [File_System | Boot | Running] -> %System32%\drivers\sr.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 73472 bytes | Modified Date = 04/08/2004 07:06:26 | Attr = ]
(srescan) srescan [Kernel | Boot | Running] -> %System32%\ZoneLabs\srescan.sys -> Zone Labs, LLC [Ver = 5, 0, 63, 0 | Size = 29680 bytes | Modified Date = 03/08/2006 01:53:32 | Attr = ]
(Srv) Srv [File_System | On_Demand | Running] -> %System32%\drivers\srv.sys -> Microsoft Corporation [Ver = 5.1.2600.2974 (xpsp_sp2_gdr.060814-0101) | Size = 332928 bytes | Modified Date = 14/08/2006 11:34:42 | Attr = ]
(StMp3Rec) Player Recovery Device Control Driver [Kernel | On_Demand | Stopped] -> %System32%\drivers\StMp3Rec.sys -> Generic [Ver = 1, 521, 0, 139 | Size = 38409 bytes | Modified Date = 25/04/2005 13:59:04 | Attr = ]
(streamip) BDA IPSink [Kernel | On_Demand | Stopped] -> %System32%\drivers\StreamIP.sys -> Microsoft Corporation [Ver = 5.3.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 15360 bytes | Modified Date = 04/08/2004 08:10:12 | Attr = ]
(swenum) Software Bus Driver [Kernel | On_Demand | Running] -> %System32%\drivers\swenum.sys -> Microsoft Corporation [Ver = 5.3.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 4352 bytes | Modified Date = 04/08/2004 06:58:42 | Attr = ]
(swmidi) Microsoft Kernel GS Wavetable Synthesizer [Kernel | On_Demand | Stopped] -> %System32%\drivers\swmidi.sys -> Microsoft Corporation [Ver = 5.1.2600.0 (XPClient.010817-1148) | Size = 54272 bytes | Modified Date = 17/08/2001 15:00:52 | Attr = ]
(symc810) symc810 [Kernel | Disabled | Stopped] -> -> File not found
(symc8xx) symc8xx [Kernel | Disabled | Stopped] -> -> File not found
(sym_hi) sym_hi [Kernel | Disabled | Stopped] -> -> File not found
(sym_u3) sym_u3 [Kernel | Disabled | Stopped] -> -> File not found
(sysaudio) Microsoft Kernel System Audio Device [Kernel | On_Demand | Running] -> %System32%\drivers\sysaudio.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 60800 bytes | Modified Date = 04/08/2004 07:15:56 | Attr = ]
(Tcpip) TCP/IP Protocol Driver [Kernel | System | Running] -> %System32%\drivers\TCPIP.SYS -> Microsoft Corporation [Ver = 5.1.2600.2892 (xpsp_sp2_gdr.060420-0254) | Size = 359808 bytes | Modified Date = 07/11/2006 00:32:50 | Attr = ]
(TDPIPE) TDPIPE [Kernel | On_Demand | Stopped] -> %System32%\drivers\tdpipe.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 12040 bytes | Modified Date = 04/08/2004 09:01:08 | Attr = ]
(TDTCP) TDTCP [Kernel | On_Demand | Stopped] -> %System32%\drivers\tdtcp.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 21896 bytes | Modified Date = 04/08/2004 09:01:08 | Attr = ]
(TermDD) Terminal Device Driver [Kernel | System | Running] -> %System32%\drivers\termdd.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 40840 bytes | Modified Date = 04/08/2004 09:01:08 | Attr = ]
(tmcomm) tmcomm [Kernel | Auto | Running] -> %System32%\drivers\tmcomm.sys -> Trend Micro Inc. [Ver = 1.5.0.1052 | Size = 76560 bytes | Modified Date = 10/03/2007 20:15:04 | Attr = ]
(TosIde) TosIde [Kernel | Disabled | Stopped] -> -> File not found
(Udfs) Udfs [File_System | Disabled | Stopped] -> %System32%\drivers\udfs.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 66176 bytes | Modified Date = 04/08/2004 07:00:32 | Attr = ]
(ultra) ultra [Kernel | Disabled | Stopped] -> -> File not found
(Update) Microcode Update Driver [Kernel | On_Demand | Running] -> %System32%\drivers\update.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 209408 bytes | Modified Date = 04/08/2004 06:58:32 | Attr = ]
(usbaudio) USB Audio Driver (WDM) [Kernel | On_Demand | Stopped] -> %System32%\drivers\USBAUDIO.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 59264 bytes | Modified Date = 04/08/2004 08:07:56 | Attr = ]
(usbccgp) Microsoft USB Generic Parent Driver [Kernel | On_Demand | Stopped] -> %System32%\drivers\usbccgp.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 31616 bytes | Modified Date = 04/08/2004 08:08:46 | Attr = ]
(usbehci) Microsoft USB 2.0 Enhanced Host Controller Miniport Driver [Kernel | On_Demand | Running] -> %System32%\drivers\usbehci.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 26624 bytes | Modified Date = 04/08/2004 07:08:38 | Attr = ]
(usbhub) USB2 Enabled Hub [Kernel | On_Demand | Running] -> %System32%\drivers\usbhub.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 57600 bytes | Modified Date = 04/08/2004 07:08:42 | Attr = ]
(usbohci) Microsoft USB Open Host Controller Miniport Driver [Kernel | On_Demand | Running] -> %System32%\drivers\usbohci.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 17024 bytes | Modified Date = 04/08/2004 07:08:36 | Attr = ]
(usbprint) Microsoft USB PRINTER Class [Kernel | On_Demand | Running] -> %System32%\drivers\usbprint.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 25856 bytes | Modified Date = 04/08/2004 07:01:24 | Attr = ]
(usbser) Motorola USB Modem Driver [Kernel | On_Demand | Stopped] -> %System32%\drivers\usbser.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 25600 bytes | Modified Date = 04/08/2004 07:08:42 | Attr = ]
(usbsermptxp) Motorola USB Modem Driver for MPT XP [Kernel | On_Demand | Stopped] -> %System32%\drivers\usbsermptxp.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 25600 bytes | Modified Date = 07/08/2006 21:03:56 | Attr = ]
(USBSTOR) USB Mass Storage Driver [Kernel | On_Demand | Running] -> %System32%\drivers\USBSTOR.SYS -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 26496 bytes | Modified Date = 04/08/2004 07:08:46 | Attr = ]
(usbuhci) Microsoft USB Universal Host Controller Miniport Driver [Kernel | On_Demand | Running] -> %System32%\drivers\usbuhci.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 20480 bytes | Modified Date = 04/08/2004 07:08:38 | Attr = ]
(VgaSave) VGA Display Controller. [Kernel | System | Running] -> %System32%\drivers\vga.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 20992 bytes | Modified Date = 04/08/2004 07:07:06 | Attr = ]
(ViaIde) ViaIde [Kernel | Disabled | Stopped] -> -> File not found
(VolSnap) VolSnap [Kernel | Boot | Running] -> %System32%\drivers\volsnap.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 52352 bytes | Modified Date = 04/08/2004 07:00:16 | Attr = ]
(vsdatant) vsdatant [Kernel | System | Running] -> %System32%\vsdatant.sys -> Zone Labs, LLC [Ver = 6.5.737.000 | Size = 392824 bytes | Modified Date = 23/08/2006 23:38:36 | Attr = ]
(Wanarp) Remote Access IP ARP Driver [Kernel | On_Demand | Running] -> %System32%\drivers\wanarp.sys -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 34560 bytes | Modified Date = 04/08/2004 07:04:58 | Attr = ]
(WDICA) WDICA [Kernel | On_Demand | Stopped] -> -> File not found
(wdmaud) Microsoft WINMM WDM Audio Compatibility Driver [Kernel | On_Demand | Running] -> %System32%\drivers\wdmaud.sys -> Microsoft Corporation [Ver = 5.1.2600.2929 (xpsp_sp2_gdr.060613-2359) | Size = 82944 bytes | Modified Date = 14/06/2006 10:00:46 | Attr = ]
(WS2IFSL) Windows Socket 2.0 Non-IFS Service Provider Support Environment [Kernel | Disabled | Stopped] -> %System32%\drivers\ws2ifsl.sys -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 12032 bytes | Modified Date = 29/08/2002 13:00:00 | Attr = ]
(WSTCODEC) World Standard Teletext Codec [Kernel | On_Demand | Stopped] -> %System32%\drivers\WSTCODEC.SYS -> Microsoft Corporation [Ver = 5.3.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 19328 bytes | Modified Date = 04/08/2004 08:10:22 | Attr = ]
(ZSMC301b) Vimicro USB PC Camera (ZC0301PL) [Kernel | On_Demand | Running] -> %System32%\drivers\usbVM31b.sys -> VM [Ver = 3, 6, 308, 7 | Size = 194933 bytes | Modified Date = 10/03/2006 11:22:58 | Attr = ]

[Registry - All]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AVG7_CC -> %ProgramFiles%\Grisoft\AVG Free\avgcc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.438 | Size = 411648 bytes | Modified Date = 11/02/2007 10:36:04 | Attr = ]
BatchBandwidth -> %ProgramFiles%\Bandwidth\BandMon.exe -> Batch Software [Ver = 1.00.0010 | Size = 237568 bytes | Modified Date = 07/05/2003 20:05:46 | Attr = ]
CTHelper -> %System32%\CTHELPER.EXE -> Creative Technology Ltd [Ver = 1, 1, 0, 2 | Size = 28672 bytes | Modified Date = 09/06/2003 03:07:00 | Attr = ]
KernelFaultCheck -> -> File not found
NeroCheck -> %System32%\NeroCheck.exe -> Ahead Software Gmbh [Ver = 1, 0, 0, 2 | Size = 155648 bytes | Modified Date = 09/07/2001 11:50:42 | Attr = ]
SpyHunter -> -> File not found
SpywareTerminator -> %ProgramFiles%\Spyware Terminator\SpywareTerminatorShield.exe -> Crawler.com [Ver = 1.8.2.458 | Size = 2903040 bytes | Modified Date = 20/02/2007 12:00:28 | Attr = ]
Zone Labs Client -> %ProgramFiles%\Zone Labs\ZoneAlarm\zlclient.exe -> Zone Labs, LLC [Ver =


----------
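The driver and autorun listings above follow one line format: `(Name) Description [Type | Start | State] -> path -> Publisher [Ver = ... | Size = ... | Modified Date = ... | Attr = ...]` for services and drivers, `Name -> path -> Publisher [...]` for registry autoruns, and `-> -> File not found` where a registration has no file behind it. The following is an added example by the editor, not a tool the poster or the forum helpers used: it undoes the forum's hard wrapping, parses each entry, and applies three cheap triage heuristics an analyst would apply by hand when reading such a log (stale registrations, files with no publisher in their version info, kernel drivers loaded from outside `%System32%\drivers`). The sample text is copied verbatim from Parts 4 to 6 of the posted log, wrapped exactly as the forum wrapped it; the `Entry` fields, the heuristics, and the "entry ends with `]`, `->` or `File not found`" rejoin rule are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Head of a driver/service entry: "(Name) Description [Type | Start | State]"
HEAD = re.compile(r"^\((?P<name>[^)]+)\)\s+(?P<desc>.*?)\s*\[(?P<type>[^|\]]+?)\s*\|"
                  r"\s*(?P<start>[^|\]]+?)\s*\|\s*(?P<state>[^\]]+?)\s*\]$")
# Trailing file metadata: "[Ver = v | Size = n bytes | Modified Date = d | Attr = a]"
META = re.compile(r"\[Ver =\s*(?P<ver>.*?)\s*\|\s*Size = (?P<size>\d+) bytes\s*\|"
                  r"\s*Modified Date =\s*(?P<date>.*?)\s*\|\s*Attr =\s*(?P<attr>.*?)\s*\]$")
ARROW = re.compile(r"\s*->\s*")

# Constructed sample: lines copied from the posted log (Parts 4-6), wrapped as the forum wrapped them.
SAMPLE = r"""
(IpNat) IP Network Address Translator [Kernel | On_Demand | Running] -> %System32%\drivers\ipnat.sys -> Microsoft Corporation

[Ver = 5.1.2600.2524 (xpsp_sp2_gdr.040919-1056) | Size = 134912 bytes | Modified Date = 29/09/2004 23:28:38 | Attr = ]
(lbrtfdc) lbrtfdc [Kernel | System | Stopped] -> -> File not found
(SABProcEnum) SABProcEnum [Kernel | On_Demand | Stopped] -> %SystemDrive%\PROGRA~1\MOZILL~1\SABProcEnum.sys -> File not found
(SASDIFSV) SASDIFSV [Kernel | System | Running] -> %ProgramFiles%\SUPERAntiSpyware\sasdifsv.sys -> [Ver = 1, 0, 0, 1006 |

Size = 5632 bytes | Modified Date = 10/10/2006 14:53:48 | Attr = ]
(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> %System32%\drivers\secdrv.sys -> [Ver = | Size = 27440 bytes | Modified

Date = 29/08/2002 13:00:00 | Attr = ]
(srescan) srescan [Kernel | Boot | Running] -> %System32%\ZoneLabs\srescan.sys -> Zone Labs, LLC [Ver = 5, 0, 63, 0 | Size =

29680 bytes | Modified Date = 03/08/2006 01:53:32 | Attr = ]

[Registry - All]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AVG7_CC -> %ProgramFiles%\Grisoft\AVG Free\avgcc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.438 | Size = 411648 bytes | Modified

Date = 11/02/2007 10:36:04 | Attr = ]
KernelFaultCheck -> -> File not found
SpyHunter -> -> File not found
"""


@dataclass
class Entry:
    section: str
    kind: str             # "driver" (service/driver table) or "registry" (autorun value)
    name: str
    path: str
    company: str          # publisher from version info; "" when the file has none
    version: str
    size: Optional[int]
    missing: bool         # the log said "File not found"
    start: str = ""       # Boot / System / Auto / On_Demand / Disabled (drivers only)
    state: str = ""


def rejoin(text: str) -> List[str]:
    """Undo the forum's hard wrapping. Assumed rule: an entry is complete when it ends
    with ']', '->' or 'File not found'; section headers ('< ... >') are complete by themselves."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        buf = f"{buf} {line}" if buf else line
        if buf.startswith("<") or buf.endswith(("]", "->", "File not found")):
            out.append(buf)
            buf = ""
    if buf:
        out.append(buf)
    return out


def parse_entry(line: str, section: str) -> Optional[Entry]:
    parts = ARROW.split(line)
    if len(parts) < 3 or parts[0].startswith(("*", "[", "<")):
        return None                           # sub-keys, section markers, stray fragments
    head, path, rest = parts[0], parts[1], " -> ".join(parts[2:])
    m = HEAD.match(head)
    kind, name, start, state = ("driver", m["name"], m["start"], m["state"]) if m else ("registry", head, "", "")
    missing = rest == "File not found"
    meta = META.search(rest)
    company = rest[: meta.start()].strip() if meta else ("" if missing else rest.strip())
    return Entry(section, kind, name, path, company, meta["ver"] if meta else "",
                 int(meta["size"]) if meta else None, missing, start, state)


def parse_log(text: str) -> List[Entry]:
    entries, section = [], "Services/Drivers"
    for line in rejoin(text):
        if line.startswith("<"):              # "< Run [HKLM] > -> HKEY_..." opens a registry section
            section = line[1:line.index(">")].strip()
            continue
        e = parse_entry(line, section)
        if e:
            entries.append(e)
    return entries


def triage(entries: List[Entry]) -> Dict[str, List[str]]:
    """Analyst heuristics (this example's own): stale registrations, no publisher, odd driver locations."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        reasons = []
        if e.missing:
            reasons.append("registration points at a file that is no longer on disk")
        else:
            if not e.company:
                reasons.append("file carries no publisher in its version info")
            if e.kind == "driver" and not e.path.lower().startswith("%system32%\\drivers\\"):
                reasons.append(f"kernel driver loaded from outside the drivers directory: {e.path}")
        if reasons:
            findings[e.name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(parse_log(SAMPLE)).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run against the sample, the Microsoft-published `IpNat` and the `AVG7_CC` autorun pass clean, while the orphaned `lbrtfdc`, `SABProcEnum`, `KernelFaultCheck` and `SpyHunter` registrations, the publisher-less `SASDIFSV` and `Secdrv`, and the `srescan` driver under `%System32%\ZoneLabs` are listed for a human to look at. A flag is a prompt to check the file, not a verdict: several of the flagged entries here belong to the anti-spyware tools the poster installed.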



## bandyandy (Aug 26, 2006)

Part 7:

6.5.737.000 | Size = 968696 bytes | Modified Date = 23/08/2006 23:38:28 | Attr = ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\
IMAIL -> Installed = 1 -> 
MAPI -> Installed = 1 -> 
MSFS -> Installed = 1 -> 
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
-> -> File not found
Creative Detector -> %ProgramFiles%\Creative\MediaSource\Detector\CTDetect.exe -> Creative Technology Ltd [Ver = 3.0.2.0 | Size = 102400 bytes | Modified Date = 02/12/2004 18:23:34 | Attr = ]
FreeRAM XP -> %ProgramFiles%\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe -> YourWare Solutions (TM) [Ver = 1.5.1.0 | Size = 1591808 bytes | Modified Date = 23/03/2006 00:13:46 | Attr = R ]
< IFEO [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
Your Image File Name Here without a path -> %System32%\ntsd.exe [Debugger] -> Microsoft Corporation [Ver = 5.1.2600.0 (XPClient.010817-1148) | Size = 31744 bytes | Modified Date = 29/08/2002 13:00:00 | Attr = ]
< SSODL [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
{fbeb8a05-beee-4442-804e-409d6c4515e9} [HKLM] -> %System32%\shell32.dll [CDBurn] -> Microsoft Corporation [Ver = 6.00.2900.3051 (xpsp_sp2_gdr.061219-0316) | Size = 8453632 bytes | Modified Date = 19/12/2006 22:52:18 | Attr = ]
{7849596a-48ea-486e-8937-a2a3009f31a9} [HKLM] -> %System32%\shell32.dll [PostBootReminder] -> Microsoft Corporation [Ver = 6.00.2900.3051 (xpsp_sp2_gdr.061219-0316) | Size = 8453632 bytes | Modified Date = 19/12/2006 22:52:18 | Attr = ]
{35CEC8A3-2BE6-11D2-8773-92E220524153} [HKLM] -> %System32%\stobject.dll [SysTray] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 121856 bytes | Modified Date = 04/08/2004 08:56:46 | Attr = ]
{E6FB5E20-DE35-11CF-9C87-00AA005127ED} [HKLM] -> %System32%\webcheck.dll [WebCheck] -> Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 276480 bytes | Modified Date = 04/08/2004 08:56:46 | Attr = ]
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} [HKLM] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll [AVG Anti-Spyware 7.5] -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 47 | Size = 73728 bytes | Modified Date = 28/09/2006 15:13:28 | Attr = ]
{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} [HKLM] -> %ProgramFiles%\SUPERAntiSpyware\SASSEH.DLL [] -> SuperAdBlocker.com [Ver = 1, 0, 0, 1008 | Size = 77824 bytes | Modified Date = 10/03/2007 15:35:28 | Attr = ]
{AEB6717E-7E19-11d0-97EE-00C04FD91972} [HKLM] -> %System32%\shell32.dll [] -> Microsoft Corporation [Ver = 6.00.2900.3051 (xpsp_sp2_gdr.061219-0316) | Size = 8453632 bytes | Modified Date = 19/12/2006 22:52:18 | Attr = ]
< SharedTaskScheduler [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
{438755C2-A8BA-11D1-B96B-00A0C90312E1} [HKLM] -> %System32%\browseui.dll [Browseui preloader] -> Microsoft Corporation [Ver = 6.00.2900.3059 (xpsp_sp2_qfe.070104-0040) | Size = 1022976 bytes | Modified Date = 04/01/2007 15:05:28 | Attr = ]
{8C7461EF-2B13-11d2-BE35-3078302C2030} [HKLM] -> %System32%\browseui.dll [Component Categories cache daemon] -> Microsoft Corporation [Ver = 6.00.2900.3059 (xpsp_sp2_qfe.070104-0040) | Size = 1022976 bytes | Modified Date = 04/01/2007 15:05:28 | Attr = ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
*SecurityProviders* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders -> 
msapsspc.dll -> %System32%\msapsspc.dll -> Microsoft Corporation [Ver = 6.00.7755 | Size = 86016 bytes | Modified Date = 04/08/2004 08:56:42 | Attr = ]
schannel.dll -> %System32%\schannel.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 144896 bytes | Modified Date = 04/08/2004 08:56:44 | Attr = ]
digest.dll -> %System32%\digest.dll -> Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 68608 bytes | Modified Date = 04/08/2004 08:56:42 | Attr = ]
msnsspc.dll -> %System32%\msnsspc.dll -> Microsoft Corporation [Ver = 6.1.1825.0 | Size = 290816 bytes | Modified Date = 04/08/2004 08:56:44 | Attr = ]
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell -> 
Explorer.exe -> %SystemRoot%\explorer.exe -> Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 1032192 bytes | Modified Date = 04/08/2004 08:56:50 | Attr = ]
*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit -> 
C:\WINDOWS\system32\userinit.exe -> %System32%\userinit.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 24576 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
*VMApplet* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet -> 
rundll32 -> %System32%\rundll32.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 33280 bytes | Modified Date = 04/08/2004 08:56:56 | Attr = ]
shell32 -> %System32%\shell32.dll -> Microsoft Corporation [Ver = 6.00.2900.3051 (xpsp_sp2_gdr.061219-0316) | Size = 8453632 bytes | Modified Date = 19/12/2006 22:52:18 | Attr = ]
"sysdm.cpl" -> %System32%\sysdm.cpl -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 298496 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
!SASWinLogon -> %ProgramFiles%\SUPERAntiSpyware\SASWINLO.DLL -> SUPERAntiSpyware.com [Ver = 1, 0, 0, 1030 | Size = 282624 bytes | Modified Date = 10/03/2007 15:35:34 | Attr = ]
crypt32chain -> %System32%\crypt32.dll -> Microsoft Corporation [Ver = 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 597504 bytes | Modified Date = 04/08/2004 08:56:42 | Attr = ]
cryptnet -> %System32%\cryptnet.dll -> Microsoft Corporation [Ver = 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 63488 bytes | Modified Date = 04/08/2004 08:56:42 | Attr = ]
cscdll -> %System32%\cscdll.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 101888 bytes | Modified Date = 04/08/2004 08:56:42 | Attr = ]
CwWLEvent -> Reg Data - Value does not exist -> File not found
ScCertProp -> %System32%\wlnotify.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 92672 bytes | Modified Date = 04/08/2004 08:56:46 | Attr = ]
Schedule -> %System32%\wlnotify.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 92672 bytes | Modified Date = 04/08/2004 08:56:46 | Attr = ]
sclgntfy -> %System32%\sclgntfy.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 20992 bytes | Modified Date = 04/08/2004 08:56:44 | Attr = ]
SensLogn -> %System32%\wlnotify.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 92672 bytes | Modified Date = 04/08/2004 08:56:46 | Attr = ]
termsrv -> %System32%\wlnotify.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 92672 bytes | Modified Date = 04/08/2004 08:56:46 | Attr = ]
WgaLogon -> %System32%\WgaLogon.dll -> Microsoft Corporation [Ver = 1.7.0018.5 | Size = 236928 bytes | Modified Date =

15/03/2007 18:16:42 | Attr = ]
wlballoon -> %System32%\wlnotify.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 92672

bytes | Modified Date = 04/08/2004 08:56:46 | Attr = ]
< HOSTS File > (698 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts
127.0.0.1 localhost -> -> 
< Internet Explorer Settings > -> 
HKLM: Default_Page_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome -> 
HKLM: Main\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKLM: Local Page -> C:\windows\system32\blank.htm -> 
HKLM: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKLM: Start Page -> http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home -> 
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm -> 
HKLM: Search\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKLM: SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm -> 
HKCU: Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKCU: Local Page -> C:\windows\system32\blank.htm -> 
HKCU: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKCU: Start Page -> http://www.google.ie/ -> 
HKCU: URLSearchHooks\\{BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} [HKLM] -> Reg Data - Key not found [SweetIM For Internet Explorer] -> File not found
HKCU: URLSearchHooks\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} [HKLM] -> %System32%\shdocvw.dll [Microsoft Url Search Hook] -> Microsoft Corporation [Ver = 6.00.2900.3059 (xpsp_sp2_qfe.070104-0040) | Size = 1498112 bytes | Modified Date = 04/01/2007 15:05:30 | Attr = ]
HKCU: ProxyEnable -> 0 -> 
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
msn.com [ - ] -> -> 
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 59032 bytes | Modified Date = 18/12/2006 05:16:42 | Attr = ]
{1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [] -> Safer Networking Limited [Ver = 1, 4, 0, 0 | Size = 853672 bytes | Modified Date = 31/05/2005 01:04:00 | Attr = ]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> %ProgramFiles%\Java\jre1.5.0_11\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 5.0.110.3 | Size = 440056 bytes | Modified Date = 15/12/2006 03:23:24 | Attr = ]
{AA58ED58-01DD-4d91-8333-CF10577473F7} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer Bars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{4D5C8C25-D075-11d0-B416-00C04FB90376} [HKLM] -> %System32%\shdocvw.dll [&Tip of the Day] -> Microsoft Corporation [Ver = 6.00.2900.3059 (xpsp_sp2_qfe.070104-0040) | Size = 1498112 bytes | Modified Date = 04/01/2007 15:05:30 | Attr = ]
< Internet Explorer Bars [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{32683183-48a0-441b-a342-7c2a440a9478} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
{EFA24E61-B078-11D0-89E4-00C04FC9E26E} [HKLM] -> %System32%\shdocvw.dll [Favorites Band] -> Microsoft Corporation [Ver = 6.00.2900.3059 (xpsp_sp2_qfe.070104-0040) | Size = 1498112 bytes | Modified Date = 04/01/2007 15:05:30 | Attr = ]
{EFA24E62-B078-11D0-89E4-00C04FC9E26E} [HKLM] -> %System32%\shdocvw.dll [History Band] -> Microsoft Corporation [Ver = 6.00.2900.3059 (xpsp_sp2_qfe.070104-0040) | Size = 1498112 bytes | Modified Date = 04/01/2007 15:05:30 | Attr = ]
{EFA24E64-B078-11D0-89E4-00C04FC9E26E} [HKLM] -> %System32%\shdocvw.dll [Explorer Band] -> Microsoft Corporation [Ver = 6.00.2900.3059 (xpsp_sp2_qfe.070104-0040) | Size = 1498112 bytes | Modified Date = 04/01/2007 15:05:30 | Attr = ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} [HKLM] -> %System32%\browseui.dll [&Address] -> Microsoft Corporation [Ver = 6.00.2900.3059 (xpsp_sp2_qfe.070104-0040) | Size = 1022976 bytes | Modified Date = 04/01/2007 15:05:28 | Attr = ]
ShellBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} [HKLM] -> %System32%\shell32.dll [&Links] -> Microsoft Corporation [Ver = 6.00.2900.3051 (xpsp_sp2_gdr.061219-0316) | Size = 8453632 bytes | Modified Date = 19/12/2006 22:52:18 | Attr = ]
WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} [HKLM] -> %System32%\browseui.dll [&Address] -> Microsoft Corporation [Ver = 6.00.2900.3059 (xpsp_sp2_qfe.070104-0040) | Size = 1022976 bytes | Modified Date = 04/01/2007 15:05:28 | Attr = ]


----------



## bandyandy (Aug 26, 2006)

Part 8:

WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} [HKLM] -> %System32%\shell32.dll [&Links] -> Microsoft Corporation [Ver = 6.00.2900.3051 (xpsp_sp2_gdr.061219-0316) | Size = 8453632 bytes | Modified Date = 19/12/2006 22:52:18 | Attr = ]
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
WebBrowser\\{BC4FFE41-DE9F-46FA-B455-AAD49B9F9938} [HKLM] -> Reg Data - Key not found [SweetIM For Internet Explorer] -> File not found
WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> Reg Data - Key not found [&Yahoo! Toolbar] -> File not found
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.5.0_11\bin\npjpi150_11.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 5.0.110.3 | Size = 75528 bytes | Modified Date = 15/12/2006 03:23:26 | Attr = ]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKCU] -> %ProgramFiles%\Java\jre1.5.0_11\bin\ssv.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 5.0.110.3 | Size = 440056 bytes | Modified Date = 15/12/2006 03:23:24 | Attr = ]
{85d1f590-48f4-11d9-9669-0800200c9a66} [HKLM] -> Reg Data - Key not found [MenuText: Uninstall BitDefender Online Scanner v8] -> File not found
{FB5F1910-F110-11d2-BB9E-00C04F795683} -> %ProgramFiles%\Messenger\msmsgs.exe [ButtonText: Messenger] -> Microsoft Corporation [Ver = 4.7.3001 | Size = 1694208 bytes | Modified Date = 13/10/2004 17:24:38 | Attr = ]
< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\
&Google Search -> Reg Data - Value does not exist -> File not found
&Translate English Word -> Reg Data - Value does not exist -> File not found
Backward Links -> Reg Data - Value does not exist -> File not found
Cached Snapshot of Page -> Reg Data - Value does not exist -> File not found
Similar Pages -> Reg Data - Value does not exist -> File not found
Translate Page into English -> Reg Data - Value does not exist -> File not found
< User Agent Post Platform [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
SIMBAR={F1FE2854-C110-40fb-94BB-38D4CB5AD989} -> -> 
SV1 -> -> 
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\
{2BFE3B99-4241-4C88-9697-664DFC9EC9CE} -> () -> 
{3FC7A7DE-D4FA-47A2-BAAC-2507077E503E} -> 84.203.254.34,84.203.255.34 (SiS 900 PCI Fast Ethernet Adapter) -> 
{F97CD4AF-2BC6-4C6A-8182-E544357D0C97} -> 84.203.254.34,84.203.255.34 (TE100-PCBUSR 32-Bit Cardbus PC Card) -> 
< Winsock2 Catalogs [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\
NameSpace_Catalog5\Catalog_Entries\000000000001 [Tcpip] -> %System32%\mswsock.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 245248 bytes | Modified Date = 04/08/2004 08:56:44 | Attr = ]
NameSpace_Catalog5\Catalog_Entries\000000000002 [NTDS] -> %System32%\winrnr.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 16896 bytes | Modified Date = 04/08/2004 08:56:46 | Attr = ]
NameSpace_Catalog5\Catalog_Entries\000000000003 [Network Location Awareness (NLA) Namespace] -> %System32%\mswsock.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 245248 bytes | Modified Date = 04/08/2004 08:56:44 | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000001 -> %System32%\mswsock.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 245248 bytes | Modified Date = 04/08/2004 08:56:44 | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000002 -> %System32%\mswsock.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 245248 bytes | Modified Date = 04/08/2004 08:56:44 | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000003 -> %System32%\mswsock.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 245248 bytes | Modified Date = 04/08/2004 08:56:44 | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000004 -> %System32%\rsvpsp.dll -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 90112 bytes | Modified Date = 29/08/2002 13:00:00 | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000005 -> %System32%\rsvpsp.dll -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 90112 bytes | Modified Date = 29/08/2002 13:00:00 | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000006 -> %System32%\mswsock.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 245248 bytes | Modified Date = 04/08/2004 08:56:44 | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000007 -> %System32%\mswsock.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 245248 bytes | Modified Date = 04/08/2004 08:56:44 | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000008 -> %System32%\mswsock.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 245248 bytes | Modified Date = 04/08/2004 08:56:44 | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000009 -> %System32%\mswsock.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 245248 bytes | Modified Date = 04/08/2004 08:56:44 | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000010 -> %System32%\mswsock.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 245248 bytes | Modified Date = 04/08/2004 08:56:44 | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000011 -> %System32%\mswsock.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 245248 bytes | Modified Date = 04/08/2004 08:56:44 | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000012 -> %System32%\mswsock.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 245248 bytes | Modified Date = 04/08/2004 08:56:44 | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000013 -> %System32%\mswsock.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 245248 bytes | Modified Date = 04/08/2004 08:56:44 | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000014 -> %System32%\mswsock.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 245248 bytes | Modified Date = 04/08/2004 08:56:44 | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000015 -> %System32%\mswsock.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 245248 bytes | Modified Date = 04/08/2004 08:56:44 | Attr = ]
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\
about -> %System32%\mshtml.dll -> Microsoft Corporation [Ver = 6.00.2900.3059 (xpsp_sp2_qfe.070104-0040) | Size = 3062272 bytes | Modified Date = 04/01/2007 15:05:30 | Attr = ]
cdl -> %System32%\urlmon.dll -> Microsoft Corporation [Ver = 6.00.2900.3072 (xpsp_sp2_qfe.070124-2324) | Size = 616960 bytes | Modified Date = 25/01/2007 13:24:58 | Attr = ]
dvd -> %System32%\msvidctl.dll -> Microsoft Corporation [Ver = 6.05.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 1428480 bytes | Modified Date = 04/08/2004 08:56:44 | Attr = ]
file -> %System32%\urlmon.dll -> Microsoft Corporation [Ver = 6.00.2900.3072 (xpsp_sp2_qfe.070124-2324) | Size = 616960 bytes | Modified Date = 25/01/2007 13:24:58 | Attr = ]
ftp -> %System32%\urlmon.dll -> Microsoft Corporation [Ver = 6.00.2900.3072 (xpsp_sp2_qfe.070124-2324) | Size = 616960 bytes | Modified Date = 25/01/2007 13:24:58 | Attr = ]
gopher -> %System32%\urlmon.dll -> Microsoft Corporation [Ver = 6.00.2900.3072 (xpsp_sp2_qfe.070124-2324) | Size = 616960 bytes | Modified Date = 25/01/2007 13:24:58 | Attr = ]
http -> %System32%\urlmon.dll -> Microsoft Corporation [Ver = 6.00.2900.3072 (xpsp_sp2_qfe.070124-2324) | Size = 616960 bytes | Modified Date = 25/01/2007 13:24:58 | Attr = ]
http\0x00000001 -> %CommonProgramFiles%\System\Ole DB\msdaipp.dll -> Microsoft Corporation [Ver = 8.103.5219.0 | Size = 532480 bytes | Modified Date = 04/08/2004 08:56:44 | Attr = ]
http\oledb -> %CommonProgramFiles%\System\Ole DB\msdaipp.dll -> Microsoft Corporation [Ver = 8.103.5219.0 | Size = 532480 bytes | Modified Date = 04/08/2004 08:56:44 | Attr = ]
https -> %System32%\urlmon.dll -> Microsoft Corporation [Ver = 6.00.2900.3072 (xpsp_sp2_qfe.070124-2324) | Size = 616960 bytes | Modified Date = 25/01/2007 13:24:58 | Attr = ]
https\0x00000001 -> %CommonProgramFiles%\System\Ole DB\msdaipp.dll -> Microsoft Corporation [Ver = 8.103.5219.0 | Size = 532480 bytes | Modified Date = 04/08/2004 08:56:44 | Attr = ]
https\oledb -> %CommonProgramFiles%\System\Ole DB\msdaipp.dll -> Microsoft Corporation [Ver = 8.103.5219.0 | Size = 532480 bytes | Modified Date = 04/08/2004 08:56:44 | Attr = ]
ipp -> Reg Data - Key not found -> File not found
ipp\0x00000001 -> %CommonProgramFiles%\System\Ole DB\msdaipp.dll -> Microsoft Corporation [Ver = 8.103.5219.0 | Size = 532480 bytes | Modified Date = 04/08/2004 08:56:44 | Attr = ]
its -> %System32%\itss.dll -> Microsoft Corporation [Ver = 5.2.3790.2453 (srv03_sp1_gdr.050525-1542) | Size = 137216 bytes | Modified Date = 27/05/2005 03:04:28 | Attr = ]
javascript -> %System32%\mshtml.dll -> Microsoft Corporation [Ver = 6.00.2900.3059 (xpsp_sp2_qfe.070104-0040) | Size = 3062272 bytes | Modified Date = 04/01/2007 15:05:30 | Attr = ]
livecall -> %ProgramFiles%\MSN Messenger\msgrapp.8.1.0178.00.dll -> Microsoft Corporation [Ver = 8.1.0178.00 | Size = 63344 bytes | Modified Date = 19/01/2007 13:53:24 | Attr = ]
local -> %System32%\urlmon.dll -> Microsoft Corporation [Ver = 6.00.2900.3072 (xpsp_sp2_qfe.070124-2324) | Size = 616960 bytes | Modified Date = 25/01/2007 13:24:58 | Attr = ]
mailto -> %System32%\mshtml.dll -> Microsoft Corporation [Ver = 6.00.2900.3059 (xpsp_sp2_qfe.070104-0040) | Size = 3062272 bytes | Modified Date = 04/01/2007 15:05:30 | Attr = ]
mhtml -> %System32%\inetcomm.dll -> Microsoft Corporation [Ver = 6.00.2900.2962 (xpsp_sp2_gdr.060727-0051) | Size = 679424 bytes | Modified Date = 27/07/2006 14:24:46 | Attr = ]
mk -> %System32%\urlmon.dll -> Microsoft Corporation [Ver = 6.00.2900.3072 (xpsp_sp2_qfe.070124-2324) | Size = 616960 bytes | Modified Date = 25/01/2007 13:24:58 | Attr = ]
msdaipp -> Reg Data - Key not found -> File not found
msdaipp\0x00000001 -> %CommonProgramFiles%\System\Ole DB\msdaipp.dll -> Microsoft Corporation [Ver = 8.103.5219.0 | Size = 532480 bytes | Modified Date = 04/08/2004 08:56:44 | Attr = ]
msdaipp\oledb -> %CommonProgramFiles%\System\Ole DB\msdaipp.dll -> Microsoft Corporation [Ver = 8.103.5219.0 | Size = 532480 bytes | Modified Date = 04/08/2004 08:56:44 | Attr = ]
ms-its -> %System32%\itss.dll -> Microsoft Corporation [Ver = 5.2.3790.2453 (srv03_sp1_gdr.050525-1542) | Size = 137216 bytes | Modified Date = 27/05/2005 03:04:28 | Attr = ]
msnim -> %ProgramFiles%\MSN Messenger\msgrapp.8.1.0178.00.dll -> Microsoft Corporation [Ver = 8.1.0178.00 | Size = 63344 bytes | Modified Date = 19/01/2007 13:53:24 | Attr = ]
res -> %System32%\mshtml.dll -> Microsoft Corporation [Ver = 6.00.2900.3059 (xpsp_sp2_qfe.070104-0040) | Size = 3062272 bytes | Modified Date = 04/01/2007 15:05:30 | Attr = ]
sysimage -> %System32%\mshtml.dll -> Microsoft Corporation [Ver = 6.00.2900.3059 (xpsp_sp2_qfe.070104-0040) | Size = 3062272 bytes | Modified Date = 04/01/2007 15:05:30 | Attr = ]
tv -> %System32%\msvidctl.dll -> Microsoft Corporation [Ver = 6.05.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 1428480 bytes | Modified Date = 04/08/2004 08:56:44 | Attr = ]
vbscript -> %System32%\mshtml.dll -> Microsoft Corporation [Ver = 6.00.2900.3059 (xpsp_sp2_qfe.070104-0040) | Size = 3062272 bytes | Modified Date = 04/01/2007 15:05:30 | Attr = ]
wia -> %System32%\wiascr.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 75776 bytes | Modified Date = 04/08/2004 08:56:46 | Attr = ]
< Protocol Filters [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\
application/octet-stream -> %System32%\mscoree.dll -> Microsoft Corporation [Ver = 2.0.50727.42 (RTM.050727-4200) | Size = 270848 bytes | Modified Date = 23/09/2005 07:28:52 | Attr = ]
application/x-complus -> %System32%\mscoree.dll -> Microsoft Corporation [Ver = 2.0.50727.42 (RTM.050727-4200) | Size = 270848 bytes | Modified Date = 23/09/2005 07:28:52 | Attr = ]
application/x-msdownload -> %System32%\mscoree.dll -> Microsoft Corporation [Ver = 2.0.50727.42 (RTM.050727-4200) | Size = 270848 bytes | Modified Date = 23/09/2005 07:28:52 | Attr = ]
Class Install Handler -> %System32%\urlmon.dll -> Microsoft Corporation [Ver = 6.00.2900.3072 (xpsp_sp2_qfe.070124-2324) | Size = 616960 bytes | Modified Date = 25/01/2007 13:24:58 | Attr = ]


----------



## bandyandy (Aug 26, 2006)

Part 9:

deflate -> %System32%\urlmon.dll -> Microsoft Corporation [Ver = 6.00.2900.3072 (xpsp_sp2_qfe.070124-2324) | Size = 616960 bytes | Modified Date = 25/01/2007 13:24:58 | Attr = ]
gzip -> %System32%\urlmon.dll -> Microsoft Corporation [Ver = 6.00.2900.3072 (xpsp_sp2_qfe.070124-2324) | Size = 616960 bytes | Modified Date = 25/01/2007 13:24:58 | Attr = ]
lzdhtml -> %System32%\urlmon.dll -> Microsoft Corporation [Ver = 6.00.2900.3072 (xpsp_sp2_qfe.070124-2324) | Size = 616960 bytes | Modified Date = 25/01/2007 13:24:58 | Attr = ]
text/webviewhtml -> %System32%\shell32.dll -> Microsoft Corporation [Ver = 6.00.2900.3051 (xpsp_sp2_gdr.061219-0316) | Size = 8453632 bytes | Modified Date = 19/12/2006 22:52:18 | Attr = ]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} -> - CodeBase = -> 
{0A5FD7C5-A45C-49FC-ADB5-9952547D5715} -> - CodeBase = -> 
{0E5F0222-96B9-11D3-8997-00104BD12D94} -> PCPitstop Utility - CodeBase = http://pcpitstop.com/pcpitstop/pcpitstop.cab -> 
{166B1BCA-3F9C-11CF-8075-444553540000} -> Shockwave ActiveX Control - CodeBase = -> 
{215B8138-A3CF-44C5-803F-8226143CFC0A} -> Trend Micro ActiveX Scan Agent 6.6 - CodeBase = http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab -> 
{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} -> BDSCANONLINE Control - CodeBase = http://download.bitdefender.com/resources/scan8/oscan8.cab -> 
{6414512B-B978-451D-A0D8-FCFDF33E833C} -> WUWebControl Class - CodeBase = -> 
{7B297BFD-85E4-4092-B2AF-16A91B2EA103} -> WScanCtl Class - CodeBase = http://www3.ca.com/securityadvisor/virusinfo/webscan.cab -> 
{8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.5.0_11 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab -> 
{9732FB42-C321-11D1-836F-00A0C993F125} -> mhLabel Class - CodeBase = http://pcpitstop.com/mhLbl.cab -> 
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -> ActiveScan Installer Class - CodeBase = http://acs.pandasoftware.com/activescan/as5free/asinst.cab -> 
{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_11 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab -> 
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_11 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab -> 
{F6ACF75C-C32C-447B-9BEF-46B766368D29} -> - CodeBase = -> 
DirectAnimation Java Classes -> - CodeBase = file://C:\WINDOWS\Java\classes\dajava.cab -> 
Microsoft XML Parser for Java -> - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab ->

[Registry - Additional Scans - Non-Microsoft Only]
< ActiveX StubPath [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\
{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} -> -> 
{22d6f312-b0f6-11d0-94ab-0080c74c7e95} -> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mswmp.inf,PerUserStub -> 
{2C7339CF-2B09-4501-B3F3-F3508C9228ED} -> %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll -> 
{44BBA840-CC51-11CF-AAFA-00AA00B6015C} -> "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install -> 
{44BBA842-CC51-11CF-AAFA-00AA00B6015B} -> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT -> 
{4b218e3e-bc98-4770-93d3-2731b9329278} -> %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf -> 
{5945c046-1e7d-11d1-bc44-00c04fd912be} -> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser -> 
{6BF52A52-394A-11d3-B153-00C04F79FAA6} -> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub -> 
{7790769C-0471-11d2-AF11-00C04FA35D02} -> "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install -> 
{89820200-ECBD-11cf-8B85-00AA005B4340} -> regsvr32.exe /s /n /i:U shell32.dll -> 
{89820200-ECBD-11cf-8B85-00AA005B4383} -> %SystemRoot%\system32\ie4uinit.exe -> 
{89B4C1CD-B018-4511-B0A1-5476DBF70820} -> C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install -> 
>{22d6f312-b0f6-11d0-94ab-0080c74c7e95} -> C:\WINDOWS\inf\unregmp2.exe /ShowWMP -> 
>{26923b43-4d38-484f-9b9e-de460746276c} -> %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE -> 
>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS -> RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP -> 
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a} -> %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE -> 
< Approved Shell Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
{0DF44EAA-FF21-4412-828E-260A8728E7F1} [HKLM] -> Reg Data - Key not found [Taskbar and Start Menu] -> File not found
{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5} [HKLM] -> Reg Data - Key not found [dBpowerAMP Music Converter] -> File not found
{32683183-48a0-441b-a342-7c2a440a9478} [HKLM] -> Reg Data - Key not found [Media Band] -> File not found
{42071714-76d4-11d1-8b24-00a0c9068ff3} [HKLM] -> deskpan.dll [Display Panning CPL Extension] -> File not found
{764BF0E1-F219-11ce-972D-00AA00A14F56} [HKLM] -> Reg Data - Key not found [Shell extensions for file compression] -> File not found
{7A9D77BD-5403-11d2-8785-2E0420524153} [HKLM] -> Reg Data - Key not found [User Accounts] -> File not found
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} [HKLM] -> Reg Data - Key not found [Encryption Context Menu] -> File not found
{88895560-9AA2-1069-930E-00AA0030EBC8} [HKLM] -> %System32%\hticons.dll [HyperTerminal Icon Ext] -> Hilgraeve, Inc. [Ver = 5.1.2600.0 | Size = 44544 bytes | Modified Date = 29/08/2002 13:00:00 | Attr = ]
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} [HKLM] -> %ProgramFiles%\Grisoft\AVG Free\avgse.dll [AVG7 Shell Extension] -> GRISOFT, s.r.o. [Ver = 7.5.0.409 | Size = 50688 bytes | Modified Date = 17/11/2006 13:25:16 | Attr = ]
{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} [HKLM] -> %ProgramFiles%\Grisoft\AVG Free\avgse.dll [AVG7 Find Extension] -> GRISOFT, s.r.o. [Ver = 7.5.0.409 | Size = 50688 bytes | Modified Date = 17/11/2006 13:25:16 | Attr = ]
{A68865DD-EE3C-4442-9BE9-1BAB2576E3FA} [HKLM] -> %ProgramFiles%\Creative\Creative Zen Touch\NOMAD Explorer\CTJBNS.dll [NOMAD Explorer] -> Creative Technology Ltd [Ver = 3.1.8.0 | Size = 610304 bytes | Modified Date = 24/08/2004 15:00:12 | Attr = ]
{B41DB860-8EE4-11D2-9906-E49FADC173CA} [HKLM] -> %ProgramFiles%\WinRAR\RarExt.dll [WinRAR shell extension] -> [Ver = | Size = 126464 bytes | Modified Date = 13/07/2006 19:04:04 | Attr = ]
{BD88A479-9623-4897-8546-BC62B9628F44} [HKLM] -> %ProgramFiles%\Spyware Terminator\sptcontmenu.dll [SPTHandler] -> Crawler.com [Ver = 1.1.0.13 | Size = 140800 bytes | Modified Date = 12/04/2007 11:00:28 | Attr = ]
{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} [HKLM] -> %ProgramFiles%\Real\RealPlayer\rpshell.dll [Shell Extensions for RealOne Player] -> RealNetworks, Inc. [Ver = 1.0.1.2237 | Size = 49198 bytes | Modified Date = 30/06/2006 14:50:08 | Attr = ]
{FED7043D-346A-414D-ACD7-550D052499A7} [HKLM] -> Reg Data - Key not found [dBpowerAMP Music Converter 1] -> File not found
< Approved Shell Extensions [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
{BDEADF00-C265-11d0-BCED-00A0C90AB50F} [HKLM] -> %CommonProgramFiles%\Microsoft Shared\Web Folders\MSONSEXT.DLL [Web Folders] -> [Ver = | Size = 561209 bytes | Modified Date = 19/05/2001 08:57:40 | Attr = ]
< BotCheck > -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\DefaultLaunchPermission -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\EnableDCOM -> Y -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\MachineLaunchRestriction -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\MachineAccessRestriction -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\EnableRemoteConnect -> Y -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{A50398B8-9075-4FBF-A7A1-456BF21937AD} -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{AD65A69D-3831-40D7-9629-9B0B50A93843} -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{0040D221-54A1-11D1-9DE0-006097042D69} -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3} -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\NONREDIST\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\NONREDIST\\System.EnterpriseServices.Thunk.dll -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntiVirusDisableNotify -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallDisableNotify -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\UpdatesDisableNotify -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntiVirusOverride -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallOverride -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall\\DisableMonitoring -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate not found. -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile not found. -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages -> msv1_0; -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Bounds -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Security Packages -> kerberos;msv1_0;schannel;wdigest; -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\LsaPid -> 600 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\SecureBoot -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\auditbaseobjects -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\crashonauditfail -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\disabledomaincreds -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\everyoneincludesanonymous -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\fipsalgorithmpolicy -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\forceguest -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\fullprivilegeauditing -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\limitblankpassworduse -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\lmcompatibilitylevel -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\nodefaultadminowner -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\nolmhash -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\restrictanonymous -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\restrictanonymoussam -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Notification Packages -> scecli; -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\ImpersonatePrivilegeUpgradeToolHasRun -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\\ProviderOrder -> Windows NT Access Provider; -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider\\ProviderPath -> %SystemRoot%\system32\ntmarta.dll -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data\ -> ->


----------



## bandyandy (Aug 26, 2006)

Part 10:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data\\Pattern -> X¿6Ãã¯NN<˜aµØ2ö98169e48
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG\\GrafBlumGroup -> Ö j¿}QFùÏ -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD\\Lookup -> bÌ"‡'× -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0\\ntlmminclientsec -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0\\ntlmminserversec -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1\\SkewMatrix -> å‹﷓k+K﷓ÿÎ•u¿e'ª¯ -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4\\SSOURL -> http://www.passport.com -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\\Time -> aÿ*j‚Æ -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Name -> Digest -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Comment -> Digest SSPI Authentication Package -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Capabilities -> 16464 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\RpcId -> 65535 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Version -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\TokenSize -> 65535 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Time -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Type -> 49 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Name -> DPA -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Comment -> DPA Security Package -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Capabilities -> 55 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\RpcId -> 17 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Version -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\TokenSize -> 768 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Time -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Type -> 49 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Name -> MSN -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Comment -> MSN Security Package -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Capabilities -> 55 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\RpcId -> 18 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Version -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\TokenSize -> 768 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Time -> €oã"øyÄ -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Type -> 49 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Type -> 32 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Start -> 2 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ErrorControl -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ImagePath -> %SystemRoot%\System32\svchost.exe -k netsvcs -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DisplayName -> Windows Firewall/Internet Connection Sharing (ICS) -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DependOnService -> Netman;WinMgmt; -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DependOnGroup -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ObjectName -> LocalSystem -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Description -> Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\\Epoch -> 2936 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\\ServiceDll -> %SystemRoot%\System32\ipnathlp.dll -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\ \ -> -> 
Key not found -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Security\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Security\\Security -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\\ServiceUpgrade -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\\{3FC7A7DE-D4FA-47A2-BAAC-2507077E503E} -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\\{F97CD4AF-2BC6-4C6A-8182-E544357D0C97} -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\0 -> Root\LEGACY_SHAREDACCESS\0000 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\Count -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\NextInstance -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Type -> 32 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Start -> 2 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ErrorControl -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ImagePath -> %systemroot%\system32\svchost.exe -k netsvcs -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\DisplayName -> Automatic Updates -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ObjectName -> LocalSystem -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Description -> Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site. -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\\ServiceDll -> C:\WINDOWS\System32\wuauserv.dll -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\\Security -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\0 -> Root\LEGACY_WUAUSERV\0000 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\Count -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\NextInstance -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry not found. -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr not found. -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\\ProxyEnable -> 0 -> 
< ColumnHandlers - Folder [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\pdfshell.dll [PDF Shell Extension] -> Adobe Systems, Inc. [Ver = 7.0.0.0 | Size = 110592 bytes | Modified Date = 14/12/2004 03:20:02 | Attr = ]
< ContextMenuHandlers - * [HKLM] > -> HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\
{CA8ACAFA-5FBB-467B-B348-90DD488DE003} [HKLM] -> %ProgramFiles%\SUPERAntiSpyware\SASCTXMN.DLL [SASContextMenu Class] -> SUPERAntiSpyware.com [Ver = 1, 0, 0, 1004 | Size = 61440 bytes | Modified Date = 10/03/2007 15:35:32 | Attr = ]
{8934FCEF-F5B8-468f-951F-78A921CD3920} [HKLM] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\context.dll [AVG Anti-Spyware] -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 49 | Size = 98304 bytes | Modified Date = 06/10/2006 12:40:48 | Attr = ]
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} [HKLM] -> %ProgramFiles%\Grisoft\AVG Free\avgse.dll [AVG7 Shell Extension] -> GRISOFT, s.r.o. [Ver = 7.5.0.409 | Size = 50688 bytes | Modified Date = 17/11/2006 13:25:16 | Attr = ]
{3272DE9F-3E78-4272-B228-C63A2E3F21EB} [HKLM] -> %ProgramFiles%\Zenturi\ProgramChecker\pcpshell.dll [ProgramChecker] -> Zenturi, Inc [Ver = 1,5,0,531 | Size = 122880 bytes | Modified Date = 15/02/2006 16:17:16 | Attr = ]
{BD88A479-9623-4897-8546-BC62B9628F44} [HKLM] -> %ProgramFiles%\Spyware Terminator\sptcontmenu.dll [SPTContMenu] -> Crawler.com [Ver = 1.1.0.13 | Size = 140800 bytes | Modified Date = 12/04/2007 11:00:28 | Attr = ]
{B41DB860-8EE4-11D2-9906-E49FADC173CA} [HKLM] -> %ProgramFiles%\WinRAR\RarExt.dll [WinRAR] -> [Ver = | Size = 126464 bytes | Modified Date = 13/07/2006 19:04:04 | Attr = ]
< ContextMenuHandlers - Directory [HKLM] > -> HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\
{CA8ACAFA-5FBB-467B-B348-90DD488DE003} [HKLM] -> %ProgramFiles%\SUPERAntiSpyware\SASCTXMN.DLL [SASContextMenu Class] -> SUPERAntiSpyware.com [Ver = 1, 0, 0, 1004 | Size = 61440 bytes | Modified Date = 10/03/2007 15:35:32 | Attr = ]
{8934FCEF-F5B8-468f-951F-78A921CD3920} [HKLM] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\context.dll [AVG Anti-Spyware] -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 49 | Size = 98304 bytes | Modified Date = 06/10/2006 12:40:48 | Attr = ]
{B41DB860-8EE4-11D2-9906-E49FADC173CA} [HKLM] -> %ProgramFiles%\WinRAR\RarExt.dll [WinRAR] -> [Ver = | Size = 126464 bytes | Modified Date = 13/07/2006 19:04:04 | Attr = ]
< ContextMenuHandlers - Folder [HKLM] > -> HKEY_LOCAL_MACHINE\Software\Classes\Folder\shell\
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\pex.exe "%L" -> %ProgramFiles%\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\pex.exe [Open with Ulead Photo Explorer] -> Ulead Systems, Inc. [Ver = 8.0 | Size = 1449984 bytes | Modified Date = 19/11/2003 17:52:32 | Attr = ]
"C:\Program Files\JAM Software\TreeSize\treesize.exe" "%1" -> %ProgramFiles%\JAM Software\TreeSize\treesize.exe [treesize] -> JAM Software [Ver = 1.7.1.79 | Size = 813056 bytes | Modified Date = 11/02/2004 18:30:24 | Attr = ]
< ContextMenuHandlers - Folder [HKLM] > -> HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} [HKLM] -> %ProgramFiles%\Grisoft\AVG Free\avgse.dll [AVG7 Shell Extension] -> GRISOFT, s.r.o. [Ver = 7.5.0.409 | Size = 50688 bytes | Modified Date = 17/11/2006 13:25:16 | Attr = ]
{BD88A479-9623-4897-8546-BC62B9628F44} [HKLM] -> %ProgramFiles%\Spyware Terminator\sptcontmenu.dll [SPTContMenu] -> Crawler.com [Ver = 1.1.0.13 | Size = 140800 bytes | Modified Date = 12/04/2007 11:00:28 | Attr = ]
{B41DB860-8EE4-11D2-9906-E49FADC173CA} [HKLM] -> %ProgramFiles%\WinRAR\RarExt.dll [WinRAR] -> [Ver = | Size = 126464 bytes | Modified Date = 13/07/2006 19:04:04 | Attr = ]
< ControlSets > -> 
HKEY_LOCAL_MACHINE\SYSTEM\Select\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\Select\\Current -> 3 -> 
HKEY_LOCAL_MACHINE\SYSTEM\Select\\Default -> 3 -> 
HKEY_LOCAL_MACHINE\SYSTEM\Select\\Failed -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\Select\\LastKnownGood -> 4 -> 
< Disabled MSConfig Folder Items[HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\
C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\reader_sl.exe -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 29696 bytes | Modified Date = 23/09/2005 23:05:26 | Attr = ]
< Disabled MSConfig Registry Items [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\
SweetIM -> %ProgramFiles%\Macrogaming\SweetIM\SweetIM.exe -> MacroGaming LTD. [Ver = 2, 0, 0, 8 | Size = 73840 bytes | Modified Date = 27/12/2006 17:53:42 | Attr = R ]
updateMgr -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe -> Adobe Systems Incorporated [Ver = 3.1.0.10 | Size = 313472 bytes | Modified Date = 30/03/2006 17:45:08 | Attr = R ]
< File Associations - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\
.bat [@ = batfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->


----------



## bandyandy (Aug 26, 2006)

Part 11:

.chm [@ = chm.file] -> PersistentHandler = Reg Data - Key not found -> 
.cmd [@ = cmdfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} -> 
.com [@ = comfile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb} -> 
.cpl [@ = cplfile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb} -> 
.exe [@ = exefile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb} -> 
.hlp [@ = hlpfile] -> PersistentHandler = Reg Data - Key not found -> 
.hta [@ = htafile] -> PersistentHandler = {eec97550-47a9-11cf-b952-00aa0051fe20} -> 
.html [@ = FirefoxHTML] -> PersistentHandler = {eec97550-47a9-11cf-b952-00aa0051fe20} -> 
.inf [@ = inffile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} -> 
.ini [@ = inifile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} -> 
.url [@ = InternetShortcut] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} -> 
.js [@ = JSFile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} -> 
.jse [@ = JSEFile] -> PersistentHandler = Reg Data - Key not found -> 
.pif [@ = piffile] -> PersistentHandler = Reg Data - Key not found -> 
.reg [@ = regfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} -> 
.scr [@ = scrfile] -> PersistentHandler = Reg Data - Key not found -> 
.txt [@ = txtfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} -> 
.vbe [@ = VBEFile] -> PersistentHandler = Reg Data - Key not found -> 
.vbs [@ = VBSFile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} -> 
.wsf [@ = WSFFile] -> PersistentHandler = Reg Data - Key not found -> 
.wsh [@ = WSHFile] -> PersistentHandler = Reg Data - Key not found -> 
< Internet Explorer CmdMapping [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} -> 8194 - Sun Java Console -> 
{85d1f590-48f4-11d9-9669-0800200c9a66} -> 8196 - Uninstall BitDefender Online Scanner v8 -> 
{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} -> 8195 - Reg Data - Key not found -> 
{FB5F1910-F110-11d2-BB9E-00C04F795683} -> 8193 - Windows Messenger -> 
< Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 -> 
< Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools -> 0 -> 
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\ -> -> 
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\ -> -> 
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\\Homepage -> 0 -> 
< Security Settings > -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntiVirusDisableNotify -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallDisableNotify -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\UpdatesDisableNotify -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntiVirusOverride -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallOverride -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall\\DisableMonitoring -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\Type -> 32 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\Start -> 3 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\ErrorControl -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\ImagePath -> %SystemRoot%\System32\svchost.exe -k netsvcs -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\DisplayName -> Background Intelligent Transfer Service -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\DependOnService -> Rpcss; -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\DependOnGroup -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\ObjectName -> LocalSystem -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\Description -> Transfers files in the background using idle network bandwidth. If the service is stopped, features such as Windows Update, and MSN Explorer will be unable to automatically download programs and other information. If this service is disabled, any services that explicitly depend on it may fail to transfer files if they do not have a fail safe mechanism to transfer files directly through IE in case BITS has been disabled. -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\FailureActions -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters\\ServiceDll -> C:\WINDOWS\System32\qmgr.dll -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Security\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Security\\Security -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Enum\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Enum\\0 -> Root\LEGACY_BITS\0000 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Enum\\Count -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Enum\\NextInstance -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Type -> 32 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Start -> 2 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ErrorControl -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ImagePath -> %SystemRoot%\System32\svchost.exe -k netsvcs -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DisplayName -> Windows Firewall/Internet Connection Sharing (ICS) -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DependOnService -> Netman;WinMgmt; -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DependOnGroup -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ObjectName -> LocalSystem -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Description -> Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\\Epoch -> 2936 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\\ServiceDll -> %SystemRoot%\System32\ipnathlp.dll -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\\\ServiceDll -> %SystemRoot%\System32\ipnathlp.dll -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\\S\ -> -> 
Key not found -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Security\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Security\\Security -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\\ServiceUpgrade -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\\{3FC7A7DE-D4FA-47A2-BAAC-2507077E503E} -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\\{F97CD4AF-2BC6-4C6A-8182-E544357D0C97} -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\0 -> Root\LEGACY_SHAREDACCESS\0000 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\Count -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\NextInstance -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Type -> 32 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Start -> 2 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ErrorControl -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ImagePath -> %systemroot%\system32\svchost.exe -k netsvcs -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\DisplayName -> Automatic Updates -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ObjectName -> LocalSystem -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Description -> Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site. -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\\ServiceDll -> C:\WINDOWS\System32\wuauserv.dll -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\\Security -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\0 -> Root\LEGACY_WUAUSERV\0000 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\Count -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\NextInstance -> 1 -> 
< Session Manager Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
BootExecute -> autocheck autochk *; -> 
< Session Manager Environment Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
ComSpec -> C:\WINDOWS\system32\cmd.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 388608 bytes | Modified Date = 04/08/2004 08:56:48 | Attr = ]
TEMP -> %SystemRoot%\TEMP -> 
TMP -> %SystemRoot%\TEMP -> 
windir -> %SystemRoot% -> 
*Path* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\\Path -> 
%SystemRoot%\system32 -> -> 
%SystemRoot% -> -> 
%SystemRoot%\System32\Wbem -> -> 
C:\Program Files\Common Files\Ulead Systems\MPEG -> -> 
C:\Program Files\Common Files\Ulead Systems\DVD -> -> 
C:\Program Files\Diskeeper Corporation\Diskeeper\ -> -> 
*PATHEXT* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\\PATHEXT -> 
.COM -> -> 
.EXE -> -> 
.BAT -> -> 
.CMD -> -> 
.VBS -> -> 
.VBE -> ->


----------
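The dump in the posts above is a flat list of `key\\value -> data ->` records, and the handful a responder actually acts on is scattered across it: the LSA authentication values in Part 9 (lmcompatibilitylevel, nolmhash, restrictanonymous, the msv1_0 ntlmmin*sec pair), the Security Center override and DisableMonitoring values and the service start types in Part 11. The script below is an added example, written for this page and not part of bandyandy's post or of the scanner that produced the log. It parses that line format and compares the values it finds against a hardening baseline. SAMPLE_LOG is a constructed subset of lines copied from the posted dump; the baseline thresholds, the severity labels and the helper names (parse, audit, Finding) are the editor's own assumptions, not anything the tool emits.

```python
"""Triage the OTScanIt-style registry dump posted in this thread.

Added example for this page; not the scanner's code and not from the poster.
Parses lines of the form  <key>\\<value name> -> <data> ->  and flags values
that are weaker than a hardening baseline chosen here by the editor.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample: lines copied from the posted dump (Parts 9 and 11),
# trimmed to the ones the checks below look at.
SAMPLE_LOG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntiVirusOverride -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallOverride -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall\\DisableMonitoring -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate not found. -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\limitblankpassworduse -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\lmcompatibilitylevel -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\nolmhash -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\restrictanonymous -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\restrictanonymoussam -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0\\ntlmminclientsec -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0\\ntlmminserversec -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Start -> 2 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Start -> 2 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools -> 0 -> 
"""

# key path, a literal "\\", value name, " -> data ->". Subkey headers,
# "not found" notes and binary blobs without a closing arrow do not match.
LINE_RE = re.compile(r"^(?P<key>.+?)\\\\(?P<name>[^\\]*) -> (?P<data>.*?) ->\s*$")


@dataclass
class Finding:
    severity: str   # "weak": hardening gap; "review": legitimate or malicious, needs a human
    key: str
    name: str
    observed: str
    note: str


def parse(text: str) -> Dict[Tuple[str, str], str]:
    """Map (lower-cased key path, lower-cased value name) -> raw data string."""
    values: Dict[Tuple[str, str], str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            values[(m["key"].lower(), m["name"].lower())] = m["data"].strip()
    return values


LSA = r"hkey_local_machine\system\currentcontrolset\control\lsa"
MSV = LSA + r"\msv1_0"
SC = r"hkey_local_machine\software\microsoft\security center"
SVC = r"hkey_local_machine\system\currentcontrolset\services"
NTLMV2_128 = 0x20080000   # NTLMv2 session security (0x80000) + 128-bit (0x20000000)

# (key, value name, predicate that is True when the value is acceptable, severity, note)
CHECKS: List[Tuple[str, str, Callable[[int], bool], str, str]] = [
    (LSA, "lmcompatibilitylevel", lambda v: v >= 3, "weak",
     "levels 0-2 still send LM/NTLMv1 responses; 3 sends NTLMv2 only"),
    (LSA, "nolmhash", lambda v: v == 1, "weak", "LM hashes of local passwords are stored in the SAM"),
    (LSA, "restrictanonymous", lambda v: v >= 1, "weak", "null sessions may enumerate shares"),
    (LSA, "restrictanonymoussam", lambda v: v == 1, "weak", "null sessions may enumerate SAM accounts"),
    (LSA, "limitblankpassworduse", lambda v: v == 1, "weak", "blank-password accounts usable over the network"),
    (MSV, "ntlmminclientsec", lambda v: v & NTLMV2_128 == NTLMV2_128, "weak",
     "client does not require NTLMv2 session security and 128-bit encryption"),
    (MSV, "ntlmminserversec", lambda v: v & NTLMV2_128 == NTLMV2_128, "weak",
     "server does not require NTLMv2 session security and 128-bit encryption"),
    (SC, "antivirusoverride", lambda v: v == 0, "review", "Security Center antivirus alerts suppressed"),
    (SC, "firewalloverride", lambda v: v == 0, "review", "Security Center firewall alerts suppressed"),
    (SVC + r"\wuauserv", "start", lambda v: v in (2, 3), "review", "Automatic Updates service disabled"),
    (SVC + r"\sharedaccess", "start", lambda v: v in (2, 3), "review", "Windows Firewall/ICS service disabled"),
    (r"hkey_current_user\software\microsoft\windows\currentversion\policies\system",
     "disableregistrytools", lambda v: v == 0, "review", "regedit blocked by policy, a common malware lock-out"),
]


def audit(text: str) -> List[Finding]:
    """Return one Finding per value that misses the baseline; absent values are skipped."""
    values = parse(text)
    findings: List[Finding] = []
    for key, name, ok, severity, note in CHECKS:
        data = values.get((key, name))
        if data is None:
            continue
        try:
            v = int(data)
        except ValueError:
            findings.append(Finding(severity, key, name, data, "non-numeric data: " + note))
            continue
        if not ok(v):
            findings.append(Finding(severity, key, name, data, note))
    # Any product may register under Security Center\Monitoring\<vendor> and set
    # DisableMonitoring=1. ZoneAlarm does this legitimately (it is in the running
    # process list), but malware uses the same switch, so it is always worth a look.
    for (key, name), data in values.items():
        if key.startswith(SC + "\\monitoring\\") and name == "disablemonitoring" and data == "1":
            findings.append(Finding("review", key, name, data,
                                    "product told Security Center to stop monitoring it"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"[{f.severity}] {f.key}\\\\{f.name} = {f.observed}: {f.note}")
```

Run against the sample it reports the five LSA/NTLM values as weak (LM/NTLMv1 still offered, LM hashes stored, anonymous share enumeration allowed, no minimum NTLM session security on either side) and the ZoneLabsFirewall DisableMonitoring value as something to review rather than fix, which matches the installed ZoneAlarm. Everything else in the sample passes, including the service start types, so the Zlob infection described in the thread had not disabled Automatic Updates or the firewall service at the time of this dump; the weak values are XP SP2 defaults, not damage done by the malware.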



## bandyandy (Aug 26, 2006)

Part 12:

.JS -> -> 
.JSE -> -> 
.WSF -> -> 
.WSH -> -> 
< Registry Shell Spawning - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command
batfile [edit] -> %SystemRoot%\System32\NOTEPAD.EXE %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 04/08/2004 08:56:54 | Attr = ]
batfile [open] -> "%1" %* -> 
batfile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 04/08/2004 08:56:54 | Attr = ]
chm.file [open] -> "%SystemRoot%\hh.exe" %1 -> Microsoft Corporation [Ver = 5.2.3790.2453 (srv03_sp1_gdr.050525-1542) | Size = 10752 bytes | Modified Date = 27/05/2005 00:22:02 | Attr = ]
cmdfile [edit] -> %SystemRoot%\System32\NOTEPAD.EXE %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 04/08/2004 08:56:54 | Attr = ]
cmdfile [open] -> "%1" %* -> 
cmdfile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 04/08/2004 08:56:54 | Attr = ]
comfile [open] -> "%1" %* -> 
cplfile [cplopen] -> rundll32.exe shell32.dll,Control_RunDLL "%1",%* -> Microsoft Corporation [Ver = 6.00.2900.3051 (xpsp_sp2_gdr.061219-0316) | Size = 8453632 bytes | Modified Date = 19/12/2006 22:52:18 | Attr = ]
exefile [open] -> "%1" %* -> 
helpfile [open] -> winhlp32.exe %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 283648 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
hlpfile [open] -> %SystemRoot%\System32\winhlp32.exe %1 -> Microsoft Corporation [Ver = 5.1.2600.0 (XPClient.010817-1148) | Size = 8192 bytes | Modified Date = 29/08/2002 13:00:00 | Attr = ]
htafile [open] -> %System32%\mshta.exe "%1" %* -> Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 29184 bytes | Modified Date = 04/08/2004 08:56:54 | Attr = ]
htmlfile [edit] -> "%ProgramFiles%\Microsoft Office\Office\msohtmed.exe" %1 -> Microsoft Corporation [Ver = 9.0.3508 | Size = 41011 bytes | Modified Date = 12/11/1999 01:39:16 | Attr = ]
htmlfile [open] -> "%ProgramFiles%\Internet Explorer\iexplore.exe" -nohome -> Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 93184 bytes | Modified Date = 04/08/2004 08:56:50 | Attr = ]
htmlfile [opennew] -> "%ProgramFiles%\Internet Explorer\iexplore.exe" %1 -> Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 93184 bytes | Modified Date = 04/08/2004 08:56:50 | Attr = ]
htmlfile [print] -> "%ProgramFiles%\Microsoft Office\Office\msohtmed.exe" /p %1 -> Microsoft Corporation [Ver = 9.0.3508 | Size = 41011 bytes | Modified Date = 12/11/1999 01:39:16 | Attr = ]
http [open] -> %SystemDrive%\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1" -requestPending -> Mozilla Corporation [Ver = 1.8.1.3: 2007030919 | Size = 7633008 bytes | Modified Date = 24/03/2007 19:42:24 | Attr = ]
https [open] -> %SystemDrive%\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1" -requestPending -> Mozilla Corporation [Ver = 1.8.1.3: 2007030919 | Size = 7633008 bytes | Modified Date = 24/03/2007 19:42:24 | Attr = ]
inffile [install] -> %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 33280 bytes | Modified Date = 04/08/2004 08:56:56 | Attr = ]
inffile [open] -> %SystemRoot%\System32\NOTEPAD.EXE %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 04/08/2004 08:56:54 | Attr = ]
inffile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 04/08/2004 08:56:54 | Attr = ]
inifile [open] -> %SystemRoot%\System32\NOTEPAD.EXE %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 04/08/2004 08:56:54 | Attr = ]
inifile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 04/08/2004 08:56:54 | Attr = ]
InternetShortcut [open] -> rundll32.exe shdocvw.dll,OpenURL %l -> Microsoft Corporation [Ver = 6.00.2900.3059 (xpsp_sp2_qfe.070104-0040) | Size = 1498112 bytes | Modified Date = 04/01/2007 15:05:30 | Attr = ]
InternetShortcut [print] -> rundll32.exe %SystemRoot%\System32\mshtml.dll,PrintHTML "%1" -> Microsoft Corporation [Ver = 6.00.2900.3059 (xpsp_sp2_qfe.070104-0040) | Size = 3062272 bytes | Modified Date = 04/01/2007 15:05:30 | Attr = ]
jsfile [edit] -> %SystemRoot%\System32\Notepad.exe %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 04/08/2004 08:56:54 | Attr = ]
jsfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* -> Microsoft Corporation [Ver = 5.6.0.8820 | Size = 114688 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
jsfile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 04/08/2004 08:56:54 | Attr = ]
jsefile [edit] -> %SystemRoot%\System32\Notepad.exe %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 04/08/2004 08:56:54 | Attr = ]
jsefile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* -> Microsoft Corporation [Ver = 5.6.0.8820 | Size = 114688 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
jsefile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 04/08/2004 08:56:54 | Attr = ]
piffile [open] -> "%1" %* -> 
regfile [edit] -> %SystemRoot%\system32\NOTEPAD.EXE %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 04/08/2004 08:56:54 | Attr = ]
regfile [open] -> regedit.exe "%1" -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 146432 bytes | Modified Date = 04/08/2004 08:56:56 | Attr = ]
regfile [merge] -> Reg Data - Key not found -> 
regfile [print] -> %SystemRoot%\system32\NOTEPAD.EXE /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 04/08/2004 08:56:54 | Attr = ]
scrfile [config] -> "%1" -> 
scrfile [install] -> rundll32.exe desk.cpl,InstallScreenSaver %l -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 135168 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
scrfile [open] -> "%1" /S -> 
txtfile [edit] -> Reg Data - Key not found -> 
txtfile [open] -> %SystemRoot%\system32\NOTEPAD.EXE %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 04/08/2004 08:56:54 | Attr = ]
txtfile [print] -> %SystemRoot%\system32\NOTEPAD.EXE /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 04/08/2004 08:56:54 | Attr = ]
txtfile [printto] -> %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 04/08/2004 08:56:54 | Attr = ]
vbefile [edit] -> %SystemRoot%\System32\Notepad.exe %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 04/08/2004 08:56:54 | Attr = ]
vbefile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* -> Microsoft Corporation [Ver = 5.6.0.8820 | Size = 114688 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
vbefile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 04/08/2004 08:56:54 | Attr = ]
vbsfile [edit] -> %SystemRoot%\System32\Notepad.exe %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 04/08/2004 08:56:54 | Attr = ]
vbsfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* -> Microsoft Corporation [Ver = 5.6.0.8820 | Size = 114688 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
vbsfile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 04/08/2004 08:56:54 | Attr = ]
wsffile [edit] -> %SystemRoot%\System32\Notepad.exe %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 04/08/2004 08:56:54 | Attr = ]
wsffile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* -> Microsoft Corporation [Ver = 5.6.0.8820 | Size = 114688 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
wsffile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Modified Date = 04/08/2004 08:56:54 | Attr = ]
wshfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* -> Microsoft Corporation [Ver = 5.6.0.8820 | Size = 114688 bytes | Modified Date = 04/08/2004 08:56:58 | Attr = ]
Unknown [openas] -> %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 -> Microsoft Corporation [Ver = 6.00.2900.3051 (xpsp_sp2_gdr.061219-0316) | Size = 8453632 bytes | Modified Date = 19/12/2006 22:52:18 | Attr = ]
Directory [find] -> %SystemRoot%\Explorer.exe -> Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 1032192 bytes | Modified Date = 04/08/2004 08:56:50 | Attr = ]
Folder [open] -> %SystemRoot%\Explorer.exe /idlist,%I,%L -> Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 1032192 bytes | Modified Date = 04/08/2004 08:56:50 | Attr = ]
Folder [explore] -> %SystemRoot%\Explorer.exe /e,/idlist,%I,%L -> Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 1032192 bytes | Modified Date = 04/08/2004 08:56:50 | Attr = ]
Drive [find] -> %SystemRoot%\Explorer.exe -> Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 1032192 bytes | Modified Date = 04/08/2004 08:56:50 | Attr = ]
Applications\iexplore.exe [open] -> "%ProgramFiles%\Internet Explorer\iexplore.exe" %1 -> Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 93184 bytes | Modified Date = 04/08/2004 08:56:50 | Attr = ]
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -> "%ProgramFiles%\Internet Explorer\iexplore.exe" -> Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 93184 bytes | Modified Date = 04/08/2004 08:56:50 | Attr = ]
< Uninstall List > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
{00000409-78E1-11D2-B60F-006097C998E7} -> Microsoft Office 2000 SR-1 Premium -> 
{0B095086-7205-4D48-90DF-DCD16613C6D4} -> -> 
{0DDDE141-9696-4E33-AB82-EF398169D7E5} -> Ulead PhotoImpact XL -> 
{103BCDA0-E063-46AC-8028-64E78722ABA7} -> -> 
{1103112B-513D-4DEF-96B4-9889774E0118} -> Creative Zen Touch -> 
{1342DC66-B0E5-44E2-8C68-F6B8377F416C} -> Diskeeper 2007 Home -> 
{2616B36E-38CE-4357-8AB5-8B3EE9B1C117} -> -> 
{28C80CD6-14DF-42E7-B460-CBF194A6439C} -> Sonic Foundry CD Architect 5.0 -> 
{2E0C1913-886B-4C5C-8DAF-D1E649CE5FCC} -> Creative MediaSource -> 
{3248F0A8-6813-11D6-A77B-00B0D0150110} -> J2SE Runtime Environment 5.0 Update 11 -> 
{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227} -> WebFldrs XP -> 
{3BCC5640-5360-11D4-A44A-0000E86D2305} -> Ulead Drop Spot 1.0 -> 
{3C080B57-0D1E-4C73-B03B-68A9EF9F23F3} -> -> 
{435E969D-867E-4364-8E74-3DC8A69C5BDB} -> -> 
{48E3A9E6-FA13-11D5-8CC9-00A0C98192B6} -> -> 
{526294AE-4192-4A19-9BF0-66CE5631C757} -> Art Attack -> 
{571700F0-DB9D-4B3A-B03D-35A14BB5939F} -> Windows Live Messenger -> 
{58582977-44D2-44A0-A09B-031CC2AE5938} -> -> 
{5B35C417-2649-11D6-83D1-0050FC01225C} -> FirstClass® Client -> 
{5BBFB0E4-2250-49C3-A8A3-65BE2197D13B} -> MP3 Player Utilities 1.47 -> 
{5CDDF96A-BC34-4D72-9ABA-E1FFF0C39977} -> -> 
{63A317D0-60A6-43FC-848A-9FE4A53B29CE} ->  -> 
{6811CAA0-BF12-11D4-9EA1-0050BAE317E1} -> PowerDVD -> 
{6A7A7205-8963-46D1-B745-F866ACCCAF1C} -> -> 
{6CA280F4-B354-4167-A262-ABE8347109D2} -> Vocal Rack Trial -> 
{700932B3-A964-4878-82A2-96054622A1F7} -> -> 
{7131646D-CD3C-40F4-97B9-CD9E4E6262EF} -> Microsoft .NET Framework 2.0 -> 
{76E41F43-59D2-4F30-BA42-9A762EE1E8DE} -> Avanquest update -> 
{836612F0-1571-4C65-A4B7-58A39AA578EE} -> -> 
{9115E7DB-3B29-445A-802D-11E0AA945B7F} -> Sound Blaster Live! -> 
{9A4D2983-4662-4387-BE3D-4CFC2FA9C100} -> -> 
{A731533B-B325-4D9C-91A4-D93C8E294C19} -> -> 
{A82F10CB-18B5-4EAC-AEF2-FA49CD565626} -> -> 
{AC157741-3285-4D6A-B934-9174587A3493} -> -> 
{AC76BA86-7AD7-1033-7B44-A70900000002} -> Adobe Reader 7.0.9 -> 
{BAD8CA9C-77C0-4663-B00B-A8D3B13C341B} -> Motorola Phone Tools -> 
{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} -> Microsoft .NET Framework 1.1 -> 
{CB99E420-8071-48F9-9567-4A53BE7569C4} -> -> 
{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA} ->


----------



## bandyandy (Aug 26, 2006)

Part 13:

SUPERAntiSpyware Free Edition -> 
{D2064B75-BFC8-4DE4-97D7-4DC7394C8641} -> -> 
{D271DAE0-8D68-4C97-8356-A126D48A1D8C} -> Ulead Photo Explorer 8.0 SE Basic -> 
{D36DD326-7280-11D8-97C8-000129760CBE} -> PhotoNow! 1.0 -> 
{D524239C-FD5C-4183-A49C-7930915A9C0A} -> -> 
{D5A9B7C0-8751-11D8-9D75-000129760D75} -> MediaShow 3.0 -> 
{D9A812DA-143D-4780-BEDC-FD6D41386317} -> -> 
{D9BBFA60-4514-4F08-A78F-91957F957495} -> Macrogaming SweetIM 2.0 -> 
{DD2D9012-E5A1-4717-8EE9-8DB3F36E2F8C} -> -> 
{E7337A45-3FE5-4392-ABBB-26B794D060C9} -> -> 
{F18E8A0F-BE99-4305-96A5-6C0FD9D7D999} -> -> 
{FD851F7E-F887-405D-9E1C-488811113EF3} -> -> 
{FE047432-CD76-41F9-88FA-1AD225604FFB} -> ProgramChecker -> 
Ad-Aware SE Personal -> Ad-Aware SE Personal -> 
AddressBook -> -> 
Adobe Shockwave Player -> Adobe Shockwave Player -> 
AKAI professional VST Collection v1.0 -> AKAI professional VST Collection v1.0 -> 
AnimaRO_is1 -> AnimaRO -> 
Antares Autotune DX v4.12 -> Antares Autotune DX v4.12 -> 
Antares Filter VST DX v1.0 -> Antares Filter VST DX v1.0 -> 
Arturia Moog Modular V v1.1 -> Arturia Moog Modular V v1.1 -> 
Atomic Clock Sync -> Atomic Clock Sync -> 
AudioHQ -> -> 
AVG7Uninstall -> AVG Free Edition -> 
AVGAntiSpyware75 -> AVG Anti-Spyware 7.5 -> 
Batch Bandwidth Monitor_is1 -> Bandwidth Monitor 1.0 -> 
Branding -> -> 
CADI -> -> 
Connection Manager -> -> 
Creative Audio Device Selection -> -> 
Creative DMP Drivers -> Creative DMP Drivers -> 
Creative File Manager -> -> 
Creative Jukebox Driver -> Creative Jukebox Driver -> 
Creative MediaSource -> -> 
Creative MediaSource AudioSync Plugin -> -> 
Creative MediaSource CD-ROM Burner Plugin -> -> 
Creative MediaSource Detector -> -> 
Creative MediaSource Digital Music Player Plugin -> -> 
Creative MediaSource NOMAD Jukebox 2/3/Zen Plugin -> -> 
Creative MediaSource NOMAD MuVo Plugin -> -> 
Creative MediaSource Player Skin Pack -> -> 
Creative MiniDisc Center -> -> 
Creative PlayCenter 2.0 -> -> 
Creative Recorder -> -> 
Creative Restore Defaults -> -> 
Creative Surround Mixer 2 -> -> 
Creative WaveStudio -> -> 
Creative Zen Touch -> -> 
Cubase VST 24 -> Cubase VST 24 v3.70 -> 
Diagnostics2 -> -> 
DirectAnimation -> -> 
DirectDrawEx -> -> 
DiskCleaner -> Disk Cleaner (remove only) -> 
DMP Driver -> Creative DMP Drivers -> 
DXM_Runtime -> -> 
EPSON Printer and Utilities -> EPSON Printer Software -> 
Fontcore -> -> 
GCSE Mathematics -> GCSE Mathematics -> 
GRM Tools VST -> GRM Tools VST v1.0 -> 
HijackThis -> HijackThis 1.99.1 -> 
ICW -> -> 
IE40 -> -> 
IE4Data -> -> 
IE5BAKEX -> -> 
IEData -> -> 
InstallShield Uninstall Information -> -> 
iZotope Trash DX v1.0.140d -> iZotope Trash DX v1.0.140d -> 
KB873339 -> Windows XP Hotfix - KB873339 -> 
KB884016 -> -> 
KB885250 -> Windows XP Hotfix - KB885250 -> 
KB885835 -> Windows XP Hotfix - KB885835 -> 
KB885836 -> Windows XP Hotfix - KB885836 -> 
KB886185 -> Windows XP Hotfix - KB886185 -> 
KB887472 -> Windows XP Hotfix - KB887472 -> 
KB887742 -> Windows XP Hotfix - KB887742 -> 
KB888113 -> Windows XP Hotfix - KB888113 -> 
KB888302 -> Windows XP Hotfix - KB888302 -> 
KB890046 -> Security Update for Windows XP (KB890046) -> 
KB890859 -> Windows XP Hotfix - KB890859 -> 
KB891122 -> Windows Media Format SDK Hotfix - KB891122 -> 
KB891781 -> Windows XP Hotfix - KB891781 -> 
KB893756 -> Security Update for Windows XP (KB893756) -> 
KB893803 -> -> 
KB893803v2 -> Windows Installer 3.1 (KB893803) -> 
KB896344 -> Hotfix for Windows XP (KB896344) -> 
KB896358 -> Security Update for Windows XP (KB896358) -> 
KB896422 -> Security Update for Windows XP (KB896422) -> 
KB896423 -> Security Update for Windows XP (KB896423) -> 
KB896424 -> Security Update for Windows XP (KB896424) -> 
KB896428 -> Security Update for Windows XP (KB896428) -> 
KB898461 -> Update for Windows XP (KB898461) -> 
KB899587 -> Security Update for Windows XP (KB899587) -> 
KB899591 -> Security Update for Windows XP (KB899591) -> 
KB900485 -> Update for Windows XP (KB900485) -> 
KB900725 -> Security Update for Windows XP (KB900725) -> 
KB901017 -> Security Update for Windows XP (KB901017) -> 
KB901190 -> Security Update for Windows XP (KB901190) -> 
KB901214 -> Security Update for Windows XP (KB901214) -> 
KB902344 -> Hotfix for Windows Media Format SDK (KB902344) -> 
KB902400 -> Security Update for Windows XP (KB902400) -> 
KB904706 -> Security Update for Windows XP (KB904706) -> 
KB904942 -> Update for Windows XP (KB904942) -> 
KB905414 -> Security Update for Windows XP (KB905414) -> 
KB905749 -> Security Update for Windows XP (KB905749) -> 
KB908519 -> Security Update for Windows XP (KB908519) -> 
KB908531 -> Update for Windows XP (KB908531) -> 
KB909520 -> Microsoft Base Smart Card Cryptographic Service Provider Package -> 
KB910437 -> Update for Windows XP (KB910437) -> 
KB911280 -> Security Update for Windows XP (KB911280) -> 
KB911562 -> Security Update for Windows XP (KB911562) -> 
KB911564 -> Security Update for Windows Media Player (KB911564) -> 
KB911565 -> Security Update for Windows Media Player 10 (KB911565) -> 
KB911567 -> Security Update for Windows XP (KB911567) -> 
KB911927 -> Security Update for Windows XP (KB911927) -> 
KB912812 -> Security Update for Windows XP (KB912812) -> 
KB912919 -> Security Update for Windows XP (KB912919) -> 
KB913433 -> Security Update for Windows XP (KB913433) -> 
KB913446 -> Security Update for Windows XP (KB913446) -> 
KB913580 -> Security Update for Windows XP (KB913580) -> 
KB914388 -> Security Update for Windows XP (KB914388) -> 
KB914389 -> Security Update for Windows XP (KB914389) -> 
KB916281 -> Security Update for Windows XP (KB916281) -> 
KB916595 -> Update for Windows XP (KB916595) -> 
KB917159 -> Security Update for Windows XP (KB917159) -> 
KB917283.T1_1ToU93_1 -> Security Update for Microsoft .NET Framework 2.0 (KB917283) -> 
KB917344 -> Security Update for Windows XP (KB917344) -> 
KB917422 -> Security Update for Windows XP (KB917422) -> 
KB917734_WMP10 -> Security Update for Windows Media Player 10 (KB917734) -> 
KB917953 -> Security Update for Windows XP (KB917953) -> 
KB918118 -> Security Update for Windows XP (KB918118) -> 
KB918439 -> Security Update for Windows XP (KB918439) -> 
KB918899 -> Security Update for Windows XP (KB918899) -> 
KB919007 -> Security Update for Windows XP (KB919007) -> 
KB920213 -> Security Update for Windows XP (KB920213) -> 
KB920214 -> Security Update for Windows XP (KB920214) -> 
KB920342 -> Update for Windows XP (KB920342) -> 
KB920670 -> Security Update for Windows XP (KB920670) -> 
KB920683 -> Security Update for Windows XP (KB920683) -> 
KB920685 -> Security Update for Windows XP (KB920685) -> 
KB920872 -> Update for Windows XP (KB920872) -> 
KB921398 -> Security Update for Windows XP (KB921398) -> 
KB921883 -> Security Update for Windows XP (KB921883) -> 
KB922582 -> Update for Windows XP (KB922582) -> 
KB922616 -> Security Update for Windows XP (KB922616) -> 
KB922760 -> Security Update for Windows XP (KB922760) -> 
KB922770.T1_1ToU168_1 -> Security Update for Microsoft .NET Framework 2.0 (KB922770) -> 
KB922819 -> Security Update for Windows XP (KB922819) -> 
KB923191 -> Security Update for Windows XP (KB923191) -> 
KB923414 -> Security Update for Windows XP (KB923414) -> 
KB923689 -> Security Update for Windows XP (KB923689) -> 
KB923980 -> Security Update for Windows XP (KB923980) -> 
KB924191 -> Security Update for Windows XP (KB924191) -> 
KB924270 -> Security Update for Windows XP (KB924270) -> 
KB924496 -> Security Update for Windows XP (KB924496) -> 
KB924667 -> Security Update for Windows XP (KB924667) -> 
KB925398_WMP64 -> Security Update for Windows Media Player 6.4 (KB925398) -> 
KB925486 -> Security Update for Windows XP (KB925486) -> 
KB925902 -> Security Update for Windows XP (KB925902) -> 
KB926255 -> Security Update for Windows XP (KB926255) -> 
KB926436 -> Security Update for Windows XP (KB926436) -> 
KB927779 -> Security Update for Windows XP (KB927779) -> 
KB927802 -> Security Update for Windows XP (KB927802) -> 
KB928090 -> Security Update for Windows XP (KB928090) -> 
KB928255 -> Security Update for Windows XP (KB928255) -> 
KB928843 -> Security Update for Windows XP (KB928843) -> 
KB929338 -> Update for Windows XP (KB929338) -> 
KB929969 -> Security Update for Windows XP (KB929969) -> 
KB930178 -> Security Update for Windows XP (KB930178) -> 
KB931261 -> Security Update for Windows XP (KB931261) -> 
KB931784 -> Security Update for Windows XP (KB931784) -> 
KB931836 -> Update for Windows XP (KB931836) -> 
KB932168 -> Security Update for Windows XP (KB932168) -> 
Live 4.0.1 -> Live 4.0.1 -> 
M886903 -> Microsoft .NET Framework 1.1 Hotfix (KB886903) -> 
Macromedia Shockwave Player -> Macromedia Shockwave Player -> 
MAGIX audio cleaning lab -> MAGIX audio cleaning lab -> 
Megota Software SFPack Uninstall -> SFPack -> 
Microsoft .NET Framework 1.1 (1033) -> Microsoft .NET Framework 1.1 -> 
Microsoft .NET Framework 2.0 -> Microsoft .NET Framework 2.0 -> 
Microsoft NetShow Player 2.0 -> -> 
MobileOptionPack -> -> 
Mozilla Firefox (2.0.0.2) -> Mozilla Firefox (2.0.0.2) -> 
Mozilla Firefox (2.0.0.3) -> Mozilla Firefox (2.0.0.3) -> 
MPlayer2 -> -> 
MSI30a-KB884016 -> -> 
MSI30-Beta1 -> -> 
MSI30-Beta2 -> -> 
MSI30-KB884016 -> -> 
MSI30-RC1 -> -> 
MSI30-RC2 -> -> 
MSI31-Beta -> -> 
MSI31-RC1 -> -> 
MsJavaVM -> -> 
Nero - Burning Rom!UninstallKey -> -> 
NeroMultiInstaller!UninstallKey -> Nero Suite -> 
NetMeeting -> -> 
Novation Bass-Station VSTi v1.10 -> Novation Bass-Station VSTi v1.10 -> 
OutlookExpress -> -> 
Panda ActiveScan -> Panda ActiveScan -> 
PC Pitstop Optimize_is1 -> PC Pitstop Optimize 1.5 -> 
PCHealth -> -> 
Power Tab Editor 1.7 -> Power Tab Editor 1.7 -> 
PrintMaster Gold 3.00 -> PrintMaster Gold 3.00 -> 
QuickTime -> QuickTime -> 
RealJukebox 1.0 -> -> 
RealPlayer 6.0 -> RealPlayer -> 
SchedulingAgent -> -> 
Science Explorer -> Science Explorer -> 
sfArk -> sfArk -> 
Shockwave -> -> 
ShockwaveFlash -> Adobe Flash Player 9 ActiveX -> 
SiS630_730 V2.09 -> SiS630_730 V2.09 -> 
SiS7018 -> SiS Audio Driver -> 
SiSLan -> SiS 900 PCI Fast Ethernet Adapter Driver -> 
Soulseek -> SoulSeek Client 156c -> 
Sound Blaster Live! -> -> 
Sound Blaster Live! Windows Drivers -> -> 
Spybot - Search & Destroy_is1 -> Spybot - Search & Destroy 1.4 -> 
Spyware Terminator_is1 -> Spyware Terminator -> 
SpywareBlaster_is1 -> SpywareBlaster v3.5.1 -> 
ST6UNST #1 -> NoClone -> 
SysInfo -> Creative System Information -> 
TagScanner_is1 -> TagScanner 5.0 build 510 Beta -> 
TreeSize_is1 -> TreeSize 1.7 -> 
V3786s Digital Camera Driver -> V3786s Digital Camera Driver -> 
ViewpointMediaPlayer -> Viewpoint Media Player -> 
WaveLab -> WaveLab -> 
WGA -> Windows Genuine Advantage Validation Tool (KB892130) -> 
WgaNotify -> Windows Genuine Advantage Notifications (KB905474) -> 
Windows Media Format Runtime -> Windows Media Format Runtime -> 
Windows Media Player -> Windows Media Player 10 -> 
Windows XP Service Pack -> Windows XP Service Pack 2 -> 
WinRAR archiver -> WinRAR archiver -> 
WMCSetup -> Windows Media Connect -> 
ZoneAlarm -> ZoneAlarm -> 
< WOW Settings [HKLM] - Select to Repair > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW
cmdline -> %SystemRoot%\system32\ntvdm.exe -> 
wowcmdline -> %SystemRoot%\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386 ->

[Files/Folders - Created Within 30 days]
avenger -> %SystemDrive%\avenger -> [Folder | Created Date = 10/04/2007 10:36:13 | Attr = ]
avenger.txt -> %SystemDrive%\avenger.txt -> [Ver = | Size = 1228 bytes | Created Date = 10/04/2007 10:34:48 | Attr = ]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 519622656 bytes | Created Date = 01/01/1601 | Attr = HS]
HostsXpert -> %SystemDrive%\HostsXpert -> [Folder | Created Date = 06/04/2007 19:47:33 | Attr = ]
IPH.PH -> %SystemDrive%\IPH.PH -> [Ver = | Size = 1117 bytes | Created Date = 08/04/2007 13:01:25 | Attr = H ]
$NtUninstallKB925902$ -> %SystemRoot%\$NtUninstallKB925902$ -> [Folder | Created Date = 04/04/2007 15:18:24 | Attr = H ]
$NtUninstallKB929338$ -> %SystemRoot%\$NtUninstallKB929338$ -> [Folder | Created Date = 16/03/2007 09:57:19 | Attr = H ]
$NtUninstallKB930178$ -> %SystemRoot%\$NtUninstallKB930178$ -> [Folder | Created Date = 12/04/2007 11:11:36 | Attr = H ]
$NtUninstallKB931261$ -> %SystemRoot%\$NtUninstallKB931261$ -> [Folder | Created Date = 12/04/2007 11:11:54 | Attr = H ]
$NtUninstallKB931784$ -> %SystemRoot%\$NtUninstallKB931784$ -> [Folder | Created Date = 12/04/2007 11:12:14 | Attr = H ]
$NtUninstallKB932168$ -> %SystemRoot%\$NtUninstallKB932168$ -> [Folder | Created Date = 12/04/2007 11:11:14 | Attr = H ]
0.log -> %SystemRoot%\0.log -> [Ver = | Size = 0 bytes | Created Date = 12/04/2007 13:02:48 | Attr = ]
BDOSCAN8 -> %SystemRoot%\BDOSCAN8 -> [Folder | Created Date = 08/04/2007 23:19:02 | Attr = ]
LOOP.exe -> %SystemRoot%\LOOP.exe -> [Ver = | Size = 311295 bytes | Created Date = 25/03/2007 00:00:53 | Attr = ]
ntbtlog.txt -> %SystemRoot%\ntbtlog.txt -> [Ver = | Size = 89770 bytes | Created Date = 12/04/2007 11:26:56 | Attr = ]
Sti_Trace.log -> %SystemRoot%\Sti_Trace.log -> [Ver = | Size = 0 bytes | Created Date = 12/04/2007 13:02:10 | Attr = ]
unvise32qt.exe -> %SystemRoot%\unvise32qt.exe -> MindVision Software [Ver = 2.2 | Size = 86016 bytes | Created Date = 18/03/2007 21:12:35 | Attr = ]
wiadebug.log -> %SystemRoot%\wiadebug.log -> [Ver = | Size = 159 bytes | Created Date = 12/04/2007 13:02:15 | Attr = ]
wiaservc.log -> %SystemRoot%\wiaservc.log -> [Ver = | Size = 50 bytes | Created Date = 12/04/2007 13:02:10 | Attr = ]
WindowsUpdate.log -> %SystemRoot%\WindowsUpdate.log -> [Ver = | Size = 4277 bytes | Created Date = 12/04/2007 12:59:37 | Attr = ]
{00000000-00000000-0000000B-00001102-00000002-80671102}.BAK -> %SystemRoot%\{00000000-00000000-0000000B-00001102-00000002-80671102}.BAK -> [Ver = | Size = 3448340 bytes | Created Date = 12/04/2007 11:25:38 | Attr = ]
E3TL.DLL -> %System32%\E3TL.DLL -> [Ver = | Size = 26000 bytes | Created Date = 10/04/2007 00:23:24 | Attr = ]
FDlg.dll -> %System32%\FDlg.dll -> [Ver = 1, 0, 0, 1 | Size = 151552 bytes | Created Date = 24/03/2007 23:48:13 | Attr =


----------



## bandyandy (Aug 26, 2006)

Part 14:

]
java.exe -> %System32%\java.exe -> Sun Microsystems, Inc. [Ver = 5.0.110.3 | Size = 49248 bytes | Created Date = 08/04/2007 12:45:57 | Attr = ]
javaw.exe -> %System32%\javaw.exe -> Sun Microsystems, Inc. [Ver = 5.0.110.3 | Size = 53346 bytes | Created Date = 08/04/2007 12:45:57 | Attr = ]
javaws.exe -> %System32%\javaws.exe -> Sun Microsystems, Inc. [Ver = 5.0.110.3 | Size = 127078 bytes | Created Date = 08/04/2007 12:45:57 | Attr = ]
jpicpl32.cpl -> %System32%\jpicpl32.cpl -> Sun Microsystems, Inc. [Ver = 5.0.110.3 | Size = 49265 bytes | Created Date = 08/04/2007 12:45:57 | Attr = ]
libmmd.dll -> %System32%\libmmd.dll -> [Ver = | Size = 520267 bytes | Created Date = 24/03/2007 23:34:35 | Attr = ]
QuickTime -> %System32%\QuickTime -> [Folder | Created Date = 18/03/2007 21:12:17 | Attr = ]
QuickTime.qtp -> %System32%\QuickTime.qtp -> [Ver = | Size = 45897 bytes | Created Date = 18/03/2007 21:12:25 | Attr = ]
ReWire.dll -> %System32%\ReWire.dll -> Propellerhead Software AB [Ver = 1, 4, 3, 70 | Size = 212992 bytes | Created Date = 26/03/2007 22:22:55 | Attr = ]
SmartUI2.ocx -> %System32%\SmartUI2.ocx -> Xceed Software Inc (450) 442-2626 [email protected] www.xceedsoft.com [Ver = 2.00.6553 | Size = 870152 bytes | Created Date = 15/03/2007 11:22:38 | Attr = ]
SuperAdBlocker.com -> %System32%\SuperAdBlocker.com -> [Folder | Created Date = 08/04/2007 18:59:55 | Attr = ]
XceedCry.dll -> %System32%\XceedCry.dll -> Xceed Software Inc (450) 442-2626 [email protected] www.xceedsoft.com [Ver = 1.1.6461.0 | Size = 526184 bytes | Created Date = 15/03/2007 11:19:58 | Attr = ]
XceedZip.dll -> %System32%\XceedZip.dll -> Xceed Software Inc (450) 442-2626 [email protected] www.xceedsoft.com [Ver = 6.0.6621.0 | Size = 497496 bytes | Created Date = 15/03/2007 11:23:16 | Attr = ]
winsrv.dll -> %System32%\dllcache\winsrv.dll -> Microsoft Corporation [Ver = 5.1.2600.3103 (xpsp_sp2_gdr.070316-1309) | Size = 292864 bytes | Created Date = 17/03/2007 13:43:01 | Attr = ]
AvgAsCln.sys -> %System32%\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Created Date = 11/04/2007 23:25:59 | Attr = ]
tmcomm.sys -> %System32%\drivers\tmcomm.sys -> Trend Micro Inc. [Ver = 1.5.0.1052 | Size = 76560 bytes | Created Date = 09/04/2007 23:28:31 | Attr = ]
hosts.20070404-185242.backup -> %System32%\drivers\etc\hosts.20070404-185242.backup -> [Ver = | Size = 566588 bytes | Created Date = 04/04/2007 17:52:42 | Attr = R ]
Ableton -> %AllUsersAppData%\Ableton -> [Folder | Created Date = 26/03/2007 22:26:29 | Attr = ]
AOL Downloads -> %AllUsersAppData%\AOL Downloads -> [Folder | Created Date = 08/04/2007 13:01:32 | Attr = ]
Diskeeper Corporation -> %AllUsersAppData%\Diskeeper Corporation -> [Folder | Created Date = 06/04/2007 00:31:00 | Attr = ]
TEMP -> %AllUsersAppData%\TEMP -> [Folder | Created Date = 03/04/2007 19:53:59 | Attr = ]
@Alternate Data Stream - 119 bytes -> %AllUsersAppData%\TEMP:4295826C -> 
Viewpoint -> %AllUsersAppData%\Viewpoint -> [Folder | Created Date = 29/03/2007 16:15:14 | Attr = ]
Zenturi -> %AllUsersAppData%\Zenturi -> [Folder | Created Date = 04/04/2007 10:38:31 | Attr = ]
Ableton -> %UserAppData%\Ableton -> [Folder | Created Date = 26/03/2007 22:26:20 | Attr = ]
Aim -> %UserAppData%\Aim -> [Folder | Created Date = 02/04/2007 00:57:29 | Attr = ]
SoftActivity -> %UserAppData%\SoftActivity -> [Folder | Created Date = 22/03/2007 11:15:01 | Attr = ]
Sonic Foundry -> %UserAppData%\Sonic Foundry -> [Folder | Created Date = 23/03/2007 15:14:17 | Attr = ]
cool stuff# -> %UserDocuments%cool stuff# -> [Folder | Created Date = 29/03/2007 14:54:54 | Attr = ]
Ebay photos -> %UserDocuments%Ebay photos -> [Folder | Created Date = 01/04/2007 16:46:29 | Attr = ]
Tachograph.doc -> %UserDocuments%Tachograph.doc -> [Ver = | Size = 24576 bytes | Created Date = 03/04/2007 12:50:26 | Attr = ]
Incoming -> %UserDocuments%Incoming -> [Folder | Created Date = 08/04/2007 00:09:40 | Attr = ]
LPB06-04-07 -> %UserDocuments%LPB06-04-07 -> [Folder | Created Date = 06/04/2007 22:01:34 | Attr = ]
AVG Anti-Spyware.lnk -> %AllUsersDesktop%\AVG Anti-Spyware.lnk -> [Ver = | Size = 849 bytes | Created Date = 11/04/2007 23:26:03 | Attr = ]
CD Architect 5.0.lnk -> %AllUsersDesktop%\CD Architect 5.0.lnk -> [Ver = | Size = 1756 bytes | Created Date = 23/03/2007 15:11:27 | Attr = ]
Diskeeper.lnk -> %AllUsersDesktop%\Diskeeper.lnk -> [Ver = | Size = 1815 bytes | Created Date = 06/04/2007 00:31:03 | Attr = ]
Activescan.txt -> %UserDesktop%\Activescan.txt -> [Ver = | Size = 4420 bytes | Created Date = 09/04/2007 22:31:58 | Attr = ]
Activescan2.txt -> %UserDesktop%\Activescan2.txt -> [Ver = | Size = 2212 bytes | Created Date = 10/04/2007 14:23:26 | Attr = ]
avenger.exe -> %UserDesktop%\avenger.exe -> [Ver = | Size = 130048 bytes | Created Date = 10/04/2007 10:31:09 | Attr = ]
avenger.zip -> %UserDesktop%\avenger.zip -> [Ver = | Size = 127378 bytes | Created Date = 10/04/2007 10:30:48 | Attr = ]
AVG-AntiS.txt -> %UserDesktop%\AVG-AntiS.txt -> [Ver = | Size = 1985 bytes | Created Date = 12/04/2007 11:07:49 | Attr = ]
bitdefender.html -> %UserDesktop%\bitdefender.html -> [Ver = | Size = 18428 bytes | Created Date = 09/04/2007 17:53:31 | Attr = ]
breegpainting.jpg -> %UserDesktop%\breegpainting.jpg -> [Ver = | Size = 56861 bytes | Created Date = 08/04/2007 22:10:51 | Attr = ]
Cheeseball.txt -> %UserDesktop%\Cheeseball.txt -> [Ver = | Size = 5105 bytes | Created Date = 08/04/2007 15:52:59 | Attr = ]
dtco.jpg -> %UserDesktop%\dtco.jpg -> [Ver = | Size = 12005 bytes | Created Date = 03/04/2007 12:45:21 | Attr = ]
File,886,en.pdf -> %UserDesktop%\File,886,en.pdf -> [Ver = | Size = 182818 bytes | Created Date = 20/03/2007 18:08:40 | Attr = ]
gen_cer_sec_edu.doc -> %UserDesktop%\gen_cer_sec_edu.doc -> [Ver = | Size = 20992 bytes | Created Date = 20/03/2007 18:04:58 | Attr = ]
hijackthis.log -> %UserDesktop%\hijackthis.log -> [Ver = | Size = 6834 bytes | Created Date = 06/04/2007 19:50:21 | Attr = ]
HostsXpert.zip -> %UserDesktop%\HostsXpert.zip -> [Ver = | Size = 278752 bytes | Created Date = 06/04/2007 19:46:41 | Attr = ]
Instructions 1.txt -> %UserDesktop%\Instructions 1.txt -> [Ver = | Size = 1647 bytes | Created Date = 05/04/2007 22:23:17 | Attr = ]
Instructions 2.txt -> %UserDesktop%\Instructions 2.txt -> [Ver = | Size = 326 bytes | Created Date = 06/04/2007 20:47:36 | Attr = ]
It suddenly struck Dick.jpg -> %UserDesktop%\It suddenly struck Dick.jpg -> [Ver = | Size = 107365 bytes | Created Date = 27/03/2007 23:06:00 | Attr = ]
Monk_eteram.mp3 -> %UserDesktop%\Monk_eteram.mp3 -> [Ver = | Size = 477184 bytes | Created Date = 24/03/2007 17:57:57 | Attr = ]
Monk_low.mp3 -> %UserDesktop%\Monk_low.mp3 -> [Ver = | Size = 454656 bytes | Created Date = 24/03/2007 17:58:09 | Attr = ]
Moog Modular V.lnk -> %UserDesktop%\Moog Modular V.lnk -> [Ver = | Size = 1732 bytes | Created Date = 24/03/2007 23:49:26 | Attr = ]
New Folder -> %UserDesktop%\New Folder -> [Folder | Created Date = 23/03/2007 20:00:05 | Attr = ]
New Text Document (2).txt -> %UserDesktop%\New Text Document (2).txt -> [Ver = | Size = 584 bytes | Created Date = 08/04/2007 18:28:53 | Attr = ]
Pinky_and_the_Brain.jpg -> %UserDesktop%\Pinky_and_the_Brain.jpg -> [Ver = | Size = 14798 bytes | Created Date = 11/04/2007 01:08:59 | Attr = ]
ProgramChecker.exe -> %UserDesktop%\ProgramChecker.exe -> [Ver = | Size = 3374656 bytes | Created Date = 04/04/2007 09:01:30 | Attr = ]
Report-Scan-20070412-134023.txt -> %UserDesktop%\Report-Scan-20070412-134023.txt -> [Ver = | Size = 500 bytes | Created Date = 12/04/2007 12:58:31 | Attr = ]
SmitfraudFix -> %UserDesktop%\SmitfraudFix -> [Folder | Created Date = 05/04/2007 10:15:24 | Attr = ]
SmitfraudFix.zip -> %UserDesktop%\SmitfraudFix.zip -> [Ver = | Size = 785511 bytes | Created Date = 05/04/2007 10:14:47 | Attr = ]
Spybot Forum.txt -> %UserDesktop%\Spybot Forum.txt -> [Ver = | Size = 589 bytes | Created Date = 09/04/2007 19:35:58 | Attr = ]
SpybotSD.System startup report.txt -> %UserDesktop%\SpybotSD.System startup report.txt -> [Ver = | Size = 7752 bytes | Created Date = 09/04/2007 22:42:29 | Attr = ]
spybotsd14.exe -> %UserDesktop%\spybotsd14.exe -> Safer Networking Limited [Ver = | Size = 5037072 bytes | Created Date = 07/04/2007 22:38:49 | Attr = ]
StartDreck -> %UserDesktop%\StartDreck -> [Folder | Created Date = 11/04/2007 10:07:31 | Attr = ]
startuplist.txt -> %UserDesktop%\startuplist.txt -> [Ver = | Size = 35722 bytes | Created Date = 11/04/2007 00:43:04 | Attr

= ]
TagScanner.lnk -> %UserDesktop%\TagScanner.lnk -> [Ver = | Size = 633 bytes | Created Date = 11/04/2007 23:37:20 | Attr =

]
Trend Micro.txt -> %UserDesktop%\Trend Micro.txt -> [Ver = | Size = 7191 bytes | Created Date = 08/04/2007 10:38:20 | Attr

= ]
uninstall_list.txt -> %UserDesktop%\uninstall_list.txt -> [Ver = | Size = 6056 bytes | Created Date = 11/04/2007 00:43:41 |

Attr = ]
WinPFind3u -> %UserDesktop%\WinPFind3u -> [Folder | Created Date = 12/04/2007 16:51:53 | Attr = ]
winpfind3u.exe -> %UserDesktop%\winpfind3u.exe -> [Ver = | Size = 353274 bytes | Created Date = 12/04/2007 16:50:29 | Attr

= ]
WinPFind3U.txt -> %UserDesktop%\WinPFind3U.txt -> [Ver = | Size = 946 bytes | Created Date = 12/04/2007 17:01:46 | Attr =

]
X86 -> %UserDesktop%\X86 -> [Folder | Created Date = 06/04/2007 00:29:45 | Attr = ]
AOL -> %CommonProgramFiles%\AOL -> [Folder | Created Date = 08/04/2007 13:06:27 | Attr = ]
Java -> %CommonProgramFiles%\Java -> [Folder | Created Date = 08/04/2007 12:44:24 | Attr = ]

[Files/Folders - Modified Within 30 days]
$VAULT$.AVG -> %SystemDrive%\$VAULT$.AVG -> [Folder | Modified Date = 04/04/2007 19:39:24 | Attr = RH ]
avenger -> %SystemDrive%\avenger -> [Folder | Modified Date = 10/04/2007 11:36:14 | Attr = ]
avenger.txt -> %SystemDrive%\avenger.txt -> [Ver = | Size = 1228 bytes | Modified Date = 10/04/2007 11:34:50 | Attr = ]
boot.ini -> %SystemDrive%\boot.ini -> [Ver = | Size = 211 bytes | Modified Date = 09/04/2007 19:40:54 | Attr = HS]
Config.Msi -> %SystemDrive%\Config.Msi -> [Folder | Modified Date = 10/04/2007 01:23:00 | Attr = HS]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 519622656 bytes | Modified Date = 12/04/2007 14:00:58 | Attr

= HS]
HostsXpert -> %SystemDrive%\HostsXpert -> [Folder | Modified Date = 06/04/2007 20:47:34 | Attr = ]
IPH.PH -> %SystemDrive%\IPH.PH -> [Ver = | Size = 1117 bytes | Modified Date = 08/04/2007 14:12:02 | Attr = H ]
Program Files -> %ProgramFiles% -> [Folder | Modified Date = 12/04/2007 00:37:20 | Attr = R ]
rapport.txt -> %SystemDrive%\rapport.txt -> [Ver = | Size = 549259 bytes | Modified Date = 05/04/2007 23:43:58 | Attr =

]
System Volume Information -> %SystemDrive%\System Volume Information -> [Folder | Modified Date = 10/04/2007 14:37:46 | Attr

= HS]
WINDOWS -> %SystemRoot% -> [Folder | Modified Date = 12/04/2007 14:02:50 | Attr = ]
$hf_mig$ -> %SystemRoot%\$hf_mig$ -> [Folder | Modified Date = 12/04/2007 08:26:14 | Attr = H ]
$NtUninstallKB925902$ -> %SystemRoot%\$NtUninstallKB925902$ -> [Folder | Modified Date = 04/04/2007 16:18:28 | Attr = H ]
$NtUninstallKB929338$ -> %SystemRoot%\$NtUninstallKB929338$ -> [Folder | Modified Date = 16/03/2007 10:57:22 | Attr = H ]
$NtUninstallKB930178$ -> %SystemRoot%\$NtUninstallKB930178$ -> [Folder | Modified Date = 12/04/2007 12:11:38 | Attr = H ]
$NtUninstallKB931261$ -> %SystemRoot%\$NtUninstallKB931261$ -> [Folder | Modified Date = 12/04/2007 12:11:56 | Attr = H ]
$NtUninstallKB931784$ -> %SystemRoot%\$NtUninstallKB931784$ -> [Folder | Modified Date = 12/04/2007 12:12:18 | Attr = H ]
$NtUninstallKB932168$ -> %SystemRoot%\$NtUninstallKB932168$ -> [Folder | Modified Date = 12/04/2007 12:11:16 | Attr = H ]
0.log -> %SystemRoot%\0.log -> [Ver = | Size = 0 bytes | Modified Date = 12/04/2007 14:02:50 | Attr = ]
AppPatch -> %SystemRoot%\AppPatch -> [Folder | Modified Date = 10/04/2007 14:43:58 | Attr = ]
AVSCAN32.INI -> %SystemRoot%\AVSCAN32.INI -> [Ver = | Size = 1012 bytes | Modified Date = 04/04/2007 13:17:32 | Attr = ]
BDOSCAN8 -> %SystemRoot%\BDOSCAN8 -> [Folder | Modified Date = 09/04/2007 18:54:54 | Attr = ]
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 12/04/2007 14:01:04 | Attr = S]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files -> [Folder | Modified Date = 10/04/2007 14:44:34 | Attr =

S]
Help -> %SystemRoot%\Help -> [Folder | Modified Date = 06/04/2007 01:31:04 | Attr = ]
Iedit.INI -> %SystemRoot%\Iedit.INI -> [Ver = | Size = 30 bytes | Modified Date = 12/04/2007 11:17:02 | Attr = ]
inf -> %SystemRoot%\inf -> [Folder | Modified Date = 12/04/2007 12:12:28 | Attr = H ]
Installer -> %SystemRoot%\Installer -> [Folder | Modified Date = 10/04/2007 01:23:00 | Attr = HS]
Internet Logs -> %SystemRoot%\Internet Logs -> [Folder | Modified Date = 12/04/2007 16:40:24 | Attr = ]
mozver.dat -> %SystemRoot%\mozver.dat -> [Ver = | Size = 1818 bytes | Modified Date = 08/04/2007 19:59:58 | Attr = ]
msagent -> %SystemRoot%\msagent -> [Folder | Modified Date = 12/04/2007 12:16:30 | Attr = ]
NeroDigital.ini -> %SystemRoot%\NeroDigital.ini -> [Ver = | Size = 116 bytes | Modified Date = 12/04/2007 11:45:40 | Attr =

]
nsreg.dat -> %SystemRoot%\nsreg.dat -> [Ver = | Size = 335 bytes | Modified Date = 08/04/2007 14:05:14 | Attr = ]
ntbtlog.txt -> %SystemRoot%\ntbtlog.txt -> [Ver = | Size = 89770 bytes | Modified Date = 12/04/2007 12:27:14 | Attr = ]


----------



## bandyandy (Aug 26, 2006)

Part 15:



----------



## bandyandy (Aug 26, 2006)

Part 16:


< End of report >

A little knowledge is a dangerous thing. Someone put me back in my box.


----------



## Cookiegal (Aug 27, 2003)

Please export this registry key for me.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\*Run*

To do that, expand each key by clicking on the + to their left.

Then under Current Version, right click on the Run key and select "export" and save it to your desktop with the name runkey.reg. Then right click the runkey.reg file on your desktop and select "open with" and "Notepad" and then copy and paste its contents here please.

Also, do this please:

Go to Start > Search and under "More advanced search options", make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders", then click "Apply" and "OK".

Now, go to the following link and upload each of the following files for analysis and let me know what the results are please:

http://virusscan.jotti.org/

*C:\Windows\loop.exe*


----------



## bandyandy (Aug 26, 2006)

runkey.reg:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="\"C:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe\" /R"
"FreeRAM XP"="\"C:\\Program Files\\YourWare Solutions\\FreeRAM XP Pro\\FreeRAM XP Pro.exe\" -win"
@=""

loop.exe scan:

File: LOOP.exe
Status: OK
MD5 f82a6b9441dd7c88a68532b5a67db9c8
Packers detected: NEOLITE

Scan taken on 12 Apr 2007 22:55:18 (GMT)
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Fortinet: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Rising Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing
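Added example, not a tool from this thread or from any of the utilities named in it: a small .reg-export parser that undoes the `\\` and `\"` escaping of REG_SZ values, pulls the executable path out of each Run entry, and applies the same treatment to the Windows XP firewall AuthorizedApplications list that SDFix prints further down (format `path:scope:Enabled:name`). The sample inputs are the two exports as posted; the trusted-root allow-list and the Temp-folder heuristic are assumptions chosen for this machine, not part of the thread.

```python
import re

# Run key export posted as runkey.reg in this thread (copied verbatim).
RUNKEY_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="\"C:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe\" /R"
"FreeRAM XP"="\"C:\\Program Files\\YourWare Solutions\\FreeRAM XP Pro\\FreeRAM XP Pro.exe\" -win"
@=""
'''

# Firewall exception list as printed by SDFix later in the thread (copied verbatim).
FIREWALL_REG = r'''[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\\WINDOWS\\Temp\\NavBrowser.exe"="C:\\WINDOWS\\Temp\\NavBrowser.exe:*:Enabled:NAVBrowser"
"C:\\Program Files\\Soulseek\\slsk.exe"="C:\\Program Files\\Soulseek\\slsk.exe:*:Enabled:SoulSeek"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
'''

# A name=data line of a .reg file; the name is "@" (default value) or a quoted string.
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
# XP firewall entry: <path>:<scope>:<Enabled|Disabled>:<display name>.  The colon
# before the name is optional so the slightly mangled sessmgr line still parses.
FW_ENTRY = re.compile(r"(?P<path>.+?):(?P<scope>[^:]*):(?P<state>enabled|disabled):?(?P<name>.*)", re.I)

# Assumed allow-list for this XP box (not from the thread); anything else gets a second look.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\")
SUSPECT_MARKERS = ("\\temp\\", "\\local settings\\", "\\application data\\")


def unescape_reg_string(token: str) -> str:
    """Decode a .reg REG_SZ literal: strip the outer quotes and undo \\\\ and \\" escapes."""
    if not (token.startswith('"') and token.endswith('"')):
        raise ValueError(f"not a REG_SZ literal: {token!r}")
    return re.sub(r"\\(.)", r"\1", token[1:-1])


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: decoded_string}} for the REG_SZ values in a .reg export."""
    keys: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None and m.group(2).startswith('"'):
            # hex: / dword: data is skipped; only string values matter for this triage
            name = "(Default)" if m.group(1) == "@" else unescape_reg_string(m.group(1))
            keys[current][name] = unescape_reg_string(m.group(2))
    return keys


def image_path(command: str) -> str:
    """Pull the executable out of a Run command: quoted path with arguments, or a bare path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def is_suspicious(path: str) -> bool:
    """Flag images in scratch/profile folders or outside the assumed trusted roots."""
    p = path.lower().replace("%windir%", "c:\\windows").replace("%systemroot%", "c:\\windows")
    if any(marker in p for marker in SUSPECT_MARKERS):
        return True
    return not p.startswith(TRUSTED_ROOTS)


def triage_run_key(reg_text: str) -> list:
    """(value name, image path, suspicious?) for every entry under a ...\\Run key."""
    out = []
    for key, values in parse_reg_export(reg_text).items():
        if not key.lower().endswith("\\run"):
            continue
        for name, data in values.items():
            if not data:  # the empty @="" default value carries no command
                continue
            img = image_path(data)
            out.append((name, img, is_suspicious(img)))
    return out


def triage_firewall_list(reg_text: str) -> list:
    """(image path, rule name, suspicious?) for each AuthorizedApplications entry."""
    out = []
    for key, values in parse_reg_export(reg_text).items():
        if "authorizedapplications" not in key.lower():
            continue
        for _name, data in values.items():
            m = FW_ENTRY.fullmatch(data)
            if m is None:  # unparseable entries are worth a look in their own right
                out.append((data, "<unparsed>", True))
                continue
            out.append((m["path"], m["name"], is_suspicious(m["path"])))
    return out


if __name__ == "__main__":
    for name, path, bad in triage_run_key(RUNKEY_REG):
        print(f"Run  {'SUSPECT' if bad else 'ok     '} {name}: {path}")
    for path, rule, bad in triage_firewall_list(FIREWALL_REG):
        print(f"FW   {'SUSPECT' if bad else 'ok     '} {rule}: {path}")
```

Run against the two exports, both Run entries resolve to Program Files and pass, while the firewall exception for an executable under C:\WINDOWS\Temp is the one line that gets flagged.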


----------



## Cookiegal (Aug 27, 2003)

Download *SDFix* and save it to your Desktop.

Double click *SDFix.exe* and it will extract the files to %systemdrive% 
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in *Safe Mode* by doing the following:
Restart your computer.
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
Instead of Windows loading as normal, the Advanced Options Menu should appear.
Select the first option, to run Windows in Safe Mode, then press *Enter*.
Choose your usual account.

Open the extracted SDFix folder and double click *RunThis.bat* to start the script.
Type *Y* to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to reboot.
Press any key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process, then display *Finished*; press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as *Report.txt*
(Report.txt will also be copied to the clipboard ready for posting back on the forum).
Finally, paste the contents of the Report.txt back on the forum with a new HijackThis log.


----------



## bandyandy (Aug 26, 2006)

SDFix Log follows:

SDFix: Version 1.78

Run by Log In - 13/04/2007 - 9:42:26.59

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found...

Removing Temp Files

ADS Check:

Checking if ADS is attached to system32 Folder 
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Final Check:

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\\WINDOWS\\Temp\\NavBrowser.exe"="C:\\WINDOWS\\Temp\\NavBrowser.exe:*:Enabled:NAVBrowser"
"C:\\Program Files\\Soulseek\\slsk.exe"="C:\\Program Files\\Soulseek\\slsk.exe:*:Enabled:SoulSeek"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*isabled:Run a DLL as an App"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\ASPMonitor\\ASMonitor.exe"="C:\\Program Files\\ASPMonitor\\ASMonitor.exe:*:Enabled:System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:
---------------

Checking For Files with Hidden Attributes:

C:\Documents and Settings\Log In\Local Settings\Application Data\Microsoft\Messenger\[email protected]\Sharing Folders\[email protected]\Thumbs.db
C:\Documents and Settings\Log In\Local Settings\Application Data\Microsoft\Messenger\[email protected]\Sharing Folders\[email protected]\Thumbs.db
C:\Documents and Settings\Log In\Local Settings\Application Data\Microsoft\Messenger\[email protected]\Sharing Folders\k[email protected]\Thumbs.db
C:\Documents and Settings\Log In\Local Settings\Application Data\Microsoft\Messenger\[email protected]\Sharing Folders\[email protected]\Thumbs.db
C:\Documents and Settings\Log In\Local Settings\Application Data\Microsoft\Messenger\[email protected]\Sharing Folders\[email protected]\Thumbs.db
C:\Documents and Settings\Log In\Local Settings\Application Data\Microsoft\Messenger\[email protected]\Sharing Folders\[email protected]\Thumbs.db
C:\Documents and Settings\Log In\Local Settings\Application Data\Microsoft\Messenger\[email protected]\Sharing Folders\[email protected]\Thumbs.db
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Log In\Application Data\Microsoft\Word\~WRL0003.tmp
C:\Documents and Settings\Log In\Application Data\Microsoft\Word\~WRL0005.tmp
C:\Documents and Settings\Log In\Application Data\Microsoft\Word\~WRL2706.tmp

Finished

HJT Log follows:

Logfile of HijackThis v1.99.1
Scan saved at 09:54:34, on 13/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Bandwidth\BandMon.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [BatchBandwidth] C:\Program Files\Bandwidth\BandMon.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - 
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - 
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/pcpitstop.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - 
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - 
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - 
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FC7A7DE-D4FA-47A2-BAAC-2507077E503E}: NameServer = 84.203.254.34,84.203.255.34
O17 - HKLM\System\CCS\Services\Tcpip\..\{F97CD4AF-2BC6-4C6A-8182-E544357D0C97}: NameServer = 84.203.254.34,84.203.255.34
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: CwWLEvent - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ProgramCheckerPro (sassvc) - Unknown owner - C:\Program Files\Zenturi\ProgramChecker\sassvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


----------



## Cookiegal (Aug 27, 2003)

Rescan with HijackThis and fix these entries:

*R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)

O2 - BHO: (no name) - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - (no file)

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} -

O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} -

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} -

O20 - Winlogon Notify: CwWLEvent - C:\WINDOWS\*

Reboot and post a new HijackThis log.

The blank entry under the HKCU run key is an orphaned entry that points to nothing and is therefore harmless.


----------



## bandyandy (Aug 26, 2006)

Hey Cookiegal,

The blank HK_CU Run key is no longer showing up in Spybot's start-up list; however, the SpyHunter one remains.

HJT Log follows:

Logfile of HijackThis v1.99.1
Scan saved at 21:33:55, on 13/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Bandwidth\BandMon.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [BatchBandwidth] C:\Program Files\Bandwidth\BandMon.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/pcpitstop.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FC7A7DE-D4FA-47A2-BAAC-2507077E503E}: NameServer = 84.203.254.34,84.203.255.34
O17 - HKLM\System\CCS\Services\Tcpip\..\{F97CD4AF-2BC6-4C6A-8182-E544357D0C97}: NameServer = 84.203.254.34,84.203.255.34
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ProgramCheckerPro (sassvc) - Unknown owner - C:\Program Files\Zenturi\ProgramChecker\sassvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


----------



## Cookiegal (Aug 27, 2003)

I'm attaching a FixSpyHunter.zip file to this post. Save it to your desktop. Unzip it and double click the FixSpyHunter.reg file and allow it to enter into the registry.

Locate and delete this folder:

C:\Program Files\*Enigma Software Group*

Reboot and scan again with Spybot and see if it still detects that entry.


----------



## bandyandy (Aug 26, 2006)

Hey Cookiegal,
Put FixSpyHunter into the registry. There was no C:\Program Files\Enigma Software Group folder. Spybot no longer shows the SpyHunter startup entry. Is it possible that this journey may have come to an end?


----------



## Cookiegal (Aug 27, 2003)

It would seem so. How are things running?


----------



## bandyandy (Aug 26, 2006)

I think I am going to cry. Everything appeared to be back to normal. Then I went and enabled Tea Timer. A series of Tea Timer dialogue boxes referring to a bunch of the registry changes we have made opened with all the choices messed up, leaving only the option to X out, thus denying the changes, and now we have SpyHunter and the blank HK_CU Run entries back in Spybot's startup list and no doubt a bunch of other stuff as well. It might be worth noting that the 'SunJavaUpdateSched' startup entry disappeared along with the SpyHunter one and has now also reappeared.


----------



## bandyandy (Aug 26, 2006)

I am away for the weekend so I will just post a new HJT Log (you will note that all the entries deleted in post #73 are back) and act on your instructions when I get back.

Thank you hugely for your time, expertise and generosity; the same goes for cheeseball if he is still watching.

Andy.


----------



## bandyandy (Aug 26, 2006)

HJT Log follows:

Logfile of HijackThis v1.99.1
Scan saved at 01:45:48, on 14/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Bandwidth\BandMon.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [BatchBandwidth] C:\Program Files\Bandwidth\BandMon.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - 
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - 
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/pcpitstop.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - 
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - 
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - 
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FC7A7DE-D4FA-47A2-BAAC-2507077E503E}: NameServer = 84.203.254.34,84.203.255.34
O17 - HKLM\System\CCS\Services\Tcpip\..\{F97CD4AF-2BC6-4C6A-8182-E544357D0C97}: NameServer = 84.203.254.34,84.203.255.34
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: CwWLEvent - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ProgramCheckerPro (sassvc) - Unknown owner - C:\Program Files\Zenturi\ProgramChecker\sassvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


----------



## bandyandy (Aug 26, 2006)

If it is any use, here is the Tea Timer log for the denied changes that just occurred:

14/04/2007 01:33:51 Denied value "" (new data: "") deleted in System Startup user entry!
14/04/2007 01:34:06 Denied value "KernelFaultCheck" (new data: "") deleted in System Startup global entry!
14/04/2007 01:34:09 Denied value "SunJavaUpdateSched" (new data: "") deleted in System Startup global entry!
14/04/2007 01:34:10 Denied value "SpyHunter" (new data: "") deleted in System Startup global entry!
14/04/2007 01:34:17 Denied value "{BC4FFE41-DE9F-46fa-B455-AAD49B9F9938}" (new data: "") deleted in Internet Explorer searches!


----------



## Cookiegal (Aug 27, 2003)

That's exactly why I don't use Tea Timer. It's really more of a nuisance, in my opinion. If you install a program like SpywareBlaster, you really don't need it.

I'd suggest you uninstall SpyBot Search and Destroy completely. Redo the changes I've had you do and then see how things are. Once everything is the way you want it, you can reinstall Spybot.
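The entries Cookiegal singles out for fixing above follow a small set of patterns (a hook or BHO registered as "(no file)", an O16 Downloaded Program File with no source URL, a Winlogon Notify handler that points at a bare directory), and the Tea Timer episode shows why a rescan after the fix has to be compared against the earlier log. The script below is an added example, not a tool from this thread or from HijackThis itself; it applies those same heuristics to sample lines copied from the logs posted here and then checks which flagged entries survive a rescan. The `classify`, `scan` and `still_flagged` names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: HijackThis entries copied from the logs posted in this
# thread, mixed with healthy entries so the filter has something to ignore.
SAMPLE_LOG = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/",
    r"R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - (no file)",
    "O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - ",
    "O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/pcpitstop.cab",
    "O20 - Winlogon Notify: CwWLEvent - C:\\WINDOWS\\",
    r"O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll",
]

# Every HJT entry starts with a section code (R0, O2, O16, ...) and " - ".
HJT_LINE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def classify(line: str) -> Optional[Finding]:
    """Return a Finding when the line matches one of the orphaned-entry
    patterns used in this thread, or None when the entry looks complete."""
    line = line.strip()
    m = HJT_LINE.match(line)
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    # The field after the last " - " is the target: a file path, a URL,
    # "(no file)", or nothing at all when the entry has been stripped.
    if body.endswith(" -"):
        target = ""
    elif " - " in body:
        target = body.rsplit(" - ", 1)[-1].strip()
    else:
        target = body
    if target == "(no file)":
        return Finding(section, "registered component whose file no longer exists", line)
    if section == "O16" and target == "":
        return Finding(section, "Downloaded Program File (ActiveX) entry with no source URL", line)
    if section == "O20" and target.endswith("\\"):
        return Finding(section, "Winlogon Notify handler pointing at a directory instead of a DLL", line)
    return None


def scan(lines: List[str]) -> List[Finding]:
    """All flagged entries in a log, in the order they appear."""
    return [f for f in (classify(l) for l in lines) if f is not None]


def still_flagged(before: List[str], after: List[str]) -> List[Finding]:
    """Flagged entries from the pre-fix log that are still present in the
    post-fix rescan. An empty result means the fixes stuck; a non-empty one
    means something (here, Tea Timer denying the change) put them back."""
    after_set = {l.strip() for l in after}
    return [f for f in scan(before) if f.line in after_set]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
    # Simulate a rescan in which the R3 hook came back and nothing else did.
    rescan = [SAMPLE_LOG[0], SAMPLE_LOG[1], SAMPLE_LOG[2]]
    for f in still_flagged(SAMPLE_LOG, rescan):
        print("STILL PRESENT after fix:", f.line)
```

The rules are deliberately narrow: they only flag what the thread itself treats as safe-to-remove leftovers, and a real triage would still look every remaining path up by hand, exactly as was done with loop.exe earlier in this thread.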


----------



## bandyandy (Aug 26, 2006)

Hey Cookiegal,
Uninstalled Spybot completely, ran SDFix, deleted HJT entries, checked registry for [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SpyHunter"=-
entry and it was not there so didn't run FixSpyHunter.reg, reinstalled Spybot. Taking your advice that Spyware Blaster covers the same ground as Tea Timer (I also have Spyware Terminator's realtime protection enabled, so between the two of them I guess Tea Timer is redundant), I am leaving it disabled.

As far as I can tell things are now as they should be. Perhaps you might take a final look at a current HJT Log to confirm this before we put this to bed (fingers crossed) and I head for the donations page.

HJT Log follows:

Logfile of HijackThis v1.99.1
Scan saved at 21:14:27, on 15/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Bandwidth\BandMon.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [BatchBandwidth] C:\Program Files\Bandwidth\BandMon.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/pcpitstop.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FC7A7DE-D4FA-47A2-BAAC-2507077E503E}: NameServer = 84.203.254.34,84.203.255.34
O17 - HKLM\System\CCS\Services\Tcpip\..\{F97CD4AF-2BC6-4C6A-8182-E544357D0C97}: NameServer = 84.203.254.34,84.203.255.34
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ProgramCheckerPro (sassvc) - Unknown owner - C:\Program Files\Zenturi\ProgramChecker\sassvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


----------



## Cookiegal (Aug 27, 2003)

The log looks good but did you uninstall SpyBot Search & Destroy via the control panel? If so, have you rebooted since doing that? The reason I ask is there is still a BHO showing in the log that belongs to that program.

*O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll*


----------



## bandyandy (Aug 26, 2006)

I reinstalled Spybot after the cleaning process and after I was reasonably confident that things were back to normal (going to leave TeaTimer disabled), so the BHO is in the right place at the right time (sing Hallelujah).

A hundred thousand thank-yous for your time and expertise; the web truly is a better place for a site like this and people like yourself.

Off to the donations page,

See ya,

Andy.


----------



## Cookiegal (Aug 27, 2003)

It's my pleasure and thank you for the donation, which is very much appreciated. 

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* > *All Programs* > *Accessories* > *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading  *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.

*Delete your temporary files:*

In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Go to Start - Run and type *%temp%* in the Run box. The Temp folder will open. Click *Edit - Select All* then hit *Delete* to delete the entire contents of the Temp folder.

Finally go to Control Panel - Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK (this option does not exist in IE7). Click Apply then OK.

*Empty the recycle bin*.


----------
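The System Restore, temp-folder and Recycle Bin steps in the post above, written as a PowerShell script. This is an added example, not part of the thread and not Cookiegal's instructions; it assumes Windows XP with PowerShell 2.0 installed (not on XP by default) and an Administrator account, and the function names are my own. The reboot between turning System Restore off and back on stays manual, so run the first function, reboot, then run the other two.

```powershell
# Added example: scripted version of the post-cleanup steps for Windows XP.
# Assumes PowerShell 2.0 and an Administrator account (both assumptions).
# Run Disable-AllRestorePoints, reboot, then run the other two functions.

# The SystemRestore WMI class in root\default exposes Disable, Enable and
# CreateRestorePoint; an empty drive string means "all drives".
$sr = [wmiclass] '\\.\root\default:SystemRestore'

function Disable-AllRestorePoints {
    # Turning System Restore off discards every existing restore point,
    # including any that captured the infection.
    $rc = $sr.Disable('')
    if ($rc.ReturnValue -ne 0) {
        throw "SystemRestore.Disable failed with code $($rc.ReturnValue)"
    }
}

function Enable-SystemRestoreAndCheckpoint {
    param([string] $Description = 'Clean after Zlob removal')
    # After the reboot: turn it back on (wait until enabled) and create a
    # fresh restore point. 0 = APPLICATION_INSTALL, 100 = BEGIN_SYSTEM_CHANGE.
    $rc = $sr.Enable('', $true)
    if ($rc.ReturnValue -ne 0) {
        throw "SystemRestore.Enable failed with code $($rc.ReturnValue)"
    }
    $rc = $sr.CreateRestorePoint($Description, 0, 100)
    if ($rc.ReturnValue -ne 0) {
        throw "CreateRestorePoint failed with code $($rc.ReturnValue)"
    }
}

function Clear-TempFolders {
    # Empty the user Temp folder, C:\Windows\Temp and IE's cache folder.
    # Files held open by running programs (index.dat, AV logs) are skipped
    # rather than aborting the run; safe mode, as the post suggests, frees
    # most of them.
    $targets = @(
        $env:TEMP,
        (Join-Path $env:WINDIR 'Temp'),
        (Join-Path $env:USERPROFILE 'Local Settings\Temporary Internet Files')
    )
    foreach ($dir in $targets) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
            Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
    }

    # Empty the Recycle Bin through the Shell object (0x0A is the Recycle Bin
    # special folder); each item's Path is the on-disk file under RECYCLER.
    $shell = New-Object -ComObject Shell.Application
    $shell.NameSpace(0x0A).Items() | ForEach-Object {
        Remove-Item -LiteralPath $_.Path -Recurse -Force -ErrorAction SilentlyContinue
    }
}
```

The "Delete Offline Content" checkbox from the Internet Options dialog has no equivalent here; the script only empties the cache folder itself, and the IE index.dat files stay locked while Internet Explorer or Explorer is running, so the GUI route in the post is still the thorough one for the browser cache.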

