# Solved: evil emailer has taken over!



## justchange (Oct 18, 2004)

I am trying to help my neighbor whose computer has been taken over by a particularly evil mass mailer and we haven't been able to find it. In the past, I have had success with others (I help many friends and family with their systems) but this one continues to evade me. I connected his hdd to my system and scanned it with Avast, Ewido online, SpyBot S&D, Adaware, MS Malicious SW Remover, and more. All are negative. Rootkit Revealer found a suspicious entry, but it is invisible to the API so I can't delete it.

So far, SpyBot's resident protection stops the mailings, and we're using ZoneAlarm to lock down internet access.

Your help is greatly appreciated.

Here is the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 3:57:26 PM, on 11/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MemTurbo\MemTurbo.exe
C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\65exinjs.q.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Documents and Settings\Nice Person\Desktop\Downloads\Tool\HijackThis!\HijackThis1991.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo\MemTurbo.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.shockwave.com/content/ricochetlostworlds/ReflexiveWebGameLoader.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave.com/content/luxor/mjolauncher.cab
O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://www.shockwave.com/content/tumblebugs/axhost.cab
O16 - DPF: {89981B1D-07DA-43C3-9770-06C51E7E5DCE} (NostaleWebStarter Control) - http://game.nostale.com/sso/NostaleWebLauncher.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.gamengame.com/KALogoutComponent.cab
O16 - DPF: {F7899FAE-51C9-4EF5-B98C-A64997635235} (GSPRunGame Class) - http://www.playinfinity.net/cab/WindyGSPAx.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Unknown owner - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Unknown owner - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe (file missing)
O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


----------



## valis (Sep 24, 2004)

well, you got something (C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\65exinjs.q.exe), dunno what it is or where else it has dumped junk, so I would wait for an expert to parse your log. They are id'd by the gold badge next to their name, and are pretty overworked, so be patient.

And welcome to tsg. We'll get you fixed up.


----------



## justchange (Oct 18, 2004)

spotted a similarly named file earlier: "51exinjs.q.exe" and thought it was a bingo, but didn't find any online references to it, nor could I find it with Windows Explorer to delete it.
(I think that's the file found by Rootkit Revealer.)
thanks.
We're waiting. (As patiently as possible!)


----------



## valis (Sep 24, 2004)

someone will be along, I promise.....had you been here a month or so later, I could 'legally' tell you what to do, but I'm still learning the game. You could run ATF by Atribune to dump out all the temp files, but something tells me that that one will respawn itself, and probably has an entry or 300 in the registry.


----------



## valis (Sep 24, 2004)

from what I can gather, it's relatively new (at least all the hits I'm getting are new)......be interested in watching this play out.


----------



## justchange (Oct 18, 2004)

I can go get the hdd and re-connect it to my system. Would that be helpful? Or does it need to be the bootdrive to read the registry?


----------



## valis (Sep 24, 2004)

nah, I would just wait until an expert tells you what needs to be done and then go from there.


----------



## justchange (Oct 18, 2004)

Some observations:
I've noticed from the SpyBot alerts that the emails it generates are to corporate-type addresses and have the subject line "re: christmas xxx..." where "xxx..." varies with each re-boot or re-connect to the internet. I'm guessing it's a DoS attack. It doesn't seem to activate until it detects an internet connection, and then it's quite persistent.
I haven't scanned in Safe Mode, though.


----------



## valis (Sep 24, 2004)

I think you will have to end up running sd fix, but again, wait until instructed to. By any chance, do they use IRC?


----------



## justchange (Oct 18, 2004)

Sorry for the delay... market/bank run!
I'm not sure... I'll ask.
(He doesn't know, for sure, but he didn't "deliberately" install and use an IRC client. If that is required to chat during online gaming sessions, then yes, he did. I know he likes to play games like Conquer; Infinity, etc., but we have a true computer novice here. AND English is not his first language so, many times, he just "goes for it" without knowing/understanding the consequences of not reading/comprehending the details.)
However, I have to admire his adventuresome spirit!


----------



## Byteman (Jan 24, 2002)

Hi, I'm qualified to help, but not as expert as some here, I can attempt to begin though!

Can you upload that file for a quick *few seconds* exam at one or both of these places:

http://virusscan.jotti.org/

http://www.kaspersky.com/scanforvirus.html

For either, use the Browse button and navigate to the temp folder where the file is, so that you highlight that file. Be careful: you don't want to run it, just get it entered into the Upload box at either the Jotti or Kaspersky single-file scanner site, then Submit that file for a quick check by several antivirus companies. Be sure you copy and paste the results to a Notepad text file and then post it here please, if it is found infected.

Someone will be along shortly I am sure, that perhaps has dealt with this one...

This entry is not exactly right either, but *do not fix anything just yet!* You should also have this file checked. Be careful: there is one in System32 that is the same, and normal, but this one is in the System folder, and not right, I think...
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w


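The check Byteman describes above (the genuine smss.exe lives in System32, so a Run key launching a copy from C:\WINDOWS\system is suspect) and the Temp-folder process from the first post can both be caught mechanically. The following is an added example written for this page, not code from the thread or from HijackThis: a small Python triage pass over an excerpt of the HJT log. The expected-directory table and the log excerpt are constructed for the example; the excerpt's lines are copied from the log posted above.

```python
import ntpath
import re
from typing import List

# Where the core Windows XP binaries are expected to live (lower-cased, no
# trailing backslash). This table is an assumption of this example, chosen to
# match the Windows XP layout shown in the log; a same-named file anywhere
# else deserves a second look.
SYSTEM_BINARIES = {
    "smss.exe": "c:\\windows\\system32",
    "csrss.exe": "c:\\windows\\system32",
    "winlogon.exe": "c:\\windows\\system32",
    "services.exe": "c:\\windows\\system32",
    "lsass.exe": "c:\\windows\\system32",
    "svchost.exe": "c:\\windows\\system32",
    "explorer.exe": "c:\\windows",
}

# O4 autostart lines look like: O4 - HKLM\..\Run: [value name] command line
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
# First absolute path to an .exe inside a command line (quotes optional).
PATH_RE = re.compile(r'(?P<path>[A-Za-z]:\\[^"\r\n]*?\.exe)', re.IGNORECASE)

# Constructed excerpt of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\65exinjs.q.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
"""


def check_path(path: str, where: str) -> List[str]:
    """Return human-readable findings for one executable path (empty = nothing odd)."""
    norm = path.strip().lower()
    directory, name = ntpath.split(norm)   # ntpath handles Windows separators on any OS
    findings = []
    expected = SYSTEM_BINARIES.get(name)
    if expected is not None and directory != expected:
        findings.append(f"{where}: {name} expected in {expected}, found at {path}")
    # Any executable living under a Temp directory is worth flagging.
    if "temp" in norm.split("\\")[:-1]:
        findings.append(f"{where}: executable in a Temp folder: {path}")
    return findings


def triage_hjt(log_text: str) -> List[str]:
    """Walk a HijackThis log: check the running-process list and O4 autostarts."""
    findings: List[str] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:                     # blank line ends the process list
                in_processes = False
            else:
                findings.extend(check_path(line, "process"))
            continue
        m = O4_RE.match(line)
        if m:
            pm = PATH_RE.search(m.group("cmd"))
            if pm:   # bare names such as SOUNDMAN.EXE carry no path to check
                findings.extend(check_path(pm.group("path"), f"O4 [{m.group('name')}]"))
    return findings


if __name__ == "__main__":
    for finding in triage_hjt(SAMPLE_LOG):
        print(finding)
```

Run against the excerpt it reports exactly two lines: the process running from the user's Temp folder, and the `.nvsvc` Run value pointing at smss.exe outside System32. Everything else in the excerpt, including the legitimate smss.exe in System32, passes quietly; the table is deliberately short and would be extended with the other binaries a given environment cares about.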
----------



## valis (Sep 24, 2004)

thanks byteman....switching to lurker mode now....this one is going to be fun to watch.


----------



## justchange (Oct 18, 2004)

thanks... I'll go give it a try and let you know the results.


----------



## Byteman (Jan 24, 2002)

I've PMd an expert, but it's late and they may have gone offline for this evening, we will do what we can for you soon as you get results.


----------



## justchange (Oct 18, 2004)

This is an infection of Biblical proportions... "our name is Legion".
Yikes!! There's a bunch of them!
trojan downloaders: Win32.Zlob; Win32.Zlob.anj; PSW.Legendmir.NDP; PSW.Lmir.bfy; PSW.Wow; Swizzor.Gen; Isbar.457; PSW.LdPinch.74; and others simply identified as DLOADER.Trojan


----------



## justchange (Oct 18, 2004)

I'll get better info posted in a few minutes.


----------



## justchange (Oct 18, 2004)

Contents of [user]/temp/:

Directory of C:\Documents and Settings\Nice Person\Local Settings\Temp

~DF3DAD.tmp 16,384 11/24/2006 A
~DF4003.tmp 16,384 11/24/2006 A
~DF5675.tmp 540,672 11/24/2006 A
~DF567B.tmp 16,384 11/24/2006 A
~DF6460.tmp 655,360 11/24/2006 A
~DF6465.tmp 16,384 11/24/2006 A
~DF6869.tmp 589,824 11/24/2006 A
~DF7883.tmp 16,384 11/24/2006 A
~DFDFCB.tmp 655,360 11/24/2006 A
~DFDFD1.tmp 16,384 11/24/2006 A
~DFFE40.tmp 655,360 11/24/2006 A
16exhdd.l.exe 25,088 11/24/2006 A
21exinjs.q.exe 35,328 11/24/2006 A
26exmodul32e.q.exe 37,376 11/24/2006 A
26exssd32.o.exe 23,552 11/24/2006 A
2exmodul32e.q.exe 37,376 11/24/2006 A
32exinjs.q.exe 35,328 11/24/2006 A
35exssd32.o.exe 23,552 11/24/2006 A
36exhdd.l.exe 25,088 11/24/2006 A
39exssd32.o.exe 23,552 11/24/2006 A
40exhdd.l.exe 25,088 11/24/2006 A
40exmodul32e.q.exe 37,376 11/24/2006 A
45exhdd.l.exe 25,088 11/24/2006 A
49exmodul32e.q.exe 37,376 11/24/2006 A
4exhdd.l.exe 25,088 11/24/2006 A
51exinjs.q.exe 35,328 11/24/2006 A
57exmodul32e.q.exe 37,376 11/24/2006 A
58exhdd.l.exe 25,088 11/24/2006 A
60exhdd.l.exe 25,088 11/24/2006 A
64exssd32.o.exe 23,552 11/24/2006 A
65exinjs.q.exe 35,328 11/24/2006 A
69exhdd.l.exe 25,088 11/24/2006 A
6exinjs.q.exe 35,328 11/24/2006 A
72exssd32.o.exe 23,552 11/24/2006 A
74exmodul32e.q.exe 37,376 11/24/2006 A
75exmodul32e.q.exe 37,376 11/24/2006 A
75exssd32.o.exe 23,552 11/24/2006 A
78exinjs.q.exe 35,328 11/24/2006 A
82exinjs.q.exe 35,328 11/24/2006 A
83exmodul32e.q.exe 37,376 11/24/2006 A
84exinjs.q.exe 35,328 11/24/2006 A
85exhdd.l.exe 25,088 11/24/2006 A
98exmodul32e.q.exe 37,376 11/24/2006 A
99exhdd.l.exe 25,088 11/24/2006 A
99exssd32.o.exe 23,552 11/24/2006 A
autorun.inf 43 11/24/2006 A
DFC5A2B2.TMP 107 11/21/2006 A
domains.txt 368,243 11/24/2006 A
domains.txt.cab 126,354 11/24/2006 A
fnames.txt 88,071 11/24/2006 A
fnames.txt.cab 28,894 11/24/2006 A
hdd.l.exe.conf 48 11/24/2006 A
injs.q.exe.conf 49 11/24/2006 A
java_install_reg.log 416 11/24/2006 A
lnames.txt 187,993 11/24/2006 A
lnames.txt.cab 85,470 11/24/2006 A
modul32e.q.exe.conf 53 11/24/2006 A
Perflib_Perfdata_290.dat 16,384 11/24/2006 
Perflib_Perfdata_674.dat 16,384 11/24/2006 
Perflib_Perfdata_884.dat 16,384 11/24/2006 
setup.exe 38,912 11/24/2006 A
ssd32.o.exe.conf 50 11/24/2006 A
zbdwdols.uno 327,763 11/24/2006

63 file(s) found
Total file size 5,531,250 bytes


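The listing above is easier to reason about once the numbered copies are collapsed into their families. The following is an added example written for this page, not code from the thread: Python that parses a constructed excerpt of the listing (lines copied from the post, with a shorter set of copies), groups the "<number>ex<stem>.<letter>.exe" files by stem, checks that every copy in a family has the same size and that a matching `<stem>.conf` file sits beside it, and lists the large non-executable files worth examining separately. The naming pattern is read off the listing; the 50,000-byte threshold is a choice of this example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed excerpt of the Temp-folder "dir" listing: name, size, date, attribute.
LISTING = """\
16exhdd.l.exe 25,088 11/24/2006 A
21exinjs.q.exe 35,328 11/24/2006 A
26exmodul32e.q.exe 37,376 11/24/2006 A
26exssd32.o.exe 23,552 11/24/2006 A
2exmodul32e.q.exe 37,376 11/24/2006 A
32exinjs.q.exe 35,328 11/24/2006 A
36exhdd.l.exe 25,088 11/24/2006 A
40exmodul32e.q.exe 37,376 11/24/2006 A
51exinjs.q.exe 35,328 11/24/2006 A
65exinjs.q.exe 35,328 11/24/2006 A
99exssd32.o.exe 23,552 11/24/2006 A
autorun.inf 43 11/24/2006 A
domains.txt 368,243 11/24/2006 A
fnames.txt 88,071 11/24/2006 A
hdd.l.exe.conf 48 11/24/2006 A
injs.q.exe.conf 49 11/24/2006 A
lnames.txt 187,993 11/24/2006 A
modul32e.q.exe.conf 53 11/24/2006 A
Perflib_Perfdata_290.dat 16,384 11/24/2006
setup.exe 38,912 11/24/2006 A
ssd32.o.exe.conf 50 11/24/2006 A
"""

# One listing line: name, comma-grouped size, then a date (attribute optional).
LINE_RE = re.compile(r"^(?P<name>\S+)\s+(?P<size>[\d,]+)\s+\d{1,2}/\d{1,2}/\d{4}")
# Numbered copies: "<digits>ex" + stem, where the stem is "<word>.<letter>.exe".
DROP_RE = re.compile(r"^\d+ex(?P<stem>[a-z0-9]+\.[a-z]\.exe)$", re.IGNORECASE)


def parse_listing(text: str) -> List[Tuple[str, int]]:
    """Return (name, size_in_bytes) for every parseable line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("name"), int(m.group("size").replace(",", ""))))
    return entries


def summarize(text: str) -> Dict[str, Dict[str, object]]:
    """Collapse numbered copies into families and describe each family."""
    entries = parse_listing(text)
    names = {name.lower() for name, _ in entries}
    copies: Dict[str, int] = defaultdict(int)
    sizes: Dict[str, set] = defaultdict(set)
    for name, size in entries:
        m = DROP_RE.match(name)
        if m:
            stem = m.group("stem").lower()
            copies[stem] += 1
            sizes[stem].add(size)
    return {
        stem: {
            "copies": copies[stem],
            "uniform_size": len(sizes[stem]) == 1,   # every copy the same length
            "has_conf": f"{stem}.conf" in names,     # per-family config present
        }
        for stem in copies
    }


def large_data_files(text: str, min_size: int = 50_000) -> List[str]:
    """Non-executable files at or above min_size: candidates for a closer look."""
    return sorted(
        name for name, size in parse_listing(text)
        if size >= min_size and not name.lower().endswith(".exe")
    )


if __name__ == "__main__":
    for stem, info in summarize(LISTING).items():
        print(f"{stem}: {info['copies']} copies, uniform size={info['uniform_size']}, conf={info['has_conf']}")
    print("large data files:", large_data_files(LISTING))
```

On the excerpt this yields four families (hdd.l.exe, injs.q.exe, modul32e.q.exe, ssd32.o.exe), each with copies of identical size and each with its own `.conf` companion, plus domains.txt, fnames.txt and lnames.txt as the large data files. The same four families account for all of the numbered executables in the full listing posted above.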
----------



## justchange (Oct 18, 2004)

Contents of Windows/temp/:
Volume in drive C:\ is Tony's Baby
Directory of C:\WINDOWS\Temp\

Perflib_Perfdata_108.dat 17 KB	10/20/2006
Perflib_Perfdata_110.dat 17 KB	8/26/2006
Perflib_Perfdata_114.dat 17 KB	11/19/2006
Perflib_Perfdata_11c.dat 17 KB	8/14/2006
Perflib_Perfdata_1a8.dat 17 KB	11/19/2006
Perflib_Perfdata_264.dat 17 KB	9/16/2006
Perflib_Perfdata_278.dat 17 KB	9/8/2006
Perflib_Perfdata_29c.dat 17 KB	10/10/2006
Perflib_Perfdata_2a4.dat 17 KB	8/31/2006
Perflib_Perfdata_2b8.dat 17 KB	9/14/2006
Perflib_Perfdata_2bc.dat 17 KB	8/17/2006
Perflib_Perfdata_2c0.dat 17 KB	9/21/2006
Perflib_Perfdata_2c8.dat 17 KB	8/28/2006
Perflib_Perfdata_2e4.dat 17 KB	8/27/2006
Perflib_Perfdata_2e8.dat 17 KB	11/1/2006
Perflib_Perfdata_2ec.dat 17 KB	9/17/2006
Perflib_Perfdata_2f0.dat 17 KB	11/18/2006
Perflib_Perfdata_2f4.dat 17 KB	9/14/2006
Perflib_Perfdata_2fc.dat 17 KB	8/19/2006
Perflib_Perfdata_300.dat 17 KB	10/19/2006
Perflib_Perfdata_304.dat 17 KB	11/20/2006
Perflib_Perfdata_308.dat 17 KB	10/4/2006
Perflib_Perfdata_30c.dat 17 KB	9/1/2006
Perflib_Perfdata_310.dat 17 KB	9/16/2006
Perflib_Perfdata_318.dat 17 KB	9/5/2006
Perflib_Perfdata_3a8.dat 17 KB	9/1/2006
Perflib_Perfdata_518.dat 17 KB	9/15/2006
Perflib_Perfdata_570.dat 17 KB	11/24/2006
Perflib_Perfdata_670.dat 17 KB	8/13/2006
Perflib_Perfdata_678.dat 17 KB	8/19/2006
Perflib_Perfdata_680.dat 17 KB	9/16/2006
Perflib_Perfdata_684.dat 17 KB	8/17/2006
Perflib_Perfdata_688.dat 17 KB	9/23/2006
Perflib_Perfdata_68c.dat 17 KB	11/8/2006
Perflib_Perfdata_750.dat 17 KB	10/19/2006
Perflib_Perfdata_758.dat 17 KB	11/20/2006
Perflib_Perfdata_75c.dat 17 KB	10/9/2006
Perflib_Perfdata_7cc.dat 17 KB	11/24/2006
Perflib_Perfdata_7d8.dat 17 KB	11/24/2006
Perflib_Perfdata_80.dat 17 KB	11/17/2006
Perflib_Perfdata_90c.dat 17 KB	10/18/2006
Perflib_Perfdata_b4.dat 17 KB	8/17/2006
Perflib_Perfdata_e0.dat 17 KB	11/24/2006
Perflib_Perfdata_f54.dat 17 KB	10/9/2006
ZLT01744.TMP 1 KB	11/24/2006
ZLT029d7.TMP 1 KB	11/24/2006
ZLT02a63.TMP 1 KB	11/24/2006
ZLT050e2.TMP 1 KB	11/24/2006
ZLT05f31.TMP 1 KB	11/24/2006
ZLT066f4.TMP 1 KB	11/24/2006


50 file(s)
Total filesize 706 KB
207736144 kilobytes free


----------



## Cookiegal (Aug 27, 2003)

Download *WinPFind.exe* to your desktop, double click on it to open it, and then select extract to extract the files. This will create a folder named *WinPFind* on your desktop.

*Start in Safe Mode Using the F8 method:*


Restart the computer.
As soon as the BIOS is loaded begin tapping the *F8* key until the boot menu appears.
Use the arrow keys to select the *Safe Mode* menu item.
Press the *Enter* key.

Double click on the WinPFind folder on your desktop to open it and then double click on the *WinPFind.exe* file to start the program.


Click Configure scan options
Under Run AdOns select the following:
Policies.def
Security.def

Click apply
Click "*Start Scan*"
*It will scan the entire System, so please be patient and let it complete.*

When the scan is complete reboot normally and post the *WinPFind.txt* file (located in the WinPFind folder).


----------



## justchange (Oct 18, 2004)

Thank you. Wilco.


----------



## justchange (Oct 18, 2004)

The forum prog tells me that the file is too large (~54K) and to reduce it to <30K.
Should I split it? Or upload it as an attachment?


----------



## Cookiegal (Aug 27, 2003)

Either one would be fine. You can put it in two posts or upload it as an attachment.


----------



## justchange (Oct 18, 2004)

Here's the split version 1 of 2: (attachment to follow)

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Logfile created on: 11/25/2006 11:44:17 AM
WinPFind v1.5.0	Folder = C:\Documents and Settings\Nice Person\Desktop\WinPFind\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
WSUD 6/18/2004 12:32:34 AM 15684608 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL (Realtek Semiconductor Corp.)
UPX! 9/25/2006 7:45:08 AM 666240 C:\WINDOWS\SYSTEM32\aswBoot.exe ()
PEC2 8/23/2001 4:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc ()
PTech 6/27/2006 4:40:02 AM 571184 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll (Microsoft Corporation)
PTech 6/2/2006 12:39:54 PM 579888 C:\WINDOWS\SYSTEM32\LegitCheckControl.old (Microsoft Corporation)
PECompact2 11/15/2006 9:20:40 PM 10474920 C:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)
aspack 11/15/2006 9:20:40 PM 10474920 C:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)
WSUD 8/3/2004 11:56:54 PM 1200128 C:\WINDOWS\SYSTEM32\ntbackup.exe (Microsoft Corporation)
aspack 8/3/2004 11:56:36 PM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll (Microsoft Corporation)
WSUD 8/3/2004 11:56:58 PM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
Umonitor 8/3/2004 11:56:44 PM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll (Microsoft Corporation)
winsync 8/23/2001 4:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu ()

Checking %System%\Drivers folder and sub-folders...
PTech 8/3/2004 9:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys (Smart Link)

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
11/25/2006 11:42:36 AM S 2048 C:\WINDOWS\bootstat.dat ()
11/23/2006 6:13:28 PM HS 7680 C:\WINDOWS\Thumbs.db ()
10/13/2006 9:01:30 PM RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index22.dat ()
10/13/2006 9:01:32 PM RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index23.dat ()
11/22/2006 12:49:42 PM S 64 C:\WINDOWS\CSC\00000001 ()
11/22/2006 9:25:02 AM S 64 C:\WINDOWS\CSC\00000002 ()
11/25/2006 11:41:46 AM H 48882 C:\WINDOWS\system32\vsconfig.xml ()
11/24/2006 12:02:40 PM H 4212 C:\WINDOWS\system32\zllictbl.dat ()
10/16/2006 7:35:46 AM S 10965 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB920213.cat ()
10/13/2006 4:55:52 AM S 10965 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB923980.cat ()
10/13/2006 5:33:10 AM S 10259 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB924270.cat ()
11/25/2006 11:42:32 AM H 8192 C:\WINDOWS\system32\config\default.LOG ()
11/25/2006 11:42:42 AM H 1024 C:\WINDOWS\system32\config\SAM.LOG ()
11/25/2006 11:42:38 AM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG ()
11/25/2006 11:43:00 AM H 69632 C:\WINDOWS\system32\config\software.LOG ()
11/25/2006 11:42:40 AM H 1105920 C:\WINDOWS\system32\config\system.LOG ()
11/24/2006 10:35:36 AM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG ()
11/24/2006 5:43:38 PM S 688 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5 ()
11/18/2006 10:07:36 PM S 558 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\A44F4E7CB3133FF765C39A53AD8FCFDD ()
11/24/2006 5:43:38 PM S 41774 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\A8FABA189DB7D25FBA7CAC806625FD30 ()
11/24/2006 5:43:38 PM S 94 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5 ()
11/18/2006 10:07:36 PM S 146 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\A44F4E7CB3133FF765C39A53AD8FCFDD ()
11/24/2006 5:43:38 PM S 124 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\A8FABA189DB7D25FBA7CAC806625FD30 ()
10/19/2006 9:00:36 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\e2942726-9a99-4e4e-89a6-bfcbc2059d08 ()
10/19/2006 9:00:36 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred ()
11/25/2006 11:41:56 AM H 6 C:\WINDOWS\Tasks\SA.DAT ()

Checking for CPL files...
8/3/2004 11:56:58 PM 68608 C:\WINDOWS\SYSTEM32\access.cpl (Microsoft Corporation)
6/18/2004 12:32:34 AM 15684608 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL (Realtek Semiconductor Corp.)
8/3/2004 11:56:58 PM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl (Microsoft Corporation)
8/3/2004 11:56:58 PM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl (Microsoft Corporation)
8/3/2004 11:56:58 PM 135168 C:\WINDOWS\SYSTEM32\desk.cpl (Microsoft Corporation)
8/3/2004 11:56:58 PM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl (Microsoft Corporation)
8/3/2004 11:56:58 PM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl (Microsoft Corporation)
8/3/2004 11:56:58 PM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl (Microsoft Corporation)
8/3/2004 11:56:58 PM 129536 C:\WINDOWS\SYSTEM32\intl.cpl (Microsoft Corporation)
8/3/2004 11:56:58 PM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl (Microsoft Corporation)
8/3/2004 11:56:58 PM 68608 C:\WINDOWS\SYSTEM32\joy.cpl (Microsoft Corporation)
11/10/2005 12:03:50 PM  49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl (Sun Microsystems, Inc.)
8/23/2001 4:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl (Microsoft Corporation)
8/3/2004 11:56:58 PM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl (Microsoft Corporation)
8/23/2001 4:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl (Microsoft Corporation)
8/3/2004 11:56:58 PM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl (Microsoft Corporation)
8/3/2004 11:56:58 PM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
8/23/2001 4:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl (Microsoft Corporation)
8/3/2004 11:56:58 PM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl (Microsoft Corporation)
8/3/2004 11:56:58 PM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl (Microsoft Corporation)
8/3/2004 11:56:58 PM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl (Microsoft Corporation)
8/23/2001 4:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl (Microsoft Corporation)
8/3/2004 11:56:58 PM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl (Microsoft Corporation)
8/3/2004 11:56:58 PM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl (Microsoft Corporation)
5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl (Microsoft Corporation)
8/23/2001 4:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl (Microsoft Corporation)
8/23/2001 4:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl (Microsoft Corporation)
8/23/2001 4:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl (Microsoft Corporation)
8/23/2001 4:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl (Microsoft Corporation)

Checking for Downloaded Program Files...
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - QuickTime Object - CodeBase = http://www.apple.com/qtactivex/qtplugin.cab
{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - CKAVWebScan Object - CodeBase = http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
{166B1BCA-3F9C-11CF-8075-444553540000} - Shockwave ActiveX Control - CodeBase = http://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
{193C772A-87BE-4B19-A7BB-445B226FE9A1} - ewidoOnlineScan Control - CodeBase = http://download.ewido.net/ewidoOnlineScan.cab
{2D337EB0-3BFB-42A3-B314-A24BBA8C085B} - YAutoImport Class - CodeBase = http://download.yahoo.com/dl/mail/yautoiol1.cab
{3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} - WebGameLoader Class - CodeBase = http://www.shockwave.com/content/ricochetlostworlds/ReflexiveWebGameLoader.cab
{7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - MJLauncherCtrl Class - CodeBase = http://www.shockwave.com/content/luxor/mjolauncher.cab
{87056D28-9730-4A47-B9F9-7E890B62C58A} - WildfireActiveXHost Class - CodeBase = http://www.shockwave.com/content/tumblebugs/axhost.cab
{89981B1D-07DA-43C3-9770-06C51E7E5DCE} - NostaleWebStarter Control - CodeBase = http://game.nostale.com/sso/NostaleWebLauncher.cab
{B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - - CodeBase = http://www.trendmicro.com/spyware-scan/as4web.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} - - CodeBase = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
{D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} - Logout Class - CodeBase = http://www.gamengame.com/KALogoutComponent.cab
{F7899FAE-51C9-4EF5-B98C-A64997635235} - GSPRunGame Class - CodeBase = http://www.playinfinity.net/cab/WindyGSPAx.cab
DirectAnimation Java Classes - - CodeBase = file://C:\WINDOWS\Java\classes\dajava.cab
Microsoft XML Parser for Java - - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
6/30/2006 12:52:52 PM 1768 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk ()
7/23/2005 9:48:20 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()

Checking files in %ALLUSERSPROFILE%\Application Data folder...
7/23/2005 2:36:04 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini ()
1/15/2006 3:47:06 PM 2898 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache ()

Checking files in %USERPROFILE%\Startup folder...
7/23/2005 9:48:20 PM HS 84 C:\Documents and Settings\Nice Person\Start Menu\Programs\Startup\desktop.ini ()
11/25/2006 10:43:54 AM 679 C:\Documents and Settings\Nice Person\Start Menu\Programs\Startup\MemTurbo.lnk ()

Checking files in %USERPROFILE%\Application Data folder...
7/25/2005 10:48:42 AM 877 C:\Documents and Settings\Nice Person\Application Data\AdobeDLM.log ()
7/23/2005 2:36:04 PM HS 62 C:\Documents and Settings\Nice Person\Application Data\desktop.ini ()
7/25/2005 10:48:42 AM 0 C:\Documents and Settings\Nice Person\Application Data\dm.ini ()

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

>>> Internet Explorer Settings <<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://www.yahoo.com/
\\Search Page - http://www.google.com
\\Default_Page_URL - http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
\\Default_Search_URL - http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
\\Local Page - %SystemRoot%\system32\blank.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://www.yahoo.com/
\\Search Page - http://www.google.com
\\Local Page - C:\WINDOWS\system32\blank.htm

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
\\CustomizeSearch - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
\\SearchAssistant - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Microsoft Url Search Hook = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

>>> BHO's <<<
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
\{53707962-6F74-2D53-2644-206D7942484F} - = C:\PROGRA~1\SPYBOT~1\SDHelper.dll (Safer Networking Limited)

>>> Internet Explorer Bars, Toolbars and Extensions <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
\{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
\{30D02401-6A81-11D0-8274-00C04FD5AE38} - Search Band = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\{32683183-48a0-441b-a342-7c2a440a9478} - = ()
\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1} - File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\{EFA24E61-B078-11D0-89E4-00C04FC9E26E} - Favorites Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)
\{EFA24E64-B078-11D0-89E4-00C04FC9E26E} - Explorer Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
\\{ACB1E670-3217-45C4-A021-6B829A8A27CB} - McAfee VirusScan = C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll (Network Associates, Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
\ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\ShellBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\WebBrowser\\{4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - = ()

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\CmdMapping]
\\NEXTID - 8197
\\{FB5F1910-F110-11d2-BB9E-00C04F795683} - 8193 = Windows Messenger
\\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - 8194 = PartyPoker.com
\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - 8195 = Sun Java Console
\\{2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - 8196 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll (Sun Microsystems, Inc.)
\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - ButtonText: PartyPoker.com = c:\program files\PartyGaming\PartyPoker\RunApp.exe ()
\{FB5F1910-F110-11d2-BB9E-00C04F795683} - ButtonText: Messenger = C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

>>> Approved Shell Extensions (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
\\{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = deskpan.dll ()
\\{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = ()
\\{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = ()
\\{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINDOWS\System32\hticons.dll (Hilgraeve, Inc.)
\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Taskbar and Start Menu = ()
\\{32683183-48a0-441b-a342-7c2a440a9478} - Media Band = ()
\\{7A9D77BD-5403-11d2-8785-2E0420524153} - User Accounts = ()
\\{B41DB860-8EE4-11D2-9906-E49FADC173CA} - WinRAR shell extension = C:\Program Files\WinRAR\rarext.dll ()
\\{472083B0-C522-11CF-8763-00608CC02F24} - avast = C:\Program Files\Alwil Software\Avast4\ashShell.dll (ALWIL Software)
\\{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} - iTunes = C:\Program Files\iTunes\iTunesMiniPlayer.dll (Apple Computer, Inc.)
\\{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} - OpenOffice.org Column Handler = "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll" (Sun Microsystems, Inc.)
\\{087B3AE3-E237-4467-B8DB-5A38AB959AC9} - OpenOffice.org Infotip Handler = "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll" (Sun Microsystems, Inc.)
\\{63542C48-9552-494A-84F7-73AA6A7C99C1} - OpenOffice.org Property Sheet Handler = "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll" (Sun Microsystems, Inc.)
\\{3B092F0C-7696-40E3-A80F-68D74DA84210} - OpenOffice.org Thumbnail Viewer = "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll" (Sun Microsystems, Inc.)
\\{B327765E-D724-4347-8B16-78AE18552FC3} - NeroDigitalIconHandler = C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll (Nero AG)
\\{7F1CF152-04F8-453A-B34C-E609530A9DC8} - NeroDigitalPropSheetHandler = C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll (Nero AG)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

>>> Context Menu Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers]
\avast - {472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll (ALWIL Software)
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ()
\{97F51F2B-E87A-4349-84B1-2D91CB2C0C1B} - = C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll (Network Associates, Inc.)
\{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208} - = C:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll (Nero AG)

[HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers]
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ()

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers]
\ACE - {5E2121EE-0300-11D4-8D3B-444553540000} = ()

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers]
\avast - {472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll (ALWIL Software)
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ()
\{97F51F2B-E87A-4349-84B1-2D91CB2C0C1B} - = C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll (Network Associates, Inc.)
\{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208} - = C:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll (Nero AG)

>>> Column Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
\{7D4D6379-F301-4311-BEBA-E26EB0561882} - NeroDigitalExt.NeroDigitalColumnHandler = C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll (Nero AG)
\{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} - OpenOffice.org Column Handler = "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll" (Sun Microsystems, Inc.)
\{F9DB5320-233E-11D1-9F84-707F02C10627} - PDF Column Info = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll (Adobe Systems, Inc.)

>>> Registry Run Keys <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SoundMan - C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
Logitech Utility - C:\WINDOWS\Logi_MwX.Exe (Logitech Inc.)
LVCOMSX - C:\WINDOWS\system32\LVCOMSX.EXE (Logitech Inc.)
avast! - C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe ()
iTunesHelper - C:\Program Files\iTunes\iTunesHelper.exe (Apple Computer, Inc.)
QuickTime Task - C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)
RemoteControl - C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe (Cyberlink Corp.)
ATICCC - C:\Program Files\ATI Technologies\ATI.ACE\cli.exe (ATI Technologies Inc.)
NWEReboot - Reg Data missing or invalid ()
NeroFilterCheck - C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
.nvsvc - C:\WINDOWS\system\smss.exe ()
Zone Labs Client - C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Zone Labs, LLC)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS - C:\Program Files\Messenger\MSMSGS.EXE (Microsoft Corporation)
PhotoShow Deluxe Media Manager - C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe ()
- Reg Data missing or invalid ()
SpybotSD TeaTimer - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
SsAAD.exe - C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe ()

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

>>> Startup Links <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Common Startup]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Startup]
C:\Documents and Settings\Nice Person\Start Menu\Programs\Startup\desktop.ini ()
C:\Documents and Settings\Nice Person\Start Menu\Programs\Startup\MemTurbo.lnk - C:\Program Files\MemTurbo\MemTurbo.exe (SoftwareOnline.com, Inc.)

>>> MSConfig Disabled Items <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[All Users Startup Folder Disabled Items]

[Current User Startup Folder Disabled Items]

>>> User Agent Post Platform <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
\\SV1 -

>>> AppInit Dll's <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs]

>>> Image File Execution Options <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
\Your Image File Name Here without a path - Debugger = ntsd -d

>>> Shell Service Object Delay Load <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
\\PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = ()
\\WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll (Microsoft Corporation)
\\SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll (Microsoft Corporation)

>>> Shell Execute Hooks <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation)

>>> Shared Task Scheduler <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
\\{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\\{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
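
Two things in this log are worth flagging before anything else is deleted, and both are visible in the pasted text itself: the Run-key entry `.nvsvc` loads an `smss.exe` from `C:\WINDOWS\system` rather than `C:\WINDOWS\System32`, which is where the genuine Session Manager in the process list runs from, and the Windows Firewall exception list (in the second half of the log) contains dozens of executables in the user's `Temp` directory, every one of them registered under the friendly name "Microsoft Update". The script below is an added triage example, not from the thread or from any of the tools mentioned in it. It parses lines in the two formats this log uses and flags those patterns. The sample lines are excerpted from the log above; the regular expressions, the list of binaries that only belong in System32, and the thresholds are my own assumptions.

```python
import re
from collections import defaultdict

# Core Windows binaries that legitimately load only from %SystemRoot%\System32
# (assumed list; the genuine smss.exe in the process list above runs from there).
SYSTEM32_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "userinit.exe"}

# Per-user temp directory, in 8.3 (LOCALS~1) and long-name forms.
TEMP_DIR_RE = re.compile(r"\\(?:LOCALS~1\\Temp|Local Settings\\Temp)\\", re.IGNORECASE)

# Run-key lines in this log look like:  Name - C:\path\image.exe (Vendor)
RUN_LINE_RE = re.compile(r"^(?P<name>.+?) - (?P<path>[A-Za-z]:\\.+?) \((?P<vendor>[^()]*)\)$")

# Firewall exception lines carry a registry value of the form  path:*:State:Friendly Name
FW_KEY_PREFIX = "AuthorizedApplications\\List\\\\"

# Constructed sample: a handful of lines excerpted from the log posted above.
SAMPLE_LOG = r"""
SoundMan - C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
NWEReboot - Reg Data missing or invalid ()
.nvsvc - C:\WINDOWS\system\smss.exe ()
Zone Labs Client - C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Zone Labs, LLC)
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Skype\Phone\Skype.exe - C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\svchost.exe - C:\WINDOWS\system32\svchost.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\62ex4.modul32.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\62ex4.modul32.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\69exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\69exinjs.p.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\76exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\76exinjs.p.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\43exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\43exinjs.p.exe:*:Enabled:Microsoft Update
""".strip().splitlines()


def parse_fw_line(line):
    """Return (path, state, friendly_name) for a firewall exception line, else None."""
    line = line.strip()
    if FW_KEY_PREFIX not in line or " - " not in line:
        return None
    value = line.split(" - ", 1)[1]          # the registry value, after "key - "
    if ":*:" not in value:
        return None                          # forum-mangled or unexpected format
    path, rest = value.split(":*:", 1)
    state, _, friendly = rest.partition(":")
    return path, state, friendly


def parse_run_line(line):
    """Return (name, path, vendor) for a Run-key line with a real path, else None."""
    m = RUN_LINE_RE.match(line.strip())
    return (m["name"], m["path"], m["vendor"]) if m else None


def check_run_entry(name, path, vendor):
    """A system-binary filename loaded from anywhere but System32 is a red flag."""
    directory, _, filename = path.rpartition("\\")
    if filename.lower() in SYSTEM32_ONLY and not directory.lower().endswith("\\system32"):
        return f"system binary name outside System32: {name} -> {path}"
    return None


def check_fw_entry(path, state, friendly):
    findings = []
    if TEMP_DIR_RE.search(path):
        findings.append(f"firewall exception for executable in Temp: {path}")
    # Real Windows Update traffic goes through svchost.exe under %windir%; anything
    # else borrowing that friendly name is impersonating it.
    if friendly.lower() == "microsoft update" and \
            not path.lower().startswith(("c:\\windows\\", "%windir%")):
        findings.append(f"exception impersonating Windows Update: {path}")
    return findings


def family_key(path):
    """Strip a leading numeric prefix: 62exinjs.p.exe -> exinjs.p.exe."""
    return re.sub(r"^\d+", "", path.rpartition("\\")[2].lower())


def triage(lines):
    """Run every check over the log lines and return the list of findings."""
    findings = []
    families = defaultdict(set)
    for line in lines:
        fw = parse_fw_line(line)
        if fw:
            findings.extend(check_fw_entry(*fw))
            families[family_key(fw[0])].add(fw[0].rpartition("\\")[2].lower())
            continue
        run = parse_run_line(line)
        if run:
            finding = check_run_entry(*run)
            if finding:
                findings.append(finding)
    # Several exceptions for the same filename differing only in a numeric prefix:
    # something keeps re-dropping itself under a fresh name and whitelisting each copy.
    for key, names in families.items():
        if len(names) >= 3:
            findings.append(f"{len(names)} numeric-prefixed variants of {key} whitelisted")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run it against the full pasted log (saved to a file and read line by line) and the exinjs family alone produces dozens of hits; the point of the family check is that each individual `NNexinjs.p.exe` looks like a one-off, while the group is obviously one program re-registering itself. The script only reads text, so it is safe to run on a log from a machine you do not trust, and the same parsing logic can be pointed at a registry export of `HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess` from an offline hive.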


----------



## justchange (Oct 18, 2004)

Here's the split version 2 of 2: (attachment to follow)

>>> Winlogon <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
\\UserInit = C:\WINDOWS\system32\userinit.exe,
\\Shell = Explorer.exe
\\System =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
\AtiExtEvent - Ati2evxx.dll = (ATI Technologies Inc.)
\crypt32chain - crypt32.dll = (Microsoft Corporation)
\cryptnet - cryptnet.dll = (Microsoft Corporation)
\cscdll - cscdll.dll = (Microsoft Corporation)
\ScCertProp - wlnotify.dll = (Microsoft Corporation)
\Schedule - wlnotify.dll = (Microsoft Corporation)
\sclgntfy - sclgntfy.dll = (Microsoft Corporation)
\SensLogn - WlNotify.dll = (Microsoft Corporation)
\termsrv - wlnotify.dll = (Microsoft Corporation)
\wlballoon - wlnotify.dll = (Microsoft Corporation)

>>> DNS Name Servers <<<
{2ED82DDA-81CA-4229-84D2-12E0600AC18F} - (Actiontec Gateway)
{508E6AB4-9EBB-4BB2-B95E-C4B458FFF495} - (Actiontec Gateway)
{9680D9A8-0B05-4CF5-9A31-B4C616337842} - (Intel(R) PRO/100 WfM PCI Adapter)
{C1485B73-1642-43F9-9B18-CA40A7EACFC3} - ()
{D72A594F-57A9-468D-B734-C84A73126DCA} - (Actiontec Gateway)
{FC288D9E-67B0-4602-B55F-A56DB164EFE0} - ()

>>> All Winsock2 Catalogs <<<
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries]
\000000000001\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
\000000000002\\LibraryPath - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation)
\000000000003\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries]
\000000000001\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000002\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000003\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000004\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000005\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000006\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000007\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000008\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000009\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000010\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000011\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000012\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000013\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000014\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000015\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000016\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000017\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000018\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000019\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000020\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000021\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000022\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000023\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000024\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000025\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)

>>> Protocol Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler]
\ipp - ()
\msdaipp - ()

>>> Protocol Filters (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter]

>>> Selected AddOn's <<<

>>>>Output for AddOn file Policies.def<<<<
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} - 1
policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} - 1073741857
policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - 32
policies\system\\dontdisplaylastusername - 0
policies\system\\legalnoticecaption - 
policies\system\\legalnoticetext - 
policies\system\\shutdownwithoutlogon - 1
policies\system\\undockwithoutlogon - 1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
policies\Explorer\\NoDriveTypeAutoRun - 0
policies\System\\DisableRegistryTools - 0

>>>>Output for AddOn file Security.def<<<<
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center - Include SUBKEYS
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
Security Center\\AntiVirusDisableNotify - 0
Security Center\\FirewallDisableNotify - 0
Security Center\\UpdatesDisableNotify - 0
Security Center\\AntiVirusOverride - 0
Security Center\\FirewallOverride - 0
Security Center\Monitoring\ZoneLabsFirewall\\DisableMonitoring - 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS - Include SUBKEYS
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
BITS\\Type - 32
BITS\\Start - 3
BITS\\ErrorControl - 1
BITS\\ImagePath - %SystemRoot%\System32\svchost.exe -k netsvcs
BITS\\DisplayName - Background Intelligent Transfer Service
BITS\\DependOnService - Rpcss;
BITS\\DependOnGroup - 
BITS\\ObjectName - LocalSystem
BITS\\Description - Transfers files in the background using idle network bandwidth. If the service is stopped, features such as Windows Update, and MSN Explorer will be unable to automatically download programs and other information. If this service is disabled, any services that explicitly depend on it may fail to transfer files if they do not have a fail safe mechanism to transfer files directly through IE in case BITS has been disabled.
BITS\\FailureActions - 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 68 E3 0C 00 01 00 00 00 60 EA 00 00 01 00 00 00 60 EA 00 00 01 00 00 00 60 EA 00 00 
BITS\Parameters\\ServiceDll - C:\WINDOWS\system32\qmgr.dll
BITS\Security\\Security - 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 
BITS\Enum\\0 - Root\LEGACY_BITS\0000
BITS\Enum\\Count - 1
BITS\Enum\\NextInstance - 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess - Include SUBKEYS
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
SharedAccess\\Type - 32
SharedAccess\\Start - 2
SharedAccess\\ErrorControl - 1
SharedAccess\\ImagePath - %SystemRoot%\System32\svchost.exe -k netsvcs
SharedAccess\\DisplayName - Windows Firewall/Internet Connection Sharing (ICS)
SharedAccess\\DependOnService - Netman;WinMgmt;
SharedAccess\\DependOnGroup - 
SharedAccess\\ObjectName - LocalSystem
SharedAccess\\Description - Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.
SharedAccess\Epoch\\Epoch - 12314
SharedAccess\Parameters\\ServiceDll - %SystemRoot%\System32\ipnathlp.dll
SharedAccess\Parameters\\SharedAutoDial - 0
SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\%windir%\system32\sessmgr.exe - %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\139:TCP - 139:TCP:*:Enabled:@xpsp2res.dll,-22004
SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\445:TCP - 445:TCP:*:Enabled:@xpsp2res.dll,-22005
SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\137:UDP - 137:UDP:*:Enabled:@xpsp2res.dll,-22001
SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\138:UDP - 138:UDP:*:Enabled:@xpsp2res.dll,-22002
SharedAccess\Parameters\FirewallPolicy\StandardProfile\\EnableFirewall - 0
SharedAccess\Parameters\FirewallPolicy\StandardProfile\\DoNotAllowExceptions - 0
SharedAccess\Parameters\FirewallPolicy\StandardProfile\\DisableNotifications - 0
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\sessmgr.exe - C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\America's Army\System\ArmyOps.exe - C:\Program Files\America's Army\System\ArmyOps.exe:*:Enabled:ArmyOps
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\NovaLogic\Joint Operations Beta Demo\jodemo.exe - C:\Program Files\NovaLogic\Joint Operations Beta Demo\jodemo.exe:*:Disabled:jodemo
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Sierra On-Line\SIGSPat.exe - C:\Program Files\Sierra On-Line\SIGSPat.exe:*:Enabled:SIGSPat
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Skype\Phone\Skype.exe - C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe:*:Disabled:backWeb-8876480
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\iTunes\iTunes.exe - C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Xfire\Xfire.exe - C:\Program Files\Xfire\Xfire.exe:*:Enabled:Xfire
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\EA Games\American McGee's Alice\alice.exe - C:\Program Files\EA Games\American McGee's Alice\alice.exe:*:Enabled:American McGee's Alice
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Ahead\Nero ShowTime\ShowTime.exe - C:\Program Files\Ahead\Nero ShowTime\ShowTime.exe:*:Enabled:Nero ShowTime
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Internet Explorer\iexplore.exe - C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\BitComet\BitComet.exe - C:\Program Files\BitComet\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Azureus\Azureus.exe - C:\Program Files\Azureus\Azureus.exe:*:Enabled:Azureus
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\javaw.exe - C:\WINDOWS\system32\javaw.exe:*:Enabled:javaw.exe
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\svchost.exe - C:\WINDOWS\system32\svchost.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\62ex4.modul32.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\62ex4.modul32.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\89ex4.modul32.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\89ex4.modul32.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\%windir%\system32\sessmgr.exe - %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\eMule\emule.exe - C:\Program Files\eMule\emule.exe:*:Enabled:eMule
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\ActionDump\Support_Files\INITCONN.EXE - C:\WINDOWS\system32\ActionDump\Support_Files\INITCONN.EXE:*:Enabled:INITCONN
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\Nice Person\Desktop\Downloads\Calba\CabalTemp\ESTdnheadless.exe - C:\Documents and Settings\Nice Person\Desktop\Downloads\Calba\CabalTemp\ESTdnheadless.exe:*:Enabled:EST! download engine
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\Nice Person\Desktop\Downloads\Cabal\CabalTemp\ESTdnheadless.exe - C:\Documents and Settings\Nice Person\Desktop\Downloads\Cabal\CabalTemp\ESTdnheadless.exe:*:Enabled:EST! download engine
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Cabal_GSP\update\ESTdnheadless.exe - C:\Program Files\Cabal_GSP\update\ESTdnheadless.exe:*:Enabled:EST! download engine
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\infinity_eng\xclient.exe - C:\Program Files\infinity_eng\xclient.exe:*:Enabled:xclient
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\GPotato\SpaceCowboy\SpaceCowboy.exe - C:\Program Files\GPotato\SpaceCowboy\SpaceCowboy.exe:*:Enabled:SpaceCowboy
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Softnyx\Rakion\Bin\rakion.bin - C:\Program Files\Softnyx\Rakion\Bin\rakion.bin:*:Enabled:rakion
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\69exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\69exinjs.p.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\76exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\76exinjs.p.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\43exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\43exinjs.p.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\72exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\72exinjs.p.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\96exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\96exinjs.p.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\87exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\87exinjs.p.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\21exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\21exinjs.p.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\58exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\58exinjs.p.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\52exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\52exinjs.p.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\77exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\77exinjs.p.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\92exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\92exinjs.p.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\94exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\94exinjs.p.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\62exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\62exinjs.p.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\24exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\24exinjs.p.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\54exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\54exinjs.p.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\5exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\5exinjs.p.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\49exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\49exinjs.p.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\53exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\53exinjs.p.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\48exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\48exinjs.p.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\67exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\67exinjs.p.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\71exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\71exinjs.p.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\39exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\39exinjs.p.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\50exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\50exinjs.p.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\80exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\80exinjs.p.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\27exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\27exinjs.p.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\25exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\25exinjs.p.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\4exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\4exinjs.p.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\47exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\47exinjs.p.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\7exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\7exinjs.p.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\11exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\11exinjs.p.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\6exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\6exinjs.p.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\82exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\82exinjs.p.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\3exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\3exinjs.p.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\63exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\63exinjs.p.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\32exinjs.q.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\32exinjs.q.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\57exinjs.q.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\57exinjs.q.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\84exinjs.q.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\84exinjs.q.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\82exinjs.q.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\82exinjs.q.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\51exinjs.q.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\51exinjs.q.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\65exinjs.q.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\65exinjs.q.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\21exinjs.q.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\21exinjs.q.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\6exinjs.q.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\6exinjs.q.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\78exinjs.q.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\78exinjs.q.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\74exinjs.q.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\74exinjs.q.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\72exinjs.q.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\72exinjs.q.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\1900:UDP - 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\2869:TCP - 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\4662:TCP - 4662:TCP:*:Enabled:eMule TCP Incoming
SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\4661:TCP - 4661:TCP:*:Enabled:eMule TCP outgoing
SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\14985:TCP - 14985:TCP:*:Enabled:BitComet 14985 TCP
SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\14985:UDP - 14985:UDP:*:Enabled:BitComet 14985 UDP
SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\10201:TCP - 10201:TCP:*:Enabled:BitComet 10201 TCP
SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\10201:UDP - 10201:UDP:*:Enabled:BitComet 10201 UDP
SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\139:TCP - 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\445:TCP - 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\137:UDP - 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\138:UDP - 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002
SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\4711:UDP - 4711:UDP:*:Enabled:eMule UDP outgoing
SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\4665:UDP - 4665:UDP:*:Enabled:eMule UDP incoming
SharedAccess\Security\\Security - 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 
SharedAccess\Setup\\ServiceUpgrade - 1
SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\\{C1485B73-1642-43F9-9B18-CA40A7EACFC3} - 1
SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\\{6A4076B6-D49E-44F9-AAE8-6426AE3A5C59} - 1
SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\\{FC288D9E-67B0-4602-B55F-A56DB164EFE0} - 1
SharedAccess\Enum\\0 - Root\LEGACY_SHAREDACCESS\0000
SharedAccess\Enum\\Count - 1
SharedAccess\Enum\\NextInstance - 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv - Include SUBKEYS
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
wuauserv\\Type - 32
wuauserv\\Start - 4
wuauserv\\ErrorControl - 1
wuauserv\\ImagePath - %systemroot%\system32\svchost.exe -k netsvcs
wuauserv\\DisplayName - Automatic Updates
wuauserv\\ObjectName - LocalSystem
wuauserv\\Description - Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site.
wuauserv\Parameters\\ServiceDll - C:\WINDOWS\System32\wuauserv.dll
wuauserv\Security\\Security - 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 
wuauserv\Enum\\0 - Root\LEGACY_WUAUSERV\0000
wuauserv\Enum\\Count - 1
wuauserv\Enum\\NextInstance - 1

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


----------



## justchange (Oct 18, 2004)

Here's the complete WinPFind.txt file.


----------



## Cookiegal (Aug 27, 2003)

Since you already have AVG Anti-Spyware, please do this:


On the main screen select the icon "*Update*" then select the "*Update now*" link.
Next select the "*Start Update*" button. The update will start and a progress bar will show the updates being installed.
Once the update has completed, select the "*Scanner*" icon at the top of the screen, then select the "*Settings*" tab.
Once in the Settings screen click on "*Recommended actions*" and then select "*Quarantine*".
Under "*Reports*"
Select "*Automatically generate report after every scan*"
Un-Select "*Only if threats were found*"

Close AVG Anti-Spyware. Do not run a scan just yet; we will run it in Safe Mode.
Reboot your computer into *Safe Mode*. You can do this by restarting your computer and continually tapping the *F8* key until a menu appears. Use your up arrow key to highlight *Safe Mode* then hit enter.

*IMPORTANT:* Do not open any other windows or programs while AVG Anti-Spyware is scanning as it may interfere with the scanning process:

Launch AVG Anti-Spyware by double clicking the icon on your desktop.
Select the "*Scanner*" icon at the top and then the "*Scan*" tab then click on "*Complete System Scan*".
AVG will now begin the scanning process. Please be patient as this may take a little time.
*Once the scan is complete, do the following:*
If you have any infections you will be prompted. Then select "*Apply all actions.*"
Next select the "*Reports*" icon at the top.
Select the "*Save report as*" button in the lower left-hand corner of the screen and save it to a text file on your system (make sure to remember where you saved that file. This is important).
Close AVG Anti-Spyware and reboot your system back into Normal Mode.

Please go *HERE* to run Panda's ActiveScan
Once you are on the Panda site click the *Scan your PC* button
A new window will open...click the *Check Now* button
Enter your *Country*
Enter your *State/Province*
Enter your *e-mail address* and click *send*
Select either *Home User* or *Company*
Click the big *Scan Now* button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on *My Computer* to start the scan
When the scan completes, if anything malicious is detected, click the *See Report* button, *then Save Report* and save it to a convenient location. Post the contents of the ActiveScan report

Download GMER from http://www.gmer.net

Save it somewhere safe & unzip it to desktop

Double click the gmer.exe to run it and select the rootkit tab, press scan and when it has finished press save and copy the log back here please.

*Come back here and post a new HijackThis log along with the logs from the AVG and Panda scans and the GMER log.*


----------



## justchange (Oct 18, 2004)

multi-tasking today... helping another neighbor move.
I'll follow these instructions and post the logs, shortly.
Thank you for your commitment to help.


----------



## Cookiegal (Aug 27, 2003)

That's fine. :up:


----------



## justchange (Oct 18, 2004)

Here are the reports you requested.

BTW, we've noticed a non-MS smss.exe (39.5k) in the Windows/System/ folder, dated 11-19-2006, about the time this started. There is another, larger file in the ../System32/ folder. Important?


----------



## valis (Sep 24, 2004)

dang, panda keeps earning my respect.......


----------



## justchange (Oct 18, 2004)

I just noticed the AVG log appears empty. There was a single tracking cookie identified.
If necessary, I can go run the scan again and then verify that the report contains readable data.
[edited spelling]


----------



## Cookiegal (Aug 27, 2003)

Please post a new HijackThis log after having done the above and also a new WinpFind log.


----------



## justchange (Oct 18, 2004)

Sorry for the slow response. I have been away all day. (And Tony _really_ wants his computer back!)



justchange said:


> I just noticed the AVG log appears empty. There was a single tracking cookie identified...


There was actually data available in the file. I don't know why it didn't upload.
Let's try it, again, along with the fresh AVG, WinPFind and HJT logs. (All run in Safe Mode.)
Thanks for your persistence!


----------



## justchange (Oct 18, 2004)

I don't understand why the AVG[...].txt files appear (to me) to be blank, though the filesize is reported accurately.
I've saved yesterday's file as .pdf, let's try that.

(Since there have been no new connections to the internet, there are no new entries in today's AVG scan log.)


----------



## Cookiegal (Aug 27, 2003)

Please post a HijackThis log from normal mode and a new Panda scan.


----------



## justchange (Oct 18, 2004)

Okay... Tony's home, so I can do this right now. Results soon.
Thanks!


----------



## justchange (Oct 18, 2004)

I ran HJT before and after the Panda scan.
The Panda scan returned no new results / no report.

We have been suspicious of this entry "O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w" and submitted it to http://www.kaspersky.com/scanforvirus.html with this result:
"Trojan.Proxy.Win32.Horst.or"

I did not delete it, yet. I want to be sure that we do this thoroughly.
Thanks, again.


----------



## Cookiegal (Aug 27, 2003)

justchange said:


> We have been suspicious of this entry "O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w" and submitted it to http://www.kaspersky.com/scanforvirus.html with this result:
> "Trojan.Proxy.Win32.Horst.or"


Yes, I know. 

*Click Here* and download Killbox and save it to your desktop but don't run it yet.

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click *fix checked*.

*O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w*

Then boot to safe mode:

*How to restart to safe mode*

Double-click on Killbox.exe to run it. 

Put a tick by *Standard File Kill*. 
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

*C:\WINDOWS\system\smss.exe*

Click on the button that has the red circle with the X in the middle after you enter each file. 
It will ask for confirmation to delete the file. 
Click Yes. 
Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
Killbox may tell you that one or more files do not exist. 
If that happens, just continue on with all the files. Be sure you don't miss any.
Next in Killbox go to *Tools > Delete Temp Files*
In the window that pops up, put a check by *ALL* the options there *except* these three:
XP Prefetch
Recent
History

Now click the *Delete Selected Temp Files* button.
Exit the Killbox.

Boot back to Windows normally and post another HijackThis log along with a new WinpFind log please.

This makes changes to the registry to allow the nasty stuff through the Windows firewall. Even though you're not using it because you have ZoneAlarm, we need to remove those entries but I need to see the new WinpFind log first.

I would also like you to run Bit Defender:

Go *here* and do the BitDefender online virus scan.

Click "I Agree" to agree to the EULA.
Allow the ActiveX control to install when prompted.
Click "Click here to scan" to begin the scan.
Please refrain from using the computer until the scan is finished.
When the scan is finished, click on "Click here to export the scan results"
Save the report to your desktop then come back here and *attach* it to your next reply along with a new Hijack This log.

*Note:* You have to use Internet Explorer to do the online scan.
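The entry Cookiegal has justchange fix above, and the non-Microsoft smss.exe justchange noticed earlier in the Windows\System folder, are the same finding seen from two sides: a file borrowing the name of a core Windows process, living outside System32, and being launched from a Run key. The script below is an added example (not code from the thread or from HijackThis) that applies that check to a HijackThis log: it walks the "Running processes:" section and the O4 Run-key lines and reports any core process name that runs from a directory other than the default XP System32 path (an assumption; adjust SYSTEM32 if %SystemRoot% differs). The log excerpt is constructed for the example, mixing lines from the thread with a few invented ones.

```python
"""Flag HijackThis entries where a core Windows process name runs from the wrong place.

Added example, not part of the thread. Assumptions: the default XP layout
(C:\WINDOWS\system32) and HijackThis 1.99 line formats.
"""
import re

# Process names the kernel or winlogon starts from System32; anything with one of
# these names outside System32, or launched via a Run key, is worth a closer look.
SYSTEM_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe",
                    "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM32 = "c:\\windows\\system32"   # assumption: default XP SystemRoot

# O4 - HKLM\..\Run: [ValueName] command line
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# First absolute path ending in .exe, with or without surrounding quotes
EXE_RE = re.compile(r'^"?(?P<exe>[A-Za-z]:\\.*?\.exe)', re.IGNORECASE)

# Constructed sample: header and some lines copied from the thread's log, plus
# an invented running-process line showing the rogue file while it is active.
SAMPLE_HJT = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system\smss.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""


def path_reasons(path):
    """Reasons an executable path looks like a masquerading system process."""
    lower = path.lower()
    directory, _, base = lower.rpartition("\\")
    reasons = []
    if base in SYSTEM_PROCESSES and directory != SYSTEM32:
        reasons.append(f"{base} is a core Windows process name but runs from {directory}")
    return reasons


def run_key_reasons(name, cmd):
    """Reasons a Run-key value (name + command line) deserves attention."""
    match = EXE_RE.match(cmd)
    if not match:
        return []          # bare filename such as SOUNDMAN.EXE: location not verifiable here
    exe = match.group("exe")
    reasons = path_reasons(exe)
    if exe.lower().rpartition("\\")[2] in SYSTEM_PROCESSES:
        reasons.append("core Windows processes are started by the kernel/winlogon, not by a Run key")
    if not name or name.startswith("."):
        reasons.append(f"odd Run value name {name!r}")
    return reasons


def audit_hjt(log_text):
    """Return (kind, line, reasons) for every suspicious process or O4 line."""
    findings = []
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:               # blank line ends the process list
                in_procs = False
                continue
            reasons = path_reasons(line)
            if reasons:
                findings.append(("process", line, reasons))
            continue
        match = O4_RE.match(line)
        if match:
            reasons = run_key_reasons(match.group("name"), match.group("cmd"))
            if reasons:
                findings.append(("O4", line, reasons))
    return findings


if __name__ == "__main__":
    for kind, line, reasons in audit_hjt(SAMPLE_HJT):
        print(f"[{kind}] {line}")
        for reason in reasons:
            print(f"    - {reason}")
```

On the sample this reports exactly two lines: the running C:\WINDOWS\system\smss.exe and the [.nvsvc] Run entry, while the genuine System32 smss.exe and the ordinary Run entries pass. The check is deliberately narrow; it does not replace a scan, it just makes the kind of anomaly justchange spotted by eye mechanical.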


----------



## justchange (Oct 18, 2004)

Thank you!
I'll go and get after this list right now.


----------



## Cookiegal (Aug 27, 2003)

I'm signing off for the night but will check back in the morning.


----------



## justchange (Oct 18, 2004)

Ran HJT; killed this entry: "O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w".
Re-booted to Safe Mode and ran Killbox; deleted this file: "C:\WINDOWS\system\smss.exe ".

Ran HJT; Ran WinPfind; logs attached here.

Running BitDefender... looks like it will be another 3 hours-to-eternity.
I'll re-scan with HJT and post both logs tomorrow (or whenever!)

(Are you testing my endurance?)


----------



## justchange (Oct 18, 2004)

Apparently that many-hour projection was just a soft guess by the program... it finished in just under 1½ hours.
The BDOS report and HJT log are attached. (BDOS saved the file as HTML; I changed it to PDF to upload.)

Woot! We're making progress !! :up: *sips his eggnog*


----------



## Cookiegal (Aug 27, 2003)

There will probably be more to fix but let's start with this:

I'm attaching a Fixjustchange.zip file to this post. Save it to your desktop. Unzip it and double click the Fixjustchange.reg file and allow it to enter into the registry.


Reboot and post a new HijackThis log please along with a new WinpFind scan log.


----------



## justchange (Oct 18, 2004)

Merged Regfile; rebooted; Ran WinPFind; Ran HJT. Logs attached.

_At the end of this process, can you help me with suggestions to pass along to reduce the chances of such infections? I keep my system pretty well locked down and, so far, I've only been hit once this year. Usually, my various defenses seem to work well. (I don't know what Tony is doing differently, though.) Thanks, again._

BTW
What's her favorite cookie?


----------



## Cookiegal (Aug 27, 2003)

Please run the attached Fixjustchange2.reg file the same way you did the first one.


Then reboot and post a new WinpFind log please.


Cookies? Chocolate chip, of course!


----------



## justchange (Oct 18, 2004)

I have to run out for awhile, so I'll get to that next step when I return.
In the meantime, enjoy a few on me! (And be sure to share... )


----------



## Cookiegal (Aug 27, 2003)

Yummmm.....I can't guarantee there'll be any left when you get back though.


----------



## justchange (Oct 18, 2004)

Merged RegistryData v.2; re-booted; Ran WinPFind; log attached.

So, they were pretty good, huh?


----------



## Cookiegal (Aug 27, 2003)

You didn't include the security add-ons in that last one. Please run it again and be sure to select the same add-ons as before.


----------



## justchange (Oct 18, 2004)

Hmmm.. Don't know how that happened... I thought I was being careful to include those add-ons. Anyway, since you didn't specify, I ran WinPFind in Safe Mode, then normal mode. Both results are attached.


----------



## Cookiegal (Aug 27, 2003)

The first regfix I had you run was actually the correct one but since it didn't work, I tried something else in the second one, which didn't work either.

Do you have administrator rights?


----------



## justchange (Oct 18, 2004)

Yes.


----------



## justchange (Oct 18, 2004)

BTW,
Should I reverse those registry entries?


----------



## Cookiegal (Aug 27, 2003)

What do you mean reverse them?

Are you comfortable editing the registry manually?


----------



## justchange (Oct 18, 2004)

[edit] I meant removing those entries. (Since they "didn't work", do they need to stay?)
Yes, I am "comfortable editing the registry manually". [/edit]
Though not an expert, I understand the need to be careful.

[edit2]
NOTE:
Out of curiosity, I reviewed the content of the two regfiles you sent and saw they appeared to be entries to prevent running the various trojan(?) files. I assumed the list was of known files associated with this bugger.
Beyond that, I'm not sure what's going on.  [/edit2]


----------



## Cookiegal (Aug 27, 2003)

No, they are entries (policies) created by the infection to allow the nasty files through the firewall.

Let's create a backup of the registry first.

Go to Start > Run
Type:
*regedit*
Click OK.
On the left side, click to highlight *My Computer* at the top. 
Go up to "*File > Export*"
Make sure in that window there is a tick next to "All" under Export Branch.
Leave the "Save As Type" as "Registration Files".
Under "Filename" put *backup*

Choose to save it to *C:\* or somewhere else safe so that you will remember where you put it (don't put it on the desktop!)
Click save and then go to File > Exit.
This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.

Navigate to this registry key:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

In the right-hand pane, right-click ONLY the ones I listed in the regfix and select "delete".

When you're finished with that, reboot and post a new WinpFind log please.
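Cookiegal's point here is that the AuthorizedApplications\List values WinPFind dumped earlier in the thread are firewall exceptions the infection wrote for itself, so the Windows Firewall would pass its traffic. The script below is an added example (not code from the thread or from WinPFind) showing how a defender can triage such a dump mechanically: it parses lines in WinPFind's "key\\name - value" format, keeps only the AuthorizedApplications entries, and flags enabled exceptions whose executable lives in a Temp directory, whose description claims Microsoft while the path is outside the Windows directory (assumed to be C:\WINDOWS), which name a core system binary that needs no application exception, or which share one description with several other paths. The first three sample lines are copied from the thread's log; the rest are constructed.

```python
"""Triage Windows XP firewall AuthorizedApplications entries from a WinPFind dump.

Added example, not part of the thread. Line format assumed (as in WinPFind output):
  ...\AuthorizedApplications\List\\<path> - <path>:<scope>:<Enabled|Disabled>:<description>
"""
from collections import Counter

AUTH_APPS_MARKER = "\\AuthorizedApplications\\List\\\\"
WINDOWS_DIR = "c:\\windows\\"          # assumption: default XP SystemRoot
# Service hosts and core processes: a genuine app exception for these is unusual
CORE_BINARIES = {"svchost.exe", "smss.exe", "lsass.exe", "winlogon.exe", "services.exe"}
SHARED_DESC_THRESHOLD = 3              # same description on this many paths is a cluster

# Constructed sample: first three lines from the thread, the rest invented.
SAMPLE_LINES = [
    r"SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\25exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\25exinjs.p.exe:*:Enabled:Microsoft Update",
    r"SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\32exinjs.q.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\32exinjs.q.exe:*:Enabled:Microsoft Update",
    r"SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\svchost.exe - C:\WINDOWS\system32\svchost.exe:*:Enabled:Microsoft Update",
    r"SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\iTunes\iTunes.exe - C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes",
    r"SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Old Game\game.exe - C:\Program Files\Old Game\game.exe:*:Disabled:Old Game",
    r"SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\4662:TCP - 4662:TCP:*:Enabled:eMule TCP Incoming",
]


def parse_entry(line):
    """Return {path, scope, state, desc} for an AuthorizedApplications line, else None."""
    if AUTH_APPS_MARKER not in line or " - " not in line:
        return None
    _, value = line.split(" - ", 1)
    # Split from the right: the path itself contains the drive-letter colon.
    parts = value.rsplit(":", 3)
    if len(parts) != 4:
        return None
    path, scope, state, desc = parts
    return {"path": path, "scope": scope, "state": state, "desc": desc}


def suspicious_reasons(entry, desc_counts):
    """Reasons an enabled exception looks like it was planted rather than granted."""
    path_lower = entry["path"].lower()
    base = path_lower.rpartition("\\")[2]
    reasons = []
    if "\\temp\\" in path_lower:
        reasons.append("executable lives in a Temp directory")
    if "microsoft" in entry["desc"].lower() and not path_lower.startswith(WINDOWS_DIR):
        reasons.append("description claims Microsoft but path is outside the Windows directory")
    if base in CORE_BINARIES:
        reasons.append(f"core system binary {base} should not need an application exception")
    if desc_counts[entry["desc"]] >= SHARED_DESC_THRESHOLD:
        reasons.append(f"description {entry['desc']!r} is shared by {desc_counts[entry['desc']]} paths")
    return reasons


def audit(lines):
    """Return [(path, reasons)] for every enabled exception with at least one reason."""
    entries = [e for e in map(parse_entry, lines) if e]
    enabled = [e for e in entries if e["state"] == "Enabled"]
    desc_counts = Counter(e["desc"] for e in enabled)
    findings = []
    for entry in enabled:
        reasons = suspicious_reasons(entry, desc_counts)
        if reasons:
            findings.append((entry["path"], reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in audit(SAMPLE_LINES):
        print(path)
        for reason in reasons:
            print(f"    - {reason}")
```

Run against the sample it flags the two Temp executables and the svchost.exe exception (the one Cookiegal asks to be removed later in the thread) and leaves the iTunes entry alone; disabled exceptions and GloballyOpenPorts lines are ignored. The output is a review list for the person holding regedit, not an automatic delete, which matches how the cleanup is done in the thread.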


----------



## justchange (Oct 18, 2004)

Gotta go work! Back in about 3 hours.
Thanks


----------



## Cookiegal (Aug 27, 2003)

That's fine. :up:


----------



## justchange (Oct 18, 2004)

I couldn't get at the computer last night, so had to make the Registry changes this morning.

Here's the info: Using Regedit, removed 56 keys (see attached regfile... it's an export of the affected branch.) Re-booted and ran WinPFind: log attached.

Thanks for all your time.
Hope you have a great weekend!


----------



## Cookiegal (Aug 27, 2003)

That looks much nicer! :up:

There is just one more that you need to delete under the same key:

*C:\WINDOWS\system32\svchost.exe - C:\WINDOWS\system32\svchost.exe:*:Enabled:Microsoft Update*

May I see a new HijackThis log please?


----------



## justchange (Oct 18, 2004)

Yay! I finally got to the 'puter, again!

Cleared that Reg entry; Re-booted; Ran both WinPFind and HJT: logs attached.

PS
He's surfing again. No new replicants noticed. We must be doing something right! 
(Yikes!, what a monster this has been!  )


----------



## Cookiegal (Aug 27, 2003)

Pasting the log for easier viewing:

Logfile of HijackThis v1.99.1
Scan saved at 11:51:38 AM, on 12/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\MemTurbo\MemTurbo.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Nice Person\Desktop\Downloads\Tool\HijackThis!\HijackThis1991.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo\MemTurbo.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.shockwave.com/content/ricochetlostworlds/ReflexiveWebGameLoader.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave.com/content/luxor/mjolauncher.cab
O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://www.shockwave.com/content/tumblebugs/axhost.cab
O16 - DPF: {89981B1D-07DA-43C3-9770-06C51E7E5DCE} (NostaleWebStarter Control) - http://game.nostale.com/sso/NostaleWebLauncher.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.gamengame.com/KALogoutComponent.cab
O16 - DPF: {F7899FAE-51C9-4EF5-B98C-A64997635235} (GSPRunGame Class) - http://www.playinfinity.net/cab/WindyGSPAx.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Unknown owner - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Unknown owner - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe (file missing)
O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


----------



## Cookiegal (Aug 27, 2003)

You did a good job! 

You also need to replace your Sun java with newest version. There are more vulnerabilities in the older versions that can be exploited.

Go to Add/Remove programs and uninstall all previous versions.

Now go *here* and install the latest version of Java.

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* > *All Programs* > *Accessories* > *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.

*Delete your temporary files:*

In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Go to Start - Run and type *%temp%* in the Run box. The Temp folder will open. Click *Edit - Select All* then hit *Delete* to delete the entire contents of the Temp folder.

Finally go to Control Panel - Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK (this option does not exist in IE7). Click Apply then OK.

*Empty the recycle bin*.


----------



## justchange (Oct 18, 2004)

Followed all of your instructions, above.

You didn't ask for any scans/logs/reports! Are we done?!


----------



## Cookiegal (Aug 27, 2003)

Yes we are unless you still have some problems.


----------



## justchange (Oct 18, 2004)

I'm nearly speechless... but if any occasion demands a speech, this one surely qualifies!

You have been absolutely AWESOME !!, in your patience, perseverance, and professionalism. (And especially in your tolerance of my terrible attempts at humor.)

Tony's much happier, now that he's been saved from re-formatting his hdd and starting over.
And I've picked up quite a few new tricks to apply to my own (sorely abused) system.

While it doesn't adequately express the depth of my gratitude, is there a way?/ is it necessary? to flag this thread as "Resolved"?

Oh! and ... thank you! thank you! thank you! thank you! thank you! thank you!


----------



## Cookiegal (Aug 27, 2003)

You're welcome and thank YOU. You're so sweet.  

You can mark your thread solved by clicking on "thread tools" and then selecting "mark solved" from the drop down menu.


----------

