# Solved: Help please!



## Killazys (Feb 9, 2007)

I recently got a computer moved to my room and it was running slowly, so I scanned it with Windows Live OneCare (the trial version). It was found that I was infected by Trojan.Downloader.CR64Loader. I restarted my computer and scanned it with Prevx1, AdAware SE Personal, and Spybot S&D, but nothing came up. What should I do?


----------



## Cheeseball81 (Mar 3, 2004)

Hi and welcome

* *Click here* to download *HJTsetup.exe*.
* Save HJTsetup.exe to your desktop.
* Double click on the HJTsetup.exe icon on your desktop.
* By default it will install to *C:\Program Files\Hijack This*.
* Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
* Put a check by Create a desktop icon then click Next again.
* Continue to follow the rest of the prompts from there.
* At the final dialogue box click Finish and it will launch Hijack This.
* Click on the *Do a system scan and save a log file* button. It will scan and then ask you to save the log.
* Click Save to save the log file and then the log will open in notepad.
* Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
* Come back here to this thread and paste the log in your next reply.
* *DO NOT* have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


----------



## Killazys (Feb 9, 2007)

Sorry for the long response time; I am now actually using the infected computer!

Logfile of HijackThis v1.99.1
Scan saved at 5:01:29 PM, on 2/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$ADVANCEPRO\Binn\sqlservr.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Documents and Settings\username\My Documents\My Downloads\hijackthis\HijackThis.exe

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://nefeli.com/"); (C:\Documents and Settings\username\Application Data\Mozilla\Profiles\default\6eye0hh4.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\username\Application Data\Mozilla\Profiles\default\6eye0hh4.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - https://bba.bloomberg.net/Citrix/ICAWEB/en/ica32/wficat.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.shockwave.com/content/feedingfrenzy/SproutLauncher.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe


----------



## Killazys (Feb 9, 2007)

I have made a thread about this before about the same thing, called "Help please!", and was told to download HJT, but the moderator logged off. I am not sure if this is allowed, but I feel the need to fix this computer ASAP. The problem was that I scanned my computer with Windows Live OneCare (browser/trial version) and it found Trojan.Downloader.CR64Loader but was unable to delete it. I rescanned with Spybot S&D, AdAware SE Personal, and Prevx1, but they only found tracking cookies. What now?

Logfile of HijackThis v1.99.1
Scan saved at 8:50:01 PM, on 2/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$ADVANCEPRO\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\username\My Documents\My Downloads\hijackthis\HijackThis.exe

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://nefeli.com/"); (C:\Documents and Settings\username\Application Data\Mozilla\Profiles\default\6eye0hh4.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\username\Application Data\Mozilla\Profiles\default\6eye0hh4.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - https://bba.bloomberg.net/Citrix/ICAWEB/en/ica32/wficat.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.shockwave.com/content/feedingfrenzy/SproutLauncher.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe


----------



## EAFiedler (Apr 25, 2000)

Hi *Killazys*

I have merged your threads; only a helper with a gold shield can assist you.
Thank you for your patience.


----------



## Killazys (Feb 9, 2007)

Thank you!


----------



## Killazys (Feb 9, 2007)

Bump?! C'mon someone please help me!


----------



## Cheeseball81 (Mar 3, 2004)

You need to be patient. This isn't live tech support. 
What location was Trojan.Downloader.CR64Loader found?


----------



## Killazys (Feb 9, 2007)

Sorry. I am rescanning with Windows Live OneCare to see if it finds the Trojan again and then if it does, I will relay the file location, but it may take some time.


----------



## Killazys (Feb 9, 2007)

I am really, really scared now. I scanned with Windows Live OneCare and it found no viruses or spyware. However, there were 15 missing reg items, and when I went on to fix the problem, since it was in-browser, it said "Error: Dropdown IE menu. The application could not be 'written'. Press OK to terminate the program or Cancel to debug." I scanned with Spybot S&D and found nothing except registry keys by: Ahead Nero Burning Rom, Internet Explorer, Cookies (err), Logs of system startups, shutdowns, and programs I've never heard of, MS Direct 3D, MS DirectDraw, MS DirectInput, MS MediaPlayer, MS Office 10 (startup), MS Office 11 for Excel, Word, and Doc Imaging, Nikon View, SmartFTP, Windows Media SDK, Windows.OpenWith, and Windows Installation Paths. What should I keep/delete? Also, I checked the startup processes and found a fake ctfmon.exe; apparently I am infected by a password-stealing Trojan, PWSteal.Raidys, as well as crypt32.dll, cryptnet.dll, and cscdll, which was not found on the Bleeping Computer startup programs site. ScCertProp/wlnotify.dll was not found either, nor were Schedule/wlnotify.dll, sclgntfy, SensLogn/wlnotify.dll, termsrv/wlnotify.dll, wlballoon/wlnotify.dll, or WgaLogon. Which should I disable?


----------



## Cheeseball81 (Mar 3, 2004)

That ctfmon.exe in Startup is the legit one.

Please post the SpyBot log.


----------



## Killazys (Feb 9, 2007)

Alright, implementing a new rule into my head: (ALWAYS SAVE LOG FILES). I am now going to rescan with Spybot, sorry so much. Also, the ctfmon.exe file path goes into system32, is that correct?


----------
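The two checks this thread turns on, the "(no file)" and "(file missing)" entries in the HijackThis logs above and whether a ctfmon.exe Run entry points into system32, written as a small parser for the O2/O4/O23 line formats shown in those logs. This is an added example, not HijackThis code and not any poster's code; the sample lines are constructed to mirror the posted log, one ctfmon.exe line is made up to exercise the path check, and the note that a quoted service path with arguments makes HJT 1.99.1's "(file missing)" marker unreliable is an observation to confirm on disk, not a verdict.

```python
"""Triage of HijackThis v1.99.1 log lines (added example, not HJT or any poster's code)."""
import re
from typing import List, Tuple

# Constructed sample in the shape of the log posted in this thread. The second
# ctfmon.exe line is made up to exercise the path check; the rest mirror posted lines.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\Documents and Settings\username\ctfmon.exe
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
"""

LINE_RE = re.compile(r"^(?P<tag>[RNO]\d+) - (?P<body>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.*)$")
O23_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
FILE_MISSING = "(file missing)"

Finding = Tuple[str, str, str]  # (severity, HJT section tag, message)


def executable_path(raw: str) -> Tuple[str, bool]:
    # Return (bare executable path, HJT's file-missing flag) for a path field.
    # HJT 1.99.1 prints a quoted service ImagePath with arguments as
    #   C:\dir\app.exe" /h args (file missing)
    # i.e. the opening quote is dropped and the file check runs on the whole
    # string, so the marker alone proves nothing. Strip the marker, stray quotes
    # and arguments so the caller can re-check the real file on disk.
    missing = raw.endswith(FILE_MISSING)
    if missing:
        raw = raw[: -len(FILE_MISSING)].rstrip()
    raw = raw.strip('"')
    if '"' in raw:  # stray closing quote left by HJT: everything after it is arguments
        raw = raw.split('"', 1)[0]
    m = re.match(r"^(.*?\.(?:exe|dll))(?:\s.*)?$", raw, re.IGNORECASE)
    return (m.group(1) if m else raw, missing)


def is_system32_ctfmon(path: str) -> bool:
    # True only for a path of the form drive:\windir\system32\ctfmon.exe, the
    # location Cheeseball81 confirms as the legitimate one in this thread.
    parts = path.lower().split("\\")
    return len(parts) == 4 and parts[2] == "system32" and parts[3] == "ctfmon.exe"


def triage(log_text: str) -> List[Finding]:
    """Score the O2/O4/O23 lines of an HJT log; every other line is passed over."""
    findings: List[Finding] = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank and "Running processes" lines are not scored
        tag, body = m.group("tag"), m.group("body")
        if tag == "O2":
            e = O2_RE.match(body)
            if e and e.group("path") == "(no file)":
                findings.append(("low", tag,
                    f"BHO {{{e.group('clsid')}}} is registered but its file is gone (orphaned entry)"))
        elif tag == "O4":
            e = O4_RE.match(body)  # Startup/Global Startup O4 lines do not match and are skipped
            if e:
                path, _ = executable_path(e.group("path"))
                if e.group("name").lower() == "ctfmon.exe" and not is_system32_ctfmon(path):
                    findings.append(("high", tag, f"ctfmon.exe Run entry points outside system32: {path}"))
        elif tag == "O23":
            e = O23_RE.match(body)
            if e:
                path, missing = executable_path(e.group("path"))
                if missing and '"' in e.group("path"):
                    findings.append(("info", tag,
                        f"service '{e.group('name')}': quoted path with arguments, marker is likely an HJT artifact; confirm {path} exists"))
                elif missing:
                    findings.append(("medium", tag,
                        f"service '{e.group('name')}' is registered but {path} was not found"))
    return findings


if __name__ == "__main__":
    for severity, tag, message in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {tag}: {message}")
```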



## Killazys (Feb 9, 2007)

There are 2 recent logs, so here is the first one.

--- Report generated: 2007-02-10 11:13 ---

Microsoft.WindowsSecurityCenter_disabled: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start!=W=2

Common Dialogs: History (24 files) (Registry key, nothing done)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

MS Office 9.0: Recently used files (7 files) (Directory, nothing done)
C:\Documents and Settings\username\Application Data\Microsoft\Office\Recent\

Log: Activity: COM+.log (Backup file, nothing done)
C:\WINDOWS\COM+.log

Log: Activity: SchedLgU.Txt (Backup file, nothing done)
C:\WINDOWS\SchedLgU.Txt

Log: Activity: imsins.log (Backup file, nothing done)
C:\WINDOWS\imsins.log

Log: Activity: OEWABLog.txt (Backup file, nothing done)
C:\WINDOWS\OEWABLog.txt

Log: Install: comsetup.log (Backup file, nothing done)
C:\WINDOWS\comsetup.log

Log: Install: Directx.log (Backup file, nothing done)
C:\WINDOWS\Directx.log

Log: Install: ocgen.log (Backup file, nothing done)
C:\WINDOWS\ocgen.log

Log: Install: setupact.log (Backup file, nothing done)
C:\WINDOWS\setupact.log

Log: Install: setupapi.log (Backup file, nothing done)
C:\WINDOWS\setupapi.log

Log: Install: svcpack.log (Backup file, nothing done)
C:\WINDOWS\svcpack.log

Log: Install: wmsetup.log (Backup file, nothing done)
C:\WINDOWS\wmsetup.log

Log: Install: DtcInstall.log (Backup file, nothing done)
C:\WINDOWS\DtcInstall.log

Log: Shutdown: System32\wbem\logs\mofcomp.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\mofcomp.log

Log: Shutdown: System32\wbem\logs\setup.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\setup.log

Log: Shutdown: System32\wbem\logs\wbemcore.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemcore.log

Log: Shutdown: System32\wbem\logs\wbemess.lo_ (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.lo_

Log: Shutdown: System32\wbem\logs\wbemess.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.log

Log: Shutdown: System32\wbem\logs\wbemprox.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemprox.log

Log: Shutdown: System32\wbem\logs\winmgmt.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\winmgmt.log

Log: Shutdown: System32\wbem\logs\wmiadap.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wmiadap.log

Log: Shutdown: System32\wbem\logs\wmiprov.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wmiprov.log

Ahead Nero Burning Rom: Image directory (Registry change, nothing done)
HKEY_LOCAL_MACHINE\Software\Ahead\Nero - Burning Rom\Settings\ImageDir!=

Ahead Nero Burning Rom: Compilation directory (Registry change, nothing done)
HKEY_LOCAL_MACHINE\Software\Ahead\Nero - Burning Rom\Settings\NeroCompilation!=

Ahead Nero Burning Rom: Image directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Ahead\Nero - Burning Rom\Settings\ImageDir!=

Ahead Nero Burning Rom: Compilation directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Ahead\Nero - Burning Rom\Settings\NeroCompilation!=

Ahead Nero Burning Rom: Browser directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Ahead\Nero - Burning Rom\Settings\BrowserDir!=

Ahead Nero Burning Rom: Working directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Ahead\Nero - Burning Rom\Settings\WorkingDir!=

Internet Explorer: Typed URL list (7 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Internet Explorer\TypedURLs

Internet Explorer: Download directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Internet Explorer\Download Directory!=

Internet Explorer: User agent (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!=Mozilla/4.0 (compatible; MSIE; Win32)

Internet Explorer: User agent (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!=Mozilla/4.0 (compatible; MSIE; Win32)

Internet Explorer: User agent (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!=Mozilla/4.0 (compatible; MSIE; Win32)

Internet Explorer: User agent (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!=Mozilla/4.0 (compatible; MSIE; Win32)

Internet Explorer: User agent (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!=Mozilla/4.0 (compatible; MSIE; Win32)

Internet Explorer: AutoComplete data (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Internet Explorer\IntelliForms\SPW

MS Media Player: Application data file (global) () (File, nothing done)
C:\Documents and Settings\All Users\Application Data\Microsoft\Media Index\wmplibrary_v_0_12.db

MS Media Player: Client ID (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\MediaPlayer\Player\Settings\Client ID!=

MS Media Player: Client ID (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\MediaPlayer\Player\Settings\Client ID!=

MS Media Player: Client ID (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\MediaPlayer\Player\Settings\Client ID!=

MS Media Player: Client ID (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\MediaPlayer\Player\Settings\Client ID!=

MS Media Player: Anonymous ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\MediaPlayer\Preferences\SendUserGUID!=B=0

MS Direct3D: Most recent application (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name!=

MS Direct3D: Most recent application (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Direct3D\MostRecentApplication\Name!=

MS DirectDraw: Most recent application (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name!=

MS DirectInput: Most recent application (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\DirectInput\MostRecentApplication\Name!=

MS DirectInput: Most recent application ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\DirectInput\MostRecentApplication\Id!=

MS Office 9.0: Internet history (Registry value, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Office\9.0\Common\Internet\LocationOfComponents

MS Office 9.0: Access recent file (25 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Office\9.0\Access\Settings

MS Office 9.0 (Word): Recently used file list (Registry value, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Office\9.0\Word\Data\Settings

MS Office 10.0 (Office Startup Assistant): Last used directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Office\10.0\Osa\FindFile\Place!=

MS Office 11.0: Last opened-from-web file (Registry value, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Office\11.0\Common\Internet\UseRWHlinkNavigation

MS Office 11.0 (Document Imaging): Persistent filename list (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\MSPaper 11.0\Persist File Name

MS Office 11.0 (Document Imaging): Recent file list (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\MSPaper 11.0\Recent File List

MS Office 11.0 (Excel): Recent file list (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Office\11.0\Excel\Recent Files

MS Office 11.0 (Office Startup Assistant): Last search location (Registry value, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Office\11.0\Osa\FindFile\Place

MS Office 11.0 (Word): Recent file list (Registry value, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Office\11.0\Word\Data\Settings

MS Office 11.0 (Word): Letter wizard details (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Office\11.0\Word\Wizards\Letter Wizard\1033

MS Search Assistant: Typed search terms history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Search Assistant\ACMru

Nikon View: Last used folder (Registry value, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Nikon\Nikon View\Browser\LastSettings\FolderPath

Nikon View: Recent transfer folder list (11 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Nikon\Nikon View\Common\Destination

SmartFTP: Connection servers history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\SmartFTP\Connection Data

SmartFTP: Last saved queue (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\SmartFTP\Queue\Last File!=

Windows: Drivers installation paths (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Installation Sources!=

Windows.OpenWith: Open with list - .ADP extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ADP\OpenWithList

Windows.OpenWith: Open with list - .AI extension (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AI\OpenWithList

Windows.OpenWith: Open with list - .BIN extension (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BIN\OpenWithList

Windows.OpenWith: Open with list - .BMP extension (5 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BMP\OpenWithList

Windows.OpenWith: Open with list - .CSS extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CSS\OpenWithList

Windows.OpenWith: Open with list - .CSV extension (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CSV\OpenWithList

Windows Explorer: Recent wallpaper list (416 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU

Windows Explorer: Network map history (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU

Windows Explorer: Run history (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Windows Explorer: Stream history (127 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU

Windows Explorer: User Assistant history IE (64 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

Windows Explorer: User Assistant history files (1849 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

Windows Explorer: Last visited history (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

Windows Explorer: Recent file global history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Windows Explorer: Last Copy/MoveTo folder (Registry value, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\CopyMoveTo\LastFolder

Windows Media SDK: Computer name (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\ComputerName!=ComputerName

Windows Media SDK: Computer name (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows Media\WMSDK\General\ComputerName!=ComputerName

Windows Media SDK: Computer name (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\ComputerName!=ComputerName

Windows Media SDK: Unique ID (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\UniqueID!={00000000-0000-0000-0000-000000000000}

Windows Media SDK: Unique ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows Media\WMSDK\General\UniqueID!={00000000-0000-0000-0000-000000000000}

Windows Media SDK: Unique ID (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\UniqueID!={00000000-0000-0000-0000-000000000000}

Windows Media SDK: Volume serial number (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

Windows Media SDK: Volume serial number (Registry value, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

Windows Media SDK: Volume serial number (Registry value, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

Cookie: Cookie (9) (Cookie, nothing done)


Cache: Cache (1041) (Cache, nothing done)


Cookie: Cookie (596) (Cookie, nothing done)


Cookie: Cookie (231) (Cookie, nothing done)



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2007-02-08 unins000.exe (51.41.0.0)
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-01-15 advcheck.dll (1.2.1.0)
2007-01-02 Tools.dll (2.0.1.0)
2007-02-07 Includes\Cookies.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2007-02-07 Includes\Revision.sbi (*)
2005-02-17 Includes\Tracks.uti (*)
2007-02-07 Includes\DialerC.sbi (*)
2007-02-07 Includes\HijackersC.sbi (*)
2007-02-07 Includes\KeyloggersC.sbi (*)
2007-02-07 Includes\MalwareC.sbi (*)
2007-02-07 Includes\PUPSC.sbi (*)
2007-02-07 Includes\SecurityC.sbi (*)
2007-02-07 Includes\SpybotsC.sbi (*)
2007-02-07 Includes\TrojansC.sbi (*)
2006-12-08 Includes\Dialer.sbi (*)
2007-02-07 Includes\Hijackers.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2007-01-12 Includes\Malware.sbi (*)
2007-01-19 Includes\PUPS.sbi (*)
2006-12-08 Includes\Security.sbi (*)
2007-02-02 Includes\Spybots.sbi (*)
2006-12-08 Includes\Trojans.sbi (*)

Second one coming right when it finishes!


----------



## Killazys (Feb 9, 2007)

I'm including fix logs in case I deleted something that could harm my system.

--- Report generated: 2007-02-08 20:58 ---

Microsoft.WindowsSecurityCenter.AntiVirusDisableNotify: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

Microsoft.WindowsSecurityCenter.AntiVirusOverride: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride!=dword:0

Microsoft.WindowsSecurityCenter.FirewallDisableNotify: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0

Microsoft.WindowsSecurityCenter_disabled: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start!=W=2

FastClick: Tracking cookie (Internet Explorer: username) (Cookie, fixed)


DoubleClick: Tracking cookie (Internet Explorer: username) (Cookie, fixed)


TagASaurus: Tracking cookie (Internet Explorer: username) (Cookie, fixed)


MediaPlex: Tracking cookie (Internet Explorer: username) (Cookie, fixed)


HitBox: Tracking cookie (Internet Explorer: username) (Cookie, fixed)


Avenue A, Inc.: Tracking cookie (Internet Explorer: username) (Cookie, fixed)


Advertising.com: Tracking cookie (Internet Explorer: username) (Cookie, fixed)


HitBox: Tracking cookie (Internet Explorer: username) (Cookie, fixed)


Marketengines: Tracking cookie (Internet Explorer: username) (Cookie, fixed)


FastClick: Tracking cookie (Internet Explorer: username) (Cookie, fixed)


CasaleMedia: Tracking cookie (Internet Explorer: username) (Cookie, fixed)


TagASaurus: Tracking cookie (Firefox: default) (Cookie, fixed)


TagASaurus: Tracking cookie (Firefox: default) (Cookie, fixed)


TagASaurus: Tracking cookie (Firefox: default) (Cookie, fixed)


TagASaurus: Tracking cookie (Firefox: default) (Cookie, fixed)


AdRevolver: Tracking cookie (Firefox: default) (Cookie, fixed)


Advertising.com: Tracking cookie (Firefox: default) (Cookie, fixed)


Advertising.com: Tracking cookie (Firefox: default) (Cookie, fixed)


Advertising.com: Tracking cookie (Firefox: default) (Cookie, fixed)


Advertising.com: Tracking cookie (Firefox: default) (Cookie, fixed)


Advertising.com: Tracking cookie (Firefox: default) (Cookie, fixed)


MediaPlex: Tracking cookie (Firefox: default) (Cookie, fixed)


MediaPlex: Tracking cookie (Firefox: default) (Cookie, fixed)


Avenue A, Inc.: Tracking cookie (Firefox: default) (Cookie, fixed)


BFast: Tracking cookie (Firefox: default) (Cookie, fixed)


CasaleMedia: Tracking cookie (Firefox: default) (Cookie, fixed)


CoreMetrics: Tracking cookie (Firefox: default) (Cookie, fixed)


DoubleClick: Tracking cookie (Firefox: default) (Cookie, fixed)


HitBox: Tracking cookie (Firefox: default) (Cookie, fixed)


HitBox: Tracking cookie (Firefox: default) (Cookie, fixed)


HitBox: Tracking cookie (Firefox: default) (Cookie, fixed)


HitBox: Tracking cookie (Firefox: default) (Cookie, fixed)


HitBox: Tracking cookie (Firefox: default) (Cookie, fixed)


HitBox: Tracking cookie (Firefox: default) (Cookie, fixed)


FastClick: Tracking cookie (Firefox: default) (Cookie, fixed)


HitBox: Tracking cookie (Firefox: default) (Cookie, fixed)


LinkSynergy: Tracking cookie (Firefox: default) (Cookie, fixed)


LinkSynergy: Tracking cookie (Firefox: default) (Cookie, fixed)


MediaPlex: Tracking cookie (Firefox: default) (Cookie, fixed)


MediaPlex: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


WebTrends live: Tracking cookie (Firefox: default) (Cookie, fixed)


WebTrends live: Tracking cookie (Firefox: default) (Cookie, fixed)


TargetNet: Tracking cookie (Firefox: default) (Cookie, fixed)


Tradedoubler: Tracking cookie (Firefox: default) (Cookie, fixed)


Mediaplex: Tracking cookie (Firefox: default) (Cookie, fixed)


Mediaplex: Tracking cookie (Firefox: default) (Cookie, fixed)


Mediaplex: Tracking cookie (Firefox: default) (Cookie, fixed)


Zedo: Tracking cookie (Firefox: default) (Cookie, fixed)


Zedo: Tracking cookie (Firefox: default) (Cookie, fixed)


HitsLink: Tracking cookie (Firefox: default) (Cookie, fixed)


HitsLink: Tracking cookie (Firefox: default) (Cookie, fixed)


HitsLink: Tracking cookie (Firefox: default) (Cookie, fixed)


HitsLink: Tracking cookie (Firefox: default) (Cookie, fixed)


AdRevolver: Tracking cookie (Firefox: default) (Cookie, fixed)


AdRevolver: Tracking cookie (Firefox: default) (Cookie, fixed)


AdRevolver: Tracking cookie (Firefox: default) (Cookie, fixed)


AdRevolver: Tracking cookie (Firefox: default) (Cookie, fixed)


WebTrends live: Tracking cookie (Firefox: default) (Cookie, fixed)


AdRevolver: Tracking cookie (Mozilla: default) (Cookie, fixed)


Advertising.com: Tracking cookie (Mozilla: default) (Cookie, fixed)


Advertising.com: Tracking cookie (Mozilla: default) (Cookie, fixed)


Advertising.com: Tracking cookie (Mozilla: default) (Cookie, fixed)


Advertising.com: Tracking cookie (Mozilla: default) (Cookie, fixed)


MediaPlex: Tracking cookie (Mozilla: default) (Cookie, fixed)


MediaPlex: Tracking cookie (Mozilla: default) (Cookie, fixed)


Avenue A, Inc.: Tracking cookie (Mozilla: default) (Cookie, fixed)


CasaleMedia: Tracking cookie (Mozilla: default) (Cookie, fixed)


DoubleClick: Tracking cookie (Mozilla: default) (Cookie, fixed)


FastClick: Tracking cookie (Mozilla: default) (Cookie, fixed)


HitBox: Tracking cookie (Mozilla: default) (Cookie, fixed)


HitBox: Tracking cookie (Mozilla: default) (Cookie, fixed)


LinkSynergy: Tracking cookie (Mozilla: default) (Cookie, fixed)


LinkSynergy: Tracking cookie (Mozilla: default) (Cookie, fixed)


MediaPlex: Tracking cookie (Mozilla: default) (Cookie, fixed)


MediaPlex: Tracking cookie (Mozilla: default) (Cookie, fixed)


Mediaplex: Tracking cookie (Mozilla: default) (Cookie, fixed)


Mediaplex: Tracking cookie (Mozilla: default) (Cookie, fixed)


Mediaplex: Tracking cookie (Mozilla: default) (Cookie, fixed)


Zedo: Tracking cookie (Mozilla: default) (Cookie, fixed)


Zedo: Tracking cookie (Mozilla: default) (Cookie, fixed)


CoreMetrics: Tracking cookie (Mozilla: default) (Cookie, fixed)


AdRevolver: Tracking cookie (Mozilla: default) (Cookie, fixed)


AdRevolver: Tracking cookie (Mozilla: default) (Cookie, fixed)


AdRevolver: Tracking cookie (Mozilla: default) (Cookie, fixed)


AdRevolver: Tracking cookie (Mozilla: default) (Cookie, fixed)


Win32.Small.ddx: Bookmark (Mozilla: default) (Bookmark, fixed)



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2007-02-08 unins000.exe (51.41.0.0)
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-01-15 advcheck.dll (1.2.1.0)
2007-01-02 Tools.dll (2.0.1.0)
2007-02-07 Includes\Cookies.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2007-02-07 Includes\Revision.sbi (*)
2005-02-17 Includes\Tracks.uti
2007-02-07 Includes\DialerC.sbi (*)
2007-02-07 Includes\HijackersC.sbi (*)
2007-02-07 Includes\KeyloggersC.sbi (*)
2007-02-07 Includes\MalwareC.sbi (*)
2007-02-07 Includes\PUPSC.sbi (*)
2007-02-07 Includes\SecurityC.sbi (*)
2007-02-07 Includes\SpybotsC.sbi (*)
2007-02-07 Includes\TrojansC.sbi (*)
2006-12-08 Includes\Dialer.sbi (*)
2007-02-07 Includes\Hijackers.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2007-01-12 Includes\Malware.sbi (*)
2007-01-19 Includes\PUPS.sbi (*)
2006-12-08 Includes\Security.sbi (*)
2007-02-02 Includes\Spybots.sbi (*)
2006-12-08 Includes\Trojans.sbi (*)

--- Report generated: 2007-02-10 11:53 ---

Microsoft.WindowsSecurityCenter_disabled: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start!=W=2

Common Dialogs: History (24 files) (Registry key, fixed)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

MS Office 9.0: Recently used files (7 files) (Directory, nothing done)
C:\Documents and Settings\username\Application Data\Microsoft\Office\Recent\

Log: Activity: COM+.log (Backup file, nothing done)
C:\WINDOWS\COM+.log

Log: Activity: SchedLgU.Txt (Backup file, nothing done)
C:\WINDOWS\SchedLgU.Txt

Log: Activity: imsins.log (Backup file, nothing done)
C:\WINDOWS\imsins.log

Log: Activity: OEWABLog.txt (Backup file, nothing done)
C:\WINDOWS\OEWABLog.txt

Log: Install: comsetup.log (Backup file, nothing done)
C:\WINDOWS\comsetup.log

Log: Install: Directx.log (Backup file, nothing done)
C:\WINDOWS\Directx.log

Log: Install: ocgen.log (Backup file, nothing done)
C:\WINDOWS\ocgen.log

Log: Install: setupact.log (Backup file, nothing done)
C:\WINDOWS\setupact.log

Log: Install: setupapi.log (Backup file, nothing done)
C:\WINDOWS\setupapi.log

Log: Install: svcpack.log (Backup file, nothing done)
C:\WINDOWS\svcpack.log

Log: Install: wmsetup.log (Backup file, nothing done)
C:\WINDOWS\wmsetup.log

Log: Install: DtcInstall.log (Backup file, nothing done)
C:\WINDOWS\DtcInstall.log

Log: Shutdown: System32\wbem\logs\mofcomp.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\mofcomp.log

Log: Shutdown: System32\wbem\logs\setup.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\setup.log

Log: Shutdown: System32\wbem\logs\wbemcore.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemcore.log

Log: Shutdown: System32\wbem\logs\wbemess.lo_ (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.lo_

Log: Shutdown: System32\wbem\logs\wbemess.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.log

Log: Shutdown: System32\wbem\logs\wbemprox.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemprox.log

Log: Shutdown: System32\wbem\logs\winmgmt.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\winmgmt.log

Log: Shutdown: System32\wbem\logs\wmiadap.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wmiadap.log

Log: Shutdown: System32\wbem\logs\wmiprov.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wmiprov.log

Ahead Nero Burning Rom: Image directory (Registry change, nothing done)
HKEY_LOCAL_MACHINE\Software\Ahead\Nero - Burning Rom\Settings\ImageDir!=

Ahead Nero Burning Rom: Compilation directory (Registry change, nothing done)
HKEY_LOCAL_MACHINE\Software\Ahead\Nero - Burning Rom\Settings\NeroCompilation!=

Ahead Nero Burning Rom: Image directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Ahead\Nero - Burning Rom\Settings\ImageDir!=

Ahead Nero Burning Rom: Compilation directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Ahead\Nero - Burning Rom\Settings\NeroCompilation!=

Ahead Nero Burning Rom: Browser directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Ahead\Nero - Burning Rom\Settings\BrowserDir!=

Ahead Nero Burning Rom: Working directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Ahead\Nero - Burning Rom\Settings\WorkingDir!=

Internet Explorer: Typed URL list (7 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Internet Explorer\TypedURLs

Internet Explorer: Download directory (Registry change, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Internet Explorer\Download Directory!=

Internet Explorer: User agent (Registry change, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!=Mozilla/4.0 (compatible; MSIE; Win32)

Internet Explorer: User agent (Registry change, fixed)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!=Mozilla/4.0 (compatible; MSIE; Win32)

Internet Explorer: User agent (Registry change, fixed)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!=Mozilla/4.0 (compatible; MSIE; Win32)

Internet Explorer: User agent (Registry change, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!=Mozilla/4.0 (compatible; MSIE; Win32)

Internet Explorer: User agent (Registry change, fixed)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!=Mozilla/4.0 (compatible; MSIE; Win32)

Internet Explorer: AutoComplete data (2 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Internet Explorer\IntelliForms\SPW

MS Media Player: Application data file (global) () (File, nothing done)
C:\Documents and Settings\All Users\Application Data\Microsoft\Media Index\wmplibrary_v_0_12.db

MS Media Player: Client ID (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\MediaPlayer\Player\Settings\Client ID!=

MS Media Player: Client ID (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\MediaPlayer\Player\Settings\Client ID!=

MS Media Player: Client ID (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\MediaPlayer\Player\Settings\Client ID!=

MS Media Player: Client ID (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\MediaPlayer\Player\Settings\Client ID!=

MS Media Player: Anonymous ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\MediaPlayer\Preferences\SendUserGUID!=B=0

MS Direct3D: Most recent application (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name!=

MS Direct3D: Most recent application (Registry change, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Direct3D\MostRecentApplication\Name!=

MS DirectDraw: Most recent application (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name!=

MS DirectInput: Most recent application (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\DirectInput\MostRecentApplication\Name!=

MS DirectInput: Most recent application ID (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\DirectInput\MostRecentApplication\Id!=

MS Office 9.0: Internet history (Registry value, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Office\9.0\Common\Internet\LocationOfComponents

MS Office 9.0: Access recent file (25 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Office\9.0\Access\Settings

MS Office 9.0 (Word): Recently used file list (Registry value, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Office\9.0\Word\Data\Settings

MS Office 10.0 (Office Startup Assistant): Last used directory (Registry change, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Office\10.0\Osa\FindFile\Place!=

MS Office 11.0: Last opened-from-web file (Registry value, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Office\11.0\Common\Internet\UseRWHlinkNavigation

MS Office 11.0 (Document Imaging): Persistent filename list (4 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\MSPaper 11.0\Persist File Name

MS Office 11.0 (Document Imaging): Recent file list (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\MSPaper 11.0\Recent File List

MS Office 11.0 (Excel): Recent file list (4 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Office\11.0\Excel\Recent Files

MS Office 11.0 (Office Startup Assistant): Last search location (Registry value, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Office\11.0\Osa\FindFile\Place

MS Office 11.0 (Word): Recent file list (Registry value, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Office\11.0\Word\Data\Settings

MS Office 11.0 (Word): Letter wizard details (4 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Office\11.0\Word\Wizards\Letter Wizard\1033

MS Search Assistant: Typed search terms history (Registry key, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Search Assistant\ACMru

Nikon View: Last used folder (Registry value, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Nikon\Nikon View\Browser\LastSettings\FolderPath

Nikon View: Recent transfer folder list (11 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Nikon\Nikon View\Common\Destination

SmartFTP: Connection servers history (Registry key, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\SmartFTP\Connection Data

SmartFTP: Last saved queue (Registry change, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\SmartFTP\Queue\Last File!=

Windows: Drivers installation paths (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Installation Sources!=

Windows.OpenWith: Open with list - .ADP extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ADP\OpenWithList

Windows.OpenWith: Open with list - .AI extension (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AI\OpenWithList

Windows.OpenWith: Open with list - .BIN extension (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BIN\OpenWithList

Windows.OpenWith: Open with list - .BMP extension (5 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BMP\OpenWithList

Windows.OpenWith: Open with list - .CSS extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CSS\OpenWithList

Windows.OpenWith: Open with list - .CSV extension (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CSV\OpenWithList

Windows Explorer: Recent wallpaper list (416 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU

Windows Explorer: Network map history (3 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU

Windows Explorer: Run history (2 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Windows Explorer: Stream history (127 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU

Windows Explorer: User Assistant history IE (64 files) (Registry key, fixing failed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

Windows Explorer: User Assistant history files (1849 files) (Registry key, fixing failed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

Windows Explorer: Last visited history (3 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

Windows Explorer: Recent file global history (Registry key, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Windows Explorer: Last Copy/MoveTo folder (Registry value, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\CopyMoveTo\LastFolder

Windows Media SDK: Computer name (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\ComputerName!=ComputerName

Windows Media SDK: Computer name (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows Media\WMSDK\General\ComputerName!=ComputerName

Windows Media SDK: Computer name (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\ComputerName!=ComputerName

Windows Media SDK: Unique ID (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\UniqueID!={00000000-0000-0000-0000-000000000000}

Windows Media SDK: Unique ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows Media\WMSDK\General\UniqueID!={00000000-0000-0000-0000-000000000000}

Windows Media SDK: Unique ID (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\UniqueID!={00000000-0000-0000-0000-000000000000}

Windows Media SDK: Volume serial number (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

Windows Media SDK: Volume serial number (Registry value, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

Windows Media SDK: Volume serial number (Registry value, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

Cookie: Cookie (9) (Cookie, fixed)


Cache: Cache (1041) (Cache, nothing done)


Cookie: Cookie (596) (Cookie, fixed)


Cookie: Cookie (231) (Cookie, fixed)



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2007-02-08 unins000.exe (51.41.0.0)
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-01-15 advcheck.dll (1.2.1.0)
2007-01-02 Tools.dll (2.0.1.0)
2007-02-07 Includes\Cookies.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2007-02-07 Includes\Revision.sbi (*)
2005-02-17 Includes\Tracks.uti (*)
2007-02-07 Includes\DialerC.sbi (*)
2007-02-07 Includes\HijackersC.sbi (*)
2007-02-07 Includes\KeyloggersC.sbi (*)
2007-02-07 Includes\MalwareC.sbi (*)
2007-02-07 Includes\PUPSC.sbi (*)
2007-02-07 Includes\SecurityC.sbi (*)
2007-02-07 Includes\SpybotsC.sbi (*)
2007-02-07 Includes\TrojansC.sbi (*)
2006-12-08 Includes\Dialer.sbi (*)
2007-02-07 Includes\Hijackers.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2007-01-12 Includes\Malware.sbi (*)
2007-01-19 Includes\PUPS.sbi (*)
2006-12-08 Includes\Security.sbi (*)
2007-02-02 Includes\Spybots.sbi (*)
2006-12-08 Includes\Trojans.sbi (*)


----------



## Killazys (Feb 9, 2007)

--- Report generated: 2007-02-10 11:53 ---

Microsoft.WindowsSecurityCenter_disabled: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start!=W=2

Common Dialogs: History (24 files) (Registry key, fixed)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

MS Office 9.0: Recently used files (7 files) (Directory, nothing done)
C:\Documents and Settings\username\Application Data\Microsoft\Office\Recent\

Log: Activity: COM+.log (Backup file, nothing done)
C:\WINDOWS\COM+.log

Log: Activity: SchedLgU.Txt (Backup file, nothing done)
C:\WINDOWS\SchedLgU.Txt

Log: Activity: imsins.log (Backup file, nothing done)
C:\WINDOWS\imsins.log

Log: Activity: OEWABLog.txt (Backup file, nothing done)
C:\WINDOWS\OEWABLog.txt

Log: Install: comsetup.log (Backup file, nothing done)
C:\WINDOWS\comsetup.log

Log: Install: Directx.log (Backup file, nothing done)
C:\WINDOWS\Directx.log

Log: Install: ocgen.log (Backup file, nothing done)
C:\WINDOWS\ocgen.log

Log: Install: setupact.log (Backup file, nothing done)
C:\WINDOWS\setupact.log

Log: Install: setupapi.log (Backup file, nothing done)
C:\WINDOWS\setupapi.log

Log: Install: svcpack.log (Backup file, nothing done)
C:\WINDOWS\svcpack.log

Log: Install: wmsetup.log (Backup file, nothing done)
C:\WINDOWS\wmsetup.log

Log: Install: DtcInstall.log (Backup file, nothing done)
C:\WINDOWS\DtcInstall.log

Log: Shutdown: System32\wbem\logs\mofcomp.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\mofcomp.log

Log: Shutdown: System32\wbem\logs\setup.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\setup.log

Log: Shutdown: System32\wbem\logs\wbemcore.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemcore.log

Log: Shutdown: System32\wbem\logs\wbemess.lo_ (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.lo_

Log: Shutdown: System32\wbem\logs\wbemess.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.log

Log: Shutdown: System32\wbem\logs\wbemprox.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemprox.log

Log: Shutdown: System32\wbem\logs\winmgmt.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\winmgmt.log

Log: Shutdown: System32\wbem\logs\wmiadap.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wmiadap.log

Log: Shutdown: System32\wbem\logs\wmiprov.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wmiprov.log

Ahead Nero Burning Rom: Image directory (Registry change, nothing done)
HKEY_LOCAL_MACHINE\Software\Ahead\Nero - Burning Rom\Settings\ImageDir!=

Ahead Nero Burning Rom: Compilation directory (Registry change, nothing done)
HKEY_LOCAL_MACHINE\Software\Ahead\Nero - Burning Rom\Settings\NeroCompilation!=

Ahead Nero Burning Rom: Image directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Ahead\Nero - Burning Rom\Settings\ImageDir!=

Ahead Nero Burning Rom: Compilation directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Ahead\Nero - Burning Rom\Settings\NeroCompilation!=

Ahead Nero Burning Rom: Browser directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Ahead\Nero - Burning Rom\Settings\BrowserDir!=

Ahead Nero Burning Rom: Working directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Ahead\Nero - Burning Rom\Settings\WorkingDir!=

Internet Explorer: Typed URL list (7 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Internet Explorer\TypedURLs

Internet Explorer: Download directory (Registry change, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Internet Explorer\Download Directory!=

Internet Explorer: User agent (Registry change, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!=Mozilla/4.0 (compatible; MSIE; Win32)

Internet Explorer: User agent (Registry change, fixed)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!=Mozilla/4.0 (compatible; MSIE; Win32)

Internet Explorer: User agent (Registry change, fixed)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!=Mozilla/4.0 (compatible; MSIE; Win32)

Internet Explorer: User agent (Registry change, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!=Mozilla/4.0 (compatible; MSIE; Win32)

Internet Explorer: User agent (Registry change, fixed)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!=Mozilla/4.0 (compatible; MSIE; Win32)

Internet Explorer: AutoComplete data (2 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Internet Explorer\IntelliForms\SPW

MS Media Player: Application data file (global) () (File, nothing done)
C:\Documents and Settings\All Users\Application Data\Microsoft\Media Index\wmplibrary_v_0_12.db

MS Media Player: Client ID (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\MediaPlayer\Player\Settings\Client ID!=

MS Media Player: Client ID (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\MediaPlayer\Player\Settings\Client ID!=

MS Media Player: Client ID (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\MediaPlayer\Player\Settings\Client ID!=

MS Media Player: Client ID (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\MediaPlayer\Player\Settings\Client ID!=

MS Media Player: Anonymous ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\MediaPlayer\Preferences\SendUserGUID!=B=0

MS Direct3D: Most recent application (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name!=

MS Direct3D: Most recent application (Registry change, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Direct3D\MostRecentApplication\Name!=

MS DirectDraw: Most recent application (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name!=

MS DirectInput: Most recent application (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\DirectInput\MostRecentApplication\Name!=

MS DirectInput: Most recent application ID (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\DirectInput\MostRecentApplication\Id!=

MS Office 9.0: Internet history (Registry value, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Office\9.0\Common\Internet\LocationOfComponents

MS Office 9.0: Access recent file (25 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Office\9.0\Access\Settings

MS Office 9.0 (Word): Recently used file list (Registry value, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Office\9.0\Word\Data\Settings

MS Office 10.0 (Office Startup Assistant): Last used directory (Registry change, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Office\10.0\Osa\FindFile\Place!=

MS Office 11.0: Last opened-from-web file (Registry value, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Office\11.0\Common\Internet\UseRWHlinkNavigation

MS Office 11.0 (Document Imaging): Persistent filename list (4 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\MSPaper 11.0\Persist File Name

MS Office 11.0 (Document Imaging): Recent file list (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\MSPaper 11.0\Recent File List

MS Office 11.0 (Excel): Recent file list (4 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Office\11.0\Excel\Recent Files

MS Office 11.0 (Office Startup Assistant): Last search location (Registry value, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Office\11.0\Osa\FindFile\Place

MS Office 11.0 (Word): Recent file list (Registry value, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Office\11.0\Word\Data\Settings

MS Office 11.0 (Word): Letter wizard details (4 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Office\11.0\Word\Wizards\Letter Wizard\1033

MS Search Assistant: Typed search terms history (Registry key, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Search Assistant\ACMru

Nikon View: Last used folder (Registry value, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Nikon\Nikon View\Browser\LastSettings\FolderPath

Nikon View: Recent transfer folder list (11 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Nikon\Nikon View\Common\Destination

SmartFTP: Connection servers history (Registry key, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\SmartFTP\Connection Data

SmartFTP: Last saved queue (Registry change, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\SmartFTP\Queue\Last File!=

Windows: Drivers installation paths (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Installation Sources!=

Windows.OpenWith: Open with list - .ADP extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ADP\OpenWithList

Windows.OpenWith: Open with list - .AI extension (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AI\OpenWithList

Windows.OpenWith: Open with list - .BIN extension (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BIN\OpenWithList

Windows.OpenWith: Open with list - .BMP extension (5 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BMP\OpenWithList

Windows.OpenWith: Open with list - .CSS extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CSS\OpenWithList

Windows.OpenWith: Open with list - .CSV extension (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CSV\OpenWithList

Windows Explorer: Recent wallpaper list (416 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU

Windows Explorer: Network map history (3 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU

Windows Explorer: Run history (2 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Windows Explorer: Stream history (127 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU

Windows Explorer: User Assistant history IE (64 files) (Registry key, fixing failed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

Windows Explorer: User Assistant history files (1849 files) (Registry key, fixing failed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

Windows Explorer: Last visited history (3 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

Windows Explorer: Recent file global history (Registry key, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Windows Explorer: Last Copy/MoveTo folder (Registry value, fixed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\CopyMoveTo\LastFolder

Windows Media SDK: Computer name (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\ComputerName!=ComputerName

Windows Media SDK: Computer name (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows Media\WMSDK\General\ComputerName!=ComputerName

Windows Media SDK: Computer name (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\ComputerName!=ComputerName

Windows Media SDK: Unique ID (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\UniqueID!={00000000-0000-0000-0000-000000000000}

Windows Media SDK: Unique ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows Media\WMSDK\General\UniqueID!={00000000-0000-0000-0000-000000000000}

Windows Media SDK: Unique ID (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\UniqueID!={00000000-0000-0000-0000-000000000000}

Windows Media SDK: Volume serial number (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

Windows Media SDK: Volume serial number (Registry value, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

Windows Media SDK: Volume serial number (Registry value, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

Cookie: Cookie (9) (Cookie, fixed)


Cache: Cache (1041) (Cache, nothing done)


Cookie: Cookie (596) (Cookie, fixed)


Cookie: Cookie (231) (Cookie, fixed)



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2007-02-08 unins000.exe (51.41.0.0)
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-01-15 advcheck.dll (1.2.1.0)
2007-01-02 Tools.dll (2.0.1.0)
2007-02-07 Includes\Cookies.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2007-02-07 Includes\Revision.sbi (*)
2005-02-17 Includes\Tracks.uti (*)
2007-02-07 Includes\DialerC.sbi (*)
2007-02-07 Includes\HijackersC.sbi (*)
2007-02-07 Includes\KeyloggersC.sbi (*)
2007-02-07 Includes\MalwareC.sbi (*)
2007-02-07 Includes\PUPSC.sbi (*)
2007-02-07 Includes\SecurityC.sbi (*)
2007-02-07 Includes\SpybotsC.sbi (*)
2007-02-07 Includes\TrojansC.sbi (*)
2006-12-08 Includes\Dialer.sbi (*)
2007-02-07 Includes\Hijackers.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2007-01-12 Includes\Malware.sbi (*)
2007-01-19 Includes\PUPS.sbi (*)
2006-12-08 Includes\Security.sbi (*)
2007-02-02 Includes\Spybots.sbi (*)
2006-12-08 Includes\Trojans.sbi (*)


----------



## Cheeseball81 (Mar 3, 2004)

Yes system32 is the correct location for it.
Is SpyBot up to date with its definitions?


----------



## Killazys (Feb 9, 2007)

This is the recent, new scan I just did.
--- Report generated: 2007-02-10 13:42 ---

Common Dialogs: History (8 files) (Registry key, nothing done)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

MS Office 9.0: Recently used files (1 files) (Directory, nothing done)
C:\Documents and Settings\username\Application Data\Microsoft\Office\Recent\

Log: Activity: COM+.log (Backup file, nothing done)
C:\WINDOWS\COM+.log

Log: Activity: SchedLgU.Txt (Backup file, nothing done)
C:\WINDOWS\SchedLgU.Txt

Log: Activity: imsins.log (Backup file, nothing done)
C:\WINDOWS\imsins.log

Log: Activity: OEWABLog.txt (Backup file, nothing done)
C:\WINDOWS\OEWABLog.txt

Log: Install: comsetup.log (Backup file, nothing done)
C:\WINDOWS\comsetup.log

Log: Install: Directx.log (Backup file, nothing done)
C:\WINDOWS\Directx.log

Log: Install: ocgen.log (Backup file, nothing done)
C:\WINDOWS\ocgen.log

Log: Install: setupact.log (Backup file, nothing done)
C:\WINDOWS\setupact.log

Log: Install: setupapi.log (Backup file, nothing done)
C:\WINDOWS\setupapi.log

Log: Install: svcpack.log (Backup file, nothing done)
C:\WINDOWS\svcpack.log

Log: Install: wmsetup.log (Backup file, nothing done)
C:\WINDOWS\wmsetup.log

Log: Install: DtcInstall.log (Backup file, nothing done)
C:\WINDOWS\DtcInstall.log

Log: Shutdown: System32\wbem\logs\mofcomp.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\mofcomp.log

Log: Shutdown: System32\wbem\logs\setup.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\setup.log

Log: Shutdown: System32\wbem\logs\wbemcore.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemcore.log

Log: Shutdown: System32\wbem\logs\wbemess.lo_ (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.lo_

Log: Shutdown: System32\wbem\logs\wbemess.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.log

Log: Shutdown: System32\wbem\logs\wbemprox.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemprox.log

Log: Shutdown: System32\wbem\logs\winmgmt.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\winmgmt.log

Log: Shutdown: System32\wbem\logs\wmiadap.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wmiadap.log

Log: Shutdown: System32\wbem\logs\wmiprov.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wmiprov.log

Ahead Nero Burning Rom: Image directory (Registry change, nothing done)
HKEY_LOCAL_MACHINE\Software\Ahead\Nero - Burning Rom\Settings\ImageDir!=

Ahead Nero Burning Rom: Compilation directory (Registry change, nothing done)
HKEY_LOCAL_MACHINE\Software\Ahead\Nero - Burning Rom\Settings\NeroCompilation!=

Ahead Nero Burning Rom: Image directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Ahead\Nero - Burning Rom\Settings\ImageDir!=

Ahead Nero Burning Rom: Compilation directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Ahead\Nero - Burning Rom\Settings\NeroCompilation!=

Ahead Nero Burning Rom: Browser directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Ahead\Nero - Burning Rom\Settings\BrowserDir!=

Ahead Nero Burning Rom: Working directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Ahead\Nero - Burning Rom\Settings\WorkingDir!=

Internet Explorer: Typed URL list (7 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Internet Explorer\TypedURLs

MS Media Player: Application data file (global) () (File, nothing done)
C:\Documents and Settings\All Users\Application Data\Microsoft\Media Index\wmplibrary_v_0_12.db

MS Media Player: Client ID (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\MediaPlayer\Player\Settings\Client ID!=

MS Media Player: Client ID (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\MediaPlayer\Player\Settings\Client ID!=

MS Media Player: Client ID (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\MediaPlayer\Player\Settings\Client ID!=

MS Media Player: Client ID (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\MediaPlayer\Player\Settings\Client ID!=

MS Media Player: Anonymous ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\MediaPlayer\Preferences\SendUserGUID!=B=0

MS DirectDraw: Most recent application (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name!=

MS Office 9.0: Access recent file (25 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Office\9.0\Access\Settings

MS Office 9.0 (Word): Recently used file list (Registry value, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Office\9.0\Word\Data\Settings

MS Office 11.0 (Document Imaging): Recent file list (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\MSPaper 11.0\Recent File List

MS Office 11.0 (Word): Recent file list (Registry value, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Office\11.0\Word\Data\Settings

MS Search Assistant: Typed search terms history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Search Assistant\ACMru

Windows: Drivers installation paths (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Installation Sources!=

Windows.OpenWith: Open with list - .ADP extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ADP\OpenWithList

Windows.OpenWith: Open with list - .AI extension (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AI\OpenWithList

Windows.OpenWith: Open with list - .BIN extension (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BIN\OpenWithList

Windows.OpenWith: Open with list - .BMP extension (5 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BMP\OpenWithList

Windows.OpenWith: Open with list - .CSS extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CSS\OpenWithList

Windows.OpenWith: Open with list - .CSV extension (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CSV\OpenWithList

Windows Explorer: User Assistant history IE (6 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

Windows Explorer: User Assistant history files (11 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

Windows Explorer: Last visited history (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

Windows Explorer: Recent file global history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Windows Media SDK: Computer name (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\ComputerName!=ComputerName

Windows Media SDK: Computer name (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows Media\WMSDK\General\ComputerName!=ComputerName

Windows Media SDK: Computer name (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\ComputerName!=ComputerName

Windows Media SDK: Unique ID (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\UniqueID!={00000000-0000-0000-0000-000000000000}

Windows Media SDK: Unique ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows Media\WMSDK\General\UniqueID!={00000000-0000-0000-0000-000000000000}

Windows Media SDK: Unique ID (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\UniqueID!={00000000-0000-0000-0000-000000000000}

Windows Media SDK: Volume serial number (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

Windows Media SDK: Volume serial number (Registry value, nothing done)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

Windows Media SDK: Volume serial number (Registry value, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

Cookie: Cookie (5) (Cookie, nothing done)


Cache: Cache (983) (Cache, nothing done)


Congratulations!: No immediate threats were found. ()



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2007-02-08 unins000.exe (51.41.0.0)
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-01-15 advcheck.dll (1.2.1.0)
2007-01-02 Tools.dll (2.0.1.0)
2007-02-07 Includes\Cookies.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2007-02-07 Includes\Revision.sbi (*)
2005-02-17 Includes\Tracks.uti (*)
2007-02-07 Includes\DialerC.sbi (*)
2007-02-07 Includes\HijackersC.sbi (*)
2007-02-07 Includes\KeyloggersC.sbi (*)
2007-02-07 Includes\MalwareC.sbi (*)
2007-02-07 Includes\PUPSC.sbi (*)
2007-02-07 Includes\SecurityC.sbi (*)
2007-02-07 Includes\SpybotsC.sbi (*)
2007-02-07 Includes\TrojansC.sbi (*)
2006-12-08 Includes\Dialer.sbi (*)
2007-02-07 Includes\Hijackers.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2007-01-12 Includes\Malware.sbi (*)
2007-01-19 Includes\PUPS.sbi (*)
2006-12-08 Includes\Security.sbi (*)
2007-02-02 Includes\Spybots.sbi (*)
2006-12-08 Includes\Trojans.sbi (*)

My Spybot is up to date.


----------



## Killazys (Feb 9, 2007)

Also, when I unchecked the crypt32chain (crypt32.dll) from starting up with the system, it * I think * duplicated and had no command line. Now I have TWO crypt32chain startup processes in Spybot S & D, but one has no file path. Same thing happened with cryptnet.dll. What does that mean? Also, I just finished scanning with Norton Internet Security 2007 with up-to-date definitions, nothing was found. Should I post a log?


----------



## Cookiegal (Aug 27, 2003)

You definitely should not be trying to delete crypt32.dll or any of the others you mentioned. If you did then you should restore them.

You are scanning with Spybot for "Usage Tracks" which is not necessary.

Open Spybot and click on *Mode *and select *Advanced Mode*. Then click on *Settings *and select *File Sets*. Uncheck the last two items (*Usage tracking *and *tracks.uti*). Now perform another scan and post the results please but do NOT fix anything yourself.


----------
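The reports pasted in this thread are mostly Spybot usage-track entries (MRU lists, cookies, cache, setup logs) with a single settings finding buried among them: the Security Center service (`wscsvc`) whose `Start` value no longer equals 2. The following script is an added example, not code from the thread or from Spybot. It parses the Spybot 1.4 report format shown above (a `Product: Description (Kind, action)` line followed by a detail line, with `!=` marking the value Spybot expected) and separates security-relevant settings and failed fixes from the tracking noise. The sample report embedded in it is constructed from a few of the lines above, and the list of "security-relevant" registry paths is this example's own assumption, not something Spybot exposes.

```python
"""Triage a Spybot - Search & Destroy 1.4 report (added example, not Spybot's code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the same format as the reports pasted in the thread.
SAMPLE_REPORT = r"""
--- Report generated: 2007-02-10 11:53 ---

Microsoft.WindowsSecurityCenter_disabled: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start!=W=2

Common Dialogs: History (24 files) (Registry key, fixed)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

Log: Activity: COM+.log (Backup file, nothing done)
C:\WINDOWS\COM+.log

MS DirectInput: Most recent application (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\DirectInput\MostRecentApplication\Name!=

Cookie: Cookie (9) (Cookie, fixed)


Cache: Cache (1041) (Cache, nothing done)


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
2007-02-08 unins000.exe (51.41.0.0)
"""

# "Product: Description (Kind, action)"; the parenthesised pair may be empty
# ("Congratulations!: No immediate threats were found. ()").
ENTRY_RE = re.compile(
    r"^(?P<product>[^:]+): (?P<desc>.+?) "
    r"\((?:(?P<kind>[^,()]+), (?P<action>[^()]+))?\)$"
)

# Assumed list of registry locations worth a human look regardless of action:
# service start types, Winlogon hooks, Run keys and policy keys.
SECURITY_PATHS = re.compile(
    r"\\Services\\[^\\]+\\Start$|\\Winlogon\\|\\CurrentVersion\\Run(Once)?(\\|$)|\\Policies\\",
    re.IGNORECASE,
)


@dataclass
class Entry:
    product: str
    description: str
    kind: str
    action: str
    detail: str = ""  # the path line under the header; cookies/cache have none

    @property
    def path(self) -> str:
        return self.detail.split("!=", 1)[0]

    @property
    def expected(self) -> int | str | None:
        """Value Spybot wanted: 'W=2' is DWORD 2, '' means 'should be empty'."""
        if "!=" not in self.detail:
            return None
        raw = self.detail.split("!=", 1)[1]
        return int(raw[2:]) if raw.startswith("W=") else raw


def parse_report(text: str) -> list[Entry]:
    entries: list[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("--- Spybot"):
            break  # version/definition block follows; nothing to triage there
        if not line or line.startswith("---"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m["product"], m["desc"], m["kind"] or "", m["action"] or ""))
        elif entries and not entries[-1].detail:
            entries[-1].detail = line
    return entries


def triage(entries: list[Entry]) -> dict[str, list[Entry]]:
    buckets: dict[str, list[Entry]] = {
        "security_setting": [], "fix_failed": [], "usage_track": [], "info": []
    }
    for e in entries:
        if not e.kind:
            buckets["info"].append(e)
        elif SECURITY_PATHS.search(e.path):
            buckets["security_setting"].append(e)
        elif e.action == "fixing failed":
            buckets["fix_failed"].append(e)
        else:
            buckets["usage_track"].append(e)
    return buckets


if __name__ == "__main__":
    for name, items in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{name}: {len(items)}")
        for e in items:
            print(f"  {e.product}: {e.description} [{e.action}] {e.path} expected={e.expected!r}")
```

Run against the full 11:53 report above, the only entry landing in `security_setting` is the `wscsvc` start type, which is the one line a responder should actually read; everything else is the usage-track noise Cookiegal has the poster switch off.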



## Killazys (Feb 9, 2007)

Here it is:
--- Report generated: 2007-02-10 18:36 ---

Microsoft.WindowsSecurityCenter_disabled: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start!=W=2


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2007-02-08 unins000.exe (51.41.0.0)
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-01-15 advcheck.dll (1.2.1.0)
2007-01-02 Tools.dll (2.0.1.0)
2007-02-07 Includes\Cookies.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2007-02-07 Includes\Revision.sbi (*)
2005-02-17 Includes\Tracks.uti
2007-02-07 Includes\DialerC.sbi (*)
2007-02-07 Includes\HijackersC.sbi (*)
2007-02-07 Includes\KeyloggersC.sbi (*)
2007-02-07 Includes\MalwareC.sbi (*)
2007-02-07 Includes\PUPSC.sbi (*)
2007-02-07 Includes\SecurityC.sbi (*)
2007-02-07 Includes\SpybotsC.sbi (*)
2007-02-07 Includes\TrojansC.sbi (*)
2006-12-08 Includes\Dialer.sbi (*)
2007-02-07 Includes\Hijackers.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2007-01-12 Includes\Malware.sbi (*)
2007-01-19 Includes\PUPS.sbi (*)
2006-12-08 Includes\Security.sbi (*)
2007-02-02 Includes\Spybots.sbi (*)
2006-12-08 Includes\Trojans.sbi (*)


----------



## Cookiegal (Aug 27, 2003)

Download *WinPFind.exe* to your desktop and double click on it open it and then select extract to extract the files. This will create a folder named *WinPFind* on your desktop.

*Start in Safe Mode Using the F8 method:*


Restart the computer.
As soon as the BIOS is loaded begin tapping the *F8* key until the boot menu appears.
Use the arrow keys to select the *Safe Mode* menu item.
Press the *Enter* key.

Double click on the WinPFind folder on your desktop to open it and then double click on the *WinPFind.exe* file to start the program.


Click Configure scan options
Under Run AdOns select the following:
Policies.def
Security.def

Click apply
Click "*Start Scan*"
*It will scan the entire System, so please be patient and let it complete.*

When the scan is complete reboot normally and post the *WinPFind.txt* file (located in the WinPFind folder) back here along with a new HijackThis log.


----------



## Killazys (Feb 9, 2007)

Sorry for the slow response, had connection problems.
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Logfile created on: 2/10/2007 7:28:07 PM
WinPFind v1.5.0	Folder = C:\Documents and Settings\username\Desktop\WinPFind\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 7.0.5730.11)

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 12/21/1999 7:58:02 AM 21312 C:\WINDOWS\choice.exe ()

Checking %System% folder...
PECompact2 1/2/2007 3:19:46 PM 10980776 C:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)
aspack 1/2/2007 3:19:46 PM 10980776 C:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)
Umonitor 8/4/2004 3:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll (Microsoft Corporation)
aspack 11/29/2006 1:06:18 PM 3426072 C:\WINDOWS\SYSTEM32\d3dx9_32.dll (Microsoft Corporation)
PEC2 8/18/2001 12:00:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc ()
aspack 8/4/2004 3:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll (Microsoft Corporation)
PTech 6/19/2006 4:19:42 PM 571184 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll (Microsoft Corporation)
PTech 6/19/2006 4:19:26 PM 304944 C:\WINDOWS\SYSTEM32\WgaTray.exe (Microsoft Corporation)
winsync 8/18/2001 12:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu ()
WSUD 8/4/2004 3:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 1:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys (Smart Link)

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
2/10/2007 7:24:44 PM S 2048 C:\WINDOWS\bootstat.dat ()
2/10/2007 7:18:50 PM H 1040384 C:\WINDOWS\system32\config\system.LOG ()
2/10/2007 7:18:50 PM H 77824 C:\WINDOWS\system32\config\software.LOG ()
2/10/2007 7:18:50 PM H 8192 C:\WINDOWS\system32\config\default.LOG ()
2/10/2007 7:25:42 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG ()
2/10/2007 7:24:46 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG ()
2/4/2007 8:54:38 PM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG ()
2/7/2007 7:16:28 PM S 136 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\904590238400AD963F77FAAAADC9BAB5 ()
2/7/2007 7:16:28 PM S 126 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\303572DF538EDD8B1D606185F1D559B8 ()
2/7/2007 7:16:28 PM S 98 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\79841F8EF00FBA86D33CC5A47696F165 ()
2/7/2007 7:18:54 PM S 146 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\A44F4E7CB3133FF765C39A53AD8FCFDD ()
2/10/2007 10:55:04 AM S 94 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5 ()
2/10/2007 10:55:06 AM S 124 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\A8FABA189DB7D25FBA7CAC806625FD30 ()
2/7/2007 7:16:28 PM S 574 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\904590238400AD963F77FAAAADC9BAB5 ()
2/7/2007 7:16:28 PM S 341 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\303572DF538EDD8B1D606185F1D559B8 ()
2/7/2007 7:16:28 PM S 413 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\79841F8EF00FBA86D33CC5A47696F165 ()
2/7/2007 7:18:54 PM S 558 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\A44F4E7CB3133FF765C39A53AD8FCFDD ()
2/10/2007 10:55:04 AM S 688 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5 ()
2/10/2007 10:55:06 AM S 47932 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\A8FABA189DB7D25FBA7CAC806625FD30 ()
12/22/2006 11:53:02 AM S 7894 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB929969.cat ()
2/4/2007 5:27:48 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred ()
2/4/2007 5:27:48 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\2c42b09d-76f1-4d24-9368-901c240ced42 ()
2/4/2007 5:39:32 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred ()
2/4/2007 5:39:32 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\8ebfe4e0-1498-465b-a1a2-ee55d56956ab ()
2/8/2007 4:53:34 PM H 0 C:\WINDOWS\inf\oem25.inf ()
2/10/2007 7:08:22 PM HS 1081344 C:\WINDOWS\Temp\teu3j1ny.TMP ()
2/10/2007 7:13:54 PM H 6 C:\WINDOWS\Tasks\SA.DAT ()
2/10/2007 3:43:38 PM RH 0 C:\WINDOWS\assembly\pubpol1.dat ()
2/10/2007 3:43:38 PM RH 0 C:\WINDOWS\assembly\PublisherPolicy.tme ()
2/10/2007 4:42:26 PM RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index46.dat ()
2/10/2007 4:42:30 PM RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index47.dat ()

Checking for CPL files...
11/9/2006 3:07:28 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl (Sun Microsystems, Inc.)
8/4/2004 3:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl (Microsoft Corporation)
5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl (Microsoft Corporation)
8/18/2001 12:00:00 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl (Microsoft Corporation)
8/18/2001 12:00:00 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl (Microsoft Corporation)
8/18/2001 12:00:00 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl (Microsoft Corporation)
10/17/2006 12:05:48 PM 1817088 C:\WINDOWS\SYSTEM32\inetcpl.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
10/30/2006 3:33:58 AM 26112 C:\WINDOWS\SYSTEM32\infocardcpl.cpl (Microsoft Corporation)
5/2/2002 11:01:00 PM 901120 C:\WINDOWS\SYSTEM32\Tablet.cpl (Wacom Technology, Corp.)
10/23/2000 7:00:00 AM 49152 C:\WINDOWS\SYSTEM32\setnote.cpl (IBM Corporation)
8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl (Microsoft Corporation)
6/6/2002 9:14:00 AM 45175 C:\WINDOWS\SYSTEM32\plugincpl140_01.cpl (Sun Microsystems)
8/4/2004 3:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl (Microsoft Corporation)
5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl (Microsoft Corporation)
10/17/2006 12:05:48 PM 1817088 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl (Microsoft Corporation)
8/18/2001 12:00:00 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl (Microsoft Corporation)
8/18/2001 12:00:00 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl (Microsoft Corporation)
8/18/2001 12:00:00 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl (Microsoft Corporation)

Checking for Downloaded Program Files...
{238F6F83-B8B4-11CF-8771-00A024541EE3} - - CodeBase = https://bba.bloomberg.net/Citrix/ICAWEB/en/ica32/wficat.cab
{5ED80217-570B-4DA9-BF44-BE107C0EC166} - Windows Live Safety Center Base Module - CodeBase = http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
{8AD9C840-044E-11D1-B3E9-00805F499D93} - Java Plug-in 1.5.0_10 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
{9F1C11AA-197B-4942-BA54-47A8489BB47F} - - CodeBase = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37865.5957175926
{B942A249-D1E7-4C11-98AE-FCB76B08747F} - RealArcadeRdxIE Class - CodeBase = http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
{CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} - Java Plug-in 1.4.0_01 - CodeBase = http://java.sun.com/products/plugin/autodl/jinstall-1_4_0_01-win.cab
{CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - Java Plug-in 1.4.1_02 - CodeBase = http://java.sun.com/update/1.4.1/jinstall-1_4_1_02-windows-i586.cab
{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - Java Plug-in 1.5.0_10 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - Java Plug-in 1.5.0_10 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
{CD995117-98E5-4169-9920-6C12D4C0B548} - HGPlugin9USA Class - CodeBase = http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} - - CodeBase = http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
{D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - SproutLauncherCtrl Class - CodeBase = http://www.shockwave.com/content/feedingfrenzy/SproutLauncher.cab

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
10/22/2002 3:09:52 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()
7/19/2006 4:28:22 PM 1712 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk.disabled ()
5/21/2006 12:09:14 AM 1812 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk ()

Checking files in %ALLUSERSPROFILE%\Application Data folder...
10/23/2002 2:52:08 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini ()
7/19/2006 4:28:56 PM 430 C:\Documents and Settings\All Users\Application Data\hpzinstall.log ()

Checking files in %USERPROFILE%\Startup folder...
10/22/2002 3:09:52 PM HS 84 C:\Documents and Settings\username\Start Menu\Programs\Startup\desktop.ini ()
6/5/2006 2:42:36 PM 1571 C:\Documents and Settings\username\Start Menu\Programs\Startup\Stardock ObjectDock.lnk.disabled ()

Checking files in %USERPROFILE%\Application Data folder...
10/23/2002 2:52:08 AM HS 62 C:\Documents and Settings\username\Application Data\desktop.ini ()
2/10/2007 8:59:18 AM 262 C:\Documents and Settings\username\Application Data\WinssCookie.txt ()

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

>>> Internet Explorer Settings <<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://go.microsoft.com/fwlink/?LinkId=69157
\\Search Page - http://go.microsoft.com/fwlink/?LinkId=54896
\\Default_Page_URL - http://go.microsoft.com/fwlink/?LinkId=69157
\\Default_Search_URL - http://go.microsoft.com/fwlink/?LinkId=54896
\\Local Page - %SystemRoot%\system32\blank.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://www.yahoo.com/
\\Search Bar - http://www.google.com/ie
\\Search Page - http://www.google.com
\\Local Page - C:\WINDOWS\system32\blank.htm

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
\\CustomizeSearch - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
\\SearchAssistant - http://www.google.com/ie

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
\\{EA756889-2338-43DB-8F07-D1CA6FB9C90D} - AOLTBSearch Class = C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (America Online, Inc.)
\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Microsoft Url Search Hook = C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

>>> BHO's <<<
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class = C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
\{1E8A6170-7264-4D0F-BEAE-D42A53123C75} - = C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll (Symantec Corporation)
\{4A368E80-174F-4872-96B5-0B27DDD11DB2} - = ()
\{53707962-6F74-2D53-2644-206D7942484F} - = C:\PROGRA~1\SPYBOT~1\SDHelper.dll (Safer Networking Limited)
\{55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - URLDetector Class = C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll (Prevx Ltd.)
\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - SSVHelper Class = C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll (Sun Microsystems, Inc.)
\{7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - AOL Toolbar Launcher = C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (America Online, Inc.)
\{7E853D72-626A-48EC-A868-BA8D5E23E045} - = ()
\{9030D464-4C02-4ABF-8ECC-5164760863C6} - Windows Live Sign-in Helper = C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
\{AA58ED58-01DD-4d91-8333-CF10577473F7} - Google Toolbar Helper = c:\program files\google\googletoolbar1.dll (Google Inc.)
\{AE7CD045-E861-484f-8273-0445EE161910} - AcroIEToolbarHelper Class = C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
\{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - Windows Live Toolbar Helper = C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)

>>> Internet Explorer Bars, Toolbars and Extensions <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
\{182EC0BE-5110-49C8-A062-BEB1D02A220B} - Adobe PDF = C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
\{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
\{32683183-48a0-441b-a342-7c2a440a9478} - = ()
\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1} - File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\{EFA24E61-B078-11D0-89E4-00C04FC9E26E} - Favorites Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)
\{EFA24E64-B078-11D0-89E4-00C04FC9E26E} - Explorer Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF = C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
\\{DE9C389F-3316-41A7-809B-AA305ED9D922} - AOL Toolbar = C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (America Online, Inc.)
\\{90222687-F593-4738-B738-FBEE9C7B26DF} - Show Norton Toolbar = C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll (Symantec Corporation)
\\{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google = c:\program files\google\googletoolbar1.dll (Google Inc.)
\\{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - Windows Live Toolbar = C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - = ()
\ShellBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF = C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
\WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} - &Yahoo! Toolbar = ()
\WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF = C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - = ()
\WebBrowser\\{DE9C389F-3316-41A7-809B-AA305ED9D922} - AOL Toolbar = C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (America Online, Inc.)
\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} - &Google = c:\program files\google\googletoolbar1.dll (Google Inc.)
\WebBrowser\\{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - Windows Live Toolbar = C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\CmdMapping]
\\NEXTID - 8199
\\{4B30061A-5B39-11D3-80F8-0090276F843F} - 8193 = 
\\{FB5F1910-F110-11d2-BB9E-00C04F795683} - 8194 = Windows Messenger
\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - 8195 = 
\\{3369AF0D-62E9-4bda-8103-B4C75499B578} - 8196 = 
\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - 8197 = Sun Java Console
\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} - 8198 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll (Sun Microsystems, Inc.)
\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll (Sun Microsystems, Inc.)(HKCU CLSID)
\{3369AF0D-62E9-4bda-8103-B4C75499B578} - ButtonText: AOL Toolbar = 
\{92780B25-18CC-41C8-B9BE-3C9C571A8263} - ButtonText: Research = 
\{e2e2dd38-d088-4134-82b7-f2ba38496583} - MenuText: @xpsp3res.dll,-20001 = ()
\{FB5F1910-F110-11d2-BB9E-00C04F795683} - ButtonText: Messenger = C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

>>> Approved Shell Extensions (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
\\{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = ()
\\{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = ()
\\{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = ()
\\{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINDOWS\System32\hticons.dll (Hilgraeve, Inc.)
\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Taskbar and Start Menu = ()
\\{32683183-48a0-441b-a342-7c2a440a9478} - Media Band = ()
\\{7A9D77BD-5403-11d2-8785-2E0420524153} - User Accounts = ()
\\{A4DF5659-0801-4A60-9607-1C48695EFDA9} - Share-to-Web Upload Folder = C:\Program Files\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL (Hewlett-Packard)
\\{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} - Adobe.Acrobat.ContextMenu = C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat Elements\ContextMenu.dll (Adobe Systems Inc.)
\\{B8323370-FF27-11D2-97B6-204C4F4F5020} - SmartFTP Shell Extension DLL = C:\Program Files\SmartFTP Client 2.0\smarthook.dll (SmartFTP)
\\{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} - iTunes = C:\Program Files\iTunes\iTunesMiniPlayer.dll (Apple Computer, Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

>>> Context Menu Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers]
\Adobe.Acrobat.ContextMenu - {D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} = C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat Elements\ContextMenu.dll (Adobe Systems Inc.)
\Symantec.Norton.Antivirus.IEContextMenu - {FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} = C:\PROGRA~1\NORTON~2\NORTON~1\NavShExt.dll (Symantec Corporation)

[HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers]
\Symantec.Norton.Antivirus.IEContextMenu - {FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} = C:\PROGRA~1\NORTON~2\NORTON~1\NavShExt.dll (Symantec Corporation)

>>> Column Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]

>>> Registry Run Keys <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ccApp - C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
osCheck - C:\Program Files\Norton Internet Security\osCheck.exe (Symantec Corporation)
iTunesHelper - C:\Program Files\iTunes\iTunesHelper.exe (Apple Computer, Inc.)
SunJavaUpdateSched - C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe (Sun Microsystems, Inc.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL	Installed = 1
MAPI	Installed = 1
MSFS	Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SpybotSD TeaTimer - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
ctfmon.exe - C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

>>> Startup Links <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Common Startup]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk.disabled ()
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Startup]
C:\Documents and Settings\username\Start Menu\Programs\Startup\desktop.ini ()
C:\Documents and Settings\username\Start Menu\Programs\Startup\Stardock ObjectDock.lnk.disabled ()

>>> MSConfig Disabled Items <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet d series) - 1.lnk
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp officejet d series) - 1.lnk
backup	C:\WINDOWS\pss\HPAiODevice(hp officejet d series) - 1.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\HEWLET~1\AiO\HPOFFI~1\Bin\hpoojd07.exe -DeviceID 1035520573
item	HPAiODevice(hp officejet d series) - 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup	C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\MICROS~2\Office\OSA9.EXE -b -l
item	Microsoft Office

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PenPower PenKeyboard.lnk
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PenPower PenKeyboard.lnk
backup	C:\WINDOWS\pss\PenPower PenKeyboard.lnkCommon Startup
location	Common Startup
command	C:\PPENSB\Win32\PenKeybd.exe 
item	PenPower PenKeyboard

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PenPower Start-Up.lnk
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PenPower Start-Up.lnk
backup	C:\WINDOWS\pss\PenPower Start-Up.lnkCommon Startup
location	Common Startup
command	C:\PPENSB\Win32\ppshell.exe 
item	PenPower Start-Up

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^username^Start Menu^Programs^Startup^Hewlett-Packard Recorder.lnk
path	C:\Documents and Settings\username\Start Menu\Programs\Startup\Hewlett-Packard Recorder.lnk
backup	C:\WINDOWS\pss\Hewlett-Packard Recorder.lnkStartup
location	Startup
command	C:\PROGRA~1\HEWLET~1\AiO\HPOFFI~1\FRU\Remind32.exe 
item	Hewlett-Packard Recorder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AdobeVersionCue
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	VersionCueTray
hkey	HKLM
command	C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\atwtusb
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	atwtusb
hkey	HKLM
command	atwtusb.exe beta
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\C-Media Mixer
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	Mixer
hkey	HKLM
command	Mixer.exe /startup
inimapping	0
Second part coming.


----------



## Killazys (Feb 9, 2007)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ctfmon.exe
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	ctfmon
hkey	HKCU
command	C:\WINDOWS\System32\ctfmon.exe
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IMJPMIG8.1
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	IMJPMIG
hkey	HKLM
command	C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msmsgs
hkey	HKCU
command	"C:\Program Files\Messenger\msmsgs.exe" /background
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSPY2002
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	ImScInst
hkey	HKLM
command	C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NeroCheck
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	NeroCheck
hkey	HKLM
command	C:\WINDOWS\System32\NeroCheck.exe
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PHIME2002A
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	TINTSETP
hkey	HKLM
command	C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PHIME2002ASync
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	TINTSETP
hkey	HKLM
command	C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	qttask
hkey	HKLM
command	"C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RealTray
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	RealPlay
hkey	HKLM
command	C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Run
key	SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
item	freeime
hkey	HKCU
command	C:\PPENSB\win32\freeime.exe 
inimapping	1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Share-to-Web Namespace Daemon
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	hpgs2wnd
hkey	HKLM
command	C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Symantec NetDriver Monitor
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	SNDMon
hkey	HKLM
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WinampAgent
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	Winampa
hkey	HKLM
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini	0
win.ini	0
bootini	0
services	0
startup	2

[All Users Startup Folder Disabled Items]

[Current User Startup Folder Disabled Items]

>>> User Agent Post Platform <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

>>> AppInit Dll's <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs]

>>> Image File Execution Options <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
\Your Image File Name Here without a path - Debugger = ntsd -d

>>> Shell Service Object Delay Load <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
\\PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
\\SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll (Microsoft Corporation)
\\UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} = C:\WINDOWS\system32\upnpui.dll (Microsoft Corporation)

>>> Shell Execute Hooks <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation)

>>> Shared Task Scheduler <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
\\{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\\{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)

>>> Winlogon <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
\\UserInit = C:\WINDOWS\system32\userinit.exe,
\\Shell = Explorer.exe
\\System =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
\crypt32chain - = ()
\cryptnet - = ()
\cscdll - cscdll.dll = (Microsoft Corporation)
\ScCertProp - wlnotify.dll = (Microsoft Corporation)
\Schedule - wlnotify.dll = (Microsoft Corporation)
\sclgntfy - sclgntfy.dll = (Microsoft Corporation)
\SensLogn - WlNotify.dll = (Microsoft Corporation)
\termsrv - wlnotify.dll = (Microsoft Corporation)
\WgaLogon - WgaLogon.dll = (Microsoft Corporation)
\wlballoon - wlnotify.dll = (Microsoft Corporation)

>>> DNS Name Servers <<<
{734B0EA7-86D3-4CBD-A08E-61B0BAAE7AED} - (Linksys Wireless-G PCI Adapter with SpeedBooster)
{EAA48EAE-DFA5-42BD-8ADF-A6FF1F6323A2} - (SiS 900-Based PCI Fast Ethernet Adapter)

>>> All Winsock2 Catalogs <<<
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries]
\000000000001\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
\000000000002\\LibraryPath - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation)
\000000000003\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries]
\000000000001\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000002\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000003\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000004\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000005\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000006\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000007\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000008\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000009\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000010\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000011\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000012\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000013\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000014\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000015\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000016\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000017\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)

>>> Protocol Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler]
\cetihpz - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
\ipp - ()
\msdaipp - ()

>>> Protocol Filters (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter]

>>> Selected AddOn's <<<

>>>>Output for AddOn file Policies.def<<<<
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} - 1
policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} - 1073741857
policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - 32
policies\system\\dontdisplaylastusername - 0
policies\system\\legalnoticecaption - 
policies\system\\legalnoticetext - 
policies\system\\shutdownwithoutlogon - 1
policies\system\\undockwithoutlogon - 1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
policies\Explorer\\NoDriveTypeAutoRun - 145

>>>>Output for AddOn file Security.def<<<<
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center - Include SUBKEYS
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
Security Center\\AntiVirusDisableNotify - 0
Security Center\\FirewallDisableNotify - 0
Security Center\\UpdatesDisableNotify - 0
Security Center\\AntiVirusOverride - 0
Security Center\\FirewallOverride - 0
Security Center\Monitoring\\DisableMonitoring - 1
Security Center\Monitoring\SymantecAntiVirus\\DisableMonitoring - 1
Security Center\Monitoring\SymantecFirewall\\DisableMonitoring - 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS - Include SUBKEYS
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
BITS\\Type - 32
BITS\\Start - 3
BITS\\ErrorControl - 1
BITS\\ImagePath - %SystemRoot%\System32\svchost.exe -k netsvcs
BITS\\DisplayName - Background Intelligent Transfer Service
BITS\\DependOnService - Rpcss;
BITS\\DependOnGroup - 
BITS\\ObjectName - LocalSystem
BITS\\Description - Transfers files in the background using idle network bandwidth. If the service is stopped, features such as Windows Update, and MSN Explorer will be unable to automatically download programs and other information. If this service is disabled, any services that explicitly depend on it may fail to transfer files if they do not have a fail safe mechanism to transfer files directly through IE in case BITS has been disabled.
BITS\\FailureActions - 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 68 E3 0C 00 01 00 00 00 60 EA 00 00 01 00 00 00 60 EA 00 00 01 00 00 00 60 EA 00 00 
BITS\Parameters\\ServiceDll - C:\WINDOWS\System32\qmgr.dll
BITS\Security\\Security - 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 
BITS\Enum\\0 - Root\LEGACY_BITS\0000
BITS\Enum\\Count - 1
BITS\Enum\\NextInstance - 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess - Include SUBKEYS
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
SharedAccess\\Type - 32
SharedAccess\\Start - 2
SharedAccess\\ErrorControl - 1
SharedAccess\\ImagePath - %SystemRoot%\System32\svchost.exe -k netsvcs
SharedAccess\\DisplayName - Windows Firewall/Internet Connection Sharing (ICS)
SharedAccess\\DependOnService - Netman;WinMgmt;
SharedAccess\\DependOnGroup - 
SharedAccess\\ObjectName - LocalSystem
SharedAccess\\Description - Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.
SharedAccess\Epoch\\Epoch - 21771
SharedAccess\Parameters\\ServiceDll - %SystemRoot%\System32\ipnathlp.dll
SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\%windir%\system32\sessmgr.exe - %windir%\system32\sessmgr.exe:*:enabledxpsp2res.dll,-22019
SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Program Files\Common Files\AOL\Loader\aolload.exe - C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader
SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Program Files\Common Files\AOL\1125751903\ee\AOLServiceHost.exe - C:\Program Files\Common Files\AOL\1125751903\ee\AOLServiceHost.exe:*:Enabled:AOL Services
SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Program Files\WebConference.com\Version51239\webconference.exe - C:\Program Files\WebConference.com\Version51239\webconference.exe:*:Enabled:WebConference.com
SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Program Files\AIM\aim.exe - C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger
SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Program Files\MSN Messenger\msnmsgr.exe - C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1
SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Program Files\MSN Messenger\livecall.exe - C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)
SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\%windir%\Network Diagnostic\xpnetdiag.exe - %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000
SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\139:TCP - 139:TCP:*:Enabledxpsp2res.dll,-22004
SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\445:TCP - 445:TCP:*:Enabledxpsp2res.dll,-22005
SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\137:UDP - 137:UDP:*:Enabledxpsp2res.dll,-22001
SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\138:UDP - 138:UDP:*:Enabledxpsp2res.dll,-22002
SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\1900:UDP - 1900:UDP:LocalSubNet:Enabledxpsp2res.dll,-22007
SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\2869:TCP - 2869:TCP:LocalSubNet:Enabledxpsp2res.dll,-22008
SharedAccess\Parameters\FirewallPolicy\StandardProfile\\EnableFirewall - 0
SharedAccess\Parameters\FirewallPolicy\StandardProfile\\DoNotAllowExceptions - 0
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\%windir%\system32\sessmgr.exe - %windir%\system32\sessmgr.exe:*:enabledxpsp2res.dll,-22019
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Marble Blast Gold\MarbleBlast.exe - C:\Program Files\Marble Blast Gold\MarbleBlast.exe:*:Enabled:MarbleBlast
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\SmartFTP\SmartFTP.exe - C:\Program Files\SmartFTP\SmartFTP.exe:*:Enabled:SmartFTP
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Common Files\AOL\Loader\aolload.exe - C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Common Files\AOL\1125751903\ee\AOLServiceHost.exe - C:\Program Files\Common Files\AOL\1125751903\ee\AOLServiceHost.exe:*:Enabled:AOL Services
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Messenger\msmsgs.exe - C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\WebConference.com\Version51239\webconference.exe - C:\Program Files\WebConference.com\Version51239\webconference.exe:*:Enabled:WebConference.com
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\LimeWire\LimeWire.exe - C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\AIM\aim.exe - C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\iTunes\iTunes.exe - C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\SmartFTP Client 2.0\SmartFTP.exe - C:\Program Files\SmartFTP Client 2.0\SmartFTP.exe:*:Enabled:SmartFTP Client 2.0
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\StubInstaller.exe - C:\StubInstaller.exe:*:Enabled:LimeWire swarmed installer
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\MSN Messenger\msnmsgr.exe - C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\MSN Messenger\livecall.exe - C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\%windir%\Network Diagnostic\xpnetdiag.exe - %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000
SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\139:TCP - 139:TCP:LocalSubNet:Enabledxpsp2res.dll,-22004
SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\445:TCP - 445:TCP:LocalSubNet:Enabledxpsp2res.dll,-22005
SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\137:UDP - 137:UDP:LocalSubNet:Enabledxpsp2res.dll,-22001
SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\138:UDP - 138:UDP:LocalSubNet:Enabledxpsp2res.dll,-22002
SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\1900:UDP - 1900:UDP:LocalSubNet:Enabledxpsp2res.dll,-22007
SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\2869:TCP - 2869:TCP:LocalSubNet:Enabledxpsp2res.dll,-22008
SharedAccess\Security\\Security - 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 
SharedAccess\Setup\\ServiceUpgrade - 1
SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\\{EAA48EAE-DFA5-42BD-8ADF-A6FF1F6323A2} - 1
SharedAccess\Enum\\0 - Root\LEGACY_SHAREDACCESS\0000
SharedAccess\Enum\\Count - 1
SharedAccess\Enum\\NextInstance - 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv - Include SUBKEYS
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
wuauserv\\Type - 32
wuauserv\\Start - 2
wuauserv\\ErrorControl - 1
wuauserv\\ImagePath - %SystemRoot%\system32\svchost.exe -k netsvcs
wuauserv\\DisplayName - Automatic Updates
wuauserv\\ObjectName - LocalSystem
wuauserv\\Description - Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site.
wuauserv\Parameters\\ServiceDll - C:\WINDOWS\system32\wuauserv.dll
wuauserv\Security\\Security - 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 
wuauserv\Enum\\0 - Root\LEGACY_WUAUSERV\0000
wuauserv\Enum\\Count - 1
wuauserv\Enum\\NextInstance - 1

遙遙遙遙遙遙遙遙遙遙遙遙 Scan Complete 遙遙遙遙遙遙遙遙遙遙遙遙遙遙遙遙遙


----------



## Killazys (Feb 9, 2007)

Here is the HijackThis log (why is the WinPFind log partly in Chinese?):
Logfile of HijackThis v1.99.1
Scan saved at 7:56:20 PM, on 2/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$ADVANCEPRO\Binn\sqlservr.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\username\My Documents\My Downloads\hijackthis\HijackThis.exe

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://nefeli.com/"); (C:\Documents and Settings\username\Application Data\Mozilla\Profiles\default\6eye0hh4.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\username\Application Data\Mozilla\Profiles\default\6eye0hh4.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Stardock ObjectDock.lnk.disabled
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.download.com
O15 - Trusted Zone: http://mail.google.com
O15 - Trusted Zone: http://gunz.ijji.com
O15 - Trusted Zone: http://www.majorgeeks.com
O15 - Trusted Zone: http://forums.techguy.org
O15 - Trusted Zone: http://www.techguy.org
O15 - Trusted Zone: http://www.yahoo.com
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - https://bba.bloomberg.net/Citrix/ICAWEB/en/ica32/wficat.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.shockwave.com/content/feedingfrenzy/SproutLauncher.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe


----------



## Cookiegal (Aug 27, 2003)

Open up Spybot Search and Destroy and click on "Recovery". From the list, put a check mark beside the following and then click on "Recover Selected Items" to restore those two items you deleted.

Download *ComboFix* to your Desktop.

Reboot to Safe mode:

Restart your computer and begin tapping the F8 key on your keyboard just before Windows starts to load. If done properly a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

Perform the following actions in *Safe Mode*.

Double click *combofix.exe* and follow the prompts.
When finished, it will produce a log for you. Post that log and a new *HijackThis* log in your next reply.
*Note: Do not mouseclick combofix's window while it's running as that may cause it to stall*


----------



## Killazys (Feb 9, 2007)

What two things are you talking about, crypt32.dll? I simply changed it so they wouldn't start up with my computer... but I already changed back before I scanned the computer with WinPFind. What are you talking about? (Should I just restore everything?) Also, I ran CCleaner... but I saved a registry file. Should I restore that? If so, how?


----------



## Cookiegal (Aug 27, 2003)

I'm sorry, I meant to include the items to be restored:

*crypt32.dll
cryptnet.dll*

But now you've lost me. Are you saying you didn't delete these two items with SpyBot? What exactly did you do with them?

I didn't say to run CCleaner and I don't know what you mean when you say you saved a registry file and should you restore it. Please clarify that.


----------



## Killazys (Feb 9, 2007)

OK. In Spybot S&D (Advanced) under Tools, there is something called System Startup. There, I matched every single process in the lilutilities Startup Processes library and stopped some processes from starting up with my computer. crypt32.dll and the other one were 2 of those processes. I am just stating I ran CCleaner some time ago, and I was just wondering if restoring that registry file would help in any way. Thanks.


----------



## Cookiegal (Aug 27, 2003)

Recheck those two items in the startup list in Spybot then. I'd also like to know which others you unchecked there please.

I don't know what registry file you would be restoring so let's leave CCleaner for now.

Please proceed with ComboFix.

I'm signing off for the night now, Cheeseball81 may check in later. If not, I'll check back in the morning.


----------



## Killazys (Feb 9, 2007)

I have unchecked: everything to do with HP because I no longer use that printer/software. HPHmon06, HPHUPD06, HPDJ Taskbar Utility, swg (Google ToolbarNotifier), Stardock ObjectDock.lnk (C:\Program Files\Stardock\ObjectDock\ObjectDock.exe). PenPowerKeyboard and PenPowerStartup are named "Startup (disabled)" under the Key column, so is OSA9.exe (Microsoft Office), and for Aim6 (C:\Program Files\Common Files\AOL\Launch) there is no filename. I am proceeding with ComboFix.


----------



## Killazys (Feb 9, 2007)

Here is the ComboFix:
"username" - 07-02-10 21:42:43 Service Pack 2
ComboFix 07-02-11 - Running from: "C:\Documents and Settings\username\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2007-01-10 to 2007-02-10 ))))))))))))))))))))))))))))))))))

2007-02-10 16:08 d--------	C:\Program Files\MSBuild
2007-02-10 16:01 d--------	C:\WINDOWS\system32\XPSViewer
2007-02-10 15:59 d--------	C:\Program Files\Reference Assemblies
2007-02-10 15:57	14,048	---------	C:\WINDOWS\system32\spmsg2.dll
2007-02-10 15:56 d--------	C:\b3b91a1308af95b3aa307099
2007-02-10 15:55 d--------	C:\WINDOWS\network diagnostic
2007-02-10 15:26	60,416	---------	C:\WINDOWS\system32\tzchange.exe
2007-02-10 14:34	94,208	--a------	C:\WINDOWS\system32\d3dGearLoad.dll
2007-02-10 14:34	323,584	--a------	C:\WINDOWS\system32\d3dGearUtility.dll
2007-02-10 14:34	3,502,080	--a------	C:\WINDOWS\system32\d3dGear.dll
2007-02-10 14:34	3,426,072	--a------	C:\WINDOWS\system32\d3dx9_32.dll
2007-02-10 14:34 d--------	C:\Program Files\D3DGear
2007-02-10 14:13 d--------	C:\Program Files\CCleaner
2007-02-09 22:49	21,312	--a------	C:\WINDOWS\choice.exe
2007-02-09 22:48 d--------	C:\ie-spyad
2007-02-09 22:45 d--------	C:\Program Files\SpywareGuard
2007-02-09 22:38 d--------	C:\Program Files\SpywareBlaster
2007-02-08 19:38 d--------	C:\DOCUME~1\ALLUSE~1\Application Data\Spybot - Search & Destroy
2007-02-08 18:06 d--------	C:\DOCUME~1\ALLUSE~1\Application Data\TEMP
2007-02-08 17:20 d--------	C:\DOCUME~1\username\Application Data\Prevx
2007-02-08 17:19	7,680	--a------	C:\WINDOWS\system32\drivers\pxinst.dll
2007-02-08 17:19	7,552	--a------	C:\WINDOWS\system32\drivers\pxcom.sys
2007-02-08 17:19	276,992	--a------	C:\WINDOWS\system32\drivers\pxfsf.sys
2007-02-08 17:19	18,560	--a------	C:\WINDOWS\system32\drivers\pxtdi.sys
2007-02-08 17:19	13,952	--a------	C:\WINDOWS\system32\drivers\pxrd.sys
2007-02-08 17:19	100,864	--a------	C:\WINDOWS\system32\drivers\PxEmu.sys
2007-02-08 17:19 d--------	C:\Program Files\Prevx1
2007-02-08 17:19 d--------	C:\DOCUME~1\ALLUSE~1\Application Data\Prevx
2007-02-08 16:53	178,408	--a------	C:\WINDOWS\system32\muweb.dll
2007-02-08 16:53	127,208	--a------	C:\WINDOWS\system32\mucltui.dll
2007-02-08 16:50 d--hs----	C:\FOUND.000
2007-02-07 19:36 d--------	C:\Program Files\Windows Live Safety Center
2007-02-07 19:32 d--------	C:\DOCUME~1\username\Contacts
2007-02-07 19:20 d--------	C:\DOCUME~1\ALLUSE~1\Application Data\Windows Live Toolbar
2007-02-07 19:18 d--------	C:\Program Files\Windows Live Toolbar
2007-02-07 19:16 d--------	C:\WINDOWS\system32\DRVSTORE
2007-02-07 19:15 d--------	C:\Program Files\MSN Messenger
2007-02-06 22:44 d--------	C:\Program Files\Common Files\Java
2007-02-06 22:10 d--------	C:\DOCUME~1\username\.limewire
2007-02-05 17:55	111,227	--a------	C:\WINDOWS\system32\drivers\dump_wmimmc.sys
2007-02-05 17:50 d--------	C:\ijji
2007-02-05 17:20 d--------	C:\Program Files\SmartFTP Client 2.0
2007-02-05 17:19 d--------	C:\Program Files\SmartFTP Client 2.0 Setup Files
2007-02-05 16:40 d--------	C:\DOCUME~1\username\Application Data\Apple Computer
2007-02-05 16:39 d--------	C:\Program Files\iPod
2007-02-05 16:38 d--------	C:\Program Files\iTunes
2007-02-05 16:36 d--------	C:\Program Files\QuickTime
2007-02-05 16:35 d--------	C:\Program Files\Apple Software Update
2007-02-05 16:35 d--------	C:\DOCUME~1\ALLUSE~1\Application Data\Apple Computer
2007-02-04 22:05 d--------	C:\DOCUME~1\username\Application Data\acccore
2007-02-04 22:05 d--------	C:\DOCUME~1\ALLUSE~1\Application Data\AOL OCP
2007-02-04 22:04 d--------	C:\Program Files\AIM6
2007-02-04 22:03 d--------	C:\DOCUME~1\ALLUSE~1\Application Data\AOL Downloads
2007-02-04 21:43 d--------	C:\DOCUME~1\username\Application Data\Google
2007-02-04 21:42 d--------	C:\Program Files\Google
2007-02-04 21:42 d--------	C:\DOCUME~1\ALLUSE~1\Application Data\Google
2007-02-04 21:17 d--------	C:\Program Files\Lavasoft
2007-02-04 20:59 d--------	C:\WINDOWS\WBEM
2007-02-04 20:59 d--------	C:\WINDOWS\system32\en-US
2007-02-04 20:56 d--h-----	C:\WINDOWS\ie7
2007-02-04 20:54	121,856	---------	C:\WINDOWS\system32\xmllite.dll
2007-02-04 20:08 d--------	C:\Program Files\MSXML 4.0
2007-02-04 20:07 d--h-----	C:\WINDOWS\PIF
2007-02-04 20:07 d--------	C:\49fafc230e99a6b0484f
2007-02-04 19:33 d--------	C:\Program Files\Norton Internet Security
2007-02-04 18:42 d--------	C:\WINDOWS\system32\LogFiles
2007-02-04 18:05 d--------	C:\DOCUME~1\ALLUSE~1\Symantec Temporary Files
2007-02-04 17:50 d--------	C:\DOCUME~1\username\Application Data\Lavasoft
2007-01-19 12:53	51,056	--a------	C:\WINDOWS\system32\sirenacm.dll
2007-01-12 18:01	276,792	--a------	C:\WINDOWS\system32\drivers\srtspl.sys
2007-01-12 18:01	25,400	--a------	C:\WINDOWS\system32\drivers\srtspx.sys
2007-01-12 18:01	247,608	--a------	C:\WINDOWS\system32\drivers\srtsp.sys

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-02-10 19:46	12530	--a------	C:\WINDOWS\system32\wacom.dat
2007-02-10 08:59	262	--a------	C:\DOCUME~1\username\Application Data\winsscookie.txt
2007-02-05 17:05	480	--a------	C:\WINDOWS\dorp.dat
2007-02-04 19:42	48776	--a------	C:\WINDOWS\system32\s32evnt1.dll
2007-02-04 19:42	115000	--a------	C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2006-12-07 17:02	2174976	--a------	C:\WINDOWS\system32\wmvcore.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton Internet Security\\osCheck.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"Aim6"="C:\\Program Files\\Common Files\\AOL\\Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb11.exe"
"HPHmon06"="C:\\WINDOWS\\system32\\hphmon06.exe"
"HPHUPD06"="C:\\Program Files\\HP\\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\\hphupd06.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet d series) - 1.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HPAiODevice(hp officejet d series) - 1.lnk"
"backup"="C:\\WINDOWS\\pss\\HPAiODevice(hp officejet d series) - 1.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HEWLET~1\\AiO\\HPOFFI~1\\Bin\\hpoojd07.exe -DeviceID 1035520573"
"item"="HPAiODevice(hp officejet d series) - 1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office\\OSA9.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PenPower PenKeyboard.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\PenPower PenKeyboard.lnk"
"backup"="C:\\WINDOWS\\pss\\PenPower PenKeyboard.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PPENSB\\Win32\\PenKeybd.exe "
"item"="PenPower PenKeyboard"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PenPower Start-Up.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\PenPower Start-Up.lnk"
"backup"="C:\\WINDOWS\\pss\\PenPower Start-Up.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PPENSB\\Win32\\ppshell.exe "
"item"="PenPower Start-Up"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^username^Start Menu^Programs^Startup^Hewlett-Packard Recorder.lnk]
"path"="C:\\Documents and Settings\\username\\Start Menu\\Programs\\Startup\\Hewlett-Packard Recorder.lnk"
"backup"="C:\\WINDOWS\\pss\\Hewlett-Packard Recorder.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\HEWLET~1\\AiO\\HPOFFI~1\\FRU\\Remind32.exe "
"item"="Hewlett-Packard Recorder"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeVersionCue]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="VersionCueTray"
"hkey"="HKLM"
"command"="C:\\Program Files\\Adobe\\Adobe Version Cue\\ControlPanel\\VersionCueTray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\atwtusb]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="atwtusb"
"hkey"="HKLM"
"command"="atwtusb.exe beta"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Mixer"
"hkey"="HKLM"
"command"="Mixer.exe /startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IMJPMIG"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ImScInst"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TINTSETP"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TINTSETP"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"="freeime"
"hkey"="HKCU"
"command"="C:\\PPENSB\\win32\\freeime.exe "
"inimapping"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpgs2wnd"
"hkey"="HKLM"
"command"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SNDMon"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Winampa"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService	REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService	REG_MULTI_SZ DnsCache\0\0
rpcss	REG_MULTI_SZ RpcSs\0\0
imgsvc	REG_MULTI_SZ StiSvc\0\0
termsvcs	REG_MULTI_SZ TermService\0\0
HTTPFilter	REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch	REG_MULTI_SZ DcomLaunch\0TermService\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_COMHOST

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - username.job
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job

********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-02-10 21:46:06


----------



## Killazys (Feb 9, 2007)

When I rebooted my computer after starting ComboFix, something was trying to reset (a) my home page to MSN (denied by TeaTimer), then tried to set the home page to "blank" (again denied) but also tried to reset the default search to Windows Live as well as the Search assistant (both denied) and it also deleted the screensaver.exe from the reg (allowed). I went to the desktop settings and reset my screensaver, thus bringing back screensaver.exe. When I started IE, Norton stated that it was no longer the default phishing filter, so I changed that too. Also, this HJT was run in Normal mode, should I have scanned in safe mode?
Logfile of HijackThis v1.99.1
Scan saved at 10:04:14 PM, on 2/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$ADVANCEPRO\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\username\My Documents\My Downloads\hijackthis\HijackThis.exe

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://nefeli.com/"); (C:\Documents and Settings\username\Application Data\Mozilla\Profiles\default\6eye0hh4.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\username\Application Data\Mozilla\Profiles\default\6eye0hh4.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Stardock ObjectDock.lnk.disabled
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.download.com
O15 - Trusted Zone: http://mail.google.com
O15 - Trusted Zone: http://gunz.ijji.com
O15 - Trusted Zone: http://www.majorgeeks.com
O15 - Trusted Zone: http://forums.techguy.org
O15 - Trusted Zone: http://www.techguy.org
O15 - Trusted Zone: http://www.yahoo.com
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - https://bba.bloomberg.net/Citrix/ICAWEB/en/ica32/wficat.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.shockwave.com/content/feedingfrenzy/SproutLauncher.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
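
As an added example (not code from the thread and not part of HijackThis itself), here is a small Python parser for the HijackThis 1.99.1 line format used in the log above. It splits each entry into section, CLSID and the file or URL it points at, and flags the ones whose target is "(no file)" or "(file missing)", which is what a helper looks at first. The sample lines are constructed in that format for the demo, not the poster's full log.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the HijackThis 1.99.1 line format seen in the log
# above (a few representative lines, not the poster's full log).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O15 - Trusted Zone: http://www.download.com
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
"""

# "O2 - BHO: <rest>", "O23 - Service: <rest>", "O4 - HKLM\..\Run: <rest>" ...
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
O4_RE = re.compile(r"^\[(?P<name>[^\]]*)\] (?P<target>.*)$")


@dataclass
class HjtEntry:
    section: str            # e.g. "O2", "O23"
    kind: str               # e.g. "BHO", "Service", "HKLM\..\Run"
    name: str               # display name with the CLSID removed
    clsid: Optional[str]    # upper-cased {GUID} if the line carries one
    target: str             # file, URL or command the entry points at
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[HjtEntry]:
    """Parse one HijackThis log line; return None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, kind, rest = m.group("section", "kind", "rest")
    clsid_m = CLSID_RE.search(rest)
    clsid = clsid_m.group(0).upper() if clsid_m else None

    if section == "O4":
        o4 = O4_RE.match(rest)
        name, target = (o4.group("name"), o4.group("target")) if o4 else ("", rest)
    else:
        # The last " - " field is what the entry points at; everything before
        # it is the display name (which may itself contain " - ").
        parts = rest.split(" - ")
        target = parts[-1]
        name = " - ".join(parts[:-1]) if len(parts) > 1 else ""
    if clsid_m:
        name = name.replace(clsid_m.group(0), "").strip(" -")
    target = target.strip()

    flags: List[str] = []
    if target == "(no file)" or target.endswith("(file missing)"):
        flags.append("dangling")       # registry still points at a file that is gone
    if name.startswith("(no name)"):
        flags.append("unnamed")
    if section == "O15":
        flags.append("trusted-zone")   # site gets IE's Trusted sites security settings
    if section == "O23" and '"' in target:
        # Assumption: a lone quote followed by arguments in a service path is the
        # pattern the Symantec/Prevx O23 lines in the log above show, and HJT
        # prints those as "(file missing)"; verify such a path by hand first.
        flags.append("check-manually")
    return HjtEntry(section, kind, name, clsid, target, flags)


def parse_log(text: str) -> List[HjtEntry]:
    return [e for e in (parse_line(raw) for raw in text.splitlines()) if e is not None]


def dangling_entries(text: str) -> List[HjtEntry]:
    """Entries whose file is gone: harmless on their own, but usually the
    first thing a helper asks to have fixed in HijackThis."""
    return [e for e in parse_log(text) if "dangling" in e.flags]


def section_counts(text: str) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for e in parse_log(text):
        counts[e.section] = counts.get(e.section, 0) + 1
    return counts


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        mark = ",".join(e.flags) or "-"
        print(f"{e.section:<4} {mark:<24} {e.clsid or '':<40} {e.name or e.kind} -> {e.target}")
```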


----------



## Killazys (Feb 9, 2007)

I just scanned with Uniblue SpyEraser and it found 58 spyware programs. Here is a log:
Start Date:February 11, 2007 at 08:16:09 AM

End Date:February 11, 2007 at 08:20:45 AM

Total Time:4 Mins 36 Secs
Detected Threats

ISTbar
Details: ISTbar is a homepage and search hijacker. It adds itself as a toolbar to Internet Explorer and displays pop-ups, mostly from porn sites. It may also install other adware and spyware. It is an adware application which hijacks the user's browsing habits and displays targeted advertisements on the desktop. The advertisements can take several forms, including pop-ups, pop-unders, banners, or links embedded within web pages or parts of the Windows interface. This application hides itself from the user and stays as a resident in background.
Status:No Action taken
Adware-Adware



Infected registry keys/values detected 
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\searchmiracle.com
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\my-internet.info
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\mt-download.com
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\slotch.com
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\clickspring.net
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\searchbarcash.com
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\ysbweb.com
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\blazefind.com
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\flingstone.com



BearShare
Details: BearShare is actually a file sharing network. The free version of BearShare puts a number of known spyware and adware on your computer.
Status:No Action taken
Software Bundler-Software Bundler



Infected registry keys/values detected 
hkey_local_machine\software\classes\magnet\shell\open\command\\ 
hkey_local_machine\software\classes\magnet\defaulticon\\ 
hkey_classes_root\magnet\shell\open\command\\ 

ViewPoint Media Toolbar
Details: ViewPoint Media Toolbar is specifically designed to integrate with a Web browser that displays pop-up under ads. It links to affiliate sites and installs a search bar that logs usage statistics, including hijacking search results. Viewpoint Corporation: Viewpoint is a leading Internet marketing technology company. The Viewpoint Platform is the technology behind some of the most innovative, visual experiences on the Web and on the desktop with leading clients such as America Online, General Electric, General Motors, Hewlett Packard, Lexus, Samsung, Scion, Sony and Toyota. The Unicast Online Advertising Suite - the Company's next-generation ad deployment and management system - and the Viewpoint Toolbar - the Vision for the Future of Search - are the latest breakthrough technologies using the full power of the Viewpoint Platform. The company has 130 employees principally at its headq
Status:No Action taken
Toolbar-Toolbar



Infected files detected 
c:\program files\viewpoint\viewpoint media player\components\jpegreader.dll 
c:\program files\viewpoint\viewpoint media player\components\waveletreader.dll 
c:\program files\viewpoint\viewpoint media player\components\swfview.dll 
c:\program files\viewpoint\viewpoint media player\components\vmpvideo.dll 
c:\program files\viewpoint\viewpoint media player\components\mts3reader.dll 
c:\program files\viewpoint\viewpoint media player\components\cursors.dll 
c:\program files\viewpoint\viewpoint media player\components\sreedmmx.dll 
c:\program files\viewpoint\viewpoint media player\components\vmgr.dll 
c:\program files\viewpoint\viewpoint media player\components\scenecomponent.dll 
c:\program files\viewpoint\viewpoint media player\componentmgr_03000f11.dll 
c:\program files\viewpoint\viewpoint media player\axmetastream.dll 
c:\program files\viewpoint\viewpoint media player\mtsaxinstaller.exe 
Infected registry keys/values detected 
hkey_local_machine\software\mozillaplugins\@viewpoint.com/vmp\productname\ 
hkey_local_machine\software\mozillaplugins\@viewpoint.com/vmp\xptpath\ 
hkey_local_machine\software\mozillaplugins\@viewpoint.com/vmp\description\ 
hkey_local_machine\software\metastream\metastream3\{03f998b2-0e00-11d3-a498-00104b6eb52e}\
hkey_local_machine\software\mozillaplugins\@viewpoint.com/vmp\vendor\
hkey_local_machine\software\mozillaplugins\@viewpoint.com/vmp\path\
hkey_local_machine\software\classes\clsid\{03f998b2-0e00-11d3-a498-00104b6eb52e}\inprocserver32\threadingmodel\
hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\viewpointmediaplayer\slowinfocache\
hkey_local_machine\software\microsoft\windows\currentversion\uninstall\viewpointmediaplayer\displayname\
hkey_classes_root\clsid\{03f998b2-0e00-11d3-a498-00104b6eb52e}\inprocserver32\\
hkey_local_machine\software\viewpoint\\
hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\viewpointmediaplayer\changed\
hkey_local_machine\software\microsoft\windows\currentversion\uninstall\viewpointmediaplayer\uninstallstring\

Proactive Password Auditor
Details: ElcomSoft Co. Ltd founded in 1990 uses powerful algorithms which are under developed. ElcomSoft is a member of the Russian Cryptology Association (RCA), Computer Security Institute, a lifetime member of the Association of Shareware Professionals (ASP) and Microsoft Partner Program.
Status:No Action taken
Adware-Adware



Infected registry keys/values detected 
hkey_classes_root\.hdt\\ 
hkey_local_machine\software\classes\.hdt\\ 

XoloX
Details: XoloX is peer-to-peer file sharing software like KaZaA. It uses adware tactics like banners and floaters. The main software comes along with other spyware. 
Status:No Action taken
Software Bundler-Software Bundler



Infected registry keys/values detected 
hkey_local_machine\software\classes\magnet\\ 
hkey_classes_root\magnet\\ 

StumbledUpon Toolbar
Details: StumbledUpon Toolbar is specifically designed to integrate with a Web browser that displays pop-up under ads. It links to affiliate sites and installs a search bar that logs usage statistics, including hijacking search results. Publisher's information: The StumbleUpon Toolbar for Internet Explorer allows you to 'channel surf' the Internet and discover great Web sites and Web content according to your interests. Whether it's a Web site, video, picture, game, blog, or wiki, StumbleUpon helps you find interesting stuff recommended by like-minded people with just a single click of the Stumble! button. The more you use it, the better it gets. Join more than 1.3 million users who have rated more than seven million Web sites. All of the content recommended is found by other people who want to share their best finds and favorite sites. With StumbleUpon you can stumble the Internet for g
Status:No Action taken
Toolbar-Toolbar



Infected registry keys/values detected 
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\stumbleupon.com\\

CoolWWWSearch
Details: CoolWWWSearch is a hijacker that easily collects demographic and other important information from the user's computer. It should be removed as soon as possible because more we delay more it will cause a problem, slow down the performance and also disclose all the private information to websites.
Status:No Action taken
Hijacker-Hijacker



Infected registry keys/values detected 
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\coolwwwsearch.com\\

CWS
Details: CWS belongs to Browser Hijacker category. It is defined as a malicious software that is designed to harm those systems that are not specifically VIRUS. It is a Browser Hijacker which installs itself as an Internet Explorer browser helper object, toolbar or shell browser. It hijacks user's browsing habits and displays pop-up advertisements to display targeted advertising on the desktop.
Status:No Action taken
Hijacker-Hijacker



Infected registry keys/values detected 
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\xxxtoolbar.com

WildTangent
Details: WildTangent is an Adware application. It is an online gaming plugin bundle that contains the WildTangent Web Driver, WildTangent Multiplayer Library, WildTangent Updater and WildTangent GameChannel. This application is downloaded as a standard setup .exe file or installed by an activeX control from the vendor's web site. Some Internet Service providers install the WildTangent software. Some desktops from HP also comes with WildTangent installed.
Status:No Action taken
Adware-Adware



Infected registry keys/values detected 
hkey_local_machine\software\wildtangent 

GameHouse
Details: GameHouse gives permission to the users to transfer data and information related to free Games and to play free online games with Animated Computer Opponent. It also installs other adwares program prone to advertisements. Such program place unwanted advertisements that pop-up on users' computer screen while the program is running or surfing Internet. Sometimes you may find it generating advertisement even when you are not running the originally desired program. The rules are same for the game to be played but graphics have improved a lot and difficulties levels have multiplied. Pop-up menus also emerge on your desktop and install other adwares too.
Status:No Action taken
Adware-Adware



Infected registry keys/values detected 
hkey_local_machine\software\gamehouse\\ 

CoolWebSearch
Details: "CoolWebSearch" is a redirection tool that has many variants, leading you to specific Web sites. It targets on browsers like Netscape, Internet Explorer.
Status:No Action taken
Browser Modifier-Browser Modifier



Infected files detected 
c:\documents and settings\username\favorites\education\using chinese herbs and acupuncture to treat hiv-aids an analysis of 201 cases.url 
c:\documents and settings\username\favorites\education\medical writing - guidebook to better medical writing - excerpt from the book.url 
c:\documents and settings\username\favorites\education\http--www.cms.hhs.gov-forms-cms437.pdf.url 
c:\documents and settings\username\favorites\education\national certification board for therapeutic massage and bodywork.url 
c:\documents and settings\username\favorites\education\http--www.ncbtmb.com-cont_education-approved_provider_app_guide.pdf.url 
Infected directories detected 
c:\documents and settings\username\favorites\education 

Multiplicity
Details: Stardock had designed tools for Windows XP/Vista Themes, skins, icons, desktop enhancements and strategy games along with softwares like Dread Lords, KeepSafe, Multiplicity, ObjectDock, IconPackager, Premium Gadgets, Skins, Icons, and Themes.
Status:No Action taken
Remote Control Software-Remote Control Software



Infected directories detected 
c:\program files\stardock\objectdock\docklets\weather\icons 
c:\program files\stardock\objectdock\docklets\weather 
c:\program files\stardock\objectdock\docklets 
c:\program files\stardock\objectdock\last (objectdock) 
c:\program files\stardock\objectdock 
c:\program files\stardock 


--------------------------------------------------------------------------------


----------



## Cookiegal (Aug 27, 2003)

Do you know what this file is?

*C:\WINDOWS\dorp.dat*

If not, right click on it and select "edit" and copy and paste the contents here please.


----------



## Killazys (Feb 9, 2007)

There is no such choice. Perhaps you are thinking of .bat files?


----------



## Cookiegal (Aug 27, 2003)

Yes, sorry. I had batch files on my mind. Let's run it through a scanner but first you will need to unhide files.

Go to Start > Search and, under "More advanced search options",
make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".

Now, go to the following link and upload each of the following files for analysis and let me know what the results are please:

http://virusscan.jotti.org/

*C:\WINDOWS\dorp.dat*


----------



## Killazys (Feb 9, 2007)

MD5|67e4ed5030d7733bfecb2ef8c29ed199
Nothing found...no "packers".


----------



## Killazys (Feb 9, 2007)

Hello? Anyone? Please help!!!! What now!!?!?! (BUMP)


----------



## Cookiegal (Aug 27, 2003)

I would like to get that file checked out further so please do this:

Go to the forum *here* and upload this (these) file(s):

*C:\WINDOWS\dorp.dat*

Here are the directions for uploading the file:

Just click "New Topic", fill in the needed details and post a link to your thread here. Click the "Browse" button. Navigate to the file on your computer. When the file is listed in the window click "Post" to upload the file.

*Click Here* and download Killbox and save it to your desktop but don't run it yet.

Go to Control Panel - Add/Remove programs and remove:

*Viewpoint*

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click *fix checked*.

*O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)*

*O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)*

Then boot to safe mode:

*How to restart to safe mode*

Double-click on Killbox.exe to run it. 

Put a tick by *Standard File Kill*. 
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

*C:\WINDOWS\Temp\teu3j1ny.TMP*

Click on the button that has the red circle with the X in the middle after you enter each file. 
It will ask for confirmation to delete the file. 
Click Yes. 
Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
Killbox may tell you that one or more files do not exist. 
If that happens, just continue on with all the files. Be sure you don't miss any.
Next in Killbox go to *Tools > Delete Temp Files*
In the window that pops up, put a check by *ALL* the options there *except* these three:
XP Prefetch
Recent
History

Now click the *Delete Selected Temp Files* button.
Exit the Killbox.

Reboot back to windows normally and do the following:

Go to Start - Run - type in regedit and click OK to open the registry editor.

Expand the following registry keys by clicking on the + to their left.

hkey_current_user
software
microsoft
windows
currentversion
internet settings
zonemap
domains

Click on the searchmiracle.com key and then in the right-hand pane double click on the icon below the default one. Let me know what digit appears in the box that opens up please but do not change anything.


----------



## Killazys (Feb 9, 2007)

HELP! When I go to the spykiller website and try to upload the file, my IE-7 does NOT show any picture for the verification thing. I have tried right-clicking and clicking "Show picture", copying it and pasting it, requesting a new one, AND listening to it! What should I do?!?!!? I will just continue with the Killbox thing. Also, the first BHO you told me to delete, O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file), WAS NOT "no name"; it was SpywareGuard Download Protection and the file was C:\Program Files\SpywareGuard\dllprotect.dll


----------



## Killazys (Feb 9, 2007)

In addition, I DID NOT delete the BHO. Also, in KillBox the file was not found, but I was able to delete the Temporary Internet Files you asked me to delete.
Searchmiracle.com: the Value Name was an asterisk (*),
the number was 4,
and it's using Hexadecimal base. What now? Also, upon reboot I noticed a weird process: msn_sl.exe. Should I terminate it? (Retrying sending dorp.dat to SpyKiller - my other computer is LITERALLY stuck. I click Post (the image loaded) but it loads and the green bar on the bottom got about halfway. And it's not moving. Any ideas?)


----------



## Cookiegal (Aug 27, 2003)

Are you sure the C:\Program Files\SpywareGuard\dllprotect.dll file exists? Because if it does, then we have another bug in HijackThis as it was always showing "no file" correctly for the BHOs.

I don't know anything about IE7 so can't help with that.


Those registry keys showing no. 4 are false positives as they are good entries, probably put there by SpyBot to block dodgy sites.
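As an added example (my own code, not anything posted in this thread or shipped with Spybot or IE-SPYAD), here is a Python script that interprets ZoneMap\Domains entries like the one reported above. The registry contents are simulated with a constructed dict so it runs anywhere; on the real machine the same data lives under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains. The zone numbers follow IE's URL security zone IDs (1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites), so a "*" value of 4 under a domain key puts that whole domain into Restricted sites, which is exactly the kind of blocklist entry an immunizer writes and why it is benign. The example goes a step beyond the single value in the post by also listing domains mapped into Trusted sites or Local intranet, the direction that actually lowers security and is worth reviewing.

```python
"""Interpret Internet Explorer ZoneMap\\Domains entries (added example).

The registry tree is simulated with a nested dict so this runs offline.
Zone numbers are IE's URL security zone IDs.
"""

ZONE_NAMES = {
    0: "My Computer",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed sample of the Domains key. Each domain key holds one or more
# values: the value name is the host pattern ("*" = every host in the domain,
# or a specific host such as "www"); the DWORD data is the zone number.
SAMPLE_DOMAINS = {
    "searchmiracle.com": {"*": 4},           # what the poster reported: "*" = 4 (hex)
    "techguy.org": {"www": 2, "forums": 2},  # mirrors the O15 Trusted Zone lines in the log
    "example.test": {"*": 3},                # constructed: explicit Internet-zone mapping
}


def classify(domains):
    """Return (domain, host, zone_name, verdict) tuples for every mapping."""
    rows = []
    for domain, values in domains.items():
        for host, zone in values.items():
            name = ZONE_NAMES.get(zone, f"unknown zone {zone}")
            if zone == 4:
                # Restricted sites: scripting/ActiveX disabled. This is a block
                # entry, typical of Spybot immunization or IE-SPYAD, not an infection.
                verdict = "blocklisted (benign)"
            elif zone in (1, 2):
                # Trusted/intranet mappings relax IE's security settings for that
                # host, so each one should be recognised by the machine's owner.
                verdict = "elevated trust - review"
            else:
                verdict = "neutral"
            rows.append((domain, host, name, verdict))
    return rows


def trusted_hosts(domains):
    """Hosts mapped into Trusted sites or Local intranet, sorted for review."""
    hosts = []
    for domain, values in domains.items():
        for host, zone in values.items():
            if zone in (1, 2):
                hosts.append(f"*.{domain}" if host == "*" else f"{host}.{domain}")
    return sorted(hosts)


if __name__ == "__main__":
    for domain, host, zone_name, verdict in classify(SAMPLE_DOMAINS):
        print(f"{host:>8}.{domain:<20} {zone_name:<16} {verdict}")
    print("Review these trusted mappings:", trusted_hosts(SAMPLE_DOMAINS))
```

Run against the real registry, the same logic applies: a value of 4 is a block, while values of 1 or 2 are the ones to confirm.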


----------



## Cookiegal (Aug 27, 2003)

msn_sl.exe is the MSN toolbar so it's up to you whether or not you want to allow it.


----------



## Killazys (Feb 9, 2007)

I believe those registry entries were produced by IE-SPYAD, and I am checking the integrity of that dll file now. A suggestion about that, I turned SpywareGuard off before scanning with HJT, so maybe that might be it?


----------



## Killazys (Feb 9, 2007)

OK, that file exists, however it is set as read-only. As a side note: for a few days now, the only things showing on the bottom right of my screen [the currently running programs] were my wireless internet connection, a disconnected Ethernet connection, and Norton. However, if I check Task Manager, I see that Windows Defender, Prevx1, TeaTimer, and SG are all running. What can I do about this? Another thing, I ran EasyCleaner and ran the program to delete "dead" files but it did not delete C:\Program Files\xerox\nwwia, which is an empty folder; it says the folder is in use, same thing with unyt.exe (Yahoo! Toolbar uninstaller). Suggestions?


----------



## Cookiegal (Aug 27, 2003)

Try to delete that empty folder in safe mode.

Please give me a summary now of exactly what problems you are still experiencing and also post a new HijackThis log.


----------



## Killazys (Feb 9, 2007)

Help! After removal of nwwia, the empty folder, I cannot restore internet connection! (Actually, it connects, but there is "no signal" where before it would be 24.0 mbps to 80.0 mbps with good or very good connection.) I have both LSPFix and WinsockFix saved on a floating USB drive, should I use one?


----------



## Cookiegal (Aug 27, 2003)

Let's try repairing the winsock as designed for SP2.

Go to *Start* - *Run* - type in *cmd* and click OK.

At the command prompt type in:

*netsh winsock reset catalog*

Press enter.

then type in:

*netsh int ip reset resetlog.txt*

Press enter.

You will need to reboot afterwards.


----------



## Killazys (Feb 9, 2007)

I am spiking now. I am either connected with very low or No Signal and it's 1.0 mbps. Do you suggest I continue with the fix?


----------



## Killazys (Feb 9, 2007)

Still unable to connect to some internet pages. Here is a logfile. Some problems are: I cannot see all running programs in the toolbar, which prevents safe removal of removable disks; also, at startup TeaTimer ALWAYS asks me to allow/block a change to "load" in the NT Startup category, it says "value deleted". Suggestions?
Logfile of HijackThis v1.99.1
Scan saved at 5:56:50 PM, on 2/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$ADVANCEPRO\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\username\My Documents\My Downloads\hijackthis\HijackThis.exe

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://nefeli.com/"); (C:\Documents and Settings\username\Application Data\Mozilla\Profiles\default\6eye0hh4.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\username\Application Data\Mozilla\Profiles\default\6eye0hh4.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.download.com
O15 - Trusted Zone: http://mail.google.com
O15 - Trusted Zone: http://gunz.ijji.com
O15 - Trusted Zone: http://www.majorgeeks.com
O15 - Trusted Zone: http://forums.techguy.org
O15 - Trusted Zone: http://www.techguy.org
O15 - Trusted Zone: http://www.yahoo.com
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - https://bba.bloomberg.net/Citrix/ICAWEB/en/ica32/wficat.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.shockwave.com/content/feedingfrenzy/SproutLauncher.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
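An added example, written for this page and not part of the thread or of HijackThis itself: a small Python triage helper that parses lines in the HijackThis 1.99 log format and picks out the entries a helper usually checks first: dangling BHOs reported as "(no file)", O15 Trusted Zone additions, services with "Unknown owner", and O23 lines whose image path shows an unmatched double quote. That last case is the pattern visible in the ccSvcHst.exe and PXAgent.exe lines above, where the quoted ImagePath has been cut at its first quote and the "(file missing)" verdict therefore cannot be trusted without checking the service by hand. The sample log embedded in the block is constructed from a few of the line shapes above, not the poster's full log.

```python
"""Triage helper for HijackThis 1.99-style log lines (added example)."""
import re

# Constructed sample: a handful of lines in HijackThis log format modelled on
# the entries shown in this thread. Not the full log.
SAMPLE_LOG = """\
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\\Program Files\\SpywareGuard\\dlprotect.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O15 - Trusted Zone: http://www.techguy.org
O15 - Trusted Zone: http://www.download.com
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\\Program Files\\Prevx1\\PXAgent.exe" -f (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\\WINDOWS\\System32\\Tablet.exe
"""

# Section tag (O2, O15, R3, N3, F1 ...), then " - ", then the entry body.
LINE_RE = re.compile(r"^(O\d+|R\d|N\d|F\d)\s+-\s+(.*)$")


def parse_hjt(text):
    """Split a log into {'section', 'body', 'raw'} dicts; non-entry lines are skipped."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if m:
            entries.append({"section": m.group(1), "body": m.group(2), "raw": raw})
    return entries


def triage(text):
    """Group the entries that usually deserve a second look."""
    findings = {
        "dangling": [],          # loader points at a file that is gone
        "trusted_zone": [],      # O15 sites granted relaxed IE security
        "unknown_owner": [],     # O23 services with no company name
        "verify_manually": [],   # O23 lines with a truncated quoted image path
    }
    for e in parse_hjt(text):
        sec, body, raw = e["section"], e["body"], e["raw"]
        if sec == "O23" and body.count('"') % 2 == 1:
            # An unmatched quote means the quoted ImagePath was cut at its first
            # quote when the line was built, so a "(file missing)" verdict here
            # is unreliable: check the service binary directly instead.
            findings["verify_manually"].append(raw)
        elif "(no file)" in body or "(file missing)" in body:
            findings["dangling"].append(raw)
        if sec == "O15":
            findings["trusted_zone"].append(body.split(": ", 1)[1])
        if sec == "O23" and " - Unknown owner - " in body:
            findings["unknown_owner"].append(raw)
    return findings


if __name__ == "__main__":
    for category, lines in triage(SAMPLE_LOG).items():
        print(f"== {category} ({len(lines)})")
        for line in lines:
            print("  ", line)
```

A dangling O2 entry is safe to remove with HijackThis because nothing is loaded from it any more; the Trusted Zone list is worth reading because every host on it runs with looser IE settings, as the thread's O15 lines show.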


----------



## Cookiegal (Aug 27, 2003)

What exactly is it that TeaTimer is blocking?

Please open HijackThis.
Click on *Open Misc Tools Section*
Make sure that both boxes beside "Generate StartupList Log" are checked:

*List all minor sections(Full)*
*List Empty Sections(Complete)*
Click *Generate StartupList Log*.
Click *Yes* at the prompt.
It will open a text file. Please copy the entire contents of that page and paste it here.


----------



## Killazys (Feb 9, 2007)

StartupList report, 2/12/2007, 7:58:19 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\username\My Documents\My Downloads\hijackthis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.5730.0011)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$ADVANCEPRO\Binn\sqlservr.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\username\My Documents\My Downloads\hijackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\username\Start Menu\Programs\Startup]
SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
osCheck = "C:\Program Files\Norton Internet Security\osCheck.exe"
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
SunJavaUpdateSched = "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
Windows Defender = "C:\Program Files\Windows Defender\MSASCui.exe" -hide

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}] *
StubPath = C:\WINDOWS\system32\ieudinit.exe

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp11.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -BaseSettings

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\Windows: run=
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll - {1E8A6170-7264-4D0F-BEAE-D42A53123C75}
SpywareGuard Download Protection - C:\Program Files\SpywareGuard\dlprotect.dll - {4A368E80-174F-4872-96B5-0B27DDD11DB2}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
Malicious Scripts Scanner - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB}
(no name) - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9}
(no name) - (no file) - {7E853D72-626A-48EC-A868-BA8D5E23E045}
(no name) - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll - {9030D464-4C02-4ABF-8ECC-5164760863C6}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll - {AE7CD045-E861-484f-8273-0445EE161910}
(no name) - C:\Program Files\Windows Live Toolbar\msntb.dll - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton Internet Security - Run Full System Scan - username.job
AppleSoftwareUpdate.job
Check Updates for Windows Live Toolbar.job
MP Scheduled Scan.job

--------------------------------------------------

Enumerating Download Program Files:

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\LegitCheckControl.DLL
CODEBASE = http://download.microsoft.com/downl...-40e1-a617-af65a72a0465/LegitCheckControl.cab

[{238F6F83-B8B4-11CF-8771-00A024541EE3}]
CODEBASE = https://bba.bloomberg.net/Citrix/ICAWEB/en/ica32/wficat.cab

[Windows Live Safety Center Base Module]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\wlscBase.dll
CODEBASE = http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab

[Java Plug-in 1.5.0_10]
InProcServer32 = C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37865.5957175926

[RealArcadeRdxIE Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\RealArcadeRdxIE.dll
CODEBASE = http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab

[Java Plug-in 1.4.0_01]
InProcServer32 = C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
CODEBASE = http://java.sun.com/products/plugin/autodl/jinstall-1_4_0_01-win.cab

[Java Plug-in 1.4.1_02]
InProcServer32 = C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.4.1/jinstall-1_4_1_02-windows-i586.cab

[Java Plug-in 1.5.0_10]
InProcServer32 = C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

[Java Plug-in 1.5.0_10]
InProcServer32 = C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

[HGPlugin9USA Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\HGPlugin9USA.dll
CODEBASE = http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

[SproutLauncherCtrl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\SproutWebLauncher.dll
CODEBASE = http://www.shockwave.com/content/feedingfrenzy/SproutLauncher.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
NameSpace #4: C:\WINDOWS\System32\nwprovau.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\mswsock.dll
Protocol #5: C:\WINDOWS\system32\mswsock.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\rsvpsp.dll
Protocol #17: C:\WINDOWS\system32\rsvpsp.dll

*Still limited or no internet connectivity, part 2 to come. - Killazys*


----------



## Killazys (Feb 9, 2007)

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Adobe LM Service: "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe" (manual start)
AdobeVersionCue: C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe (manual start)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ati2mtag: System32\DRIVERS\ati2mtag.sys (manual start)
atimtag: System32\DRIVERS\atimtag.sys (manual start)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Automatic LiveUpdate Scheduler: "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" (autostart)
basic2: System32\DRIVERS\HSF_BSC2.sys (manual start)
BCM 802.11b Network Adapter Driver: system32\DRIVERS\bcmwl5.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (autostart)
Symantec Settings Manager: "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
.NET Runtime Optimization Service v2.0.50727_X86: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (manual start)
Symantec Lic NetConnect service: "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (autostart)
C-Media PCI Audio Driver (WDM): system32\drivers\cmaudio.sys (manual start)
COM Host: "C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe" (manual start)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
MS IEEE-1284.4 Driver: System32\DRIVERS\Dot4.sys (manual start)
Print Class Driver for IEEE-1284.4: System32\DRIVERS\Dot4Prt.sys (manual start)
Scan Class Driver for IEEE-1284.4: System32\DRIVERS\Dot4Scan.sys (manual start)
Dot4USB Filter Dot4USB Filter: System32\DRIVERS\dot4usb.sys (manual start)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Symantec Eraser Control driver: \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (system)
EraserUtilRebootDrv: \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fallback: System32\DRIVERS\HSF_FALL.sys (autostart)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Windows Presentation Foundation Font Cache 3.0.0.0: c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe (manual start)
Fsks: System32\DRIVERS\HSF_FSKS.sys (autostart)
FsVga: System32\DRIVERS\fsvga.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
GEARAspiWDM: System32\Drivers\GEARAspiWDM.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Google Updater Service: "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe" (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
IEEE-1284.4 Driver HPZid412: system32\DRIVERS\HPZid412.sys (manual start)
Print Class Driver for IEEE-1284.4 HPZipr12: system32\DRIVERS\HPZipr12.sys (manual start)
USB to IEEE-1284.4 Translation Driver HPZius12: system32\DRIVERS\HPZius12.sys (manual start)
HSFHWBS2: System32\DRIVERS\HSFBS2S2.sys (manual start)
HSF_DP: System32\DRIVERS\HSFDPSP2.sys (manual start)
hsf_msft: System32\DRIVERS\HSF_MSFT.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
Windows CardSpace: "C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe" (manual start)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
Intel Processor Driver: System32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
iPod Service: "C:\Program Files\iPod\bin\iPodService.exe" (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Symantec IS Password Validation: "C:\Program Files\Norton Internet Security\isPwdSvc.exe" (manual start)
K56: System32\DRIVERS\HSF_K56K.sys (autostart)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
LiveUpdate: "C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE" (manual start)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" (autostart)
mdmxsdk: System32\DRIVERS\mdmxsdk.sys (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
MSSQL$ADVANCEPRO: C:\Program Files\Microsoft SQL Server\MSSQL$ADVANCEPRO\Binn\sqlservr.exe -sADVANCEPRO (autostart)
MSSQLServerADHelper: C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (manual start)
NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070212.033\NAVENG.SYS (manual start)
NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070212.033\NAVEX15.SYS (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBT: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Net.Tcp Port Sharing Service: "C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe" (disabled)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NPPTNT2: \??\C:\WINDOWS\system32\npptNT2.sys (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Office Source Engine: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Pen Class: System32\Drivers\PenClass.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
Pml Driver HPZ12: C:\WINDOWS\system32\HPZipm12.exe (manual start)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Prevx Agent: "C:\Program Files\Prevx1\PXAgent.exe" -f (autostart)
PREVX Kernel Mode Agent: system32\drivers\pxfsf.sys (system)
PREVX Emulator Driver: system32\drivers\pxemu.sys (manual start)
PREVX Tdi filter: system32\drivers\pxtdi.sys (system)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PREVX Rootkitscan driver: \??\C:\WINDOWS\system32\drivers\pxrd.sys (system)
qic157: System32\DRIVERS\qic157.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Rksample: System32\DRIVERS\HSF_SAMP.sys (manual start)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SIS AGP Bus Filter: System32\DRIVERS\sisagp.sys (system)
SiS PCI Fast Ethernet Adapter Driver: System32\DRIVERS\sisnic.sys (manual start)
SoftFax: System32\DRIVERS\HSF_FAXX.sys (autostart)
SPBBCDrv: \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (system)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
SQLAgent$ADVANCEPRO: C:\Program Files\Microsoft SQL Server\MSSQL$ADVANCEPRO\Binn\sqlagent.EXE -i ADVANCEPRO (manual start)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SRTSP: System32\Drivers\SRTSP.SYS (manual start)
SRTSPL: System32\Drivers\SRTSPL.SYS (manual start)
SRTSPX: System32\Drivers\SRTSPX.SYS (system)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{3BC38FD1-5B97-4CFC-874D-A6E0A00A2A06} (manual start)
Symantec Core LC: "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" (manual start)
Symantec AppCore Service: "C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe" (autostart)
SYMDNS: \SystemRoot\System32\Drivers\SYMDNS.SYS (manual start)
SymEvent: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (manual start)
SYMFW: \SystemRoot\System32\Drivers\SYMFW.SYS (manual start)
SYMIDS: \SystemRoot\System32\Drivers\SYMIDS.SYS (manual start)
SYMIDSCO: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\idsdefs\20070124.003\SymIDSCo.sys (manual start)
SYMNDIS: \SystemRoot\System32\Drivers\SYMNDIS.SYS (manual start)
SYMREDRV: \SystemRoot\System32\Drivers\SYMREDRV.SYS (manual start)
SYMTDI: \SystemRoot\System32\Drivers\SYMTDI.SYS (system)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
TabletService: C:\WINDOWS\System32\Tablet.exe (autostart)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Tones: System32\DRIVERS\HSF_TONE.sys (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Generic Parent Driver: system32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: System32\DRIVERS\usbohci.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Messenger Sharing Folders USN Journal Reader service: "C:\Program Files\MSN Messenger\usnsvc.exe" (manual start)
User Privilege Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
utblfilt: System32\drivers\utblfilt.sys (manual start)
V124: System32\DRIVERS\HSF_V124.sys (autostart)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Winbond Memory Stick Storage (MS) Device Driver: System32\Drivers\WBMS.SYS (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
winachsf: System32\DRIVERS\HSFCXTS2.sys (manual start)
Windows Defender: "C:\Program Files\Windows Defender\MsMpEng.exe" (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Media Player Network Sharing Service: "C:\Program Files\Windows Media Player\WMPNetwk.exe" (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (disabled)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Driver Foundation - User-mode Driver Framework Platform Driver: system32\DRIVERS\WudfPf.sys (manual start)
Windows Driver Foundation - User-mode Driver Framework Reflector: system32\DRIVERS\wudfrd.sys (manual start)
Windows Driver Foundation - User-mode Driver Framework: %SystemRoot%\system32\svchost.exe -k WudfServiceGroup (manual start)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
UPnPMonitor: C:\WINDOWS\system32\upnpui.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

End of report, 39,922 bytes
Report generated in 3.766 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## Killazys (Feb 9, 2007)

I get an internet connection in around 5-minute intervals... this is definitely spiking. Should I get one of those wireless enhancers, or do you think it's a deleted-spyware problem? Any suggestions?


----------



## Cookiegal (Aug 27, 2003)

I would not download anything else at this point.

Download GMER from: http://majorgeeks.com/download.php?det=5198

Save it somewhere on your hard drive and unzip it to desktop.

Double-click gmer.exe to run it, select the Rootkit tab, press Scan, and when it has finished press Save and copy the log back here please.


----------



## Killazys (Feb 9, 2007)

Just a heads-up in case my HJT or other logs didn't show it... my file system is FAT32 as opposed to NTFS. So, I don't think there is any point in scanning the volume for ADS.

GMER 1.0.12.12027 - http://www.gmer.net
Rootkit scan 2007-02-12 22:45:10
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.12 ----

SSDT 81D6AA48 ZwAlertResumeThread
SSDT 81CD7168 ZwAlertThread
SSDT pxfsf.sys ZwAllocateUserPhysicalPages
SSDT 81D60C80 ZwAllocateVirtualMemory
SSDT pxfsf.sys ZwClose
SSDT pxfsf.sys ZwCompactKeys
SSDT pxfsf.sys ZwCompressKey
SSDT 822B72E8 ZwConnectPort
SSDT pxfsf.sys ZwCreateDirectoryObject
SSDT pxfsf.sys ZwCreateEvent
SSDT pxfsf.sys ZwCreateEventPair
SSDT pxfsf.sys ZwCreateFile
SSDT pxfsf.sys ZwCreateIoCompletion
SSDT pxfsf.sys ZwCreateJobObject
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwCreateKey
SSDT pxfsf.sys ZwCreateMailslotFile
SSDT 81D7A950 ZwCreateMutant
SSDT pxfsf.sys ZwCreateNamedPipeFile
SSDT pxfsf.sys ZwCreatePort
SSDT pxfsf.sys ZwCreateProcess
SSDT pxfsf.sys ZwCreateProcessEx
SSDT pxfsf.sys ZwCreateSection
SSDT pxfsf.sys ZwCreateSemaphore
SSDT pxfsf.sys ZwCreateSymbolicLinkObject
SSDT 81D5D800 ZwCreateThread
SSDT pxfsf.sys ZwCreateTimer
SSDT pxfsf.sys ZwCreateToken
SSDT pxfsf.sys ZwDeleteFile
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwDeleteKey
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwDeleteValueKey
SSDT pxfsf.sys ZwDeviceIoControlFile
SSDT pxfsf.sys ZwDuplicateObject
SSDT pxfsf.sys ZwEnumerateKey
SSDT pxfsf.sys ZwEnumerateValueKey
SSDT pxfsf.sys ZwFreeUserPhysicalPages
SSDT 81CEA1A8 ZwFreeVirtualMemory
SSDT 81D6D240 ZwImpersonateAnonymousToken
SSDT 81D6BFD0 ZwImpersonateThread
SSDT pxfsf.sys ZwLoadDriver
SSDT pxfsf.sys ZwLoadKey
SSDT pxfsf.sys ZwLoadKey2
SSDT pxfsf.sys ZwLockRegistryKey
SSDT pxfsf.sys ZwLockVirtualMemory
SSDT 81C8E1E8 ZwMapViewOfSection
SSDT 81D7AA18 ZwOpenEvent
SSDT pxfsf.sys ZwOpenFile
SSDT pxfsf.sys ZwOpenKey
SSDT pxfsf.sys ZwOpenProcess
SSDT 81CD1108 ZwOpenProcessToken
SSDT pxfsf.sys ZwOpenSection
SSDT pxfsf.sys ZwOpenThread
SSDT 81D58288 ZwOpenThreadToken
SSDT pxfsf.sys ZwProtectVirtualMemory
SSDT pxfsf.sys ZwQueryInformationProcess
SSDT pxfsf.sys ZwQueryInformationThread
SSDT pxfsf.sys ZwQueryKey
SSDT pxfsf.sys ZwQueryMultipleValueKey
SSDT pxfsf.sys ZwQueryOpenSubKeys
SSDT pxfsf.sys ZwQueryValueKey
SSDT pxfsf.sys ZwQueueApcThread
SSDT pxfsf.sys ZwReadFile
SSDT pxfsf.sys ZwReadVirtualMemory
SSDT pxfsf.sys ZwRenameKey
SSDT pxfsf.sys ZwReplaceKey
SSDT pxfsf.sys ZwRestoreKey
SSDT pxfsf.sys ZwResumeProcess
SSDT 82041DB8 ZwResumeThread
SSDT pxfsf.sys ZwSaveKey
SSDT pxfsf.sys ZwSaveKeyEx
SSDT pxfsf.sys ZwSaveMergedKeys
SSDT 81D63420 ZwSetContextThread
SSDT pxfsf.sys ZwSetInformationKey
SSDT 81C807E0 ZwSetInformationProcess
SSDT 81D63768 ZwSetInformationThread
SSDT pxfsf.sys ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwSetValueKey
SSDT 81D85D48 ZwSuspendProcess
SSDT 81CDA168 ZwSuspendThread
SSDT pxfsf.sys ZwSystemDebugControl
SSDT pxfsf.sys ZwTerminateJobObject
SSDT 81C911D8 ZwTerminateProcess
SSDT 81CD4128 ZwTerminateThread
SSDT pxfsf.sys ZwUnloadDriver
SSDT pxfsf.sys ZwUnloadKey
SSDT pxfsf.sys ZwUnloadKeyEx
SSDT pxfsf.sys ZwUnlockVirtualMemory
SSDT 81C805F8 ZwUnmapViewOfSection
SSDT pxfsf.sys ZwWriteFile
SSDT 81D60FC0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!_abnormal_termination + D4 804E2730 24 Bytes [ 79, 48, 76, F9, 83, 48, 76, ... ]
.text ntoskrnl.exe!_abnormal_termination + F0 804E274C 16 Bytes [ D0, 07, 28, F1, BF, 48, 76, ... ]
.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [ DD, 48, 76, F9, E7, 48, 76, ... ]
.text ntoskrnl.exe!_abnormal_termination + 114 804E2770 24 Bytes [ FB, 48, 76, F9, 05, 49, 76, ... ]
.text ntoskrnl.exe!_abnormal_termination + 1D0 804E282C 12 Bytes [ A5, 49, 76, F9, AF, 49, 76, ... ]
.text ...

---- EOF - GMER 1.0.12 ----


----------



## Cookiegal (Aug 27, 2003)

Open HijackThis and click on the *Open Misc Tools section* button. Click on the *Open Uninstall Manager* button. Click the *Save List* button. Save the list then copy and paste it here.


----------



## Killazys (Feb 9, 2007)

I still have NO internet connection, BUT running programs DO appear in the toolbar (TeaTimer is still asking me to delete that thing in NT Startup!)

HJT Uninstall Manager List:
?X?i?{AN?y¡ÓM¡P~ac-3.1
?X?iA¢D?g?y
?X?i£g¡±-9.0
Ad-Aware SE Personal
Adobe Acrobat 6.0 Professional
Adobe Creative Suite
Adobe Flash Player 9 ActiveX
Adobe SVG Viewer 3.0
AdvancePro
AIM 6.0
AppCore
Apple Software Update
AV
ccCommon
CCleaner (remove only)
CutePDF Writer 2.5
D3DGear
EasyCleaner
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
HijackThis 1.99.1
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB928388)
HP Image Zone 4.0
hp officejet d series
HP Photo Printing Software
HP Share-to-Web
HP Software Update
ijji - Gunz
iTunes
J2SE Runtime Environment 5.0 Update 10
Java 2 Runtime Environment, SE v1.4.0_01
Java 2 Runtime Environment, SE v1.4.1_02
Java Web Start
Lavasoft VX2 Cleaner
LimeWire 4.12.11
LiveUpdate 3.1 (Symantec Corporation)
Macromedia Dreamweaver 4
Macromedia Extension Manager
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft Office Professional Edition 2003
Microsoft SQL Server Desktop Engine (ADVANCEPRO)
Microsoft User-Mode Driver Framework Feature Pack 1.0
MotionDV STUDIO 5.3E LE for DV
MSRedist
MSXML 4.0 SP2 (KB927978)
MSXML 6.0 Parser (KB927977)
Nero - Burning Rom
Nikon Message Center
Nikon View 5
Norton AntiVirus
Norton Confidential Browser Component
Norton Confidential Web Protection Component
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
OneCare Advisor (Windows Live Toolbar)
PCI Audio Driver
Photosmart 320,370,7400,8100,8400 Series
PowerDVD
Prevx1
QuickTime
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Shockwave
SmartFTP
SmartFTP Client 2.0
SmartFTP Client 2.0 Setup Files (remove only)
SPBBC 32bit
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
SpywareGuard v2.2
SymNet
Update for Windows XP (KB904942)
Update for Windows XP (KB920342)
Update for Windows XP (KB925876)
USB Tablet Driver
Video Stream Driver for Panasonic DVC
Wacom Tablet Driver
Wacom?A|iaOAX¢XE£g{|!
Windows Communication Foundation
Windows Defender
Windows Imaging Component
Windows Internet Explorer 7
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Service Pack 2


----------



## Cookiegal (Aug 27, 2003)

Do you know what these are?

?X?i?{AN?y¡ÓM¡P~ac-3.1
?X?iA¢D?g?y
?X?i£g¡±-9.0


----------



## Killazys (Feb 9, 2007)

I have absolutely no idea. I didn't even know they were there...


----------



## Cookiegal (Aug 27, 2003)

I think they may be related to your Wacom tablet, and HijackThis doesn't recognize the characters, as I see this entry as well:

Wacom?A|iaOAX¢XE£g{|!


What is it that is Tea Timer blocking?


----------



## Killazys (Feb 9, 2007)

I have really no clue. It is blocking this (not exactly the actual popup but all the information):
TeaTimer has detected an important registry change. Would you like to allow it?
Value name: load, Category NT Startup, Value deleted.
Also, TeaTimer allows around 10 reg changes every startup, due to my "white list", and it's blocking programs from starting up with the system, but I think I blocked it myself using Spybot's Startup List function. What is Wacom anyway? (I think it came with the PC, not sure though.)
Still no internet waaaaa


----------



## Cookiegal (Aug 27, 2003)

Isn't Wacom the brand name of your tablet?

There should be a log from TeaTimer in Spybot so see if you can get that log pasted here.


----------



## Killazys (Feb 9, 2007)

Yes, but what is a tablet? (Sorry for the questions.) And I cannot find the log! OH, I know what the weird symbols are! They're in Chinese. Somehow, HJT doesn't read Chinese!! (It's a Chinese program... d'uh)


----------



## Cookiegal (Aug 27, 2003)

In Spybot, under Tools - click on View Report.

A tablet PC is similar to a laptop but you can actually write on it with a stylus pen. Is this not what you have?


----------



## Killazys (Feb 9, 2007)

I have a tower (desktop) PC with a separate attached monitor. However, I think Wacom is a tablet used to write Chinese on my computer, but I don't need it anymore. Should I delete it? Here is the TeaTimer log:

2/12/2007 5:04:44 PM Allowed value "swg" (new data: "") deleted in System Startup user entry!
2/12/2007 5:04:44 PM Allowed value "Aim6" (new data: "") deleted in System Startup user entry!
2/12/2007 5:04:44 PM Allowed value "HPDJ Taskbar Utility" (new data: "") deleted in System Startup global entry!
2/12/2007 5:04:44 PM Allowed value "HPHUPD06" (new data: "") deleted in System Startup global entry!
2/12/2007 5:04:45 PM Allowed value "HP Software Update" (new data: "") deleted in System Startup global entry!
2/12/2007 5:04:45 PM Allowed value "HP Component Manager" (new data: "") deleted in System Startup global entry!
2/12/2007 5:04:45 PM Allowed value "HPHmon06" (new data: "") deleted in System Startup global entry!
2/12/2007 5:04:45 PM Allowed value "QuickTime Task" (new data: "") deleted in System Startup global entry!
2/12/2007 5:04:45 PM Allowed value "PrevxOne" (new data: "") deleted in System Startup global entry!
2/12/2007 5:04:46 PM Allowed value "Local Page" (new data: "") deleted in Browser page!
2/12/2007 5:04:58 PM Allowed value "load" (new data: "") deleted in NT startup!
2/12/2007 5:26:06 PM Allowed value "swg" (new data: "") deleted in System Startup user entry!
2/12/2007 5:26:06 PM Allowed value "Aim6" (new data: "") deleted in System Startup user entry!
2/12/2007 5:26:06 PM Allowed value "HPDJ Taskbar Utility" (new data: "") deleted in System Startup global entry!
2/12/2007 5:26:06 PM Allowed value "HPHUPD06" (new data: "") deleted in System Startup global entry!
2/12/2007 5:26:06 PM Allowed value "HP Software Update" (new data: "") deleted in System Startup global entry!
2/12/2007 5:26:06 PM Allowed value "HP Component Manager" (new data: "") deleted in System Startup global entry!
2/12/2007 5:26:06 PM Allowed value "HPHmon06" (new data: "") deleted in System Startup global entry!
2/12/2007 5:26:06 PM Allowed value "QuickTime Task" (new data: "") deleted in System Startup global entry!
2/12/2007 5:26:06 PM Allowed value "PrevxOne" (new data: "") deleted in System Startup global entry!
2/12/2007 5:26:06 PM Allowed value "Local Page" (new data: "") deleted in Browser page!
2/12/2007 5:26:21 PM Allowed value "load" (new data: "") deleted in NT startup!
2/12/2007 6:22:39 PM Allowed value "swg" (new data: "") deleted in System Startup user entry!
2/12/2007 6:22:39 PM Allowed value "Aim6" (new data: "") deleted in System Startup user entry!
2/12/2007 6:22:39 PM Allowed value "HPDJ Taskbar Utility" (new data: "") deleted in System Startup global entry!
2/12/2007 6:22:39 PM Allowed value "HPHUPD06" (new data: "") deleted in System Startup global entry!
2/12/2007 6:22:39 PM Allowed value "HP Software Update" (new data: "") deleted in System Startup global entry!
2/12/2007 6:22:39 PM Allowed value "HP Component Manager" (new data: "") deleted in System Startup global entry!
2/12/2007 6:22:39 PM Allowed value "HPHmon06" (new data: "") deleted in System Startup global entry!
2/12/2007 6:22:39 PM Allowed value "QuickTime Task" (new data: "") deleted in System Startup global entry!
2/12/2007 6:22:39 PM Allowed value "PrevxOne" (new data: "") deleted in System Startup global entry!
2/12/2007 6:22:39 PM Allowed value "Local Page" (new data: "") deleted in Browser page!
2/12/2007 6:22:45 PM Allowed value "load" (new data: "") deleted in NT startup!
2/13/2007 4:56:21 PM Allowed value "swg" (new data: "") deleted in System Startup user entry!
2/13/2007 4:56:21 PM Allowed value "Aim6" (new data: "") deleted in System Startup user entry!
2/13/2007 4:56:21 PM Allowed value "HPDJ Taskbar Utility" (new data: "") deleted in System Startup global entry!
2/13/2007 4:56:21 PM Allowed value "HPHUPD06" (new data: "") deleted in System Startup global entry!
2/13/2007 4:56:21 PM Allowed value "HP Software Update" (new data: "") deleted in System Startup global entry!
2/13/2007 4:56:21 PM Allowed value "HP Component Manager" (new data: "") deleted in System Startup global entry!
2/13/2007 4:56:21 PM Allowed value "HPHmon06" (new data: "") deleted in System Startup global entry!
2/13/2007 4:56:21 PM Allowed value "QuickTime Task" (new data: "") deleted in System Startup global entry!
2/13/2007 4:56:21 PM Allowed value "PrevxOne" (new data: "") deleted in System Startup global entry!
2/13/2007 4:56:21 PM Allowed value "Local Page" (new data: "") deleted in Browser page!
2/13/2007 4:56:26 PM Allowed value "load" (new data: "") deleted in NT startup!
2/13/2007 9:12:40 PM Allowed value "swg" (new data: "") deleted in System Startup user entry!
2/13/2007 9:12:40 PM Allowed value "Aim6" (new data: "") deleted in System Startup user entry!
2/13/2007 9:12:40 PM Allowed value "HPDJ Taskbar Utility" (new data: "") deleted in System Startup global entry!
2/13/2007 9:12:41 PM Allowed value "HPHUPD06" (new data: "") deleted in System Startup global entry!
2/13/2007 9:12:41 PM Allowed value "HP Software Update" (new data: "") deleted in System Startup global entry!
2/13/2007 9:12:41 PM Allowed value "HP Component Manager" (new data: "") deleted in System Startup global entry!
2/13/2007 9:12:41 PM Allowed value "HPHmon06" (new data: "") deleted in System Startup global entry!
2/13/2007 9:12:41 PM Allowed value "QuickTime Task" (new data: "") deleted in System Startup global entry!
2/13/2007 9:12:41 PM Allowed value "PrevxOne" (new data: "") deleted in System Startup global entry!
2/13/2007 9:12:41 PM Allowed value "Local Page" (new data: "") deleted in Browser page!
2/13/2007 9:15:20 PM Allowed value "load" (new data: "") deleted in NT startup!
2/14/2007 4:25:41 PM Allowed value "swg" (new data: "") deleted in System Startup user entry!
2/14/2007 4:25:41 PM Allowed value "Aim6" (new data: "") deleted in System Startup user entry!
2/14/2007 4:25:41 PM Allowed value "HPDJ Taskbar Utility" (new data: "") deleted in System Startup global entry!
2/14/2007 4:25:41 PM Allowed value "HPHUPD06" (new data: "") deleted in System Startup global entry!
2/14/2007 4:25:41 PM Allowed value "HP Software Update" (new data: "") deleted in System Startup global entry!
2/14/2007 4:25:41 PM Allowed value "HP Component Manager" (new data: "") deleted in System Startup global entry!
2/14/2007 4:25:41 PM Allowed value "HPHmon06" (new data: "") deleted in System Startup global entry!
2/14/2007 4:25:42 PM Allowed value "QuickTime Task" (new data: "") deleted in System Startup global entry!
2/14/2007 4:25:42 PM Allowed value "PrevxOne" (new data: "") deleted in System Startup global entry!
2/14/2007 4:25:42 PM Allowed value "Local Page" (new data: "") deleted in Browser page!
2/14/2007 4:25:51 PM Allowed value "load" (new data: "") deleted in NT startup!

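The log above is a burst of the same registry changes at every boot, which is hard to read line by line. As an added example (not code from the thread or from Spybot), here is a small Python parser for TeaTimer's report format that groups events into boot sessions and lists which values are changed in more than one session; the sample lines are constructed in the same layout as the pasted log, and the 120-second session gap is an assumption about how close together TeaTimer's startup burst lands.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format TeaTimer writes to its report; these
# lines are modelled on the log pasted above, not copied from it.
SAMPLE_LOG = """\
2/12/2007 5:04:44 PM Allowed value "swg" (new data: "") deleted in System Startup user entry!
2/12/2007 5:04:45 PM Allowed value "PrevxOne" (new data: "") deleted in System Startup global entry!
2/12/2007 5:04:58 PM Allowed value "load" (new data: "") deleted in NT startup!
2/12/2007 5:26:06 PM Allowed value "swg" (new data: "") deleted in System Startup user entry!
2/12/2007 5:26:06 PM Allowed value "PrevxOne" (new data: "") deleted in System Startup global entry!
2/12/2007 5:26:21 PM Allowed value "load" (new data: "") deleted in NT startup!
2/13/2007 4:56:21 PM Allowed value "swg" (new data: "") deleted in System Startup user entry!
"""

# One TeaTimer line: timestamp, decision, value name, new data, action, location.
LINE_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<decision>Allowed|Denied) value "(?P<name>[^"]*)" '
    r'\(new data: "(?P<data>[^"]*)"\) (?P<action>\w+) in (?P<where>.+?)!$'
)


def parse_teatimer_line(line):
    """Return a dict for one TeaTimer report line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(ev.pop("ts"), "%m/%d/%Y %I:%M:%S %p")
    return ev


def parse_log(text):
    """Parse a whole report, skipping lines that are not TeaTimer events."""
    events = [parse_teatimer_line(line) for line in text.splitlines()]
    return [ev for ev in events if ev is not None]


def group_sessions(events, gap_seconds=120):
    """Split events into boot sessions: TeaTimer fires a burst of changes at each
    startup, so a gap longer than gap_seconds (assumed) starts a new session."""
    sessions = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if sessions and (ev["time"] - sessions[-1][-1]["time"]).total_seconds() <= gap_seconds:
            sessions[-1].append(ev)
        else:
            sessions.append([ev])
    return sessions


def recurring_changes(events, gap_seconds=120, min_sessions=2):
    """(value name, location, number of sessions) for every change that repeats
    across at least min_sessions boots, most frequent first."""
    seen = defaultdict(set)
    for idx, session in enumerate(group_sessions(events, gap_seconds)):
        for ev in session:
            seen[(ev["name"], ev["where"])].add(idx)
    rows = [(name, where, len(ids)) for (name, where), ids in seen.items()
            if len(ids) >= min_sessions]
    rows.sort(key=lambda r: (-r[2], r[0]))
    return rows


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print(f"{len(events)} events in {len(group_sessions(events))} boot sessions")
    for name, where, n in recurring_changes(events):
        print(f"  {name!r} in {where}: changed in {n} sessions")
```

A value that is deleted at every single boot is either the user's own startup blocking (as Killazys suspects here) or something re-creating and removing an entry each time; the session count makes that pattern visible so the analyst can ask which it is rather than reading dozens of near-identical lines.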

----------



## Killazys (Feb 9, 2007)

Anyone?


----------



## Cookiegal (Aug 27, 2003)

*Click here* to download Silent Runners.
Save (do not choose open) it to the desktop.
Run SilentRunners by double clicking the "SilentRunners" icon on your desktop.
You will see a text file appear on the desktop - *it's not done, let it run (it won't appear to be doing anything!)*
Once you receive the prompt *All Done!*, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE: If you receive any warning message about scripts, please choose to allow the script to run.*


----------



## Killazys (Feb 9, 2007)

Please note: I am using a portable USB drive to transport files to my other computer since my other computer has no internet access. Will this affect Silent Runners in any way?


----------



## Cookiegal (Aug 27, 2003)

Can you try this again to see if it restores your Internet connection:

Go to Start - Run - type in cmd and click OK.

At the command prompt type in:

*netsh winsock reset catalog*

Press enter.

then type in:

*netsh int ip reset resetlog.txt*

Press enter.

You will need to reboot afterwards.

I don't think it will be a problem with Silent Runners on the portable drive.


----------



## Killazys (Feb 9, 2007)

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"osCheck" = ""C:\Program Files\Norton Internet Security\osCheck.exe"" ["Symantec Corporation"]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"Windows Defender" = ""C:\Program Files\Windows Defender\MSASCui.exe" -hide" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{1E8A6170-7264-4D0F-BEAE-D42A53123C75}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll" ["Symantec Corporation"]
{4A368E80-174F-4872-96B5-0B27DDD11DB2}\(Default) = "SpywareGuard Download Protection"
-> {HKLM...CLSID} = "SpywareGuardDLBLOCK.CBrowserHelper"
\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\dlprotect.dll" [null data]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{55EA1964-F5E4-4D6A-B9B2-125B37655FCB}\(Default) = "Malicious Scripts Scanner"
-> {HKLM...CLSID} = "URLDetector Class"
\InProcServer32\(Default) = "C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll" ["Prevx Ltd."]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]
{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AOL Toolbar Launcher"
\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" ["America Online, Inc."]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Sign-in Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEToolbarHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{A4DF5659-0801-4A60-9607-1C48695EFDA9}" = "Share-to-Web Upload Folder"
-> {HKLM...CLSID} = "Share-to-Web Upload Folder"
\InProcServer32\(Default) = "C:\Program Files\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL" ["Hewlett-Packard"]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{B8323370-FF27-11D2-97B6-204C4F4F5020}" = "SmartFTP Shell Extension DLL"
-> {HKLM...CLSID} = "SmartFTP Shell Extension DLL"
\InProcServer32\(Default) = "C:\Program Files\SmartFTP Client 2.0\smarthook.dll" ["SmartFTP"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {HKLM...CLSID} = "Universal Plug and Play Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "My Sharing Folders"
\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll" [MS]
"{81559C35-8464-49F7-BB0E-07A383BEF910}" = (no title provided)
-> {HKLM...CLSID} = "SpywareGuard.Handler"
\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{81559C35-8464-49F7-BB0E-07A383BEF910}" = (no title provided)
-> {HKLM...CLSID} = "SpywareGuard.Handler"
\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]
<<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
-> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
\InProcServer32\(Default) = "C:\PROGRA~1\WIFD1F~1\MpShHook.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\PROGRA~1\NORTON~2\NORTON~1\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\PROGRA~1\NORTON~2\NORTON~1\NavShExt.dll" ["Symantec Corporation"]

Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\

"NoBrowserOptions" = (REG_DWORD) hex:0x00000000
{Tools menu: Disable Internet Options... menu option}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\username\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]

Startup items in "username" & "All Users" startup folders:
----------------------------------------------------------

C:\Documents and Settings\username\Start Menu\Programs\Startup
"SpywareGuard" -> shortcut to: "C:\Program Files\SpywareGuard\sgmain.exe" [null data]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Service Manager" -> shortcut to: "C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe /n" [MS]

Enabled Scheduled Tasks:
------------------------

"Norton Internet Security - Run Full System Scan - username" -> launches: "C:\PROGRA~1\NORTON~2\NORTON~1\Navw32.exe /TASK:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task" ["Apple Computer, Inc."]
"Check Updates for Windows Live Toolbar" -> launches: "C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE" [MS]
"MP Scheduled Scan" -> launches: "C:\Program Files\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 16 - 17

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]
"{DE9C389F-3316-41A7-809B-AA305ED9D922}"
-> {HKLM...CLSID} = "AOL Toolbar"
\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" ["America Online, Inc."]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"
-> {HKLM...CLSID} = "Windows Live Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]
"{DE9C389F-3316-41A7-809B-AA305ED9D922}" = "AOL Toolbar"
-> {HKLM...CLSID} = "AOL Toolbar"
\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" ["America Online, Inc."]
"{90222687-F593-4738-B738-FBEE9C7B26DF}" = "NCO Toolbar"
-> {HKLM...CLSID} = "Show Norton Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll" ["Symantec Corporation"]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = (no title provided)
-> {HKLM...CLSID} = "Windows Live Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.5.0_10"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_10"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll" ["Sun Microsystems, Inc."]

{3369AF0D-62E9-4BDA-8103-B4C75499B578}\
"ButtonText" = "AOL Toolbar"
"CLSIDExtension" = "{DE9C389F-3316-41A7-809B-AA305ED9D922}"
-> {HKLM...CLSID} = "AOL Toolbar"
\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" ["America Online, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{EA756889-2338-43DB-8F07-D1CA6FB9C90D}" = "AOL Search"
-> {HKLM...CLSID} = "AOLTBSearch Class"
\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" ["America Online, Inc."]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Automatic LiveUpdate Scheduler, Automatic LiveUpdate Scheduler, ""C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"" ["Symantec Corporation"]
iPod Service, iPod Service, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Computer, Inc."]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
MSSQL$ADVANCEPRO, MSSQL$ADVANCEPRO, "C:\Program Files\Microsoft SQL Server\MSSQL$ADVANCEPRO\Binn\sqlservr.exe -sADVANCEPRO" [MS]
Prevx Agent, PREVXAgent, ""C:\Program Files\Prevx1\PXAgent.exe" -f" ["Prevx"]
Symantec AppCore Service, SymAppCore, ""C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
Symantec Lic NetConnect service, CLTNetCnService, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
TabletService, TabletService, "C:\WINDOWS\System32\Tablet.exe" ["Wacom Technology, Corp."]
Windows Defender, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."]
CutePDF Writer Monitor\Driver = "cpwmon2k.dll" [null data]
hpzlnt11\Driver = "hpzlnt11.dll" ["HP"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

----------
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 83 seconds.
---------- (total run time: 192 seconds)
*The internet is back, but it is stuck on "Acquiring network Address" at 125 mbps (!) so it does not work. - Killazys*


----------



## Killazys (Feb 9, 2007)

Internet is officially connected! I have successfully uploaded dorp.dat for file review at TheSpyKiller forums!!


----------



## Killazys (Feb 9, 2007)

What now?


----------



## Cookiegal (Aug 27, 2003)

Is the Internet working properly now or just partially?

Go to Start - Run - type in the following and click OK.

C:\Windows\win.ini

A Notepad text of the win.ini file will open up. Please copy and paste the contents here.


----------



## Killazys (Feb 9, 2007)

Here it is... (looks kinda funny to me)
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
CMC=1
CMCDLLNAME=mapi.dll
CMCDLLNAME32=mapi32.dll
MAPIX=1
MAPIXVER=1.0.0.1
OLEMessaging=1
[MCI Extensions.BAK]
aif=MPEGVideo
aifc=MPEGVideo
aiff=MPEGVideo
asf=MPEGVideo2
asx=MPEGVideo2
au=MPEGVideo
m1v=MPEGVideo
m3u=MPEGVideo2
mp2=MPEGVideo
mp2v=MPEGVideo
mp3=MPEGVideo2
mpa=MPEGVideo
mpe=MPEGVideo
mpeg=MPEGVideo
mpg=MPEGVideo
mpv2=MPEGVideo
snd=MPEGVideo
wax=MPEGVideo2
wm=MPEGVideo2
wma=MPEGVideo2
wmp=MPEGVideo2
wmv=MPEGVideo2
wmx=MPEGVideo2
wvx=MPEGVideo2
wpl=MPEGVideo
m2v=MPEGVideo
mod=MPEGVideo
[IOCR]
exename=READIRIS
fullname=READIRIS
[READIRIS]
exe-path=C:\Program Files\Hewlett-Packard\Readiris\
iris-path=C:\Program Files\Hewlett-Packard\Readiris\
version=500
SN4=43990216
menu=1
language=1
Scanner32=twaino38,1
[MSUCE]
Advanced=0
CodePage=Unicode
Font=LunaITC TT


----------



## Cookiegal (Aug 27, 2003)

No, that looks fine.

Please do a search for this file and let me know if you find it.

*retro64_loader.dll*


----------



## Killazys (Feb 9, 2007)

Nothing found!


----------



## Cookiegal (Aug 27, 2003)

Download pv.zip from *Here* and extract the zip file to your C: drive. Once it is extracted there will be a directory on your C: drive called PV. Inside the C:\PV directory will be a file called runme.bat. Simply double-click on the runme.bat file. A DOS window will open. Select option 1 for explorer dlls by typing 1 and then pressing enter. Notepad will open with a log in it. Copy and paste the log into this thread. It is usually pretty large and takes more than one post. Please do option 2 for Internet Explorer dlls too.


----------



## Killazys (Feb 9, 2007)

Option one says:
Module information for 'Explorer.EXE'
MODULE BASE SIZE PATH
Explorer.EXE 1000000 1044480 C:\WINDOWS\Explorer.EXE 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Windows Explorer
ntdll.dll 7c900000 720896 C:\WINDOWS\system32\ntdll.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) NT Layer DLL
kernel32.dll 7c800000 999424 C:\WINDOWS\system32\kernel32.dll 5.1.2600.2945 (xpsp_sp2_gdr.060704-2349) Windows NT BASE API Client DLL
msvcrt.dll 77c10000 360448 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT CRT DLL
ADVAPI32.dll 77dd0000 634880 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Advanced Windows 32 Base API
RPCRT4.dll 77e70000 593920 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Remote Procedure Call Runtime
GDI32.dll 77f10000 290816 C:\WINDOWS\system32\GDI32.dll 5.1.2600.2818 (xpsp_sp2_gdr.051228-1427) GDI Client DLL
USER32.dll 77d40000 589824 C:\WINDOWS\system32\USER32.dll 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519) Windows XP USER API Client DLL
SHLWAPI.dll 77f60000 483328 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2900.3020 (xpsp.061023-0222) Shell Light-weight Utility Library
SHELL32.dll 7c9c0000 8474624 C:\WINDOWS\system32\SHELL32.dll 6.00.2900.3051 (xpsp_sp2_gdr.061219-0316) Windows Shell Common Dll
ole32.dll 774e0000 1298432 C:\WINDOWS\system32\ole32.dll 5.1.2600.2726 (xpsp_sp2_gdr.050725-1528) Microsoft OLE for Windows
OLEAUT32.dll 77120000 573440 C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.2180 
BROWSEUI.dll 75f80000 1036288 C:\WINDOWS\system32\BROWSEUI.dll 6.00.2900.3020 (xpsp.061023-0222) Shell Browser UI Library
SHDOCVW.dll 77760000 1507328 C:\WINDOWS\system32\SHDOCVW.dll 6.00.2900.3020 (xpsp.061023-0222) Shell Doc Object and Control Library
CRYPT32.dll 77a80000 606208 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Crypto API32
MSASN1.dll 77b20000 73728 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ASN.1 Runtime APIs
CRYPTUI.dll 754d0000 524288 C:\WINDOWS\system32\CRYPTUI.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Trust UI Provider
WINTRUST.dll 76c30000 188416 C:\WINDOWS\system32\WINTRUST.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Trust Verification APIs
IMAGEHLP.dll 76c90000 163840 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT Image Helper
NETAPI32.dll 5b860000 344064 C:\WINDOWS\system32\NETAPI32.dll 5.1.2600.2976 (xpsp_sp2_gdr.060817-0106) Net Win32 API DLL
WININET.dll 771b0000 847872 C:\WINDOWS\system32\WININET.dll 7.00.6000.16414 (vista_gdr.070108-1520) Internet Extensions for Win32
Normaliz.dll 400000 36864 C:\WINDOWS\system32\Normaliz.dll 6.0.5441.0 (winmain(wmbla).060628-1735) Unicode Normalization DLL
iertutil.dll 6e850000 282624 C:\WINDOWS\system32\iertutil.dll 7.00.6000.16414 (vista_gdr.070108-1520) Run time utility for Internet Explorer
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Win32 LDAP API DLL
VERSION.dll 77c00000 32768 C:\WINDOWS\system32\VERSION.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Version Checking and File Installation Libraries
UxTheme.dll 5ad70000 229376 C:\WINDOWS\system32\UxTheme.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Microsoft UxTheme Library
ShimEng.dll 5cb70000 155648 C:\WINDOWS\system32\ShimEng.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Shim Engine DLL
AcGenral.DLL 6f880000 1875968 C:\WINDOWS\AppPatch\AcGenral.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Compatibility DLL
WINMM.dll 76b40000 184320 C:\WINDOWS\system32\WINMM.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) MCI API DLL
MSACM32.dll 77be0000 86016 C:\WINDOWS\system32\MSACM32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft ACM Audio Filter
USERENV.dll 769c0000 733184 C:\WINDOWS\system32\USERENV.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Userenv
IMM32.DLL 76390000 118784 C:\WINDOWS\system32\IMM32.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows XP IMM32 API Client DLL
LPK.DLL 629c0000 36864 C:\WINDOWS\system32\LPK.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Language Pack
USP10.dll 74d90000 438272 C:\WINDOWS\system32\USP10.dll 1.0420.2600.2180 (xpsp_sp2_rtm.040803-2158) Uniscribe Unicode script processor
comctl32.dll 773d0000 1060864 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll 6.0 (xpsp.060825-0040) User Experience Controls Library
comctl32.dll 5d090000 630784 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp.060825-0040) Common Controls Library
msctfime.ime 755c0000 188416 C:\WINDOWS\system32\msctfime.ime 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Text Frame Work Service IME
appHelp.dll 77b40000 139264 C:\WINDOWS\system32\appHelp.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Application Compatibility Client Library
CLBCATQ.DLL 76fd0000 520192 C:\WINDOWS\system32\CLBCATQ.DLL 2001.12.4414.308 
COMRes.dll 77050000 806912 C:\WINDOWS\system32\COMRes.dll 2001.12.4414.258 
cscui.dll 77a20000 344064 C:\WINDOWS\System32\cscui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Client Side Caching UI
CSCDLL.dll 76600000 118784 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Offline Network Agent
themeui.dll 5ba60000 462848 C:\WINDOWS\System32\themeui.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Windows Theme API
Secur32.dll 77fe0000 69632 C:\WINDOWS\System32\Secur32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Security Support Provider Interface
MSIMG32.dll 76380000 20480 C:\WINDOWS\System32\MSIMG32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) GDIEXT Client DLL
xpsp2res.dll 20000000 2904064 C:\WINDOWS\system32\xpsp2res.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Service Pack 2 Messages
msutb.dll 5fc10000 208896 C:\WINDOWS\System32\msutb.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) MSUTB Server DLL
MSCTF.dll 74720000 307200 C:\WINDOWS\System32\MSCTF.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) MSCTF Server DLL
iTunesMiniPlayer.dll 10000000 135168 C:\Program Files\iTunes\iTunesMiniPlayer.dll 7.0.2.16 iTunes Mini Player DLL
iTunesMiniPlayerLocalized.dll 16d0000 57344 C:\Program Files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll 7.0.2.16 iTunes Mini Player Resource Library
iTunesMiniPlayer.dll 1700000 143360 C:\Program Files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll 7.0.2.16 iTunes Mini Player Resource Library
SETUPAPI.dll 77920000 995328 C:\WINDOWS\system32\SETUPAPI.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Setup API
ieframe.dll 7e1e0000 6070272 C:\WINDOWS\system32\ieframe.dll 7.00.6000.16414 (vista_gdr.070108-1520) Internet Explorer
PSAPI.DLL 76bf0000 45056 C:\WINDOWS\system32\PSAPI.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Process Status Helper
msi.dll 1bf0000 2908160 C:\WINDOWS\system32\msi.dll 3.1.4000.2435 Windows Installer
NETSHELL.dll 76400000 1728512 C:\WINDOWS\system32\NETSHELL.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Network Connections Shell
rtutils.dll 76e80000 57344 C:\WINDOWS\system32\rtutils.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Routing Utilities
credui.dll 76c00000 188416 C:\WINDOWS\system32\credui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Credential Manager User Interface
WS2_32.dll 71ab0000 94208 C:\WINDOWS\system32\WS2_32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 2.0 Helper for Windows NT
ATL.DLL 76b20000 69632 C:\WINDOWS\system32\ATL.DLL 3.05.2284 ATL Module for Windows XP (Unicode)
iphlpapi.dll 76d60000 102400 C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.2912 (xpsp_sp2_gdr.060519-0003) IP Helper API
tabhook.dll 1ee0000 53248 C:\WINDOWS\System32\tabhook.dll 4.56-6 TabHook
LINKINFO.dll 76980000 32768 C:\WINDOWS\system32\LINKINFO.dll 5.1.2600.2751 (xpsp_sp2_gdr.050831-1520) Windows Volume Tracking
ntshrui.dll 76990000 151552 C:\WINDOWS\system32\ntshrui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Shell extensions for sharing
SXS.DLL 75e90000 720896 C:\WINDOWS\system32\SXS.DLL 5.1.2600.3019 (xpsp_sp2_gdr.061019-0414) Fusion 2.5
rsaenh.dll ffd0000 163840 C:\WINDOWS\system32\rsaenh.dll 5.1.2600.2161 (xpsp.040706-1629) Microsoft Enhanced Cryptographic Provider
urlmon.dll 61410000 1196032 C:\WINDOWS\system32\urlmon.dll 7.00.6000.16414 (vista_gdr.070108-1520) OLE32 Extensions for Win32
MLANG.dll 75cf0000 593920 C:\WINDOWS\system32\MLANG.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Multi Language Support DLL
WINSTA.dll 76360000 65536 C:\WINDOWS\system32\WINSTA.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Winstation Library
webcheck.dll 74b30000 245760 C:\WINDOWS\system32\webcheck.dll 7.00.6000.16414 (vista_gdr.070108-1520) Web Site Monitor
stobject.dll 76280000 135168 C:\WINDOWS\System32\stobject.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Systray shell service object
BatMeter.dll 74af0000 40960 C:\WINDOWS\System32\BatMeter.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Battery Meter Helper DLL
POWRPROF.dll 74ad0000 32768 C:\WINDOWS\System32\POWRPROF.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Power Profile Helper DLL
WTSAPI32.dll 76f50000 32768 C:\WINDOWS\System32\WTSAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Terminal Server SDK APIs
upnpui.dll 5af80000 249856 C:\WINDOWS\system32\upnpui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) UPNP Tray Monitor and Folder
upnp.dll 76de0000 143360 C:\WINDOWS\System32\upnp.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Universal Plug and Play API
WINHTTP.dll 4d4f0000 360448 C:\WINDOWS\System32\WINHTTP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows HTTP Services
SSDPAPI.dll 74f00000 49152 C:\WINDOWS\System32\SSDPAPI.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) SSDP Client API DLL
wdmaud.drv 72d20000 36864 C:\WINDOWS\system32\wdmaud.drv 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) WDM Audio driver mapper
msacm32.drv 72d10000 32768 C:\WINDOWS\system32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
midimap.dll 77bd0000 28672 C:\WINDOWS\system32\midimap.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft MIDI Mapper
WPDShServiceObj.dll 164a0000 143360 C:\WINDOWS\system32\WPDShServiceObj.dll 5.2.5721.5145 (WMP_11.061018-2006) Windows Portable Device Shell Service Object
mslbui.dll 605d0000 36864 C:\WINDOWS\system32\mslbui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) LangageBar Add In
MPR.dll 71b20000 73728 C:\WINDOWS\system32\MPR.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Multiple Provider Router DLL
drprov.dll 75f60000 28672 C:\WINDOWS\System32\drprov.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Terminal Server Network Provider
mydocs.dll 72410000 106496 C:\WINDOWS\System32\mydocs.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) My Documents Folder UI
ntlanman.dll 71c10000 57344 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) MicrosoftR Lan Manager
NETUI0.dll 71cd0000 94208 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) NT LM UI Common Code - GUI Classes
NETUI1.dll 71c90000 262144 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) NT LM UI Common Code - Networking classes
NETRAP.dll 71c80000 28672 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Net Remote Admin Protocol DLL
SAMLIB.dll 71bf0000 77824 C:\WINDOWS\System32\SAMLIB.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) SAM Library DLL
davclnt.dll 75f70000 36864 C:\WINDOWS\System32\davclnt.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Web DAV Client DLL
smarthook.dll 2cb0000 73728 C:\Program Files\SmartFTP Client 2.0\smarthook.dll 1.0.2.1 SmartFTP Client CopyHook
PortableDeviceTypes.dll 109c0000 180224 C:\WINDOWS\system32\PortableDeviceTypes.dll 5.2.5721.5145 (WMP_11.061018-2006) Windows Portable Device (Parameter) Types Component
PortableDeviceApi.dll 10930000 299008 C:\WINDOWS\system32\PortableDeviceApi.dll 5.2.5721.5145 (WMP_11.061018-2006) Windows Portable Device API Components
WZCSAPI.DLL 73030000 65536 C:\WINDOWS\system32\WZCSAPI.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Wireless Zero Configuration service API
NSCEXT.dll 6f120000 573440 C:\Program Files\Common Files\Symantec Shared\NPC\NSCEXT.dll 2007.3.00.5 Norton Protection Center ExplorerExtensions
ATL71.DLL 7c120000 102400 C:\WINDOWS\system32\ATL71.DLL 7.10.3077.0 ATL Module for Windows (Unicode)
MSVCP71.dll 7c3a0000 503808 C:\WINDOWS\system32\MSVCP71.dll 7.10.3077.0 MicrosoftR C++ Runtime Library
MSVCR71.dll 7c340000 352256 C:\WINDOWS\system32\MSVCR71.dll 7.10.3052.4 MicrosoftR C Runtime Library
ccL60U.dll 6ae70000 544768 C:\Program Files\Common Files\Symantec Shared\ccL60U.dll 106.1.3.3 Symantec Library
wzcdlg.dll 5df10000 385024 C:\WINDOWS\system32\wzcdlg.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Wireless Zero Configuration Service UI
browselc.dll 3df0000 73728 C:\WINDOWS\system32\browselc.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Shell Browser UI Library
DUSER.dll 6c1b0000 315392 C:\WINDOWS\system32\DUSER.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows DirectUser Engine
NavShExt.dll 69ff0000 167936 C:\PROGRA~1\NORTON~2\NORTON~1\NavShExt.dll 14.0.0.89 Norton AntiVirus Shell Extension Module
ccVrTrst.dll 6b770000 126976 C:\Program Files\Common Files\Symantec Shared\ccVrTrst.dll 106.1.3.3 Symantec Trust Validation Engine
WSOCK32.dll 71ad0000 36864 C:\WINDOWS\system32\WSOCK32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 32-Bit DLL
NavShExt.loc e90000 16384 C:\PROGRA~1\NORTON~2\NORTON~1\NavShExt.loc 
MSGINA.dll 75970000 1011712 C:\WINDOWS\system32\MSGINA.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT Logon GINA DLL
ODBC32.dll 74320000 249856 C:\WINDOWS\system32\ODBC32.dll 3.525.1117.0 (xpsp_sp2_rtm.040803-2158) Microsoft Data Access - ODBC Driver Manager
comdlg32.dll 763b0000 299008 C:\WINDOWS\system32\comdlg32.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Common Dialogs DLL
odbcint.dll 4b10000 94208 C:\WINDOWS\system32\odbcint.dll 3.525.1117.0 (xpsp_sp2_rtm.040803-2158) Microsoft Data Access - ODBC Resources
shdoclc.dll 4b80000 557056 C:\WINDOWS\system32\shdoclc.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Shell Doc Object and Control Library
ContextMenu.dll d40000 413696 C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat Elements\ContextMenu.dll 1.0.0.2003051500 Adobe Acrobat Elements
WINSPOOL.DRV 73000000 155648 C:\WINDOWS\system32\WINSPOOL.DRV 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Spooler Driver
MFC42.DLL 73dd0000 1040384 C:\WINDOWS\system32\MFC42.DLL 6.02.4131.0 MFCDLL Shared Library - Retail Version
MSVCP60.dll 76080000 413696 C:\WINDOWS\system32\MSVCP60.dll 6.02.3104.0 Microsoft (R) C++ Runtime Library
actxprxy.dll 71d40000 114688 C:\WINDOWS\system32\actxprxy.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) ActiveX Interface Marshaling Library
NTMARTA.DLL 77690000 135168 C:\WINDOWS\system32\NTMARTA.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT MARTA provider
RASAPI32.dll 76ee0000 245760 C:\WINDOWS\system32\RASAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Remote Access API
rasman.dll 76e90000 73728 C:\WINDOWS\system32\rasman.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Remote Access Connection Manager
TAPI32.dll 76eb0000 192512 C:\WINDOWS\system32\TAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) MicrosoftR Windows(TM) Telephony API Client DLL
tsappcmp.dll 5b430000 65536 C:\WINDOWS\system32\tsappcmp.dll 5.1.2600.0 (xpclient.010817-1148) Terminal Services Application Compatibility DLL
wshext.dll 74ea0000 65536 C:\WINDOWS\system32\wshext.dll 5.6.0.8820 Microsoft (r) Shell Extension for Windows Script Host
MPRAPI.dll 76d40000 98304 C:\WINDOWS\system32\MPRAPI.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT MP Router Administration DLL
ACTIVEDS.dll 77cc0000 204800 C:\WINDOWS\system32\ACTIVEDS.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ADs Router Layer DLL
adsldpc.dll 76e10000 151552 C:\WINDOWS\system32\adsldpc.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ADs LDAP Provider C DLL
DNSAPI.dll 76f20000 159744 C:\WINDOWS\system32\DNSAPI.dll 5.1.2600.2938 (xpsp_sp2_gdr.060626-0020) DNS Client API DLL
DHCPCSVC.DLL 76d80000 122880 C:\WINDOWS\system32\DHCPCSVC.DLL 5.1.2600.2912 (xpsp_sp2_gdr.060519-0003) DHCP Client Service
sensapi.dll 722b0000 20480 C:\WINDOWS\system32\sensapi.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) SENS Connectivity API DLL
msv1_0.dll 77c70000 143360 C:\WINDOWS\system32\msv1_0.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Authentication Package v1.0
msxml3.dll 74980000 1105920 C:\WINDOWS\system32\msxml3.dll 8.70.1113.0 MSXML 3.0 SP 7
jscript.dll 63380000 491520 c:\windows\system32\jscript.dll 5.7.0.5730 Microsoft (R) JScript
mswsock.dll 71a50000 258048 C:\WINDOWS\System32\mswsock.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Windows Sockets 2.0 Service Provider
rasadhlp.dll 76fc0000 24576 C:\WINDOWS\system32\rasadhlp.dll 5.1.2600.2938 (xpsp_sp2_gdr.060626-0020) Remote Access AutoDial Helper
winrnr.dll 76fb0000 32768 C:\WINDOWS\System32\winrnr.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) LDAP RnR Provider DLL
hnetcfg.dll 662b0000 360448 C:\WINDOWS\system32\hnetcfg.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Home Networking Configuration Manager
wshtcpip.dll 71a90000 32768 C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Sockets Helper DLL
CFGMGR32.dll 74ae0000 28672 C:\WINDOWS\System32\CFGMGR32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Configuration Manager Forwarder DLL
dfshim.dll 60510000 98304 C:\WINDOWS\system32\dfshim.dll 2.0.50727.42 (RTM.050727-4200) Application Deployment Support Library
mscoree.dll 79000000 282624 C:\WINDOWS\system32\mscoree.dll 2.0.50727.42 (RTM.050727-4200) Microsoft .NET Runtime Execution Engine
MSVCR80.dll 78130000 634880 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\MSVCR80.dll 8.00.50727.163 MicrosoftR C Runtime Library
PRINTUI.dll 74b80000 573440 C:\WINDOWS\system32\PRINTUI.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Print UI DLL
Shfusion.dll 641f0000 118784 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Shfusion.dll 2.0.50727.42 (RTM.050727-4200) Microsoft COM Runtime Fusion Assembly Viewer
Fusion.dll 60610000 24576 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Fusion.dll 2.0.50727.42 (RTM.050727-4200) Assembly manager
culture.dll 60340000 32768 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\culture.dll 2.0.50727.42 (RTM.050727-4200) Microsoft Globalization Support
ShFusRes.dll 64220000 98304 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ShFusRes.dll 2.0.50727.42 (RTM.050727-4200) Microsoft COM Runtime Fusion Assembly Viewer Resources
msadp32.acm 72cf0000 28672 C:\WINDOWS\system32\msadp32.acm 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft ADPCM CODEC for MSACM
spywareguard.dll 22200000 126976 C:\Program Files\SpywareGuard\spywareguard.dll 2.02 SpywareGuard Protection
MSVBVM60.DLL 66000000 1388544 C:\WINDOWS\system32\MSVBVM60.DLL 6.00.8964 Visual Basic Virtual Machine
sti.dll 73ba0000 77824 C:\WINDOWS\System32\sti.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Still Image Devices client DLL 
AcroIEHelper.dll cf0000 45056 C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll 6.0.0.2003051500 Adobe Acrobat IE Helper Version 6.0 for ActivieX
dlprotect.dll 11000000 192512 C:\Program Files\SpywareGuard\dlprotect.dll 2.02 SpywareGuard Download Protection
SDHelper.dll 4200000 872448 C:\PROGRA~1\SPYBOT~1\SDHelper.dll 1, 4, 0, 0 Bad download blocker
olepro32.dll 5edd0000 94208 C:\WINDOWS\system32\olepro32.dll 5.1.2600.2180 
wuapi.dll 506a0000 471040 C:\WINDOWS\system32\wuapi.dll 5.8.0.2469 built by: lab01_n(wmbla) Windows Update Client API
sfc_os.dll 76c60000 172032 C:\WINDOWS\system32\sfc_os.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows File Protection
asfsipc.dll 41f00000 28672 C:\WINDOWS\system32\asfsipc.dll  1.1.00.3917 ASFSipc Object
MSISIP.DLL 60980000 28672 C:\WINDOWS\system32\MSISIP.DLL 3.1.4000.1823 MSI Signature SIP Provider
MCPS.DLL 36d30000 102400 C:\PROGRA~1\MICROS~2\OFFICE11\MCPS.DLL 11.0.5510 Media Catalog Proxy/Stub


----------



## Killazys (Feb 9, 2007)

Option 2 says:
Module information for 'iexplore.exe'
MODULE BASE SIZE PATH
iexplore.exe 400000 630784 C:\Program Files\Internet Explorer\iexplore.exe 7.00.6000.16414 (vista_gdr.070108-1520) Internet Explorer
ntdll.dll 7c900000 720896 C:\WINDOWS\system32\ntdll.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) NT Layer DLL
kernel32.dll 7c800000 999424 C:\WINDOWS\system32\kernel32.dll 5.1.2600.2945 (xpsp_sp2_gdr.060704-2349) Windows NT BASE API Client DLL
ADVAPI32.dll 77dd0000 634880 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Advanced Windows 32 Base API
RPCRT4.dll 77e70000 593920 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Remote Procedure Call Runtime
GDI32.dll 77f10000 290816 C:\WINDOWS\system32\GDI32.dll 5.1.2600.2818 (xpsp_sp2_gdr.051228-1427) GDI Client DLL
USER32.dll 77d40000 589824 C:\WINDOWS\system32\USER32.dll 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519) Windows XP USER API Client DLL
msvcrt.dll 77c10000 360448 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT CRT DLL
SHLWAPI.dll 77f60000 483328 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2900.3020 (xpsp.061023-0222) Shell Light-weight Utility Library
SHELL32.dll 7c9c0000 8474624 C:\WINDOWS\system32\SHELL32.dll  6.00.2900.3051 (xpsp_sp2_gdr.061219-0316) Windows Shell Common Dll
ole32.dll 774e0000 1298432 C:\WINDOWS\system32\ole32.dll 5.1.2600.2726 (xpsp_sp2_gdr.050725-1528) Microsoft OLE for Windows
urlmon.dll 61410000 1196032 C:\WINDOWS\system32\urlmon.dll 7.00.6000.16414 (vista_gdr.070108-1520) OLE32 Extensions for Win32
OLEAUT32.dll 77120000 573440 C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.2180 
iertutil.dll 6e850000 282624 C:\WINDOWS\system32\iertutil.dll 7.00.6000.16414 (vista_gdr.070108-1520) Run time utility for Internet Explorer
VERSION.dll 77c00000 32768 C:\WINDOWS\system32\VERSION.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Version Checking and File Installation Libraries
IMM32.DLL 76390000 118784 C:\WINDOWS\system32\IMM32.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows XP IMM32 API Client DLL
LPK.DLL 629c0000 36864 C:\WINDOWS\system32\LPK.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Language Pack
USP10.dll 74d90000 438272 C:\WINDOWS\system32\USP10.dll 1.0420.2600.2180 (xpsp_sp2_rtm.040803-2158) Uniscribe Unicode script processor
comctl32.dll 773d0000 1060864 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll 6.0 (xpsp.060825-0040) User Experience Controls Library
comctl32.dll 5d090000 630784 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp.060825-0040) Common Controls Library
IEFRAME.dll 7e1e0000 6070272 C:\WINDOWS\system32\IEFRAME.dll 7.00.6000.16414 (vista_gdr.070108-1520) Internet Explorer
PSAPI.DLL 76bf0000 45056 C:\WINDOWS\system32\PSAPI.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Process Status Helper
UxTheme.dll 5ad70000 229376 C:\WINDOWS\system32\UxTheme.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Microsoft UxTheme Library
NSCEXT.dll 6f120000 573440 C:\Program Files\Common Files\Symantec Shared\NPC\NSCEXT.dll 2007.3.00.5 Norton Protection Center ExplorerExtensions
ATL71.DLL 7c120000 102400 C:\WINDOWS\system32\ATL71.DLL 7.10.3077.0 ATL Module for Windows (Unicode)
MSVCP71.dll 7c3a0000 503808 C:\WINDOWS\system32\MSVCP71.dll 7.10.3077.0 MicrosoftR C++ Runtime Library
MSVCR71.dll 7c340000 352256 C:\WINDOWS\system32\MSVCR71.dll 7.10.3052.4 MicrosoftR C Runtime Library
ccL60U.dll 6ae70000 544768 C:\Program Files\Common Files\Symantec Shared\ccL60U.dll 106.1.3.3 Symantec Library
ws2_32.dll 71ab0000 94208 C:\WINDOWS\system32\ws2_32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 2.0 Helper for Windows NT
MSCTF.dll 74720000 307200 C:\WINDOWS\system32\MSCTF.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) MSCTF Server DLL
tabhook.dll 10000000 53248 C:\WINDOWS\System32\tabhook.dll 4.56-6 TabHook
xpsp2res.dll 20000000 2904064 C:\WINDOWS\system32\xpsp2res.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Service Pack 2 Messages
msctfime.ime 755c0000 188416 C:\WINDOWS\system32\msctfime.ime 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Text Frame Work Service IME
IEUI.dll 5dff0000 192512 C:\WINDOWS\system32\IEUI.dll 7.00.5730.11 (winmain(wmbla).061017-1135) Internet Explorer UI Engine
MSIMG32.dll 76380000 20480 C:\WINDOWS\system32\MSIMG32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) GDIEXT Client DLL
gdiplus.dll 4ec50000 1716224 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\gdiplus.dll 5.1.3102.2180 (xpsp_sp2_rtm.040803-2158) Microsoft GDI+
xmllite.dll 47060000 135168 C:\WINDOWS\system32\xmllite.dll 1.00.1018.0 Microsoft XmlLite Library
apphelp.dll 77b40000 139264 C:\WINDOWS\system32\apphelp.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Application Compatibility Client Library
CLBCATQ.DLL 76fd0000 520192 C:\WINDOWS\system32\CLBCATQ.DLL 2001.12.4414.308 
COMRes.dll 77050000 806912 C:\WINDOWS\system32\COMRes.dll 2001.12.4414.258 
msimtf.dll 746f0000 172032 C:\WINDOWS\System32\msimtf.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Active IMM Server DLL
Secur32.dll 77fe0000 69632 C:\WINDOWS\system32\Secur32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Security Support Provider Interface
mslbui.dll 605d0000 36864 C:\WINDOWS\system32\mslbui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) LangageBar Add In
cscui.dll 77a20000 344064 C:\WINDOWS\System32\cscui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Client Side Caching UI
CSCDLL.dll 76600000 118784 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Offline Network Agent
SETUPAPI.dll 77920000 995328 C:\WINDOWS\system32\SETUPAPI.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Setup API
msohev.dll 325c0000 73728 C:\Program Files\Microsoft Office\OFFICE11\msohev.dll 11.0.5510 Microsoft Office 2003 component
sptip.dll 5c2c0000 262144 C:\WINDOWS\ime\sptip.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) SAPI5.0/CTF layer DLL
OLEACC.dll 74c80000 180224 C:\WINDOWS\system32\OLEACC.dll 4.2.5406.0 (xpclient.010817-1148) Active Accessibility Core Component
MSVCP60.dll 76080000 413696 C:\WINDOWS\system32\MSVCP60.dll 6.02.3104.0 Microsoft (R) C++ Runtime Library
SPGRMR.DLL 1640000 69632 C:\WINDOWS\IME\SPGRMR.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) SPTIP Grammar DLL
msi.dll 1660000 2908160 C:\WINDOWS\system32\msi.dll 3.1.4000.2435 Windows Installer
SKCHUI.DLL 1930000 372736 C:\Program Files\Common Files\Microsoft Shared\INK\SKCHUI.DLL 1.0.1038.0 Draw Pen Tip
ieproxy.dll 61930000 303104 C:\Program Files\Internet Explorer\ieproxy.dll 7.00.5730.11 (winmain(wmbla).061017-1135) IE ActiveX Interface Marshaling Library
shdocvw.dll 77760000 1507328 C:\WINDOWS\system32\shdocvw.dll 6.00.2900.3020 (xpsp.061023-0222) Shell Doc Object and Control Library
CRYPT32.dll 77a80000 606208 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Crypto API32
MSASN1.dll 77b20000 73728 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ASN.1 Runtime APIs
CRYPTUI.dll 754d0000 524288 C:\WINDOWS\system32\CRYPTUI.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Trust UI Provider
WINTRUST.dll 76c30000 188416 C:\WINDOWS\system32\WINTRUST.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Trust Verification APIs
IMAGEHLP.dll 76c90000 163840 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT Image Helper
NETAPI32.dll 5b860000 344064 C:\WINDOWS\system32\NETAPI32.dll 5.1.2600.2976 (xpsp_sp2_gdr.060817-0106) Net Win32 API DLL
WININET.dll 771b0000 847872 C:\WINDOWS\system32\WININET.dll 7.00.6000.16414 (vista_gdr.070108-1520) Internet Extensions for Win32
Normaliz.dll 2050000 36864 C:\WINDOWS\system32\Normaliz.dll 6.0.5441.0 (winmain(wmbla).060628-1735) Unicode Normalization DLL
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Win32 LDAP API DLL
SXS.DLL 75e90000 720896 C:\WINDOWS\system32\SXS.DLL  5.1.2600.3019 (xpsp_sp2_gdr.061019-0414) Fusion 2.5
MLANG.dll 75cf0000 593920 C:\WINDOWS\system32\MLANG.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Multi Language Support DLL
aoltb.dll 23f0000 532480 C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll 2.0.4239.61 AOL IE Toolbar DLL (UNICODE) 
msxml3.dll 74980000 1105920 C:\WINDOWS\system32\msxml3.dll 8.70.1113.0 MSXML 3.0 SP 7
googletoolbar1.dll 2960000 3665920 c:\program files\google\googletoolbar1.dll 4, 0, 1601, 4978 Google IE Client Toolbar
WINMM.dll 76b40000 184320 C:\WINDOWS\system32\WINMM.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) MCI API DLL
WSOCK32.dll 71ad0000 36864 C:\WINDOWS\system32\WSOCK32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 32-Bit DLL
USERENV.dll 769c0000 733184 C:\WINDOWS\system32\USERENV.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Userenv
DBGHELP.DLL 59a60000 659456 C:\WINDOWS\system32\DBGHELP.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Image Helper
ntshrui.dll 76990000 151552 C:\WINDOWS\system32\ntshrui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Shell extensions for sharing
ATL.DLL 76b20000 69632 C:\WINDOWS\system32\ATL.DLL 3.05.2284 ATL Module for Windows XP (Unicode)
MPR.dll 71b20000 73728 C:\WINDOWS\system32\MPR.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Multiple Provider Router DLL
drprov.dll 75f60000 28672 C:\WINDOWS\System32\drprov.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Terminal Server Network Provider
ntlanman.dll 71c10000 57344 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) MicrosoftR Lan Manager
NETUI0.dll 71cd0000 94208 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) NT LM UI Common Code - GUI Classes
NETUI1.dll 71c90000 262144 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) NT LM UI Common Code - Networking classes
NETRAP.dll 71c80000 28672 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Net Remote Admin Protocol DLL
SAMLIB.dll 71bf0000 77824 C:\WINDOWS\System32\SAMLIB.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) SAM Library DLL
davclnt.dll 75f70000 36864 C:\WINDOWS\System32\davclnt.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Web DAV Client DLL
RASAPI32.dll 76ee0000 245760 C:\WINDOWS\system32\RASAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Remote Access API
rasman.dll 76e90000 73728 C:\WINDOWS\system32\rasman.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Remote Access Connection Manager
TAPI32.dll 76eb0000 192512 C:\WINDOWS\system32\TAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) MicrosoftR Windows(TM) Telephony API Client DLL
rtutils.dll 76e80000 57344 C:\WINDOWS\system32\rtutils.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Routing Utilities
msv1_0.dll 77c70000 143360 C:\WINDOWS\system32\msv1_0.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Authentication Package v1.0
iphlpapi.dll 76d60000 102400 C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.2912 (xpsp_sp2_gdr.060519-0003) IP Helper API
sensapi.dll 722b0000 20480 C:\WINDOWS\system32\sensapi.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) SENS Connectivity API DLL
rsaenh.dll ffd0000 163840 C:\WINDOWS\system32\rsaenh.dll 5.1.2600.2161 (xpsp.040706-1629) Microsoft Enhanced Cryptographic Provider
PortableDeviceApi.dll 10930000 299008 C:\WINDOWS\system32\PortableDeviceApi.dll 5.2.5721.5145 (WMP_11.061018-2006) Windows Portable Device API Components
MSGINA.dll 75970000 1011712 C:\WINDOWS\system32\MSGINA.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT Logon GINA DLL
WINSTA.dll 76360000 65536 C:\WINDOWS\system32\WINSTA.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Winstation Library
ODBC32.dll 74320000 249856 C:\WINDOWS\system32\ODBC32.dll 3.525.1117.0 (xpsp_sp2_rtm.040803-2158) Microsoft Data Access - ODBC Driver Manager
comdlg32.dll 763b0000 299008 C:\WINDOWS\system32\comdlg32.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Common Dialogs DLL
odbcint.dll 3360000 94208 C:\WINDOWS\system32\odbcint.dll 3.525.1117.0 (xpsp_sp2_rtm.040803-2158) Microsoft Data Access - ODBC Resources
sti.dll 73ba0000 77824 C:\WINDOWS\System32\sti.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Still Image Devices client DLL 
CFGMGR32.dll 74ae0000 28672 C:\WINDOWS\System32\CFGMGR32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Configuration Manager Forwarder DLL
msntb.dll 64830000 552960 C:\Program Files\Windows Live Toolbar\msntb.dll 03.01.0000.0068 Windows Live Toolbar for Internet Explorer
mtbres.dll.mui 2d30000 24576 C:\Program Files\Windows Live Toolbar\en-us\mtbres.dll.mui 03.01.0000.0068 Windows Live Toolbar resource library
mtbres.dll 2d40000 40960 C:\Program Files\Windows Live Toolbar\mtbres.dll 03.01.0000.0068 Windows Live Toolbar resource library
Tem.dll 64750000 462848 C:\Program Files\Windows Live Toolbar\Tem.dll 03.01.0000.0068 Windows Live Toolbar Search Toolbar Extension Manager
searchboxRes.dll.mui 2d70000 8192 C:\Program Files\Windows Live Toolbar\en-us\searchboxRes.dll.mui 03.01.0000.0068 Windows Live Toolbar Resource Library
searchboxRes.dll 2d80000 40960 C:\Program Files\Windows Live Toolbar\searchboxRes.dll 03.01.0000.0068 Windows Live Toolbar Resource Library
wlscres.dll.mui 2d90000 151552 C:\Program Files\Windows Live Toolbar\Components\en-us\wlscres.dll.mui 03.01.0000.0072 Windows Live OneCare Advisor
CMRes.dll.mui 2dc0000 294912 C:\Program Files\Windows Live Toolbar\en-us\CMRes.dll.mui 03.01.0000.0068 Component Manager Resource Library
CMRes.dll 2f30000 16384 C:\Program Files\Windows Live Toolbar\CMRes.dll 03.01.0000.0068 Component Manager Resource Library
msn_slrs.DLL.mui 3c30000 8192 C:\Program Files\Windows Live Toolbar\en-us\msn_slrs.DLL.mui 03.01.0000.0068 Windows Live Toolbar Helper Resources
msn_slrs.DLL 3c40000 12288 C:\Program Files\Windows Live Toolbar\msn_slrs.DLL 03.01.0000.0068 Windows Live Toolbar Helper Resources
CBRes.dll.mui 3c50000 12288 C:\Program Files\Windows Live Toolbar\en-us\CBRes.dll.mui 03.01.0000.0068 Windows Live Toolbar Resource Library
CBRes.dll 3c60000 12288 C:\Program Files\Windows Live Toolbar\CBRes.dll 03.01.0000.0068 Windows Live Toolbar Resource Library
AcroIEHelper.dll 3c70000 45056 C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll 6.0.0.2003051500 Adobe Acrobat IE Helper Version 6.0 for ActivieX
NppBho.dll 66e50000 98304 C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll 2007.1.00.133 NcoBHO
AppMgr32.dll 6fb20000 204800 C:\Program Files\Common Files\Symantec Shared\AppCore\AppMgr32.dll 1.0.00.101 Symantec Application Core Manager
AppSet32.dll 6fbd0000 53248 C:\Program Files\Common Files\Symantec Shared\AppCore\AppSet32.dll 1.0.00.101 Symantec AppCore ccSetting
ccVrTrst.dll 6b770000 126976 C:\Program Files\Common Files\Symantec Shared\ccVrTrst.dll 106.1.3.3 Symantec Trust Validation Engine
ccSvc.dll 6b4f0000 290816 C:\Program Files\Common Files\Symantec Shared\ccSvc.dll 106.1.3.3 Symantec ccService Engine
BrRules.dll 66950000 159744 C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\BrRules.dll 2007.1.00.133 BrRules
BrCore.dll 66930000 77824 C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\BrCore.dll 2007.1.00.133 BrCore
nppwUI.dll 66f30000 155648 C:\Program Files\Common Files\Symantec Shared\coShared\WP\1.0\nppwUI.dll 2007.1.00.133 Web Protection
UIBHO.dll 67380000 520192 C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll 2007.1.00.133 UIBhoImpl
RICHED20.DLL 74e30000 442368 C:\WINDOWS\system32\RICHED20.DLL 5.30.23.1228 Rich Text Edit Control, v3.0
UIBHORes.loc 42d0000 471040 C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHORes.loc 2007.1.00.133 UIBhoImplRes
nppwBHO.dll 4350000 151552 C:\Program Files\Common Files\Symantec Shared\coShared\WP\1.0\nppwBHO.dll 2006, 1, 0, 41 Norton Confidential (WCID) v2006.1 NT5 Build (2006,1,0,41)
nppw.dll 43a0000 626688 c:\program files\common files\symantec shared\coshared\wp\1.0\nppw.dll 2006, 1, 0, 41 Norton Confidential (WCID) v2006.1 NT5 Build (2006,1,0,41)
Cabinet.dll 75150000 81920 C:\WINDOWS\system32\Cabinet.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) MicrosoftR Cabinet File API
AVIfc.dll 6fdd0000 274432 C:\Program Files\Common Files\Symantec Shared\AntiVirus\AVIfc.dll 1.0.00.194 Symantec AntiVirus Interface
dlprotect.dll 11000000 192512 C:\Program Files\SpywareGuard\dlprotect.dll 2.02 SpywareGuard Download Protection
MSVBVM60.DLL 66000000 1388544 C:\WINDOWS\system32\MSVBVM60.DLL 6.00.8964 Visual Basic Virtual Machine
SDHelper.dll 49d0000 872448 C:\PROGRA~1\SPYBOT~1\SDHelper.dll 1, 4, 0, 0 Bad download blocker
olepro32.dll 5edd0000 94208 C:\WINDOWS\system32\olepro32.dll 5.1.2600.2180 
pxbho.dll 4bc0000 98304 C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll 1.0.0.3 Prevx Malicious URL Detector
ssv.dll 6d600000 434176 C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll 5.0.100.3 Java(TM) 2 Platform Standard Edition binary
WindowsLiveLogin.dll 29500000 331776 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll 4.100.313.1 WindowsLiveLogin.dll
msidcrl40.dll 27500000 819200 C:\Program Files\Common Files\Microsoft Shared\Windows Live\msidcrl40.dll 4.100.313.1 IDCRL Dynamic Link Library
cryptnet.dll 75e60000 77824 C:\WINDOWS\system32\cryptnet.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Crypto Network Related API
WINHTTP.dll 4d4f0000 360448 C:\WINDOWS\system32\WINHTTP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows HTTP Services
AcroIEFavClient.dll 5280000 147456 C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll 
searchbox.dll 44a0000 368640 C:\Program Files\Windows Live Toolbar\searchbox.dll 03.01.0000.0068 Windows Live Toolbar Unified Search Box
stmain.dll 648c0000 163840 C:\Program Files\Windows Live Toolbar\stmain.dll 03.01.0000.0068 Windows Live Toolbar Search Toolbar Helper
wlsctb.dll 4530000 196608 C:\Program Files\Windows Live Toolbar\Components\wlsctb.dll 03.01.0000.0072 Windows Live OneCare Advisor
cm.dll 55c0000 368640 C:\Program Files\Windows Live Toolbar\cm.dll 03.01.0000.0068 Windows Live Toolbar Component Manager Library
msn_slps.dll 64900000 225280 C:\Program Files\Windows Live Toolbar\msn_slps.dll 03.01.0000.0068 Windows Live Toolbar Helper Proxy
CB.dll 5750000 266240 C:\Program Files\Windows Live Toolbar\CB.dll 03.01.0000.0068 Windows Live ToolbarCustom Buttons
MSOXMLMF.DLL 5e00000 45056 C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL 11.0.5510 Microsoft Office XML MIME Filter
mswsock.dll 71a50000 258048 C:\WINDOWS\System32\mswsock.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Windows Sockets 2.0 Service Provider
rasadhlp.dll 76fc0000 24576 C:\WINDOWS\system32\rasadhlp.dll  5.1.2600.2938 (xpsp_sp2_gdr.060626-0020) Remote Access AutoDial Helper
DNSAPI.dll 76f20000 159744 C:\WINDOWS\system32\DNSAPI.dll 5.1.2600.2938 (xpsp_sp2_gdr.060626-0020) DNS Client API DLL
hnetcfg.dll 662b0000 360448 C:\WINDOWS\system32\hnetcfg.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Home Networking Configuration Manager
wshtcpip.dll 71a90000 32768 C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Sockets Helper DLL
isRes.dll 67e30000 1019904 C:\Program Files\Norton Internet Security\isRes.dll 10.0.0.247 Firewall Shared Localization
mshtml.dll 7e830000 3600384 C:\WINDOWS\system32\mshtml.dll 7.00.6000.16414 (vista_gdr.070108-1520) Microsoft (R) HTML Viewer
msls31.dll 746c0000 167936 C:\WINDOWS\system32\msls31.dll 3.10.349.0 Microsoft Line Services library file
actxprxy.dll 71d40000 114688 C:\WINDOWS\system32\actxprxy.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) ActiveX Interface Marshaling Library
jscript.dll 63380000 491520 c:\windows\system32\jscript.dll 5.7.0.5730 Microsoft (R) JScript
iepeers.dll 58760000 204800 C:\WINDOWS\system32\iepeers.dll 7.00.5730.11 (winmain(wmbla).061017-1135) Internet Explorer Peer Objects
WINSPOOL.DRV 73000000 155648 C:\WINDOWS\system32\WINSPOOL.DRV 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Spooler Driver
vbscript.dll 73300000 413696 C:\WINDOWS\system32\vbscript.dll 5.7.0.5730 Microsoft (R) VBScript
Flash9b.ocx 30000000 3072000 C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx 9,0,28,0 Adobe Flash Player 9.0 r28
wdmaud.drv 72d20000 36864 C:\WINDOWS\system32\wdmaud.drv 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) WDM Audio driver mapper
msacm32.drv 72d10000 32768 C:\WINDOWS\system32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
MSACM32.dll 77be0000 86016 C:\WINDOWS\system32\MSACM32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft ACM Audio Filter
midimap.dll 77bd0000 28672 C:\WINDOWS\system32\midimap.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft MIDI Mapper
ImgUtil.dll 1b000000 49152 C:\WINDOWS\system32\ImgUtil.dll 7.00.5730.11 (winmain(wmbla).061017-1135) IE plugin image decoder support DLL
pngfilt.dll 1b060000 57344 C:\WINDOWS\system32\pngfilt.dll 7.00.5730.11 (winmain(wmbla).061017-1135) IE PNG plugin image decoder
mshtmled.dll 76200000 487424 C:\WINDOWS\system32\mshtmled.dll 7.00.6000.16414 (vista_gdr.070108-1520) MicrosoftR HTML Editing Component
Dxtrans.dll 35c50000 233472 C:\WINDOWS\system32\Dxtrans.dll 7.00.5730.11 (winmain(wmbla).061017-1135) DirectX Media -- DirectX Transform Core
ddrawex.dll 6d430000 40960 C:\WINDOWS\System32\ddrawex.dll 5.03.2600.2180 (xpsp_sp2_rtm.040803-2158) Direct Draw Ex
DDRAW.dll 73760000 299008 C:\WINDOWS\System32\DDRAW.dll 5.03.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft DirectDraw
DCIMAN32.dll 73bc0000 24576 C:\WINDOWS\System32\DCIMAN32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) DCI Manager
Dxtmsft.dll 35cb0000 356352 C:\WINDOWS\system32\Dxtmsft.dll 7.00.5730.11 (winmain(wmbla).061017-1135) DirectX Media -- Image DirectX Transforms
schannel.dll 767f0000 159744 C:\WINDOWS\system32\schannel.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) TLS / SSL Security Provider
wuapi.dll 506a0000 471040 C:\WINDOWS\system32\wuapi.dll 5.8.0.2469 built by: lab01_n(wmbla) Windows Update Client API
sfc_os.dll 76c60000 172032 C:\WINDOWS\system32\sfc_os.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows File Protection


----------



## Cookiegal (Aug 27, 2003)

Please post a new WinpFind log with the same two add-ons.


----------



## Killazys (Feb 9, 2007)

You mean from safe mode, correct?


----------



## Cookiegal (Aug 27, 2003)

Yes please.


----------



## Killazys (Feb 9, 2007)

Slower than normal startup this time.
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Logfile created on: 2/15/2007 6:51:13 PM
WinPFind v1.5.0	Folder = C:\Documents and Settings\username\Desktop\WinPFind\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 7.0.5730.11)

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 12/21/1999 7:58:02 AM 21312 C:\WINDOWS\choice.exe ()

Checking %System% folder...
PECompact2 2/7/2007 5:01:44 PM 12293536 C:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)
aspack 2/7/2007 5:01:44 PM 12293536 C:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)
Umonitor 8/4/2004 3:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll (Microsoft Corporation)
aspack 11/29/2006 1:06:18 PM 3426072 C:\WINDOWS\SYSTEM32\d3dx9_32.dll (Microsoft Corporation)
PEC2 8/18/2001 12:00:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc ()
aspack 8/4/2004 3:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll (Microsoft Corporation)
PTech 12/12/2006 10:45:04 AM 1474864 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL (Microsoft Corporation)
PTech 6/19/2006 4:19:26 PM 304944 C:\WINDOWS\SYSTEM32\WgaTray.exe (Microsoft Corporation)
winsync 8/18/2001 12:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu ()
PEC2 10/18/2006 9:47:20 PM 8231936 C:\WINDOWS\SYSTEM32\wmploc.dll (Microsoft Corporation)
WSUD 10/18/2006 9:47:20 PM 8231936 C:\WINDOWS\SYSTEM32\wmploc.dll (Microsoft Corporation)
WSUD 8/4/2004 3:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 1:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys (Smart Link)

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
2/15/2007 6:49:50 PM S 2048 C:\WINDOWS\bootstat.dat ()
2/15/2007 6:48:54 PM H 1089536 C:\WINDOWS\system32\config\system.LOG ()
2/15/2007 6:48:54 PM H 77824 C:\WINDOWS\system32\config\software.LOG ()
2/15/2007 6:48:54 PM H 8192 C:\WINDOWS\system32\config\default.LOG ()
2/15/2007 6:50:10 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG ()
2/15/2007 6:49:54 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG ()
2/13/2007 9:06:00 PM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG ()
2/7/2007 7:16:28 PM S 136 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\904590238400AD963F77FAAAADC9BAB5 ()
2/7/2007 7:16:28 PM S 126 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\303572DF538EDD8B1D606185F1D559B8 ()
2/7/2007 7:16:28 PM S 98 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\79841F8EF00FBA86D33CC5A47696F165 ()
2/7/2007 7:18:54 PM S 146 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\A44F4E7CB3133FF765C39A53AD8FCFDD ()
2/10/2007 10:55:04 AM S 94 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5 ()
2/10/2007 10:55:06 AM S 124 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\A8FABA189DB7D25FBA7CAC806625FD30 ()
2/7/2007 7:16:28 PM S 574 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\904590238400AD963F77FAAAADC9BAB5 ()
2/7/2007 7:16:28 PM S 341 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\303572DF538EDD8B1D606185F1D559B8 ()
2/7/2007 7:16:28 PM S 413 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\79841F8EF00FBA86D33CC5A47696F165 ()
2/7/2007 7:18:54 PM S 558 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\A44F4E7CB3133FF765C39A53AD8FCFDD ()
2/10/2007 10:55:04 AM S 688 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5 ()
2/10/2007 10:55:06 AM S 47932 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\A8FABA189DB7D25FBA7CAC806625FD30 ()
2/10/2007 11:58:24 PM H 0 C:\WINDOWS\system32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf ()
12/22/2006 11:53:02 AM S 7894 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB929969.cat ()
1/23/2007 2:41:28 PM S 11284 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB928843.cat ()
1/19/2007 3:29:24 PM S 12986 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB924667.cat ()
12/19/2006 6:53:00 PM S 9906 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB928255.cat ()
12/19/2006 2:10:06 PM S 8847 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB927802.cat ()
1/17/2007 2:40:04 PM S 18377 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB928090-IE7.cat ()
12/26/2006 9:00:56 AM S 10965 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB927779.cat ()
1/29/2007 9:26:26 AM S 11284 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB931836.cat ()
2/4/2007 5:27:48 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred ()
2/4/2007 5:27:48 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\2c42b09d-76f1-4d24-9368-901c240ced42 ()
2/4/2007 5:39:32 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred ()
2/4/2007 5:39:32 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\8ebfe4e0-1498-465b-a1a2-ee55d56956ab ()
2/8/2007 4:53:34 PM H 0 C:\WINDOWS\inf\oem25.inf ()
2/12/2007 4:50:52 PM H 400 C:\WINDOWS\network diagnostic\Sqm\NetDiag00.sqm ()
2/15/2007 6:48:40 PM H 6 C:\WINDOWS\Tasks\SA.DAT ()
2/10/2007 3:43:38 PM RH 0 C:\WINDOWS\assembly\pubpol1.dat ()
2/10/2007 3:43:38 PM RH 0 C:\WINDOWS\assembly\PublisherPolicy.tme ()
2/11/2007 12:20:20 AM RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index54.dat ()
2/11/2007 12:20:26 AM RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index55.dat ()

Checking for CPL files...
11/9/2006 3:07:28 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl (Sun Microsystems, Inc.)
8/4/2004 3:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl (Microsoft Corporation)
5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl (Microsoft Corporation)
8/18/2001 12:00:00 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl (Microsoft Corporation)
8/18/2001 12:00:00 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl (Microsoft Corporation)
8/18/2001 12:00:00 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl (Microsoft Corporation)
1/8/2007 7:02:10 PM 1823744 C:\WINDOWS\SYSTEM32\inetcpl.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
10/30/2006 3:33:58 AM 26112 C:\WINDOWS\SYSTEM32\infocardcpl.cpl (Microsoft Corporation)
5/2/2002 11:01:00 PM 901120 C:\WINDOWS\SYSTEM32\Tablet.cpl (Wacom Technology, Corp.)
10/23/2000 7:00:00 AM 49152 C:\WINDOWS\SYSTEM32\setnote.cpl (IBM Corporation)
8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl (Microsoft Corporation)
6/6/2002 9:14:00 AM 45175 C:\WINDOWS\SYSTEM32\plugincpl140_01.cpl (Sun Microsystems)
8/4/2004 3:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl (Microsoft Corporation)
5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl (Microsoft Corporation)
1/8/2007 7:02:10 PM 1823744 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl (Microsoft Corporation)
8/18/2001 12:00:00 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl (Microsoft Corporation)
8/18/2001 12:00:00 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl (Microsoft Corporation)
8/18/2001 12:00:00 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl (Microsoft Corporation)

Checking for Downloaded Program Files...
{17492023-C23A-453E-A040-C7C580BBF700} - Windows Genuine Advantage Validation Tool - CodeBase = http://download.microsoft.com/downl...-40e1-a617-af65a72a0465/LegitCheckControl.cab
{238F6F83-B8B4-11CF-8771-00A024541EE3} - - CodeBase = https://bba.bloomberg.net/Citrix/ICAWEB/en/ica32/wficat.cab
{5ED80217-570B-4DA9-BF44-BE107C0EC166} - Windows Live Safety Center Base Module - CodeBase = http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
{8AD9C840-044E-11D1-B3E9-00805F499D93} - Java Plug-in 1.5.0_10 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
{9F1C11AA-197B-4942-BA54-47A8489BB47F} - - CodeBase = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37865.5957175926
{B942A249-D1E7-4C11-98AE-FCB76B08747F} - RealArcadeRdxIE Class - CodeBase = http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
{CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} - Java Plug-in 1.4.0_01 - CodeBase = http://java.sun.com/products/plugin/autodl/jinstall-1_4_0_01-win.cab
{CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - Java Plug-in 1.4.1_02 - CodeBase = http://java.sun.com/update/1.4.1/jinstall-1_4_1_02-windows-i586.cab
{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - Java Plug-in 1.5.0_10 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - Java Plug-in 1.5.0_10 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
{CD995117-98E5-4169-9920-6C12D4C0B548} - HGPlugin9USA Class - CodeBase = http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} - - CodeBase = http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
{D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - SproutLauncherCtrl Class - CodeBase = http://www.shockwave.com/content/feedingfrenzy/SproutLauncher.cab

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
10/22/2002 3:09:52 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()
5/21/2006 12:09:14 AM 1812 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk ()

Checking files in %ALLUSERSPROFILE%\Application Data folder...
10/23/2002 2:52:08 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini ()
7/19/2006 4:28:56 PM 430 C:\Documents and Settings\All Users\Application Data\hpzinstall.log ()

Checking files in %USERPROFILE%\Startup folder...
10/22/2002 3:09:52 PM HS 84 C:\Documents and Settings\username\Start Menu\Programs\Startup\desktop.ini ()
2/10/2007 10:21:54 PM 554 C:\Documents and Settings\username\Start Menu\Programs\Startup\SpywareGuard.lnk ()

Checking files in %USERPROFILE%\Application Data folder...
10/23/2002 2:52:08 AM HS 62 C:\Documents and Settings\username\Application Data\desktop.ini ()
2/10/2007 8:59:18 AM 262 C:\Documents and Settings\username\Application Data\WinssCookie.txt ()

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

>>> Internet Explorer Settings <<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://go.microsoft.com/fwlink/?LinkId=69157
\\Search Page - http://go.microsoft.com/fwlink/?LinkId=54896
\\Default_Page_URL - http://go.microsoft.com/fwlink/?LinkId=69157
\\Default_Search_URL - http://go.microsoft.com/fwlink/?LinkId=54896
\\Local Page - %SystemRoot%\system32\blank.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://www.yahoo.com/
\\Search Bar - http://www.google.com/ie
\\Search Page - http://www.google.com

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
\\CustomizeSearch - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
\\SearchAssistant - http://www.google.com/ie

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
\\{EA756889-2338-43DB-8F07-D1CA6FB9C90D} - AOLTBSearch Class = C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (America Online, Inc.)
\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Microsoft Url Search Hook = C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

>>> BHO's <<<
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class = C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
\{1E8A6170-7264-4D0F-BEAE-D42A53123C75} - = C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll (Symantec Corporation)
\{4A368E80-174F-4872-96B5-0B27DDD11DB2} - SpywareGuardDLBLOCK.CBrowserHelper = C:\Program Files\SpywareGuard\dlprotect.dll ()
\{53707962-6F74-2D53-2644-206D7942484F} - = C:\PROGRA~1\SPYBOT~1\SDHelper.dll (Safer Networking Limited)
\{55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - URLDetector Class = C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll (Prevx Ltd.)
\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - SSVHelper Class = C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll (Sun Microsystems, Inc.)
\{7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - AOL Toolbar Launcher = C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (America Online, Inc.)
\{7E853D72-626A-48EC-A868-BA8D5E23E045} - = ()
\{9030D464-4C02-4ABF-8ECC-5164760863C6} - Windows Live Sign-in Helper = C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
\{AA58ED58-01DD-4d91-8333-CF10577473F7} - Google Toolbar Helper = c:\program files\google\googletoolbar1.dll (Google Inc.)
\{AE7CD045-E861-484f-8273-0445EE161910} - AcroIEToolbarHelper Class = C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
\{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - Windows Live Toolbar Helper = C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)

>>> Internet Explorer Bars, Toolbars and Extensions <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
\{182EC0BE-5110-49C8-A062-BEB1D02A220B} - Adobe PDF = C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
\{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
\{32683183-48a0-441b-a342-7c2a440a9478} - = ()
\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1} - File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\{EFA24E61-B078-11D0-89E4-00C04FC9E26E} - Favorites Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)
\{EFA24E64-B078-11D0-89E4-00C04FC9E26E} - Explorer Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF = C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
\\{DE9C389F-3316-41A7-809B-AA305ED9D922} - AOL Toolbar = C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (America Online, Inc.)
\\{90222687-F593-4738-B738-FBEE9C7B26DF} - Show Norton Toolbar = C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll (Symantec Corporation)
\\{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google = c:\program files\google\googletoolbar1.dll (Google Inc.)
\\{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - Windows Live Toolbar = C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - = ()
\ShellBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF = C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
\WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} - &Yahoo! Toolbar = ()
\WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF = C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - = ()
\WebBrowser\\{DE9C389F-3316-41A7-809B-AA305ED9D922} - AOL Toolbar = C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (America Online, Inc.)
\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} - &Google = c:\program files\google\googletoolbar1.dll (Google Inc.)
\WebBrowser\\{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - Windows Live Toolbar = C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\CmdMapping]
\\NEXTID - 8199
\\{4B30061A-5B39-11D3-80F8-0090276F843F} - 8193 = 
\\{FB5F1910-F110-11d2-BB9E-00C04F795683} - 8194 = Windows Messenger
\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - 8195 = 
\\{3369AF0D-62E9-4bda-8103-B4C75499B578} - 8196 = 
\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - 8197 = Sun Java Console
\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} - 8198 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll (Sun Microsystems, Inc.)
\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll (Sun Microsystems, Inc.)(HKCU CLSID)
\{3369AF0D-62E9-4bda-8103-B4C75499B578} - ButtonText: AOL Toolbar = 
\{92780B25-18CC-41C8-B9BE-3C9C571A8263} - ButtonText: Research = 
\{e2e2dd38-d088-4134-82b7-f2ba38496583} - MenuText: @xpsp3res.dll,-20001 = ()
\{FB5F1910-F110-11d2-BB9E-00C04F795683} - ButtonText: Messenger = C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

>>> Approved Shell Extensions (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
\\{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = ()
\\{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = ()
\\{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = ()
\\{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINDOWS\System32\hticons.dll (Hilgraeve, Inc.)
\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Taskbar and Start Menu = ()
\\{32683183-48a0-441b-a342-7c2a440a9478} - Media Band = ()
\\{7A9D77BD-5403-11d2-8785-2E0420524153} - User Accounts = ()
\\{A4DF5659-0801-4A60-9607-1C48695EFDA9} - Share-to-Web Upload Folder = C:\Program Files\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL (Hewlett-Packard)
\\{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} - Adobe.Acrobat.ContextMenu = C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat Elements\ContextMenu.dll (Adobe Systems Inc.)
\\{B8323370-FF27-11D2-97B6-204C4F4F5020} - SmartFTP Shell Extension DLL = C:\Program Files\SmartFTP Client 2.0\smarthook.dll (SmartFTP)
\\{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} - iTunes = C:\Program Files\iTunes\iTunesMiniPlayer.dll (Apple Computer, Inc.)
\\{81559C35-8464-49F7-BB0E-07A383BEF910} - = C:\Program Files\SpywareGuard\spywareguard.dll ()

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

>>> Context Menu Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers]
\Adobe.Acrobat.ContextMenu - {D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} = C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat Elements\ContextMenu.dll (Adobe Systems Inc.)
\Symantec.Norton.Antivirus.IEContextMenu - {FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} = C:\PROGRA~1\NORTON~2\NORTON~1\NavShExt.dll (Symantec Corporation)

[HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers]
\Symantec.Norton.Antivirus.IEContextMenu - {FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} = C:\PROGRA~1\NORTON~2\NORTON~1\NavShExt.dll (Symantec Corporation)

>>> Column Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]

>>> Registry Run Keys <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ccApp - C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
osCheck - C:\Program Files\Norton Internet Security\osCheck.exe (Symantec Corporation)
iTunesHelper - C:\Program Files\iTunes\iTunesHelper.exe (Apple Computer, Inc.)
SunJavaUpdateSched - C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe (Sun Microsystems, Inc.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL	Installed = 1
MAPI	Installed = 1
MSFS	Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SpybotSD TeaTimer - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
ctfmon.exe - C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
Aim6 - C:\Program Files\AIM6\aim6.exe (AOL LLC)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]
Second part coming.


----------



## Killazys (Feb 9, 2007)

>>> Startup Links <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Common Startup]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Startup]
C:\Documents and Settings\username\Start Menu\Programs\Startup\desktop.ini ()
C:\Documents and Settings\username\Start Menu\Programs\Startup\SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe ()

>>> MSConfig Disabled Items <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet d series) - 1.lnk
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp officejet d series) - 1.lnk
backup	C:\WINDOWS\pss\HPAiODevice(hp officejet d series) - 1.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\HEWLET~1\AiO\HPOFFI~1\Bin\hpoojd07.exe -DeviceID 1035520573
item	HPAiODevice(hp officejet d series) - 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup	C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\MICROS~2\Office\OSA9.EXE -b -l
item	Microsoft Office

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PenPower PenKeyboard.lnk
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PenPower PenKeyboard.lnk
backup	C:\WINDOWS\pss\PenPower PenKeyboard.lnkCommon Startup
location	Common Startup
command	C:\PPENSB\Win32\PenKeybd.exe 
item	PenPower PenKeyboard

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PenPower Start-Up.lnk
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PenPower Start-Up.lnk
backup	C:\WINDOWS\pss\PenPower Start-Up.lnkCommon Startup
location	Common Startup
command	C:\PPENSB\Win32\ppshell.exe 
item	PenPower Start-Up

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^username^Start Menu^Programs^Startup^Hewlett-Packard Recorder.lnk
path	C:\Documents and Settings\username\Start Menu\Programs\Startup\Hewlett-Packard Recorder.lnk
backup	C:\WINDOWS\pss\Hewlett-Packard Recorder.lnkStartup
location	Startup
command	C:\PROGRA~1\HEWLET~1\AiO\HPOFFI~1\FRU\Remind32.exe 
item	Hewlett-Packard Recorder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AdobeVersionCue
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	VersionCueTray
hkey	HKLM
command	C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\atwtusb
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	atwtusb
hkey	HKLM
command	atwtusb.exe beta
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\C-Media Mixer
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	Mixer
hkey	HKLM
command	Mixer.exe /startup
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ctfmon.exe
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	ctfmon
hkey	HKCU
command	C:\WINDOWS\System32\ctfmon.exe
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IMJPMIG8.1
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	IMJPMIG
hkey	HKLM
command	C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msmsgs
hkey	HKCU
command	"C:\Program Files\Messenger\msmsgs.exe" /background
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSPY2002
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	ImScInst
hkey	HKLM
command	C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NeroCheck
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	NeroCheck
hkey	HKLM
command	C:\WINDOWS\System32\NeroCheck.exe
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PHIME2002A
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	TINTSETP
hkey	HKLM
command	C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PHIME2002ASync
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	TINTSETP
hkey	HKLM
command	C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	qttask
hkey	HKLM
command	"C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RealTray
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	RealPlay
hkey	HKLM
command	C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Run
key	SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
item	freeime
hkey	HKCU
command	C:\PPENSB\win32\freeime.exe 
inimapping	1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Share-to-Web Namespace Daemon
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	hpgs2wnd
hkey	HKLM
command	C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Symantec NetDriver Monitor
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	SNDMon
hkey	HKLM
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WinampAgent
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	Winampa
hkey	HKLM
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini	0
win.ini	0
bootini	0
services	0
startup	2

[All Users Startup Folder Disabled Items]

[Current User Startup Folder Disabled Items]

>>> User Agent Post Platform <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

>>> AppInit Dll's <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs]

>>> Image File Execution Options <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
\Your Image File Name Here without a path - Debugger = ntsd -d

>>> Shell Service Object Delay Load <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
\\PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
\\SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll (Microsoft Corporation)
\\UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} = C:\WINDOWS\system32\upnpui.dll (Microsoft Corporation)
\\WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} = C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation)

>>> Shell Execute Hooks <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation)
\\{81559C35-8464-49F7-BB0E-07A383BEF910} - SpywareGuard.Handler = C:\Program Files\SpywareGuard\spywareguard.dll ()

>>> Shared Task Scheduler <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
\\{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\\{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)

>>> Winlogon <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
\\UserInit = C:\WINDOWS\system32\userinit.exe,
\\Shell = Explorer.exe
\\System =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
\crypt32chain - = ()
\cryptnet - = ()
\cscdll - cscdll.dll = (Microsoft Corporation)
\ScCertProp - wlnotify.dll = (Microsoft Corporation)
\Schedule - wlnotify.dll = (Microsoft Corporation)
\sclgntfy - sclgntfy.dll = (Microsoft Corporation)
\SensLogn - WlNotify.dll = (Microsoft Corporation)
\termsrv - wlnotify.dll = (Microsoft Corporation)
\WgaLogon - WgaLogon.dll = (Microsoft Corporation)
\wlballoon - wlnotify.dll = (Microsoft Corporation)

>>> DNS Name Servers <<<
{734B0EA7-86D3-4CBD-A08E-61B0BAAE7AED} - (Linksys Wireless-G PCI Adapter with SpeedBooster)
{EAA48EAE-DFA5-42BD-8ADF-A6FF1F6323A2} - (SiS 900-Based PCI Fast Ethernet Adapter)

>>> All Winsock2 Catalogs <<<
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries]
\000000000001\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
\000000000002\\LibraryPath - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation)
\000000000003\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
\000000000004\\LibraryPath - %SystemRoot%\System32\nwprovau.dll (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries]
\000000000001\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000002\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000003\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000004\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000005\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000006\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000007\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000008\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000009\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000010\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000011\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000012\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000013\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000014\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000015\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000016\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000017\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)

>>> Protocol Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler]
\cetihpz - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
\ipp - ()
\msdaipp - ()

>>> Protocol Filters (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter]

>>> Selected AddOn's <<<

>>>>Output for AddOn file Policies.def<<<<
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} - 1
policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} - 1073741857
policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - 32
policies\system\\dontdisplaylastusername - 0
policies\system\\legalnoticecaption - 
policies\system\\legalnoticetext - 
policies\system\\shutdownwithoutlogon - 1
policies\system\\undockwithoutlogon - 1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
policies\Explorer\\NoDriveTypeAutoRun - 145

>>>>Output for AddOn file Security.def<<<<
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center - Include SUBKEYS
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
Security Center\\AntiVirusDisableNotify - 0
Security Center\\FirewallDisableNotify - 0
Security Center\\UpdatesDisableNotify - 0
Security Center\\AntiVirusOverride - 0
Security Center\\FirewallOverride - 0
Security Center\Monitoring\\DisableMonitoring - 1
Security Center\Monitoring\SymantecAntiVirus\\DisableMonitoring - 1
Security Center\Monitoring\SymantecFirewall\\DisableMonitoring - 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS - Include SUBKEYS
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
BITS\\Type - 32
BITS\\Start - 3
BITS\\ErrorControl - 1
BITS\\ImagePath - %SystemRoot%\System32\svchost.exe -k netsvcs
BITS\\DisplayName - Background Intelligent Transfer Service
BITS\\DependOnService - Rpcss;
BITS\\DependOnGroup - 
BITS\\ObjectName - LocalSystem
BITS\\Description - Transfers files in the background using idle network bandwidth. If the service is stopped, features such as Windows Update, and MSN Explorer will be unable to automatically download programs and other information. If this service is disabled, any services that explicitly depend on it may fail to transfer files if they do not have a fail safe mechanism to transfer files directly through IE in case BITS has been disabled.
BITS\\FailureActions - 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 68 E3 0C 00 01 00 00 00 60 EA 00 00 01 00 00 00 60 EA 00 00 01 00 00 00 60 EA 00 00 
BITS\Parameters\\ServiceDll - C:\WINDOWS\System32\qmgr.dll
BITS\Security\\Security - 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 
BITS\Enum\\0 - Root\LEGACY_BITS\0000
BITS\Enum\\Count - 1
BITS\Enum\\NextInstance - 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess - Include SUBKEYS
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
SharedAccess\\Type - 32
SharedAccess\\Start - 2
SharedAccess\\ErrorControl - 1
SharedAccess\\ImagePath - %SystemRoot%\System32\svchost.exe -k netsvcs
SharedAccess\\DisplayName - Windows Firewall/Internet Connection Sharing (ICS)
SharedAccess\\DependOnService - Netman;WinMgmt;
SharedAccess\\DependOnGroup - 
SharedAccess\\ObjectName - LocalSystem
SharedAccess\\Description - Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.
SharedAccess\Epoch\\Epoch - 22299
SharedAccess\Parameters\\ServiceDll - %SystemRoot%\System32\ipnathlp.dll
SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\%windir%\system32\sessmgr.exe - %windir%\system32\sessmgr.exe:*:enabledxpsp2res.dll,-22019
SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Program Files\Common Files\AOL\Loader\aolload.exe - C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader
SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Program Files\Common Files\AOL\1125751903\ee\AOLServiceHost.exe - C:\Program Files\Common Files\AOL\1125751903\ee\AOLServiceHost.exe:*:Enabled:AOL Services
SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Program Files\WebConference.com\Version51239\webconference.exe - C:\Program Files\WebConference.com\Version51239\webconference.exe:*:Enabled:WebConference.com
SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Program Files\AIM\aim.exe - C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger
SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Program Files\MSN Messenger\msnmsgr.exe - C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1
SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Program Files\MSN Messenger\livecall.exe - C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)
SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\%windir%\Network Diagnostic\xpnetdiag.exe - %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000
SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\139:TCP - 139:TCP:*:Enabledxpsp2res.dll,-22004
SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\445:TCP - 445:TCP:*:Enabledxpsp2res.dll,-22005
SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\137:UDP - 137:UDP:*:Enabledxpsp2res.dll,-22001
SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\138:UDP - 138:UDP:*:Enabledxpsp2res.dll,-22002
SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\1900:UDP - 1900:UDP:LocalSubNet:Enabledxpsp2res.dll,-22007
SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\2869:TCP - 2869:TCP:LocalSubNet:Enabledxpsp2res.dll,-22008
SharedAccess\Parameters\FirewallPolicy\StandardProfile\\EnableFirewall - 0
SharedAccess\Parameters\FirewallPolicy\StandardProfile\\DoNotAllowExceptions - 0
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\%windir%\system32\sessmgr.exe - %windir%\system32\sessmgr.exe:*:enabledxpsp2res.dll,-22019
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Marble Blast Gold\MarbleBlast.exe - C:\Program Files\Marble Blast Gold\MarbleBlast.exe:*:Enabled:MarbleBlast
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\SmartFTP\SmartFTP.exe - C:\Program Files\SmartFTP\SmartFTP.exe:*:Enabled:SmartFTP
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Common Files\AOL\Loader\aolload.exe - C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Common Files\AOL\1125751903\ee\AOLServiceHost.exe - C:\Program Files\Common Files\AOL\1125751903\ee\AOLServiceHost.exe:*:Enabled:AOL Services
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Messenger\msmsgs.exe - C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\WebConference.com\Version51239\webconference.exe - C:\Program Files\WebConference.com\Version51239\webconference.exe:*:Enabled:WebConference.com
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\LimeWire\LimeWire.exe - C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\AIM\aim.exe - C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\iTunes\iTunes.exe - C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\SmartFTP Client 2.0\SmartFTP.exe - C:\Program Files\SmartFTP Client 2.0\SmartFTP.exe:*:Enabled:SmartFTP Client 2.0
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\StubInstaller.exe - C:\StubInstaller.exe:*:Enabled:LimeWire swarmed installer
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\MSN Messenger\msnmsgr.exe - C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\MSN Messenger\livecall.exe - C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\%windir%\Network Diagnostic\xpnetdiag.exe - %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000
SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\139:TCP - 139:TCP:LocalSubNet:Enabledxpsp2res.dll,-22004
SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\445:TCP - 445:TCP:LocalSubNet:Enabledxpsp2res.dll,-22005
SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\137:UDP - 137:UDP:LocalSubNet:Enabledxpsp2res.dll,-22001
SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\138:UDP - 138:UDP:LocalSubNet:Enabledxpsp2res.dll,-22002
SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\1900:UDP - 1900:UDP:LocalSubNet:Enabledxpsp2res.dll,-22007
SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\2869:TCP - 2869:TCP:LocalSubNet:Enabledxpsp2res.dll,-22008
SharedAccess\Security\\Security - 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 
SharedAccess\Setup\\ServiceUpgrade - 1
SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\\{EAA48EAE-DFA5-42BD-8ADF-A6FF1F6323A2} - 1
SharedAccess\Enum\\0 - Root\LEGACY_SHAREDACCESS\0000
SharedAccess\Enum\\Count - 1
SharedAccess\Enum\\NextInstance - 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv - Include SUBKEYS
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
wuauserv\\Type - 32
wuauserv\\Start - 2
wuauserv\\ErrorControl - 1
wuauserv\\ImagePath - %SystemRoot%\system32\svchost.exe -k netsvcs
wuauserv\\DisplayName - Automatic Updates
wuauserv\\ObjectName - LocalSystem
wuauserv\\Description - Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site.
wuauserv\Parameters\\ServiceDll - C:\WINDOWS\system32\wuauserv.dll
wuauserv\Security\\Security - 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 
wuauserv\Enum\\0 - Root\LEGACY_WUAUSERV\0000
wuauserv\Enum\\Count - 1
wuauserv\Enum\\NextInstance - 1

»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»


----------



## Cookiegal (Aug 27, 2003)

martingreg3,

Please refer to the rules concerning malware removal and this thread that's stickied in the Security forum.

http://www.techguy.org/rules.html


> *Log Analysis/Malware Removal *- In order to ensure that advice given to users is consistent and of the highest quality, those who wish to assist with security related matters must first graduate from one of the malware boot camp training universities or be approved by the administration as already being qualified. Those authorized to help with malware issues have a gold shield
> 
> 
> 
> ...


Please refrain from replying to security related matters on this forum until you have presented evidence to one of the moderators or admins here that proves you to be qualified to do so. If you are not yet qualified and interested in being trained, we will be glad to help you get enrolled at one of the free online training facilities. Just PM me or one of the other moderators that work Security and we'll point you in the right direction.

Thanks in advance for your cooperation.


----------



## Cookiegal (Aug 27, 2003)

I'd like to check these two registry entries as they don't look right.

Expand these keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

Click on crypt32chain and in the right-hand pane do you see the crypt32.dll under the data column on the DllName line?

Click on cryptnet and in the right-hand pane do you see the cryptnet.dll in the same place?


----------



## Killazys (Feb 9, 2007)

On crypt32chain, there is exactly this under "Data": "(no value set)", and its "Name" is "default".
cryptnet is in the same folder, but it also has "(no value set)" and the "Name" is "default"; both are Reg_SZ.
I also noticed a separate folder below Notify called "Notify_Disabled" AND THE TWO THINGS THERE WERE CRYPT32CHAIN AND CRYPTNET!
Under crypt32chain, the name was "dllname", and it was crypt32.dll, and under cryptnet, it is cryptnet.dll.
Should I export these registry keys, because there are a lot more things in that folder?
(As a side note: After I booted into Safe Mode, I saw a different account other than the one I use. The "hidden" account does not show up when I use the normal startup. Should I look into that account and scan it for possible malware/viruses?)


----------



## Cookiegal (Aug 27, 2003)

Yes, please export the contents of Notify_Disabled for those two values to your desktop and copy and paste their contents here.


What is the name of the user you're referring to? It's normal to have the Administrator account only visible in safe mode.


----------



## martingreg3 (Feb 15, 2007)

No cookiegal, I have no retro64_loader.dll,

What is the significance of a retro64 loader? Not looking for old men, are you? You will have to wait four years for me to get there!

martingreg3


----------



## Cookiegal (Aug 27, 2003)

martingreg3 said:


> No cookiegal, I have no retro64_loader.dll,
> 
> What is the significance of a retro64 loader? Not looking for old men, are you? You will have to wait four years for me to get there!
> 
> martingreg3


I did not ask you about any files. This thread belongs to Killazys.

If you require assistance with something, please start your own thread in the appropriate forum.


----------



## Killazys (Feb 9, 2007)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify_Disabled\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
That is the crypt32chain.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify_Disabled\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
This is cryptnet.
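Added example (not a tool from this thread): a small Python parser that reads exports like the two above, decodes the hex(2) DllName values into text, and runs the check Cookiegal asked for (which DLL each Winlogon Notify subkey points at) against the DllName list from the earlier WinPFind log. The sample input and the known-good list are taken from this thread; everything else is constructed for the example.

```python
# Added example for this thread (not a tool from it): parse a regedit 5.00 export, decode the
# hex(2) DllName values posted above, and audit Winlogon Notify subkeys against the WinPFind log.
import re

# Constructed sample: the two Notify_Disabled exports quoted in the post above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify_Disabled\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify_Disabled\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
'''

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Known-good Notify packages and their DLLs, as listed in the WinPFind log earlier in the thread.
EXPECTED_NOTIFY = {
    "crypt32chain": "crypt32.dll", "cryptnet": "cryptnet.dll", "cscdll": "cscdll.dll",
    "ScCertProp": "wlnotify.dll", "Schedule": "wlnotify.dll", "sclgntfy": "sclgntfy.dll",
    "SensLogn": "wlnotify.dll", "termsrv": "wlnotify.dll", "WgaLogon": "WgaLogon.dll",
    "wlballoon": "wlnotify.dll",
}


def _unfold(text):
    """Join regedit continuation lines (a trailing backslash means the value continues)."""
    joined = re.sub(r"\\\r?\n\s*", "", text)
    return [line.rstrip() for line in joined.splitlines()]


def _decode_value(raw):
    """Decode one regedit value literal (quoted string, dword:, hex: or hex(N):)."""
    if raw.startswith('"') and raw.endswith('"') and len(raw) >= 2:
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo \" and \\ escapes
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\w+)\))?:(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) in ("2", "7"):  # REG_EXPAND_SZ / REG_MULTI_SZ are UTF-16LE text
            return data.decode("utf-16-le").rstrip("\x00")
        return data
    raise ValueError(f"unsupported value literal: {raw!r}")


def parse_reg(text):
    """Return {key_path: {value_name: value}} for a 'Windows Registry Editor Version 5.00' export."""
    keys, current = {}, None
    for line in _unfold(text):
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if current is None or not m:
            raise ValueError(f"malformed line: {line!r}")
        name = m.group(1) if m.group(1) is not None else "@"
        keys[current][name] = _decode_value(m.group(2))
    return keys


def audit_notify(reg_text, expected=EXPECTED_NOTIFY):
    """Audit every Winlogon Notify or Notify_Disabled subkey in the export: a Notify package's
    DllName is loaded into winlogon.exe at logon, so unknown subkeys or unexpected DLLs stand out."""
    want = {k.lower(): v.lower() for k, v in expected.items()}
    pattern = re.escape(WINLOGON) + r"\\(Notify(?:_Disabled)?)\\([^\\]+)$"
    findings = []
    for path, values in parse_reg(reg_text).items():
        m = re.match(pattern, path, re.IGNORECASE)
        if not m:
            continue
        parent, subkey = m.group(1), m.group(2)
        dll = values.get("DllName")
        if subkey.lower() not in want:
            status = "unexpected subkey"
        elif dll is None:
            status = "missing DllName"
        elif dll.lower() != want[subkey.lower()]:
            status = "mismatch"
        else:
            status = "ok"
        findings.append({"parent": parent, "subkey": subkey, "dllname": dll, "status": status})
    return findings


if __name__ == "__main__":
    for f in audit_notify(SAMPLE_REG):
        print(f"{f['parent']}\\{f['subkey']}: DllName={f['dllname']!r} -> {f['status']}")
```

Entries reported under Notify_Disabled are not loaded at logon; the same check run on an export of the live Notify key is what shows whether each package still points at its expected DLL.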


----------



## Killazys (Feb 9, 2007)

Bump!!!


----------



## Cookiegal (Aug 27, 2003)

Let's make a backup of the registry.

Go to Start > Run
Type:
*regedit*
Click OK.
On the left side, click to highlight *My Computer* at the top. 
Go up to "*File > Export*"
Make sure in that window there is a tick next to "All" under Export Branch.
Leave the "Save As Type" as "Registration Files".
Under "Filename" put *backup*

Choose to save it to *C:\* or somewhere else safe so that you will remember where you put it (don't put it on the desktop!)
Click save and then go to File > Exit.
This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.

I'm attaching a FixKillazys.zip file to this post. Save it to your desktop. Unzip it and double click the FixKillazys.reg file and allow it to enter into the registry.

Reboot and then run another scan with WinPFind and post the log please.


----------



## Killazys (Feb 9, 2007)

The scan with WinPFind with Security and Policies checked?


----------



## Cookiegal (Aug 27, 2003)

Yes please.


----------



## Killazys (Feb 9, 2007)

*UNIMAGINABLY (I'm not even kidding)* slow response time on reboot to normal mode, running programs no longer showing in system tray (seems like an on/off thing every reboot or shut down/turn on). TeaTimer no longer pestering me about "load"! Yes, the hidden account is called Administrator, so no problem with that.


----------



## Cookiegal (Aug 27, 2003)

How many user accounts are there on this computer?


----------



## Killazys (Feb 9, 2007)

There is the account with administrative privileges called "Admin" which is the account I use, an unactivated "Guest" account, and a "hidden" account called "Administrator" only visible when booting to safe mode. There USED to be another account called "bylin" but I deleted it and all the files on the account.


----------



## Cookiegal (Aug 27, 2003)

Download pv.zip from *Here* and extract the zip file to your C: drive. Once it is extracted there will be a directory on your C: drive called PV. Inside the C:\PV directory will be a file called runme.bat. Simply double-click on the runme.bat file. A DOS window will open. Select option 1 for explorer dlls by typing 1 and then pressing enter. Notepad will open with a log in it. Copy and paste the log into this thread. It is usually pretty large and takes more than one post. Please do option 2 for Internet Explorer dlls too.


----------



## Killazys (Feb 9, 2007)

I am using the one I already have.
Module information for 'Explorer.EXE'
MODULE BASE SIZE PATH
Explorer.EXE 1000000 1044480 C:\WINDOWS\Explorer.EXE 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Windows Explorer
ntdll.dll 7c900000 720896 C:\WINDOWS\system32\ntdll.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) NT Layer DLL
kernel32.dll 7c800000 999424 C:\WINDOWS\system32\kernel32.dll 5.1.2600.2945 (xpsp_sp2_gdr.060704-2349) Windows NT BASE API Client DLL
msvcrt.dll 77c10000 360448 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT CRT DLL
ADVAPI32.dll 77dd0000 634880 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Advanced Windows 32 Base API
RPCRT4.dll 77e70000 593920 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Remote Procedure Call Runtime
GDI32.dll 77f10000 290816 C:\WINDOWS\system32\GDI32.dll 5.1.2600.2818 (xpsp_sp2_gdr.051228-1427) GDI Client DLL
USER32.dll 77d40000 589824 C:\WINDOWS\system32\USER32.dll 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519) Windows XP USER API Client DLL
SHLWAPI.dll 77f60000 483328 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2900.3020 (xpsp.061023-0222) Shell Light-weight Utility Library
SHELL32.dll 7c9c0000 8474624 C:\WINDOWS\system32\SHELL32.dll 6.00.2900.3051 (xpsp_sp2_gdr.061219-0316) Windows Shell Common Dll
ole32.dll 774e0000 1298432 C:\WINDOWS\system32\ole32.dll 5.1.2600.2726 (xpsp_sp2_gdr.050725-1528) Microsoft OLE for Windows
OLEAUT32.dll 77120000 573440 C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.2180 
BROWSEUI.dll 75f80000 1036288 C:\WINDOWS\system32\BROWSEUI.dll 6.00.2900.3020 (xpsp.061023-0222) Shell Browser UI Library
SHDOCVW.dll 77760000 1507328 C:\WINDOWS\system32\SHDOCVW.dll 6.00.2900.3020 (xpsp.061023-0222) Shell Doc Object and Control Library
CRYPT32.dll 77a80000 606208 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Crypto API32
MSASN1.dll 77b20000 73728 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ASN.1 Runtime APIs
CRYPTUI.dll 754d0000 524288 C:\WINDOWS\system32\CRYPTUI.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Trust UI Provider
WINTRUST.dll 76c30000 188416 C:\WINDOWS\system32\WINTRUST.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Trust Verification APIs
IMAGEHLP.dll 76c90000 163840 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT Image Helper
NETAPI32.dll 5b860000 344064 C:\WINDOWS\system32\NETAPI32.dll 5.1.2600.2976 (xpsp_sp2_gdr.060817-0106) Net Win32 API DLL
WININET.dll 771b0000 847872 C:\WINDOWS\system32\WININET.dll 7.00.6000.16414 (vista_gdr.070108-1520) Internet Extensions for Win32
Normaliz.dll 400000 36864 C:\WINDOWS\system32\Normaliz.dll 6.0.5441.0 (winmain(wmbla).060628-1735) Unicode Normalization DLL
iertutil.dll 6e850000 282624 C:\WINDOWS\system32\iertutil.dll 7.00.6000.16414 (vista_gdr.070108-1520) Run time utility for Internet Explorer
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Win32 LDAP API DLL
VERSION.dll 77c00000 32768 C:\WINDOWS\system32\VERSION.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Version Checking and File Installation Libraries
UxTheme.dll 5ad70000 229376 C:\WINDOWS\system32\UxTheme.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Microsoft UxTheme Library
ShimEng.dll 5cb70000 155648 C:\WINDOWS\system32\ShimEng.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Shim Engine DLL
AcGenral.DLL 6f880000 1875968 C:\WINDOWS\AppPatch\AcGenral.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Compatibility DLL
WINMM.dll 76b40000 184320 C:\WINDOWS\system32\WINMM.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) MCI API DLL
MSACM32.dll 77be0000 86016 C:\WINDOWS\system32\MSACM32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft ACM Audio Filter
USERENV.dll 769c0000 733184 C:\WINDOWS\system32\USERENV.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Userenv
IMM32.DLL 76390000 118784 C:\WINDOWS\system32\IMM32.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows XP IMM32 API Client DLL
LPK.DLL 629c0000 36864 C:\WINDOWS\system32\LPK.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Language Pack
USP10.dll 74d90000 438272 C:\WINDOWS\system32\USP10.dll 1.0420.2600.2180 (xpsp_sp2_rtm.040803-2158) Uniscribe Unicode script processor
comctl32.dll 773d0000 1060864 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll 6.0 (xpsp.060825-0040) User Experience Controls Library
comctl32.dll 5d090000 630784 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp.060825-0040) Common Controls Library
msctfime.ime 755c0000 188416 C:\WINDOWS\system32\msctfime.ime 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Text Frame Work Service IME
appHelp.dll 77b40000 139264 C:\WINDOWS\system32\appHelp.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Application Compatibility Client Library
CLBCATQ.DLL 76fd0000 520192 C:\WINDOWS\system32\CLBCATQ.DLL 2001.12.4414.308 
COMRes.dll 77050000 806912 C:\WINDOWS\system32\COMRes.dll 2001.12.4414.258 
cscui.dll 77a20000 344064 C:\WINDOWS\System32\cscui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Client Side Caching UI
CSCDLL.dll 76600000 118784 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Offline Network Agent
themeui.dll 5ba60000 462848 C:\WINDOWS\System32\themeui.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Windows Theme API
Secur32.dll 77fe0000 69632 C:\WINDOWS\System32\Secur32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Security Support Provider Interface
MSIMG32.dll 76380000 20480 C:\WINDOWS\System32\MSIMG32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) GDIEXT Client DLL
xpsp2res.dll 20000000 2904064 C:\WINDOWS\system32\xpsp2res.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Service Pack 2 Messages
msutb.dll 5fc10000 208896 C:\WINDOWS\System32\msutb.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) MSUTB Server DLL
MSCTF.dll 74720000 307200 C:\WINDOWS\System32\MSCTF.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) MSCTF Server DLL
iTunesMiniPlayer.dll 10000000 135168 C:\Program Files\iTunes\iTunesMiniPlayer.dll 7.0.2.16 iTunes Mini Player DLL
iTunesMiniPlayerLocalized.dll 1110000 57344 C:\Program Files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll 7.0.2.16 iTunes Mini Player Resource Library
iTunesMiniPlayer.dll 1140000 143360 C:\Program Files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll 7.0.2.16 iTunes Mini Player Resource Library
SETUPAPI.dll 77920000 995328 C:\WINDOWS\system32\SETUPAPI.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Setup API
ieframe.dll 7e1e0000 6070272 C:\WINDOWS\system32\ieframe.dll 7.00.6000.16414 (vista_gdr.070108-1520) Internet Explorer
PSAPI.DLL 76bf0000 45056 C:\WINDOWS\system32\PSAPI.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Process Status Helper
msi.dll 1730000 2908160 C:\WINDOWS\system32\msi.dll 3.1.4000.2435 Windows Installer
tabhook.dll 1a00000 53248 C:\WINDOWS\System32\tabhook.dll 4.56-6 TabHook
NETSHELL.dll 76400000 1728512 C:\WINDOWS\system32\NETSHELL.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Network Connections Shell
rtutils.dll 76e80000 57344 C:\WINDOWS\system32\rtutils.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Routing Utilities
credui.dll 76c00000 188416 C:\WINDOWS\system32\credui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Credential Manager User Interface
WS2_32.dll 71ab0000 94208 C:\WINDOWS\system32\WS2_32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 2.0 Helper for Windows NT
ATL.DLL 76b20000 69632 C:\WINDOWS\system32\ATL.DLL 3.05.2284 ATL Module for Windows XP (Unicode)
iphlpapi.dll 76d60000 102400 C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.2912 (xpsp_sp2_gdr.060519-0003) IP Helper API
LINKINFO.dll 76980000 32768 C:\WINDOWS\system32\LINKINFO.dll 5.1.2600.2751 (xpsp_sp2_gdr.050831-1520) Windows Volume Tracking
ntshrui.dll 76990000 151552 C:\WINDOWS\system32\ntshrui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Shell extensions for sharing
urlmon.dll 61410000 1196032 C:\WINDOWS\system32\urlmon.dll 7.00.6000.16414 (vista_gdr.070108-1520) OLE32 Extensions for Win32
MLANG.dll 75cf0000 593920 C:\WINDOWS\system32\MLANG.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Multi Language Support DLL
WINSTA.dll 76360000 65536 C:\WINDOWS\system32\WINSTA.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Winstation Library
webcheck.dll 74b30000 245760 C:\WINDOWS\system32\webcheck.dll 7.00.6000.16414 (vista_gdr.070108-1520) Web Site Monitor
stobject.dll 76280000 135168 C:\WINDOWS\System32\stobject.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Systray shell service object
BatMeter.dll 74af0000 40960 C:\WINDOWS\System32\BatMeter.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Battery Meter Helper DLL
POWRPROF.dll 74ad0000 32768 C:\WINDOWS\System32\POWRPROF.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Power Profile Helper DLL
WTSAPI32.dll 76f50000 32768 C:\WINDOWS\System32\WTSAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Terminal Server SDK APIs
upnpui.dll 5af80000 249856 C:\WINDOWS\system32\upnpui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) UPNP Tray Monitor and Folder
upnp.dll 76de0000 143360 C:\WINDOWS\System32\upnp.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Universal Plug and Play API
WINHTTP.dll 4d4f0000 360448 C:\WINDOWS\System32\WINHTTP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows HTTP Services
SSDPAPI.dll 74f00000 49152 C:\WINDOWS\System32\SSDPAPI.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) SSDP Client API DLL
rsaenh.dll ffd0000 163840 C:\WINDOWS\system32\rsaenh.dll 5.1.2600.2161 (xpsp.040706-1629) Microsoft Enhanced Cryptographic Provider
wdmaud.drv 72d20000 36864 C:\WINDOWS\system32\wdmaud.drv 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) WDM Audio driver mapper
msacm32.drv 72d10000 32768 C:\WINDOWS\system32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
midimap.dll 77bd0000 28672 C:\WINDOWS\system32\midimap.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft MIDI Mapper
mslbui.dll 605d0000 36864 C:\WINDOWS\system32\mslbui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) LangageBar Add In
MPR.dll 71b20000 73728 C:\WINDOWS\system32\MPR.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Multiple Provider Router DLL
drprov.dll 75f60000 28672 C:\WINDOWS\System32\drprov.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Terminal Server Network Provider
ntlanman.dll 71c10000 57344 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) MicrosoftR Lan Manager
NETUI0.dll 71cd0000 94208 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) NT LM UI Common Code - GUI Classes
NETUI1.dll 71c90000 262144 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) NT LM UI Common Code - Networking classes
NETRAP.dll 71c80000 28672 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Net Remote Admin Protocol DLL
SAMLIB.dll 71bf0000 77824 C:\WINDOWS\System32\SAMLIB.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) SAM Library DLL
davclnt.dll 75f70000 36864 C:\WINDOWS\System32\davclnt.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Web DAV Client DLL
WPDShServiceObj.dll 164a0000 143360 C:\WINDOWS\system32\WPDShServiceObj.dll 5.2.5721.5145 (WMP_11.061018-2006) Windows Portable Device Shell Service Object
PortableDeviceTypes.dll 109c0000 180224 C:\WINDOWS\system32\PortableDeviceTypes.dll 5.2.5721.5145 (WMP_11.061018-2006) Windows Portable Device (Parameter) Types Component
PortableDeviceApi.dll 10930000 299008 C:\WINDOWS\system32\PortableDeviceApi.dll 5.2.5721.5145 (WMP_11.061018-2006) Windows Portable Device API Components
NSCEXT.dll 6f120000 573440 C:\Program Files\Common Files\Symantec Shared\NPC\NSCEXT.dll 2007.3.00.5 Norton Protection Center ExplorerExtensions
ATL71.DLL 7c120000 102400 C:\WINDOWS\system32\ATL71.DLL 7.10.3077.0 ATL Module for Windows (Unicode)
MSVCP71.dll 7c3a0000 503808 C:\WINDOWS\system32\MSVCP71.dll 7.10.3077.0 MicrosoftR C++ Runtime Library
MSVCR71.dll 7c340000 352256 C:\WINDOWS\system32\MSVCR71.dll 7.10.3052.4 MicrosoftR C Runtime Library
ccL60U.dll 6ae70000 544768 C:\Program Files\Common Files\Symantec Shared\ccL60U.dll 106.1.3.3 Symantec Library
WZCSAPI.DLL 73030000 65536 C:\WINDOWS\system32\WZCSAPI.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Wireless Zero Configuration service API
SXS.DLL 75e90000 720896 C:\WINDOWS\system32\SXS.DLL 5.1.2600.3019 (xpsp_sp2_gdr.061019-0414) Fusion 2.5
browselc.dll 29c0000 73728 C:\WINDOWS\system32\browselc.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Shell Browser UI Library
SDHelper.dll 2fb0000 872448 C:\PROGRA~1\SPYBOT~1\SDHelper.dll 1, 4, 0, 0 Bad download blocker
olepro32.dll 5edd0000 94208 C:\WINDOWS\system32\olepro32.dll 5.1.2600.2180 
DUSER.dll 6c1b0000 315392 C:\WINDOWS\system32\DUSER.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows DirectUser Engine
MSGINA.dll 75970000 1011712 C:\WINDOWS\system32\MSGINA.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT Logon GINA DLL
ODBC32.dll 74320000 249856 C:\WINDOWS\system32\ODBC32.dll 3.525.1117.0 (xpsp_sp2_rtm.040803-2158) Microsoft Data Access - ODBC Driver Manager
comdlg32.dll 763b0000 299008 C:\WINDOWS\system32\comdlg32.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Common Dialogs DLL
odbcint.dll 3bd0000 94208 C:\WINDOWS\system32\odbcint.dll 3.525.1117.0 (xpsp_sp2_rtm.040803-2158) Microsoft Data Access - ODBC Resources
actxprxy.dll 71d40000 114688 C:\WINDOWS\system32\actxprxy.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) ActiveX Interface Marshaling Library
wzcdlg.dll 5df10000 385024 C:\WINDOWS\system32\wzcdlg.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Wireless Zero Configuration Service UI
tsappcmp.dll 5b430000 65536 C:\WINDOWS\system32\tsappcmp.dll 5.1.2600.0 (xpclient.010817-1148) Terminal Services Application Compatibility DLL
AcroIEHelper.dll cb0000 45056 C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll 6.0.0.2003051500 Adobe Acrobat IE Helper Version 6.0 for ActivieX
dlprotect.dll 11000000 192512 C:\Program Files\SpywareGuard\dlprotect.dll 2.02 SpywareGuard Download Protection
MSVBVM60.DLL 66000000 1388544 C:\WINDOWS\system32\MSVBVM60.DLL 6.00.8964 Visual Basic Virtual Machine
sti.dll 73ba0000 77824 C:\WINDOWS\System32\sti.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Still Image Devices client DLL 
CFGMGR32.dll 74ae0000 28672 C:\WINDOWS\System32\CFGMGR32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Configuration Manager Forwarder DLL
spywareguard.dll 22200000 126976 C:\Program Files\SpywareGuard\spywareguard.dll 2.02 SpywareGuard Protection
asfsipc.dll 41f00000 28672 C:\WINDOWS\system32\asfsipc.dll 1.1.00.3917 ASFSipc Object
MSISIP.DLL 60980000 28672 C:\WINDOWS\system32\MSISIP.DLL 3.1.4000.1823 MSI Signature SIP Provider
wshext.dll 74ea0000 65536 C:\WINDOWS\system32\wshext.dll 5.6.0.8820 Microsoft (r) Shell Extension for Windows Script Host
MFC42.DLL 73dd0000 1040384 C:\WINDOWS\system32\MFC42.DLL 6.02.4131.0 MFCDLL Shared Library - Retail Version
MCPS.DLL 36d30000 102400 C:\PROGRA~1\MICROS~2\OFFICE11\MCPS.DLL 11.0.5510 Media Catalog Proxy/Stub
This is the first choice.
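The module listings in this thread are long enough that reading them by eye misses things. The following is an added example, not part of the thread and not code from any of the tools mentioned in it: a small Python triage script that parses the `MODULE BASE SIZE PATH VERSION DESCRIPTION` row format of these dumps and flags the rows a responder would look at first (modules loaded from outside `C:\WINDOWS`, from user-writable data directories, or without a version resource). The sample rows are copied from the iexplore.exe listing posted in this thread; the flag names and the directory heuristics are this example's own choices, and a flag is a review hint, not a verdict (pxbho.dll, for instance, is flagged only because it loads from a data directory, and its own description identifies it as the Prevx BHO).

```python
"""Triage a 'MODULE BASE SIZE PATH VERSION DESCRIPTION' module listing.

Added example for this thread, not code from the original post or from any
tool named in it. Parses the per-process module dump format shown above and
flags entries worth a second look. Flags are review hints, not verdicts.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Version token as it appears in the dump: 5.1.2600.2180, 1, 4, 0, 0, 9,0,28,0, 4.56-6
# optionally followed by a parenthesised build tag such as (xpsp_sp2_rtm.040803-2158).
_VERSION_RE = re.compile(r"^\s*(\d[\d.\-]*(?:,\s*\d+)*)(?:\s+\(([^)]*)\))?\s*(.*)$")

# Directories an ordinary user account can write to (heuristic chosen for this example).
_USER_WRITABLE = ("\\documents and settings\\", "\\application data\\", "\\temp\\", "\\tmp\\")


@dataclass
class Module:
    name: str
    base: int
    size: int
    path: str
    version: Optional[str]
    build_tag: Optional[str]
    description: str

    @property
    def flags(self) -> List[str]:
        """Review hints for this row; empty list means nothing stood out."""
        low = self.path.lower()
        found = []
        if not low.startswith("c:\\windows\\"):
            found.append("outside-systemroot")
        if any(tag in low for tag in _USER_WRITABLE):
            found.append("user-writable-dir")
        if self.version is None:
            found.append("no-version")
        if not self.description:
            found.append("no-description")
        return found


def parse_line(line: str) -> Optional[Module]:
    """Parse one dump row; returns None for headers and non-module lines."""
    parts = line.strip().split(None, 3)
    if len(parts) < 4:
        return None
    name, base, size, rest = parts
    try:
        base_i, size_i = int(base, 16), int(size, 10)
    except ValueError:
        return None  # 'MODULE BASE SIZE PATH' header or free text
    # The path ends with "\<name>"; locate it case-insensitively so paths containing
    # spaces ("C:\Program Files\...") are kept whole.
    m = re.search(r"\\" + re.escape(name) + r"(?=\s|$)", rest, re.IGNORECASE)
    if not m:
        return None
    path, tail = rest[: m.end()], rest[m.end():]
    vm = _VERSION_RE.match(tail)
    if vm:
        version, tag, desc = vm.group(1), vm.group(2), vm.group(3)
    else:
        version, tag, desc = None, None, tail  # no version resource recorded
    return Module(name, base_i, size_i, path, version, tag, desc.strip())


def triage(dump: str) -> List[Module]:
    """Return only the modules that raised at least one flag, in listing order."""
    flagged = []
    for line in dump.splitlines():
        mod = parse_line(line)
        if mod and mod.flags:
            flagged.append(mod)
    return flagged


# Constructed subset of rows copied from the iexplore.exe listing in this thread.
SAMPLE_DUMP = r"""MODULE BASE SIZE PATH
ntdll.dll 7c900000 720896 C:\WINDOWS\system32\ntdll.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) NT Layer DLL
tabhook.dll 10000000 53248 C:\WINDOWS\System32\tabhook.dll 4.56-6 TabHook
googletoolbar1.dll 2860000 3665920 c:\program files\google\googletoolbar1.dll 4, 0, 1601, 4978 Google IE Client Toolbar
SDHelper.dll 4760000 872448 C:\PROGRA~1\SPYBOT~1\SDHelper.dll 1, 4, 0, 0 Bad download blocker
pxbho.dll 41f0000 98304 C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll 1.0.0.3 Prevx Malicious URL Detector
AcroIEFavClient.dll 3050000 147456 C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
Flash9b.ocx 30000000 3072000 C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx 9,0,28,0 Adobe Flash Player 9.0 r28
"""

if __name__ == "__main__":
    for mod in triage(SAMPLE_DUMP):
        print(f"{mod.name:24} {mod.path}\n    flags={mod.flags} version={mod.version!r} desc={mod.description!r}")
```

The heuristic is deliberately path-based, so it stays quiet about third-party code that installs under `C:\WINDOWS` (Flash9b.ocx in the sample passes clean); treat its output as the short list to verify with a signature check rather than as a clean bill for everything it does not flag. Running it over both listings and diffing the results also separates browser add-ons (present in iexplore.exe only) from shell extensions (present in both), which is the split the helpers in this thread will want to see.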


----------



## Killazys (Feb 9, 2007)

Module information for 'iexplore.exe'
MODULE BASE SIZE PATH
iexplore.exe 400000 630784 C:\Program Files\Internet Explorer\iexplore.exe 7.00.6000.16414 (vista_gdr.070108-1520) Internet Explorer
ntdll.dll 7c900000 720896 C:\WINDOWS\system32\ntdll.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) NT Layer DLL
kernel32.dll 7c800000 999424 C:\WINDOWS\system32\kernel32.dll 5.1.2600.2945 (xpsp_sp2_gdr.060704-2349) Windows NT BASE API Client DLL
ADVAPI32.dll 77dd0000 634880 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Advanced Windows 32 Base API
RPCRT4.dll 77e70000 593920 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Remote Procedure Call Runtime
GDI32.dll 77f10000 290816 C:\WINDOWS\system32\GDI32.dll 5.1.2600.2818 (xpsp_sp2_gdr.051228-1427) GDI Client DLL
USER32.dll 77d40000 589824 C:\WINDOWS\system32\USER32.dll 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519) Windows XP USER API Client DLL
msvcrt.dll 77c10000 360448 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT CRT DLL
SHLWAPI.dll 77f60000 483328 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2900.3020 (xpsp.061023-0222) Shell Light-weight Utility Library
SHELL32.dll 7c9c0000 8474624 C:\WINDOWS\system32\SHELL32.dll 6.00.2900.3051 (xpsp_sp2_gdr.061219-0316) Windows Shell Common Dll
ole32.dll 774e0000 1298432 C:\WINDOWS\system32\ole32.dll 5.1.2600.2726 (xpsp_sp2_gdr.050725-1528) Microsoft OLE for Windows
urlmon.dll 61410000 1196032 C:\WINDOWS\system32\urlmon.dll 7.00.6000.16414 (vista_gdr.070108-1520) OLE32 Extensions for Win32
OLEAUT32.dll 77120000 573440 C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.2180 
iertutil.dll 6e850000 282624 C:\WINDOWS\system32\iertutil.dll 7.00.6000.16414 (vista_gdr.070108-1520) Run time utility for Internet Explorer
VERSION.dll 77c00000 32768 C:\WINDOWS\system32\VERSION.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Version Checking and File Installation Libraries
IMM32.DLL 76390000 118784 C:\WINDOWS\system32\IMM32.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows XP IMM32 API Client DLL
LPK.DLL 629c0000 36864 C:\WINDOWS\system32\LPK.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Language Pack
USP10.dll 74d90000 438272 C:\WINDOWS\system32\USP10.dll 1.0420.2600.2180 (xpsp_sp2_rtm.040803-2158) Uniscribe Unicode script processor
comctl32.dll 773d0000 1060864 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll 6.0 (xpsp.060825-0040) User Experience Controls Library
comctl32.dll 5d090000 630784 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp.060825-0040) Common Controls Library
IEFRAME.dll 7e1e0000 6070272 C:\WINDOWS\system32\IEFRAME.dll 7.00.6000.16414 (vista_gdr.070108-1520) Internet Explorer
PSAPI.DLL 76bf0000 45056 C:\WINDOWS\system32\PSAPI.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Process Status Helper
UxTheme.dll 5ad70000 229376 C:\WINDOWS\system32\UxTheme.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Microsoft UxTheme Library
NSCEXT.dll 6f120000 573440 C:\Program Files\Common Files\Symantec Shared\NPC\NSCEXT.dll 2007.3.00.5 Norton Protection Center ExplorerExtensions
ATL71.DLL 7c120000 102400 C:\WINDOWS\system32\ATL71.DLL 7.10.3077.0 ATL Module for Windows (Unicode)
MSVCP71.dll 7c3a0000 503808 C:\WINDOWS\system32\MSVCP71.dll 7.10.3077.0 MicrosoftR C++ Runtime Library
MSVCR71.dll 7c340000 352256 C:\WINDOWS\system32\MSVCR71.dll 7.10.3052.4 MicrosoftR C Runtime Library
ccL60U.dll 6ae70000 544768 C:\Program Files\Common Files\Symantec Shared\ccL60U.dll 106.1.3.3 Symantec Library
ws2_32.dll 71ab0000 94208 C:\WINDOWS\system32\ws2_32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 2.0 Helper for Windows NT
MSCTF.dll 74720000 307200 C:\WINDOWS\system32\MSCTF.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) MSCTF Server DLL
tabhook.dll 10000000 53248 C:\WINDOWS\System32\tabhook.dll 4.56-6 TabHook
xpsp2res.dll 20000000 2904064 C:\WINDOWS\system32\xpsp2res.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Service Pack 2 Messages
msctfime.ime 755c0000 188416 C:\WINDOWS\system32\msctfime.ime 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Text Frame Work Service IME
IEUI.dll 5dff0000 192512 C:\WINDOWS\system32\IEUI.dll 7.00.5730.11 (winmain(wmbla).061017-1135) Internet Explorer UI Engine
MSIMG32.dll 76380000 20480 C:\WINDOWS\system32\MSIMG32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) GDIEXT Client DLL
gdiplus.dll 4ec50000 1716224 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\gdiplus.dll 5.1.3102.2180 (xpsp_sp2_rtm.040803-2158) Microsoft GDI+
xmllite.dll 47060000 135168 C:\WINDOWS\system32\xmllite.dll 1.00.1018.0 Microsoft XmlLite Library
apphelp.dll 77b40000 139264 C:\WINDOWS\system32\apphelp.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Application Compatibility Client Library
CLBCATQ.DLL 76fd0000 520192 C:\WINDOWS\system32\CLBCATQ.DLL 2001.12.4414.308 
COMRes.dll 77050000 806912 C:\WINDOWS\system32\COMRes.dll 2001.12.4414.258 
msimtf.dll 746f0000 172032 C:\WINDOWS\System32\msimtf.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Active IMM Server DLL
Secur32.dll 77fe0000 69632 C:\WINDOWS\system32\Secur32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Security Support Provider Interface
mslbui.dll 605d0000 36864 C:\WINDOWS\system32\mslbui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) LangageBar Add In
cscui.dll 77a20000 344064 C:\WINDOWS\System32\cscui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Client Side Caching UI
CSCDLL.dll 76600000 118784 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Offline Network Agent
SETUPAPI.dll 77920000 995328 C:\WINDOWS\system32\SETUPAPI.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Setup API
msohev.dll 325c0000 73728 C:\Program Files\Microsoft Office\OFFICE11\msohev.dll 11.0.5510 Microsoft Office 2003 component
sptip.dll 5c2c0000 262144 C:\WINDOWS\ime\sptip.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) SAPI5.0/CTF layer DLL
OLEACC.dll 74c80000 180224 C:\WINDOWS\system32\OLEACC.dll 4.2.5406.0 (xpclient.010817-1148) Active Accessibility Core Component
MSVCP60.dll 76080000 413696 C:\WINDOWS\system32\MSVCP60.dll 6.02.3104.0 Microsoft (R) C++ Runtime Library
SPGRMR.DLL 1640000 69632 C:\WINDOWS\IME\SPGRMR.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) SPTIP Grammar DLL
msi.dll 1660000 2908160 C:\WINDOWS\system32\msi.dll 3.1.4000.2435 Windows Installer
SKCHUI.DLL 1930000 372736 C:\Program Files\Common Files\Microsoft Shared\INK\SKCHUI.DLL 1.0.1038.0 Draw Pen Tip
ieproxy.dll 61930000 303104 C:\Program Files\Internet Explorer\ieproxy.dll 7.00.5730.11 (winmain(wmbla).061017-1135) IE ActiveX Interface Marshaling Library
shdocvw.dll 77760000 1507328 C:\WINDOWS\system32\shdocvw.dll 6.00.2900.3020 (xpsp.061023-0222) Shell Doc Object and Control Library
CRYPT32.dll 77a80000 606208 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Crypto API32
MSASN1.dll 77b20000 73728 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ASN.1 Runtime APIs
CRYPTUI.dll 754d0000 524288 C:\WINDOWS\system32\CRYPTUI.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Trust UI Provider
WINTRUST.dll 76c30000 188416 C:\WINDOWS\system32\WINTRUST.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Trust Verification APIs
IMAGEHLP.dll 76c90000 163840 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT Image Helper
NETAPI32.dll 5b860000 344064 C:\WINDOWS\system32\NETAPI32.dll 5.1.2600.2976 (xpsp_sp2_gdr.060817-0106) Net Win32 API DLL
WININET.dll 771b0000 847872 C:\WINDOWS\system32\WININET.dll 7.00.6000.16414 (vista_gdr.070108-1520) Internet Extensions for Win32
Normaliz.dll 1d00000 36864 C:\WINDOWS\system32\Normaliz.dll 6.0.5441.0 (winmain(wmbla).060628-1735) Unicode Normalization DLL
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Win32 LDAP API DLL
SXS.DLL 75e90000 720896 C:\WINDOWS\system32\SXS.DLL 5.1.2600.3019 (xpsp_sp2_gdr.061019-0414) Fusion 2.5
MLANG.dll 75cf0000 593920 C:\WINDOWS\system32\MLANG.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Multi Language Support DLL
aoltb.dll 22e0000 532480 C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll 2.0.4239.61 AOL IE Toolbar DLL (UNICODE) 
msxml3.dll 74980000 1105920 C:\WINDOWS\system32\msxml3.dll 8.70.1113.0 MSXML 3.0 SP 7
googletoolbar1.dll 2860000 3665920 c:\program files\google\googletoolbar1.dll 4, 0, 1601, 4978 Google IE Client Toolbar
WINMM.dll 76b40000 184320 C:\WINDOWS\system32\WINMM.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) MCI API DLL
WSOCK32.dll 71ad0000 36864 C:\WINDOWS\system32\WSOCK32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 32-Bit DLL
DBGHELP.DLL 59a60000 659456 C:\WINDOWS\system32\DBGHELP.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Image Helper
USERENV.dll 769c0000 733184 C:\WINDOWS\system32\USERENV.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Userenv
ntshrui.dll 76990000 151552 C:\WINDOWS\system32\ntshrui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Shell extensions for sharing
ATL.DLL 76b20000 69632 C:\WINDOWS\system32\ATL.DLL 3.05.2284 ATL Module for Windows XP (Unicode)
MPR.dll 71b20000 73728 C:\WINDOWS\system32\MPR.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Multiple Provider Router DLL
drprov.dll 75f60000 28672 C:\WINDOWS\System32\drprov.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Terminal Server Network Provider
ntlanman.dll 71c10000 57344 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) MicrosoftR Lan Manager
NETUI0.dll 71cd0000 94208 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) NT LM UI Common Code - GUI Classes
NETUI1.dll 71c90000 262144 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) NT LM UI Common Code - Networking classes
NETRAP.dll 71c80000 28672 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Net Remote Admin Protocol DLL
SAMLIB.dll 71bf0000 77824 C:\WINDOWS\System32\SAMLIB.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) SAM Library DLL
davclnt.dll 75f70000 36864 C:\WINDOWS\System32\davclnt.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Web DAV Client DLL
RASAPI32.dll 76ee0000 245760 C:\WINDOWS\system32\RASAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Remote Access API
rasman.dll 76e90000 73728 C:\WINDOWS\system32\rasman.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Remote Access Connection Manager
TAPI32.dll 76eb0000 192512 C:\WINDOWS\system32\TAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) MicrosoftR Windows(TM) Telephony API Client DLL
rtutils.dll 76e80000 57344 C:\WINDOWS\system32\rtutils.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Routing Utilities
msv1_0.dll 77c70000 143360 C:\WINDOWS\system32\msv1_0.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Authentication Package v1.0
iphlpapi.dll 76d60000 102400 C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.2912 (xpsp_sp2_gdr.060519-0003) IP Helper API
sensapi.dll 722b0000 20480 C:\WINDOWS\system32\sensapi.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) SENS Connectivity API DLL
rsaenh.dll ffd0000 163840 C:\WINDOWS\system32\rsaenh.dll 5.1.2600.2161 (xpsp.040706-1629) Microsoft Enhanced Cryptographic Provider
MSGINA.dll 75970000 1011712 C:\WINDOWS\system32\MSGINA.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT Logon GINA DLL
WINSTA.dll 76360000 65536 C:\WINDOWS\system32\WINSTA.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Winstation Library
ODBC32.dll 74320000 249856 C:\WINDOWS\system32\ODBC32.dll 3.525.1117.0 (xpsp_sp2_rtm.040803-2158) Microsoft Data Access - ODBC Driver Manager
comdlg32.dll 763b0000 299008 C:\WINDOWS\system32\comdlg32.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Common Dialogs DLL
odbcint.dll 3610000 94208 C:\WINDOWS\system32\odbcint.dll 3.525.1117.0 (xpsp_sp2_rtm.040803-2158) Microsoft Data Access - ODBC Resources
msntb.dll 64830000 552960 C:\Program Files\Windows Live Toolbar\msntb.dll 03.01.0000.0068 Windows Live Toolbar for Internet Explorer
mtbres.dll.mui 2c30000 24576 C:\Program Files\Windows Live Toolbar\en-us\mtbres.dll.mui 03.01.0000.0068 Windows Live Toolbar resource library
mtbres.dll 2c40000 40960 C:\Program Files\Windows Live Toolbar\mtbres.dll 03.01.0000.0068 Windows Live Toolbar resource library
Tem.dll 64750000 462848 C:\Program Files\Windows Live Toolbar\Tem.dll 03.01.0000.0068 Windows Live Toolbar Search Toolbar Extension Manager
searchboxRes.dll.mui 2c70000 8192 C:\Program Files\Windows Live Toolbar\en-us\searchboxRes.dll.mui 03.01.0000.0068 Windows Live Toolbar Resource Library
searchboxRes.dll 2c80000 40960 C:\Program Files\Windows Live Toolbar\searchboxRes.dll 03.01.0000.0068 Windows Live Toolbar Resource Library
wlscres.dll.mui 2c90000 151552 C:\Program Files\Windows Live Toolbar\Components\en-us\wlscres.dll.mui 03.01.0000.0072 Windows Live OneCare Advisor
CMRes.dll.mui 2cc0000 294912 C:\Program Files\Windows Live Toolbar\en-us\CMRes.dll.mui 03.01.0000.0068 Component Manager Resource Library
CMRes.dll 2e30000 16384 C:\Program Files\Windows Live Toolbar\CMRes.dll 03.01.0000.0068 Component Manager Resource Library
msn_slrs.DLL.mui 3b30000 8192 C:\Program Files\Windows Live Toolbar\en-us\msn_slrs.DLL.mui 03.01.0000.0068 Windows Live Toolbar Helper Resources
msn_slrs.DLL 3b40000 12288 C:\Program Files\Windows Live Toolbar\msn_slrs.DLL 03.01.0000.0068 Windows Live Toolbar Helper Resources
CBRes.dll.mui 3b50000 12288 C:\Program Files\Windows Live Toolbar\en-us\CBRes.dll.mui 03.01.0000.0068 Windows Live Toolbar Resource Library
CBRes.dll 3b60000 12288 C:\Program Files\Windows Live Toolbar\CBRes.dll 03.01.0000.0068 Windows Live Toolbar Resource Library
AcroIEHelper.dll 3b80000 45056 C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll 6.0.0.2003051500 Adobe Acrobat IE Helper Version 6.0 for ActivieX
NppBho.dll 66e50000 98304 C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll 2007.1.00.133 NcoBHO
AppMgr32.dll 6fb20000 204800 C:\Program Files\Common Files\Symantec Shared\AppCore\AppMgr32.dll 1.0.00.101 Symantec Application Core Manager
AppSet32.dll 6fbd0000 53248 C:\Program Files\Common Files\Symantec Shared\AppCore\AppSet32.dll 1.0.00.101 Symantec AppCore ccSetting
ccVrTrst.dll 6b770000 126976 C:\Program Files\Common Files\Symantec Shared\ccVrTrst.dll 106.1.3.3 Symantec Trust Validation Engine
ccSvc.dll 6b4f0000 290816 C:\Program Files\Common Files\Symantec Shared\ccSvc.dll 106.1.3.3 Symantec ccService Engine
BrRules.dll 66950000 159744 C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\BrRules.dll 2007.1.00.133 BrRules
BrCore.dll 66930000 77824 C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\BrCore.dll 2007.1.00.133 BrCore
nppwUI.dll 66f30000 155648 C:\Program Files\Common Files\Symantec Shared\coShared\WP\1.0\nppwUI.dll 2007.1.00.133 Web Protection
UIBHO.dll 67380000 520192 C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll 2007.1.00.133 UIBhoImpl
RICHED20.DLL 74e30000 442368 C:\WINDOWS\system32\RICHED20.DLL 5.30.23.1228 Rich Text Edit Control, v3.0
UIBHORes.loc 3f60000 471040 C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHORes.loc 2007.1.00.133 UIBhoImplRes
nppwBHO.dll 3fe0000 151552 C:\Program Files\Common Files\Symantec Shared\coShared\WP\1.0\nppwBHO.dll 2006, 1, 0, 41 Norton Confidential (WCID) v2006.1 NT5 Build (2006,1,0,41)
nppw.dll 4030000 626688 c:\program files\common files\symantec shared\coshared\wp\1.0\nppw.dll 2006, 1, 0, 41 Norton Confidential (WCID) v2006.1 NT5 Build (2006,1,0,41)
Cabinet.dll 75150000 81920 C:\WINDOWS\system32\Cabinet.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) MicrosoftR Cabinet File API
AVIfc.dll 6fdd0000 274432 C:\Program Files\Common Files\Symantec Shared\AntiVirus\AVIfc.dll 1.0.00.194 Symantec AntiVirus Interface
dlprotect.dll 11000000 192512 C:\Program Files\SpywareGuard\dlprotect.dll 2.02 SpywareGuard Download Protection
MSVBVM60.DLL 66000000 1388544 C:\WINDOWS\system32\MSVBVM60.DLL 6.00.8964 Visual Basic Virtual Machine
SDHelper.dll 4760000 872448 C:\PROGRA~1\SPYBOT~1\SDHelper.dll 1, 4, 0, 0 Bad download blocker
olepro32.dll 5edd0000 94208 C:\WINDOWS\system32\olepro32.dll 5.1.2600.2180 
pxbho.dll 41f0000 98304 C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll 1.0.0.3 Prevx Malicious URL Detector
ssv.dll 6d600000 434176 C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll 5.0.100.3 Java(TM) 2 Platform Standard Edition binary
WindowsLiveLogin.dll 29500000 331776 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll 4.100.313.1 WindowsLiveLogin.dll
msidcrl40.dll 27500000 819200 C:\Program Files\Common Files\Microsoft Shared\Windows Live\msidcrl40.dll 4.100.313.1 IDCRL Dynamic Link Library
cryptnet.dll 75e60000 77824 C:\WINDOWS\system32\cryptnet.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Crypto Network Related API
WINHTTP.dll 4d4f0000 360448 C:\WINDOWS\system32\WINHTTP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows HTTP Services
AcroIEFavClient.dll 3050000 147456 C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll 
searchbox.dll 30c0000 368640 C:\Program Files\Windows Live Toolbar\searchbox.dll 03.01.0000.0068 Windows Live Toolbar Unified Search Box
stmain.dll 648c0000 163840 C:\Program Files\Windows Live Toolbar\stmain.dll 03.01.0000.0068 Windows Live Toolbar Search Toolbar Helper
wlsctb.dll 4170000 196608 C:\Program Files\Windows Live Toolbar\Components\wlsctb.dll 03.01.0000.0072 Windows Live OneCare Advisor
cm.dll 4230000 368640 C:\Program Files\Windows Live Toolbar\cm.dll 03.01.0000.0068 Windows Live Toolbar Component Manager Library
msn_slps.dll 64900000 225280 C:\Program Files\Windows Live Toolbar\msn_slps.dll 03.01.0000.0068 Windows Live Toolbar Helper Proxy
CB.dll 4290000 266240 C:\Program Files\Windows Live Toolbar\CB.dll 03.01.0000.0068 Windows Live ToolbarCustom Buttons
MSOXMLMF.DLL 5990000 45056 C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL 11.0.5510 Microsoft Office XML MIME Filter
mswsock.dll 71a50000 258048 C:\WINDOWS\System32\mswsock.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Windows Sockets 2.0 Service Provider
rasadhlp.dll 76fc0000 24576 C:\WINDOWS\system32\rasadhlp.dll 5.1.2600.2938 (xpsp_sp2_gdr.060626-0020) Remote Access AutoDial Helper
DNSAPI.dll 76f20000 159744 C:\WINDOWS\system32\DNSAPI.dll 5.1.2600.2938 (xpsp_sp2_gdr.060626-0020) DNS Client API DLL
hnetcfg.dll 662b0000 360448 C:\WINDOWS\system32\hnetcfg.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Home Networking Configuration Manager
wshtcpip.dll 71a90000 32768 C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Sockets Helper DLL
isRes.dll 67e30000 1019904 C:\Program Files\Norton Internet Security\isRes.dll 10.0.0.247 Firewall Shared Localization
mshtml.dll 7e830000 3600384 C:\WINDOWS\system32\mshtml.dll 7.00.6000.16414 (vista_gdr.070108-1520) Microsoft (R) HTML Viewer
msls31.dll 746c0000 167936 C:\WINDOWS\system32\msls31.dll 3.10.349.0 Microsoft Line Services library file
actxprxy.dll 71d40000 114688 C:\WINDOWS\system32\actxprxy.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) ActiveX Interface Marshaling Library
jscript.dll 63380000 491520 c:\windows\system32\jscript.dll 5.7.0.5730 Microsoft (R) JScript
iepeers.dll 58760000 204800 C:\WINDOWS\system32\iepeers.dll 7.00.5730.11 (winmain(wmbla).061017-1135) Internet Explorer Peer Objects
WINSPOOL.DRV 73000000 155648 C:\WINDOWS\system32\WINSPOOL.DRV 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Spooler Driver
vbscript.dll 73300000 413696 C:\WINDOWS\system32\vbscript.dll 5.7.0.5730 Microsoft (R) VBScript
Flash9b.ocx 30000000 3072000 C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx 9,0,28,0 Adobe Flash Player 9.0 r28
wdmaud.drv 72d20000 36864 C:\WINDOWS\system32\wdmaud.drv 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) WDM Audio driver mapper
msacm32.drv 72d10000 32768 C:\WINDOWS\system32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
MSACM32.dll 77be0000 86016 C:\WINDOWS\system32\MSACM32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft ACM Audio Filter
midimap.dll 77bd0000 28672 C:\WINDOWS\system32\midimap.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft MIDI Mapper
ImgUtil.dll 1b000000 49152 C:\WINDOWS\system32\ImgUtil.dll 7.00.5730.11 (winmain(wmbla).061017-1135) IE plugin image decoder support DLL
Dxtrans.dll 35c50000 233472 C:\WINDOWS\system32\Dxtrans.dll 7.00.5730.11 (winmain(wmbla).061017-1135) DirectX Media -- DirectX Transform Core
pngfilt.dll 1b060000 57344 C:\WINDOWS\system32\pngfilt.dll 7.00.5730.11 (winmain(wmbla).061017-1135) IE PNG plugin image decoder
ddrawex.dll 6d430000 40960 C:\WINDOWS\System32\ddrawex.dll 5.03.2600.2180 (xpsp_sp2_rtm.040803-2158) Direct Draw Ex
DDRAW.dll 73760000 299008 C:\WINDOWS\System32\DDRAW.dll 5.03.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft DirectDraw
DCIMAN32.dll 73bc0000 24576 C:\WINDOWS\System32\DCIMAN32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) DCI Manager
Dxtmsft.dll 35cb0000 356352 C:\WINDOWS\system32\Dxtmsft.dll 7.00.5730.11 (winmain(wmbla).061017-1135) DirectX Media -- Image DirectX Transforms
mshtmled.dll 76200000 487424 C:\WINDOWS\system32\mshtmled.dll 7.00.6000.16414 (vista_gdr.070108-1520) MicrosoftR HTML Editing Component
schannel.dll 767f0000 159744 C:\WINDOWS\system32\schannel.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) TLS / SSL Security Provider
ccSet.dll 6b470000 139264 C:\Program Files\Common Files\Symantec Shared\ccSet.dll 106.1.3.3 Symantec Settings Manager Engine
dispex.dll 6cc60000 45056 C:\WINDOWS\System32\dispex.dll 5.6.0.6626 Microsoft (r) DispEx
LINKINFO.dll 76980000 32768 C:\WINDOWS\system32\LINKINFO.dll 5.1.2600.2751 (xpsp_sp2_gdr.050831-1520) Windows Volume Tracking
This is the second choice...


----------



## Cookiegal (Aug 27, 2003)

Sorry, I wasn't sure if we'd already run it. I did a search and nothing came up. 

Download *AVG Anti-Spyware* from *HERE* and save that file to your desktop.

When the trial period expires it becomes feature-limited freeware but is still worth keeping as a good on-demand scanner.


Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double click it to launch the set up program.
Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
On the main screen select the icon "*Update*" then select the "*Update now*" link.
Next select the "*Start Update*" button. The update will start and a progress bar will show the updates being installed.

Once the update has completed, select the "*Scanner*" icon at the top of the screen, then select the "*Settings*" tab.
Once in the Settings screen click on "*Recommended actions*" and then select "*Quarantine*".
Under "*Reports*"
Select "*Automatically generate report after every scan*"
Un-Select "*Only if threats were found*"

Close AVG Anti-Spyware. Do Not run a scan just yet, we will run it in safe mode.
Reboot your computer into *Safe Mode*. You can do this by restarting your computer and continually tapping the *F8* key until a menu appears. Use your up arrow key to highlight *Safe Mode* then hit enter.

*IMPORTANT:* Do not open any other windows or programs while AVG Anti-Spyware is scanning as it may interfere with the scanning process:

Launch AVG Anti-Spyware by double clicking the icon on your desktop.
Select the "*Scanner*" icon at the top and then the "*Scan*" tab then click on "*Complete System Scan*".
AVG will now begin the scanning process. Please be patient as this may take a little time.
*Once the scan is complete, do the following:*
If you have any infections you will be prompted. Then select "*Apply all actions.*"
Next select the "*Reports*" icon at the top.
Select the "*Save report as*" button in the lower left-hand of the screen and save it to a text file on your system (make sure to remember where you saved that file. This is important).
Close AVG Anti-Spyware.

While still in safe mode run Killbox on this file:

*C:\WINDOWS\dorp.dat*

Reboot back to normal mode.

Please go *HERE* to run Panda's ActiveScan
You need to use IE to run this scan
Once you are on the Panda site click the *Scan your PC* button
A new window will open...click the *Check Now* button
Enter your *Country*
Enter your *State/Province*
Enter your *e-mail address* and click *send*
Select either *Home User* or *Company*
Click the big *Scan Now* button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on *My Computer* to start the scan
When the scan completes, if anything malicious is detected, click the *See Report* button, *then Save Report* and save it to a convenient location. Post the contents of the ActiveScan report

*Come back here and post a new HijackThis log along with the logs from the AVG and Panda scans.*


----------



## Killazys (Feb 9, 2007)

Logfile of HijackThis v1.99.1
Scan saved at 10:17:55 AM, on 2/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$ADVANCEPRO\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\username\My Documents\My Downloads\hijackthis\HijackThis.exe

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://nefeli.com/"); (C:\Documents and Settings\username\Application Data\Mozilla\Profiles\default\6eye0hh4.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\username\Application Data\Mozilla\Profiles\default\6eye0hh4.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.download.com
O15 - Trusted Zone: http://mail.google.com
O15 - Trusted Zone: http://gunz.ijji.com
O15 - Trusted Zone: http://www.majorgeeks.com
O15 - Trusted Zone: http://forums.techguy.org
O15 - Trusted Zone: http://www.techguy.org
O15 - Trusted Zone: http://www.yahoo.com
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - https://bba.bloomberg.net/Citrix/ICAWEB/en/ica32/wficat.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.shockwave.com/content/feedingfrenzy/SproutLauncher.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

Find PandaScan and AVG attached.


----------



## dvk01 (Dec 14, 2002)

Martinreg

They are NOT missing

HJT has a known bug in that it can't see some files

You are not authorised to deal with security problems

see forum rules



> Log Analysis/Malware Removal - In order to ensure that advice given to users is consistent and of the highest quality, those who wish to assist with security related matters must first graduate from one of the malware boot camp training universities or be approved by the administration as already being qualified. Those authorized to help with malware issues have a gold shield next to their name. Anyone wishing to participate in a training program should contact a Moderator for more information.


You have been asked previously not to interfere & you continue to butt in & much of your advice is incorrect & possibly dangerous

Accordingly I am giving you a 48 hour time out to consider things

if you wish to remain a member stick to the rules


----------



## Killazys (Feb 9, 2007)

Any ideas about those logs? Didn't seem like much stuff was found...


----------



## dvk01 (Dec 14, 2002)

cookiegal will reply to you when she comes on later

I only stepped in to stop the wrong advice by the interferer


----------



## Cookiegal (Aug 27, 2003)

I don't see anything there but I'm still not happy with those winlogon entries that you deleted. They don't seem to have been restored properly.

Please do a search for these files and let me know the locations where you find them:

*crypt32.dll*
*cryptnet.dll*


----------



## Killazys (Feb 9, 2007)

Cryptnet.dll found in 3 folder paths:
C:\WINDOWS\system32
C:\WINDOWS\$NtServicePackUninstall$
C:\WINDOWS\ServicePackFiles\i386

Crypt32.dll found in 4 folder paths:
C:\WINDOWS\system32
C:\WINDOWS\$NtUninstallQ329115$
C:\WINDOWS\$NtServicePackUninstall$
C:\WINDOWS\ServicePackFiles\i386


----------



## Cookiegal (Aug 27, 2003)

They seem to be in their correct locations.

Can you tell me what problems remain now?


----------



## Killazys (Feb 9, 2007)

Well, some running programs still do not show in the system toolbar, in the bottom right corner of my screen. The computer is extremely slow during startup. However, TeaTimer no longer asks me about any changes to the registry. Did you check the Uniblue SpyEraser scan log, or is that one of those scanners that produce false positives? Suggestions?


----------



## Killazys (Feb 9, 2007)

After some thought, I think it might just be a RAM problem.


----------



## Cookiegal (Aug 27, 2003)

What makes you suspect a RAM problem?

Try disabling this entry via msconfig and see if there's any improvement:

[osCheck] This is Norton's osCheck which doesn't need to run on startup.


----------



## Killazys (Feb 9, 2007)

Computer is certainly faster on reboot, however, running programs still do not show in the system toolbar on the bottom-right corner of my screen! I mean, the amount of RAM I have is rather low for Windows XP, isn't it?


----------



## Cookiegal (Aug 27, 2003)

How much RAM do you have?


----------



## Cookiegal (Aug 27, 2003)

Also, this thread is very long so without reading back would you please remind me which programs are not in the taskbar?


----------



## Killazys (Feb 9, 2007)

OK. I have 256 MB RAM and the ONLY programs in the taskbar are the wireless internet connection, AVG Anti-Spyware, and Norton suite, but when I open Task Manager, I see that Prevx1, SG, and TeaTimer as well as Spybot are all running.


----------



## Killazys (Feb 9, 2007)

Oh, just perfect. Now, AVG doesn't show up either, and Norton is just a missing space, but still shows up if I double click it. What now?


----------



## Cookiegal (Aug 27, 2003)

Right click in the taskbar and select properties and then "customize". Are they listed there?


----------



## Killazys (Feb 9, 2007)

Yes, they are listed there as "Hide When Inactive". I changed it to "Always Show" but to no avail.


----------



## Cookiegal (Aug 27, 2003)

May I see a new HijackThis log please.


----------



## Killazys (Feb 9, 2007)

Logfile of HijackThis v1.99.1
Scan saved at 8:10:53 PM, on 2/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$ADVANCEPRO\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Documents and Settings\username\My Documents\My Downloads\hijackthis\HijackThis.exe

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://nefeli.com/"); (C:\Documents and Settings\username\Application Data\Mozilla\Profiles\default\6eye0hh4.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\username\Application Data\Mozilla\Profiles\default\6eye0hh4.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.download.com
O15 - Trusted Zone: http://mail.google.com
O15 - Trusted Zone: http://gunz.ijji.com
O15 - Trusted Zone: http://www.majorgeeks.com
O15 - Trusted Zone: http://forums.techguy.org
O15 - Trusted Zone: http://www.techguy.org
O15 - Trusted Zone: http://www.yahoo.com
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - https://bba.bloomberg.net/Citrix/ICAWEB/en/ica32/wficat.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.shockwave.com/content/feedingfrenzy/SproutLauncher.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe


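One way to triage a log like the one above, as an added example that is not part of this thread or of the HijackThis tool itself: a small Python parser for the HJT line format visible in the logs, which pulls out the entry types an analyst checks first (O20 Winlogon Notify DLLs, O15 Trusted Zone sites, O23 services reported with "Unknown owner" or "(file missing)", and any entry pointing at "(no file)"). The sample log embedded in the block is constructed from entries that appear in this thread; the function names are my own.

```python
"""Triage helper for HijackThis (HJT) v1.99.1 logs.

Added example; not part of the thread or of HijackThis. It only relies on
the line format shown in the posted logs: "<section> - <body>", where the
section is R3, N3, O2, O23 and so on.
"""
import re
from collections import defaultdict

# Constructed sample in HJT format; entries mirror ones posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O15 - Trusted Zone: http://www.download.com
O15 - Trusted Zone: http://www.yahoo.com
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
"""

# "O23 - Service: ..." -> section "O23", body "Service: ..."
ENTRY_RE = re.compile(r"^([RNFO]\d+) - (.*)$")
# Body of an O23 line: "Service: <name> - <owner> - <path and arguments>"
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def parse_hjt(text):
    """Return (section, body) tuples for every HJT entry line.

    The header block and the "Running processes" list are skipped because
    they do not use the "<section> - <body>" form.
    """
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Group the entries an analyst looks at first.

    "(file missing)" is recorded but not treated as proof: the thread notes
    that HJT 1.99.1 can report a file as missing when it is present, so the
    flag is a prompt to verify the path on disk, not a finding by itself.
    """
    report = defaultdict(list)
    for section, body in entries:
        if section == "O15":                       # sites in IE's Trusted Zone
            report["trusted_zones"].append(body.split(": ", 1)[1])
        elif section == "O20":                     # DLLs loaded by winlogon
            name, dll = body.split(": ", 1)[1].split(" - ", 1)
            report["winlogon_notify"].append((name, dll))
        elif section == "O23":                     # installed services
            m = SERVICE_RE.match(body)
            if not m:
                continue
            rec = dict(m.groupdict())
            rec["file_missing"] = "(file missing)" in rec["path"]
            rec["unknown_owner"] = rec["owner"] == "Unknown owner"
            report["services"].append(rec)
        elif "(no file)" in body:                  # registration with no backing file
            report["dangling"].append((section, body))
    return dict(report)


def review_items(report):
    """Names of O23 services that need a manual check on the machine."""
    return [s["name"] for s in report.get("services", [])
            if s["unknown_owner"] or s["file_missing"]]


if __name__ == "__main__":
    rep = triage(parse_hjt(SAMPLE_LOG))
    for key, items in rep.items():
        print(key)
        for item in items:
            print("   ", item)
    print("verify on disk:", review_items(rep))
```

The point of separating `triage` from `review_items` is that the first only records what the log says, while the second encodes the judgement call (which of those records are worth an analyst's time); in this thread, for instance, the Symantec services flagged "(file missing)" turned out to be present, so the output is a checklist, not a verdict.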
----------



## Cookiegal (Aug 27, 2003)

Do you log on directly without entering a password?


----------



## Killazys (Feb 9, 2007)

Yes, I log on directly, only one account!


----------



## Cookiegal (Aug 27, 2003)

I have read that this can be a problem for those who log on directly.

Try setting your account up with a password. It's much more secure and I recommend it anyway.


Let me know if that makes any difference please.


----------



## Killazys (Feb 9, 2007)

To give you an idea of how slow the computer was on startup: 20 seconds spent on blue "welcome" screen. About 1 and a half minutes to load Add or Remove Programs. About 2 seconds to minimize/maximize a program window. This is BEFORE I log in with the password. On restart with password, things ran a bit faster, but still rather slow, around a third of the time I wrote before, except for the "welcome" screen, which took one minute. Anyway, all the running programs are showing. However, I still feel that there is something not quite right with my computer, due to its speed. Any suggestions?


----------



## Killazys (Feb 9, 2007)

EDIT: Still 2-3 seconds to minimize/maximize program windows.


----------



## Cookiegal (Aug 27, 2003)

Do I understand correctly then that the programs are now showing in the taskbar?


----------



## Killazys (Feb 9, 2007)

Yes, they are.


----------



## Cookiegal (Aug 27, 2003)

Have you had SpywareGuard installed for a while? That slows down boot time considerably.

How much free space do you have on the hard drive?


----------



## Killazys (Feb 9, 2007)

I have about 50% free on my hard drive; SpywareGuard has been installed ever since I started this thread. Oh, and the computer says I don't need to defrag, as there is only around 30% fragments, but does defragging actually move your files around?


----------



## Cookiegal (Aug 27, 2003)

Yes, defragging moves the files.

You could try uninstalling SpywareGuard or stop it from loading on boot to see if that improves boot up time.

How old is the computer?


----------



## Killazys (Feb 9, 2007)

This computer is actually pretty old, I'm not sure, around 2-3 years old, and it was kept in storage for like a year...


----------



## Killazys (Feb 9, 2007)

GMER found a rootkit! Should I post a log?


----------



## Cookiegal (Aug 27, 2003)

Yes, please post it.


----------



## Killazys (Feb 9, 2007)

GMER 1.0.12.12027 - http://www.gmer.net
Rootkit scan 2007-02-20 23:13:38
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.12 ----

SSDT 81D6B9D8 ZwAlertResumeThread
SSDT 81D6BA98 ZwAlertThread
SSDT pxfsf.sys ZwAllocateUserPhysicalPages
SSDT 81D6BF78 ZwAllocateVirtualMemory
SSDT pxfsf.sys ZwClose
SSDT pxfsf.sys ZwCompactKeys
SSDT pxfsf.sys ZwCompressKey
SSDT 82027D98 ZwConnectPort
SSDT pxfsf.sys ZwCreateDirectoryObject
SSDT pxfsf.sys ZwCreateEvent
SSDT pxfsf.sys ZwCreateEventPair
SSDT pxfsf.sys ZwCreateFile
SSDT pxfsf.sys ZwCreateIoCompletion
SSDT pxfsf.sys ZwCreateJobObject
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwCreateKey
SSDT pxfsf.sys ZwCreateMailslotFile
SSDT 81D6B798 ZwCreateMutant
SSDT pxfsf.sys ZwCreateNamedPipeFile
SSDT pxfsf.sys ZwCreatePort
SSDT pxfsf.sys ZwCreateProcess
SSDT pxfsf.sys ZwCreateProcessEx
SSDT pxfsf.sys ZwCreateSection
SSDT pxfsf.sys ZwCreateSemaphore
SSDT pxfsf.sys ZwCreateSymbolicLinkObject
SSDT 82015728 ZwCreateThread
SSDT pxfsf.sys ZwCreateTimer
SSDT pxfsf.sys ZwCreateToken
SSDT pxfsf.sys ZwDeleteFile
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwDeleteKey
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwDeleteValueKey
SSDT pxfsf.sys ZwDeviceIoControlFile
SSDT pxfsf.sys ZwDuplicateObject
SSDT pxfsf.sys ZwEnumerateKey
SSDT pxfsf.sys ZwEnumerateValueKey
SSDT pxfsf.sys ZwFreeUserPhysicalPages
SSDT 8201ACB8 ZwFreeVirtualMemory
SSDT 81D6B858 ZwImpersonateAnonymousToken
SSDT 81D6B918 ZwImpersonateThread
SSDT pxfsf.sys ZwLoadDriver
SSDT pxfsf.sys ZwLoadKey
SSDT pxfsf.sys ZwLoadKey2
SSDT pxfsf.sys ZwLockRegistryKey
SSDT pxfsf.sys ZwLockVirtualMemory
SSDT 820198C0 ZwMapViewOfSection
SSDT 81D6B6D8 ZwOpenEvent
SSDT pxfsf.sys ZwOpenFile
SSDT pxfsf.sys ZwOpenKey
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT 820193E8 ZwOpenProcessToken
SSDT pxfsf.sys ZwOpenSection
SSDT pxfsf.sys ZwOpenThread
SSDT 8200FDC0 ZwOpenThreadToken
SSDT pxfsf.sys ZwProtectVirtualMemory
SSDT pxfsf.sys ZwQueryInformationProcess
SSDT pxfsf.sys ZwQueryInformationThread
SSDT pxfsf.sys ZwQueryKey
SSDT pxfsf.sys ZwQueryMultipleValueKey
SSDT pxfsf.sys ZwQueryOpenSubKeys
SSDT pxfsf.sys ZwQueryValueKey
SSDT pxfsf.sys ZwQueueApcThread
SSDT pxfsf.sys ZwReadFile
SSDT pxfsf.sys ZwReadVirtualMemory
SSDT pxfsf.sys ZwRenameKey
SSDT pxfsf.sys ZwReplaceKey
SSDT pxfsf.sys ZwRestoreKey
SSDT pxfsf.sys ZwResumeProcess
SSDT 82018230 ZwResumeThread
SSDT pxfsf.sys ZwSaveKey
SSDT pxfsf.sys ZwSaveKeyEx
SSDT pxfsf.sys ZwSaveMergedKeys
SSDT 82014CE0 ZwSetContextThread
SSDT pxfsf.sys ZwSetInformationKey
SSDT 8200CAE8 ZwSetInformationProcess
SSDT 820180D8 ZwSetInformationThread
SSDT pxfsf.sys ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwSetValueKey
SSDT 81D6B618 ZwSuspendProcess
SSDT 82012190 ZwSuspendThread
SSDT pxfsf.sys ZwSystemDebugControl
SSDT pxfsf.sys ZwTerminateJobObject
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess
SSDT 8200E3C8 ZwTerminateThread
SSDT pxfsf.sys ZwUnloadDriver
SSDT pxfsf.sys ZwUnloadKey
SSDT pxfsf.sys ZwUnloadKeyEx
SSDT pxfsf.sys ZwUnlockVirtualMemory
SSDT 8200E120 ZwUnmapViewOfSection
SSDT pxfsf.sys ZwWriteFile
SSDT 81D6BEE8 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!_abnormal_termination + D4 804E2730 24 Bytes [ 79, 48, 76, F9, 83, 48, 76, ... ]
.text ntoskrnl.exe!_abnormal_termination + F0 804E274C 16 Bytes [ D0, 07, 28, F1, BF, 48, 76, ... ]
.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [ DD, 48, 76, F9, E7, 48, 76, ... ]
.text ntoskrnl.exe!_abnormal_termination + 114 804E2770 24 Bytes [ FB, 48, 76, F9, 05, 49, 76, ... ]
.text ntoskrnl.exe!_abnormal_termination + 1D0 804E282C 12 Bytes [ A5, 49, 76, F9, AF, 49, 76, ... ]
.text ... 
---- Processes - GMER 1.0.12 ----

Library C:\Program (*** hidden *** ) @ C:\WINDOWS\EXPLORER.EXE [2904] 0x033E0000

---- EOF - GMER 1.0.12 ----
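A way to triage a GMER SSDT listing like the one above, added here as an example; it is not part of the thread or of GMER. It attributes each hooked Zw* service to the driver GMER names, groups the hooks by product, and sets aside raw-address hooks (handlers GMER could not map to a loaded module) and hidden-module lines for manual follow-up. The sample input is a short constructed subset of the posted log; the mapping of pxfsf.sys to Prevx1 is an assumption drawn from the Prevx1 install mentioned earlier in the thread.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the SSDT and Processes sections from the
# GMER log posted in this thread (the full log is much longer).
GMER_SAMPLE = """\
---- System - GMER 1.0.12 ----

SSDT 81D6B9D8 ZwAlertResumeThread
SSDT pxfsf.sys ZwAllocateUserPhysicalPages
SSDT pxfsf.sys ZwCreateFile
SSDT \\??\\C:\\WINDOWS\\system32\\Drivers\\SYMEVENT.SYS ZwCreateKey
SSDT \\??\\C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\guard.sys ZwOpenProcess
SSDT 82027D98 ZwConnectPort
SSDT pxfsf.sys ZwLoadDriver

---- Processes - GMER 1.0.12 ----

Library C:\\Program (*** hidden *** ) @ C:\\WINDOWS\\EXPLORER.EXE [2904] 0x033E0000

---- EOF - GMER 1.0.12 ----
"""

# Assumed mapping from hooking driver to the product that ships it. SYMEVENT.SYS
# and guard.sys carry their vendor in the path; pxfsf.sys -> Prevx1 is an
# assumption based on the Prevx1 install mentioned in the thread.
KNOWN_HOOKERS = {
    "symevent.sys": "Symantec (Norton)",
    "guard.sys": "AVG Anti-Spyware",
    "pxfsf.sys": "Prevx1 (assumed)",
}

# "SSDT <owner> <ZwFunction>": the owner may be a raw address, a bare driver
# name, or a full path containing spaces, so match the function from the right.
SSDT_RE = re.compile(r"^SSDT\s+(?P<owner>.+?)\s+(?P<func>Zw\w+)\s*$")
HEX_ADDR_RE = re.compile(r"^[0-9A-Fa-f]{8}$")
HIDDEN_RE = re.compile(
    r"^Library\s+(?P<path>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+@\s+(?P<proc>.+?)\s+\[(?P<pid>\d+)\]"
)


def parse_ssdt(text):
    """Return a list of (owner, function) pairs, one per SSDT line."""
    hooks = []
    for line in text.splitlines():
        m = SSDT_RE.match(line.strip())
        if m:
            hooks.append((m.group("owner"), m.group("func")))
    return hooks


def owner_key(owner):
    """Lowercase driver basename of the owner column, or None for a raw address."""
    if HEX_ADDR_RE.match(owner):
        return None
    return owner.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_gmer(text):
    """Group SSDT hooks by product and isolate what needs a human look."""
    by_product = defaultdict(list)
    unknown_drivers = defaultdict(list)
    unattributed = []
    for owner, func in parse_ssdt(text):
        key = owner_key(owner)
        if key is None:
            # GMER could not map the handler to a loaded module: list it
            # separately rather than judge it automatically.
            unattributed.append((owner, func))
        elif key in KNOWN_HOOKERS:
            by_product[KNOWN_HOOKERS[key]].append(func)
        else:
            unknown_drivers[key].append(func)
    hidden = []
    for line in text.splitlines():
        m = HIDDEN_RE.match(line.strip())
        if m:
            hidden.append(m.groupdict())
    return {
        "by_product": dict(by_product),
        "unknown_drivers": dict(unknown_drivers),
        "unattributed": unattributed,
        "hidden_modules": hidden,
    }


if __name__ == "__main__":
    report = triage_gmer(GMER_SAMPLE)
    for product, funcs in report["by_product"].items():
        print(f"{product}: {len(funcs)} hooks ({', '.join(funcs)})")
    print("unknown drivers:", report["unknown_drivers"])
    print("raw-address hooks:", report["unattributed"])
    print("hidden modules:", report["hidden_modules"])
```

Run on the posted log, the bulk of the hooks fall under three installed security products, which is what one expects on a machine running Symantec, AVG Anti-Spyware and Prevx1 at the same time; the raw-address entries and the single hidden-library line are the only items left for a person to explain, which matches how the thread proceeds.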


----------



## Killazys (Feb 9, 2007)

On a side note: it took around 30 minutes to boot up the computer, login, open the notepad file, and post it here. Running programs no longer showing in taskbar!!


----------



## Cookiegal (Aug 27, 2003)

Where do you see the rootkit?


----------



## Killazys (Feb 9, 2007)

Library C:\Program (*** hidden *** ) @ C:\WINDOWS\EXPLORER.EXE [2904] 0x033E0000
At least, that's what GMER said.


----------



## Cookiegal (Aug 27, 2003)

Killazys said:


> Library C:\Program (*** hidden *** ) @ C:\WINDOWS\EXPLORER.EXE [2904] 0x033E0000
> At least, that's what GMER said.


I'm not 100% sure about that so I've asked a colleague for his opinion and either he or I will post back here.

In the meantime, let's run another rootkit detector.

Download RootkitRevealer from *here* (link is at the very bottom of the page).
Unzip it to your desktop.
Open the RootkitRevealer folder and double-click *rootkitrevealer.exe*
Click the *Scan* button (bottom right)
It may take a while to scan (don't do anything while it's running)
When it's done, go up to *File - Save*. Choose to save it to your desktop.
Open *RootkitRevealer.txt* on your desktop and copy the entire contents and paste them here.


----------



## dvk01 (Dec 14, 2002)

After consultation with the Gmer developer, we think it is just a minor bug & gmer not being able to read the file path correctly so it doesn't seem to be anything to worry about 

but to be safe we will double check with the other detector cookiegal posted


----------



## Killazys (Feb 9, 2007)

HKU\.DEFAULT\Control Panel\International	2/10/2007 9:46 PM	0 bytes	Security mismatch.
HKU\.DEFAULT\Control Panel\International\Geo	2/10/2007 9:46 PM	0 bytes	Security mismatch.
HKU\S-1-5-21-2000478354-329068152-725345543-1004\Control Panel\International	2/10/2007 9:46 PM	0 bytes	Security mismatch.
HKU\S-1-5-21-2000478354-329068152-725345543-1004\Control Panel\International\Geo	2/10/2007 9:46 PM	0 bytes	Security mismatch.
HKU\S-1-5-21-2000478354-329068152-725345543-1004\Software\Microsoft\Command Processor	2/10/2007 9:46 PM	0 bytes	Security mismatch.
HKU\S-1-5-18\Control Panel\International	2/10/2007 9:46 PM	0 bytes	Security mismatch.
HKU\S-1-5-18\Control Panel\International\Geo	2/10/2007 9:46 PM	0 bytes	Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC*	10/22/2002 5:38 PM	0 bytes	Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI*	10/22/2002 5:38 PM	0 bytes	Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Command Processor	2/10/2007 9:46 PM	0 bytes	Security mismatch.
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\ADVANCEPRO\MSSQLServer\uptime_time_utc	2/21/2007 1:20 PM	8 bytes	Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\97DAFF0C.TMP	2/21/2007 1:28 PM	0 bytes	Hidden from Windows API.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20070220.019\vscanmsx.dat	2/21/2007 1:35 PM	2.02 KB	Hidden from Windows API.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb	2/21/2007 1:25 PM	64.00 KB	Visible in Windows API, but not in MFT or directory index.
This is the rootkit reveal log.
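The same kind of triage for a RootkitRevealer log, added as an example that is not part of the thread or of the Sysinternals tool. RootkitRevealer reports discrepancies between the Windows API view and the raw disk or hive view; most are routine, so the code below applies a small rule table to sort the posted entries into "explained" and "needs review". The rules are assumptions written for this log (registry security mismatches, the LSA secrets whose names contain embedded nulls, antivirus working files hidden by the product's own self-protection, and files that changed while the scan ran); the final input line, a hidden driver file under system32, is constructed to show what the review bucket catches and is not from the thread.

```python
import re

# Constructed sample: the RootkitRevealer log posted in this thread (tab-separated:
# path, timestamp, size, discrepancy) plus one made-up line at the end that is
# NOT from the thread, there to exercise the "needs review" path.
RRL_SAMPLE = (
    "HKU\\.DEFAULT\\Control Panel\\International\t2/10/2007 9:46 PM\t0 bytes\tSecurity mismatch.\n"
    "HKU\\S-1-5-18\\Control Panel\\International\\Geo\t2/10/2007 9:46 PM\t0 bytes\tSecurity mismatch.\n"
    "HKLM\\SECURITY\\Policy\\Secrets\\SAC*\t10/22/2002 5:38 PM\t0 bytes\tKey name contains embedded nulls (*)\n"
    "HKLM\\SECURITY\\Policy\\Secrets\\SAI*\t10/22/2002 5:38 PM\t0 bytes\tKey name contains embedded nulls (*)\n"
    "HKLM\\SOFTWARE\\Microsoft\\Microsoft SQL Server\\ADVANCEPRO\\MSSQLServer\\uptime_time_utc"
    "\t2/21/2007 1:20 PM\t8 bytes\tData mismatch between Windows API and raw hive data.\n"
    "C:\\Documents and Settings\\All Users\\Application Data\\Symantec\\SRTSP\\SrtETmp\\97DAFF0C.TMP"
    "\t2/21/2007 1:28 PM\t0 bytes\tHidden from Windows API.\n"
    "C:\\Program Files\\Common Files\\Symantec Shared\\VirusDefs\\20070220.019\\vscanmsx.dat"
    "\t2/21/2007 1:35 PM\t2.02 KB\tHidden from Windows API.\n"
    "C:\\WINDOWS\\SoftwareDistribution\\DataStore\\Logs\\tmp.edb"
    "\t2/21/2007 1:25 PM\t64.00 KB\tVisible in Windows API, but not in MFT or directory index.\n"
    # Constructed placeholder line (not in the thread): a hidden driver under system32.
    "C:\\WINDOWS\\system32\\drivers\\EXAMPLE_hidden.sys\t2/21/2007 1:30 PM\t12.00 KB\tHidden from Windows API.\n"
)

# Assumed triage rules: (discrepancy substring, path regex, reason). An entry is
# treated as explained only when BOTH the discrepancy type and the path fit.
RULES = [
    ("Security mismatch", r"^HK(LM|U)\\",
     "registry ACL inconsistency, not a hiding technique"),
    ("embedded nulls", r"^HKLM\\SECURITY\\Policy\\Secrets\\SA[CI]\*",
     "LSA secrets that Windows itself names with embedded nulls"),
    ("Data mismatch", r"uptime_time_utc$",
     "value rewritten while the scan ran"),
    ("Hidden from Windows API", r"\\Symantec( Shared)?\\",
     "antivirus self-protection hides its own working files (assumption)"),
    ("not in MFT or directory index", r"\.edb$",
     "transient database log created during the scan"),
]


def parse_rrl(text):
    """Split each tab-separated RootkitRevealer line into a dict."""
    entries = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4:
            continue  # skip blank or free-text lines
        path, ts, size, disc = parts
        entries.append({"path": path, "timestamp": ts, "size": size, "discrepancy": disc})
    return entries


def triage_rrl(text):
    """Return explained entries (with the rule's reason) and entries needing review."""
    explained, review = [], []
    for e in parse_rrl(text):
        for disc_key, path_re, reason in RULES:
            if disc_key in e["discrepancy"] and re.search(path_re, e["path"]):
                explained.append({**e, "reason": reason})
                break
        else:
            review.append(e)
    return {"explained": explained, "review": review}


if __name__ == "__main__":
    report = triage_rrl(RRL_SAMPLE)
    for e in report["explained"]:
        print(f"ok      {e['path']}  <- {e['reason']}")
    for e in report["review"]:
        print(f"REVIEW  {e['path']}  ({e['discrepancy']})")
```

On the log as posted, every entry is explained by a rule and the review list is empty, which agrees with the reply below that no rootkit is present; only the constructed driver line lands in the review bucket, because a file hidden from the API outside a security product's own directories is exactly the case that warrants a closer look.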


----------



## Cookiegal (Aug 27, 2003)

There is no rootkit present there.

Do you have your XP CD?


----------



## Killazys (Feb 9, 2007)

I don't believe so.


----------



## Cookiegal (Aug 27, 2003)

Go to *Start* - *Run* - type in *eventvwr.msc* and click OK. Look under both "application" and "system" to see if there are any errors there indicated in red. If so, please open them and copy them here. To do that, double click the specific error and it will open up. Then click on the icon that looks like two pieces of paper. This copies it to the clipboard. Then paste them into Notepad or Word and eventually paste them all there please.


----------



## Killazys (Feb 9, 2007)

Here are the app errors. For the system, there is literally an error after every other entry, and they are the exact same thing, except for a second apart. Do you want me to copy one entry for each time frame, or copy every single one?


----------



## Cookiegal (Aug 27, 2003)

If the errors are identical then it's not necessary to copy more than one.


----------



## Killazys (Feb 9, 2007)

Please find the system error log attached.


----------



## Rollin' Rog (Dec 9, 2000)

From the error log I see you are having problems with Office updates -- this might be a sidetrack and to help I need to know exactly what the current issue is. There are some other issues there but I do not know how persistent or relevant they are. Others are just associated with Safe Mode starts.

Is it slow booting and slow program opening?

For now let's disable Windows Automatic Updates to rule that out as a factor.

Run *services.msc* and find Automatic Updates there.

Double click it and set the startup mode to disabled and reboot.

Does that change anything?

Also, do this:

If you open the Device Manager (run *devmgmt.msc*) and select the entry for IDE ATA/Atapi and select the Primary IDE > Advanced Settings, does it say the "_*current transfer mode*_" is DMA or PIO?

If it says PIO, first ensure "Use DMA if Available" is selected, then select the driver tab and uninstall the driver and reboot. Then check again.

>> also:

Do ctrl-alt-del to open up the task manager. Select the "performance" tab. Let me know what you see under:

*Physical Memory*

*Total:* this is your total installed ram -- "physical" memory
*Available:* this is the amt of real "physical" memory presently uncommitted

*Commit Charge*

*Total:* this is the combination of total physical and virtual memory currently in use
*Limit:* this is the total physical and virtual memory available
*Peak:* this is the most you have had in use in this session


----------



## Killazys (Feb 9, 2007)

WITH TeaTimer, SG, and Prevx1 open, as well as this page and the Task Manager:
Under Physical Memory:
Total: 261664, Available: 83500, around there, it keeps on changing.
Under Commit Charge:
Total: 453700, around there, it keeps on changing, Limit: 651572, Peak: 549656
It was PIO and I changed it to DMA and uninstalled the driver. Restarting computer now!


----------



## Killazys (Feb 9, 2007)

Ok, changed it to DMA and uninstalled driver, on reboot, noticed that it was a bit faster, and that most running programs were showing on the system toolbar. However, there was a little info bubble that popped up and said that Windows installed the driver again and I had to reboot. On second reboot, boot time was considerably faster, but running programs are no longer showing, and the device was back on PIO! What to do...


----------



## Rollin' Rog (Dec 9, 2000)

Hmmm, well there is some issue with the drive; try it again -- and there is a registry edit that may help as a workaround.

The registry edit is described here, towards the bottom, under "more information":

http://support.microsoft.com/kb/817472/

Also, in the Event Viewer (run eventvwr.msc) > System log are you seeing any "disk" or "atapi" errors?

You should probably also run chkdsk on the drive.

To do that right click on your local drive and select Properties > Tools > error checking.

After chkdsk has completed and you have rebooted, the log is available for viewing in the Applications Log > Winlogon entry.

This is another issue:



> Total: 261664, Available: 83500, around there, it keeps on changing.
> Under Commit Charge:
> Total: 453700, around there, it keeps on changing, Limit: 651572, Peak: 549656


This is showing that you have 256 mb of installed ram -- but your current usage is almost twice that and your peak usage more than twice that.

You need to at least double your amount of installed ram or reduce the number of programs that are loading.

I don't see what it is in your scanlog that might be chewing up so much memory. You might get a clue from examining the Task Manager Process list and looking under "Peak Mem Usage" and "VM". You will probably have to enable these columns in the View menu.


----------



## Killazys (Feb 9, 2007)

No disk/atapi errors, should I use a RAM card? For the process list, things with high Peak Mem Usage and VM are PXAgent.exe, ccApp.exe, iexplore.exe, SVCHOST.exe, guard.exe, mmc.exe, and EXPLORER.exe


----------



## Killazys (Feb 9, 2007)

Where is this "Applications Log"?


----------



## Rollin' Rog (Dec 9, 2000)

Well, you need to install ram. A memory card won't do anything for you.

The applications log is available through the event viewer (eventvwr.msc)

I would reseat the drive cable.

For now you should try getting it back in ULTRA DMA mode and then promptly perform the registry edit described in the article.


How much memory is Prevx consuming? This might be something you may want to consider uninstalling and just go with Symantec -- or even uninstall Symantec as well and get something less resource hungry such as AVG.

Is Guard a program you started manually? I don't see it in the scanlog.

You can also disable (using msconfig) or delete from automatic startups media programs such as quicktime, HP update schedulers, just about all Adobe startups.


----------



## Killazys (Feb 9, 2007)

I have absolutely NO CLUE what guard.exe is. I am uninstalling Prevx1.


----------



## Killazys (Feb 9, 2007)

Running programs are now showing in the system toolbar. On reboot, the Primary IDE Channel is no longer on PIO after using the reg workaround. The boot is considerably faster as well, as is the sign-in time. Thanks a lot! However, I still cannot find that log for the chkdsk.


----------



## Killazys (Feb 9, 2007)

How do I reseat the drive cable?


----------



## Rollin' Rog (Dec 9, 2000)

You would have to open the case up (power off of course), locate the cable that runs from the disk drive to the motherboard and remove and reseat it. If the DMA setting holds up with the registry edit -- you don't need to feel any urgency about it. But if you add more ram -- you should do that while you're down there -- and clean out any dust bunnies as well.

Did you run a complete chkdsk and reboot? Run *eventvwr.msc* and open the applications log. Look for a Winlogon entry there, see attachment.

Are you running a server application?

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

I'm not sure where Guard.exe is coming from, do any of these ring a bell?

http://www.google.com/search?client=opera&rls=en&q=guard.exe&sourceid=opera&ie=utf-8&oe=utf-8

http://www.file.net/process/guard.exe.html

Try finding it, right click on it and select Properties > Version and see what the copyright info is.

By the way, Stardock is another program I have occasionally seen implicated in performance issues and slow booting especially at the logon phase.


----------



## Killazys (Feb 9, 2007)

I'm not sure, I will rerun the chkdsk though, but I am really not comfortable with messing with the actual computer, I'll probably get someone else to help me out with it (if I can buy the RAM, that is!)


----------



## Rollin' Rog (Dec 9, 2000)

Although XP will run passably well on 256 mb if you keep your startups trim -- 512 is really a minimum for "good" performance.


----------



## Killazys (Feb 9, 2007)

Oh. Right. Still can't find that chkdsk log. MSSQL is my server, so no problem with that. Guard.exe has been officially verified as AVG Anti-Spyware! I checked the Stardock folder...it was empty. Deleted folder, and there was no problem.


----------



## Rollin' Rog (Dec 9, 2000)

Okedoke, well then are there any more issues we should look at?

If not, feel free to mark the thread "Solved" using the Thread Tools menu.

As for chkdsk, I don't know what to tell you if you can't find a "winlogon" "SOURCE" entry in the Applications log -- that's where it should be if it completed and rebooted.


----------



## Killazys (Feb 9, 2007)

It never rebooted by itself! It just said "Checking Volume for errors, please wait" and then there was a little green progress bar that said "Phase 1" and then it said Completed. Then I clicked done and the window closed, but nothing happened.


----------



## Rollin' Rog (Dec 9, 2000)

Ah, I don't think it completed. There is more than 1 phase. If I recall there are 3 or 4 -- I think the 4th comes if you run chkdsk /r or check the "automatically fix" errors option.


----------



## Killazys (Feb 9, 2007)

No errors with chkdsk! Alright, this problem is officially *solved!*


----------




