# Oh Why Oh Why



## ColleenA (Feb 18, 2002)

I am running XP. Computer has been running great. I haven't had to post here since last August since I got this new machine.

All of a sudden I keep getting an error report popping up saying "Demo MFC Applications has encountered a problem and needs to close. We are sorry for the inconvenience."

I can't seem to get it to stop popping up and I have NO idea what the heck it is. Do I need it? How do I get rid of it?

Please help
Thanks
Colleen


----------



## eddie5659 (Mar 19, 2001)

Hiya

Do you know if you've installed a program called Demo in the past?

Let's take a look at a log. Go to http://www.thespykiller.co.uk/files/hijackthis_sfx.exe , and download 'Hijack This!'.
Doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button. 
Press that, save the log somewhere, and please copy & paste its contents to the forum.

It will possibly show other issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet. 
Someone here will be happy to help you analyze the results.

Regards

eddie


----------



## ColleenA (Feb 18, 2002)

Thanks, hope this helps

Logfile of HijackThis v1.99.1
Scan saved at 4:35:02 PM, on 6/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ServeHost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\HuaCi\huaci\zsearch.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MonitorURL Class - {08A312BB-5409-49FC-9347-54BB7D069AC6} - C:\PROGRA~1\DESKAD~1\deskipn.dll
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: IE Browser Helper - {3CE496D1-1746-41CD-9489-3C0B93DF10E2} - C:\WINDOWS\Downlo~1\q0tp5k.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [MoveSearch] C:\Program Files\HuaCi\huaci\zsearch.exe
O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"
O4 - HKLM\..\Run: [Desktop] C:\WINDOWS\system32\rundll32.exe "C:\Program Files\DeskAdTop\Run.dll" ,Rundll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab37625.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab46704.cab
O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab36385.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{37C2D4C1-A9A2-4B71-987F-7E1D20FD8E3E}: NameServer = 67.69.184.151 206.47.244.57
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: .Net Boot Service - Unknown owner - C:\WINDOWS\system32\big5_gb2312.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Remote Log - Beijing zhongsou online software - C:\WINDOWS\system32\ServeHost.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

Sorry, I don't know of a program called demo that was downloaded. But my teenage son has been on this a lot lately.

Also just got a message that I have a virus
W32/Download.TUG

Thanks
Again


----------



## Triple6 (Dec 26, 2002)

Make sure your Freedom Security is up-to-date, manually update the Antivirus and Antispyware programs and do scans with each component - it should take care of most of the problems, because you do have spyware on the system.


----------



## Cookiegal (Aug 27, 2003)

Download the trial version of *Ewido Anti-spyware* from *HERE* and save that file to your desktop. When the trial period expires it becomes freeware with reduced functions but still worth keeping.


Once you have downloaded Ewido Anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need to run Ewido and update the definition files.
On the main screen select the icon "*Update*" then select the "*Update now*" link.
Next select the "*Start Update*" button, the update will start and a progress bar will show the updates being installed.
Once the update has completed select the "*Scanner*" icon at the top of the screen, then select the "*Settings*" tab.
Once in the Settings screen click on "*Recommended actions*" and then select "*Quarantine*"
Under "*Reports*"
Select "*Automatically generate report after every scan*"
Un-Select "*Only if threats were found*"

Close Ewido Anti-spyware. Do NOT run a scan yet. We will do that later in safe mode.


Reboot your computer into *Safe Mode* now. You can do this by restarting your computer and continually tapping the *F8* key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
*IMPORTANT:* Do not open any other windows or programs while Ewido is scanning as it may interfere with the scanning process:
Launch Ewido Anti-spyware by double-clicking the icon on your desktop.
Select the "*Scanner*" icon at the top and then the "*Scan*" tab then click on "*Complete System Scan*".
Ewido will now begin the scanning process. Be patient, this may take a little time.
*Once the scan is complete do the following:*
If you have any infections you will be prompted, then select "*Apply all actions*"
Next select the "*Reports*" icon at the top.
Select the "*Save report as*" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close Ewido and reboot your system back into Normal Mode.

Run ActiveScan online virus scan: *here*

When the scan is finished, save the results from the scan!

*Come back here and post a new HijackThis log along with the logs from the Ewido and Panda scans.*


----------



## ColleenA (Feb 18, 2002)

Hi

thanks for the help

I ran the Ewido in safe mode and have posted the report.

I couldn't run the ActiveScan as I kept getting messages that the Panda pages cannot be displayed. I did do a search for other links but kept getting the same thing.

I have also posted a new hijack log

Hope this helps

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at:	9:31:34 PM 6/23/2006

+ Scan result:

HKU\S-1-5-21-1275210071-854245398-1708537768-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{56F1D444-11BF-4879-A12B-79CF0177F038} -> Adware.180Solutions : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731} -> Adware.Generic : Error during cleaning.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A0176FE-008B-4706-90F5-BBA532A49731} -> Adware.Generic : Error during cleaning.
HKU\S-1-5-21-1275210071-854245398-1708537768-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2A0176FE-008B-4706-90F5-BBA532A49731} -> Adware.Generic : Error during cleaning.
C:\Program Files\Common Files\PestPatrol\Quarantine\20051010170917.zip/Program Files/newdotnet/newdotnet6_38.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Common Files\PestPatrol\Quarantine\20051010170917.zip/Program Files/newdotnet/newdotnet6_38.to_be_deleted -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Common Files\PestPatrol\Quarantine\20051010170917.zip/Program Files/newdotnet/newdotnet6_38.to_be_deleted_x -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Common Files\PestPatrol\Quarantine\20051010170917.zip/Program Files/newdotnet/newdotnet6_90.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Common Files\PestPatrol\Quarantine\20051010170917.zip/Program Files/newdotnet/newdotnet6_90.to_be_deleted -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Common Files\PestPatrol\Quarantine\20051010170917.zip/Program Files/newdotnet/uninstall6_38.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Common Files\PestPatrol\Quarantine\20051010170917.zip/Program Files/newdotnet/uninstall6_90.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Common Files\PestPatrol\Quarantine\20051010170917.zip/WINDOWS/NDNuninstall6_38.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Common Files\PestPatrol\Quarantine\20051010170917.zip/WINDOWS/NDNuninstall6_90.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Common Files\PestPatrol\Quarantine\20051010170924.zip/Program Files/newdotnet/newdotnet6_38.to_be_deleted -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Common Files\PestPatrol\Quarantine\20051010170924.zip/Program Files/newdotnet/newdotnet6_38.to_be_deleted_x -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Common Files\PestPatrol\Quarantine\20051010170924.zip/Program Files/newdotnet/newdotnet6_90.to_be_deleted -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Common Files\PestPatrol\Quarantine\20051010170924.zip/Program Files/newdotnet/newdotnet6_90.to_be_deleted_x -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Common Files\PestPatrol\Quarantine\20051010170926.zip/Program Files/newdotnet/newdotnet6_38.to_be_deleted -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Common Files\PestPatrol\Quarantine\20051010170926.zip/Program Files/newdotnet/newdotnet6_38.to_be_deleted_x -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Common Files\PestPatrol\Quarantine\20051010170926.zip/Program Files/newdotnet/newdotnet6_90.to_be_deleted -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Common Files\PestPatrol\Quarantine\20051010170926.zip/Program Files/newdotnet/newdotnet6_90.to_be_deleted_x -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Common Files\PestPatrol\Quarantine\20051010170928.zip/Program Files/newdotnet/newdotnet6_38.to_be_deleted -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Common Files\PestPatrol\Quarantine\20051010170928.zip/Program Files/newdotnet/newdotnet6_38.to_be_deleted_x -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Common Files\PestPatrol\Quarantine\20051010170928.zip/Program Files/newdotnet/newdotnet6_90.to_be_deleted -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Common Files\PestPatrol\Quarantine\20051010170928.zip/Program Files/newdotnet/newdotnet6_90.to_be_deleted_x -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Common Files\PestPatrol\Quarantine\20051010170930.zip/Program Files/newdotnet/newdotnet6_38.to_be_deleted -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Common Files\PestPatrol\Quarantine\20051010170930.zip/Program Files/newdotnet/newdotnet6_38.to_be_deleted_x -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Common Files\PestPatrol\Quarantine\20051010170930.zip/Program Files/newdotnet/newdotnet6_90.to_be_deleted -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Common Files\PestPatrol\Quarantine\20051010170930.zip/Program Files/newdotnet/newdotnet6_90.to_be_deleted_x -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Common Files\PestPatrol\Quarantine\20051010170933.zip/Program Files/newdotnet/newdotnet6_38.to_be_deleted -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Common Files\PestPatrol\Quarantine\20051010170933.zip/Program Files/newdotnet/newdotnet6_38.to_be_deleted_x -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Common Files\PestPatrol\Quarantine\20051010170933.zip/Program Files/newdotnet/newdotnet6_90.to_be_deleted -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Common Files\PestPatrol\Quarantine\20051010170933.zip/Program Files/newdotnet/newdotnet6_90.to_be_deleted_x -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Common Files\PestPatrol\Quarantine\20051010170935.zip/Program Files/newdotnet/newdotnet6_38.to_be_deleted -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Common Files\PestPatrol\Quarantine\20051010170935.zip/Program Files/newdotnet/newdotnet6_38.to_be_deleted_x -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Common Files\PestPatrol\Quarantine\20051010170935.zip/Program Files/newdotnet/newdotnet6_90.to_be_deleted -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Common Files\PestPatrol\Quarantine\20051010170935.zip/Program Files/newdotnet/newdotnet6_90.to_be_deleted_x -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Common Files\PestPatrol\Quarantine\20051010170937.zip/Program Files/newdotnet/newdotnet6_38.to_be_deleted -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Common Files\PestPatrol\Quarantine\20051010170937.zip/Program Files/newdotnet/newdotnet6_38.to_be_deleted_x -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Common Files\PestPatrol\Quarantine\20051010170937.zip/Program Files/newdotnet/newdotnet6_90.to_be_deleted -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Common Files\PestPatrol\Quarantine\20051010170937.zip/Program Files/newdotnet/newdotnet6_90.to_be_deleted_x -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Common Files\PestPatrol\Quarantine\20051010180017.zip/Program Files/newdotnet/newdotnet6_38.to_be_deleted -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Common Files\PestPatrol\Quarantine\20051010180017.zip/Program Files/newdotnet/newdotnet6_38.to_be_deleted_x -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Common Files\PestPatrol\Quarantine\20051010180017.zip/Program Files/newdotnet/newdotnet6_90.to_be_deleted -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Common Files\PestPatrol\Quarantine\20051010180017.zip/Program Files/newdotnet/newdotnet6_90.to_be_deleted_x -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Downloads\DropExtremeSetup-dm[1].exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\Documents and Settings\Nicholas\Local Settings\Temp\msetup.exe -> Adware.WSearch : Cleaned with backup (quarantined).
C:\Documents and Settings\Nicholas\Local Settings\Temp\~ex1.exe -> Adware.WSearch : Cleaned with backup (quarantined).
C:\Documents and Settings\Nicholas\Local Settings\Temp\~ex2.exe -> Adware.WSearch : Cleaned with backup (quarantined).
C:\Documents and Settings\Nicholas\Local Settings\Temp\~ex3.exe -> Adware.WSearch : Cleaned with backup (quarantined).
C:\Documents and Settings\Nicholas\Local Settings\Temp\~ex4.exe -> Adware.WSearch : Cleaned with backup (quarantined).
C:\Documents and Settings\Nicholas\Local Settings\Temp\~ex6.exe/FAD.sys -> Adware.WSearch : Cleaned with backup (quarantined).
C:\Documents and Settings\Nicholas\Local Settings\Temp\~ex8.exe/Mouse1.dll.zgx -> Adware.WSearch : Cleaned with backup (quarantined).
C:\Documents and Settings\Nicholas\Local Settings\Temp\~ex8.exe/SearchM.dll.zgx -> Adware.WSearch : Cleaned with backup (quarantined).
C:\Documents and Settings\Nicholas\Local Settings\Temp\~ex8.exe/abhcop.sys -> Adware.WSearch : Cleaned with backup (quarantined).
C:\Documents and Settings\Nicholas\Local Settings\Temp\~ex8.exe/hcalway.sys -> Adware.WSearch : Cleaned with backup (quarantined).
C:\Documents and Settings\Nicholas\Local Settings\Temp\~ex8.exe/mUin.exe -> Adware.WSearch : Cleaned with backup (quarantined).
C:\Documents and Settings\Nicholas\Local Settings\Temp\~ex8.exe/zsearch.exe -> Adware.WSearch : Cleaned with backup (quarantined).
C:\Documents and Settings\Nicholas\Local Settings\Temp\~ex8.exe/zsup.exe -> Adware.WSearch : Cleaned with backup (quarantined).
C:\Documents and Settings\Nicholas\Local Settings\Temp\~ex9.exe -> Adware.WSearch : Cleaned with backup (quarantined).
C:\Program Files\DeskAdTop\DeskUn.exe -> Adware.WSearch : Cleaned with backup (quarantined).
C:\Program Files\DeskAdTop\Run.dll -> Adware.WSearch : Cleaned with backup (quarantined).
C:\Program Files\HuaCi\huaci\Mouse1.dll -> Adware.WSearch : Error during cleaning.
C:\Program Files\HuaCi\huaci\SearchM.dll -> Adware.WSearch : Error during cleaning.
C:\Program Files\HuaCi\huaci\mUin.exe -> Adware.WSearch : Error during cleaning.
C:\Program Files\HuaCi\huaci\reg.exe -> Adware.WSearch : Error during cleaning.
C:\Program Files\HuaCi\huaci\zsearch.exe -> Adware.WSearch : Error during cleaning.
C:\Program Files\HuaCi\huaci\zsup.exe -> Adware.WSearch : Error during cleaning.
C:\Program Files\HuaCi\update\SearchM.dll.dat/SearchM.dll -> Adware.WSearch : Cleaned with backup (quarantined).
C:\Program Files\HuaCi\update\mUin.exe.dat/mUin.exe -> Adware.WSearch : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drivers\abhcop.sys -> Adware.WSearch : Error during cleaning.
C:\WINDOWS\system32\drivers\hcalway.sys -> Adware.WSearch : Error during cleaning.
C:\Documents and Settings\Nicholas\Local Settings\Temp\~exC.exe -> Adware.Zhongsou : Cleaned with backup (quarantined).
C:\Documents and Settings\Nicholas\Local Settings\Temp\~ex7.exe/big5_gb2312.exe -> Downloader.Agent.abm : Cleaned with backup (quarantined).
C:\Documents and Settings\Nicholas\Local Settings\Temp\~ex6.exe/IEUrldrive.exe -> Logger.Agent.iw : Cleaned with backup (quarantined).
C:\Documents and Settings\Nicholas\Local Settings\Temp\~ex6.exe/SearchNet.exe -> Logger.Agent.iw : Cleaned with backup (quarantined).
C:\Documents and Settings\Nicholas\Local Settings\Temp\~ex6.exe/ServeHost.exe -> Logger.Agent.iw : Cleaned with backup (quarantined).
C:\Documents and Settings\Nicholas\Local Settings\Temp\~ex6.exe/ServeUp.exe -> Logger.Agent.iw : Cleaned with backup (quarantined).
C:\Documents and Settings\Nicholas\Local Settings\Temp\~ex6.exe/SrvNet32.dll.zgx -> Logger.Agent.iw : Cleaned with backup (quarantined).
C:\Documents and Settings\Nicholas\Local Settings\Temp\~ex6.exe/UrlService.exe -> Logger.Agent.iw : Cleaned with backup (quarantined).
C:\Documents and Settings\Nicholas\Local Settings\Temp\~ex6.exe/hprocess.sys -> Logger.Agent.iw : Cleaned with backup (quarantined).
C:\Program Files\SearchNet\SearchNet.exe -> Logger.Agent.iw : Error during cleaning.
C:\Program Files\SearchNet\SrvNet32_Del.dll -> Logger.Agent.iw : Error during cleaning.
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\2L49ALQP\popcaploader_v6[1].cab/PopCapLoader.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup (quarantined).

::Report end

Logfile of HijackThis v1.99.1
Scan saved at 9:50:56 PM, on 6/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\HuaCi\huaci\zsearch.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\SearchNet\SearchNet.exe
C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MonitorURL Class - {08A312BB-5409-49FC-9347-54BB7D069AC6} - C:\PROGRA~1\DESKAD~1\deskipn.dll (file missing)
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: IE Browser Helper - {3CE496D1-1746-41CD-9489-3C0B93DF10E2} - C:\WINDOWS\Downlo~1\q0tp5k.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [MoveSearch] C:\Program Files\HuaCi\huaci\zsearch.exe
O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"
O4 - HKLM\..\Run: [Desktop] C:\WINDOWS\system32\rundll32.exe "C:\Program Files\DeskAdTop\Run.dll" ,Rundll
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [t0d] RunDll32 "C:\WINDOWS\Downlo~1\t0d.dll",Run
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab37625.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab46704.cab
O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab36385.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{37C2D4C1-A9A2-4B71-987F-7E1D20FD8E3E}: NameServer = 67.69.184.151 206.47.244.57
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: .Net Boot Service - Unknown owner - C:\WINDOWS\system32\big5_gb2312.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Remote Log - Beijing zhongsou online software - C:\WINDOWS\system32\ServeHost.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

Thanks
Colleen


----------
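An added example, not part of the thread: one way to cross-reference the HijackThis log with the ewido report posted above, flagging autostart entries (O2, O4, O23) that share a CLSID, file, folder or file name with an ewido detection. The sample lines are excerpted from those two logs; the function names and the matching heuristics are this example's own assumptions.

```python
import ntpath
import re

# Lines excerpted from the HijackThis log and ewido report in the post above.
HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [MoveSearch] C:\Program Files\HuaCi\huaci\zsearch.exe
O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"
O23 - Service: .Net Boot Service - Unknown owner - C:\WINDOWS\system32\big5_gb2312.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Log - Beijing zhongsou online software - C:\WINDOWS\system32\ServeHost.exe
"""

EWIDO_REPORT = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A0176FE-008B-4706-90F5-BBA532A49731} -> Adware.Generic : Error during cleaning.
C:\Program Files\HuaCi\huaci\zsearch.exe -> Adware.WSearch : Error during cleaning.
C:\Program Files\SearchNet\SearchNet.exe -> Logger.Agent.iw : Error during cleaning.
C:\Documents and Settings\Nicholas\Local Settings\Temp\~ex7.exe/big5_gb2312.exe -> Downloader.Agent.abm : Cleaned with backup (quarantined).
C:\Documents and Settings\Nicholas\Local Settings\Temp\~ex6.exe/ServeHost.exe -> Logger.Agent.iw : Cleaned with backup (quarantined).
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"]*?\.(?:exe|dll|sys)\b", re.I)
HJT_RE = re.compile(r"^(O\d+|R\d|F\d|N\d) - (.*)$")
EWIDO_RE = re.compile(r"^(.+?) -> (\S+) : (.+)$")


def parse_hjt(text):
    """Split HijackThis lines into section id, file paths, CLSID and flags."""
    entries = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = HJT_RE.match(line)
        if not m:
            continue
        body = m.group(2)
        clsid = CLSID_RE.search(body)
        entries.append({
            "section": m.group(1),
            "line": line,
            "paths": [p.lower() for p in PATH_RE.findall(body)],
            "clsid": clsid.group(0).upper() if clsid else None,
            "missing": body.endswith("(file missing)"),
            "unknown_owner": "Unknown owner" in body,
        })
    return entries


def parse_ewido(text):
    """Parse 'target -> detection : status' lines from the ewido report."""
    hits = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = EWIDO_RE.match(line)
        if not m:
            continue
        target, detection, status = m.groups()
        clsid = CLSID_RE.search(target)
        hits.append({
            "target": target.lower(),
            "clsid": clsid.group(0).upper() if clsid else None,
            "detection": detection,
            "failed": status.startswith("Error during cleaning"),
        })
    return hits


def triage(entries, hits):
    """Return (log line, reasons) for entries tied to a scanner detection."""
    findings = []
    for e in entries:
        reasons = []
        for h in hits:
            tag = h["detection"] + (" (cleaning failed)" if h["failed"] else "")
            if e["clsid"] and e["clsid"] == h["clsid"]:
                reasons.append("CLSID flagged as " + tag)
            for p in e["paths"]:
                if p == h["target"]:
                    reasons.append("file flagged as " + tag)
                # Folder match is skipped under C:\WINDOWS, which is shared
                # with legitimate system files (heuristic, assumption).
                elif (h["failed"] and not p.startswith("c:\\windows\\")
                      and ntpath.dirname(p) == ntpath.dirname(h["target"])):
                    reasons.append("same folder as " + tag)
                # Name-only match is weak evidence; treat it as a lead.
                elif ntpath.basename(p) == ntpath.basename(h["target"]):
                    reasons.append("same file name as " + tag)
        if e["missing"]:
            reasons.append("orphaned entry (file missing)")
        if e["unknown_owner"]:
            reasons.append("service has no vendor string")
        if reasons:
            findings.append((e["line"], sorted(set(reasons))))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(parse_hjt(HJT_LOG), parse_ewido(EWIDO_REPORT)):
        print(line)
        for r in reasons:
            print("    -", r)
```

Entries that match nothing (the Adobe BHO, the HP taskbar utility, iPodService) are left out of the result, which mirrors the advice earlier in the thread that most of what HijackThis lists is harmless.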



## Cookiegal (Aug 27, 2003)

Reset your ActiveX security settings like so... Go to Internet Options > Security > Internet, press 'default level', then OK. 
Now press "Custom Level". 
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to 'prompt', and "Initialize and Script ActiveX controls not marked as safe" to 'disable'. 

Then try to run the Panda scan again please.


----------



## ColleenA (Feb 18, 2002)

Hi Again:
Thanks for being so quick

I reset my ActiveX settings. But still the Panda page is unavailable.


----------



## Cookiegal (Aug 27, 2003)

Download the Hoster from here. Unzip the file and press "Restore Original Hosts" and press "OK". Exit Program.

Then try Panda again please.


----------



## ColleenA (Feb 18, 2002)

Thanks, I ran the panda program on my local drives and it did not find any problems


New problem occurred this morning when I booted up the machine. I got a message:

RUNDLL
Error loading C:\Program files\deskAdTop\Rundll

The specified module could not be found.

I just hit ok and it seemed fine.

Thanks


----------



## Cookiegal (Aug 27, 2003)

I see you have Absolute Poker installed. These types of sites are high risk for malware, which often gets installed without your knowledge. So if you're not using it, I recommend you uninstall it.

Click Start - Run - and type in:

*services.msc*

Click OK.

In the services window find *.Net Boot Service*.
Right click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Start-up Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

*Note:* You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.

Repeat the above step for this service as well:

*Remote Log - Beijing zhongsou online software *

*Click Here* and download Killbox and save it to your desktop but don't run it yet.

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click *fix checked*.

* 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

O2 - BHO: MonitorURL Class - {08A312BB-5409-49FC-9347-54BB7D069AC6} - C:\PROGRA~1\DESKAD~1\deskipn.dll (file missing)

O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll

O2 - BHO: IE Browser Helper - {3CE496D1-1746-41CD-9489-3C0B93DF10E2} - C:\WINDOWS\Downlo~1\q0tp5k.dll

O4 - HKLM\..\Run: [MoveSearch] C:\Program Files\HuaCi\huaci\zsearch.exe

O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"

O4 - HKLM\..\Run: [Desktop] C:\WINDOWS\system32\rundll32.exe "C:\Program Files\DeskAdTop\Run.dll" ,Rundll

O4 - HKLM\..\Run: [t0d] RunDll32 "C:\WINDOWS\Downlo~1\t0d.dll",Run

O23 - Service: .Net Boot Service - Unknown owner - C:\WINDOWS\system32\big5_gb2312.exe (file missing)

O23 - Service: Remote Log - Beijing zhongsou online software - C:\WINDOWS\system32\ServeHost.exe
*

Then boot to safe mode:

 *How to restart to safe mode*

Double-click on Killbox.exe to run it. 

Put a tick by *Standard File Kill*. 
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

*
C:\WINDOWS\Downlo~1\q0tp5k.dll

C:\Program Files\HuaCi

C:\Program Files\SearchNet

C:\Program Files\DeskAdTop

C:\WINDOWS\Downlo~1\t0d.dll",Run

C:\WINDOWS\system32\big5_gb2312.exe

C:\WINDOWS\system32\ServeHost.exe

C:\WINDOWS\system32\drivers\abhcop.sys

C:\WINDOWS\system32\drivers\hcalway.sys 
*

Click on the button that has the red circle with the X in the middle after you enter each file. 
It will ask for confirmation to delete the file. 
Click Yes. 
Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
Killbox may tell you that one or more files do not exist. 
If that happens, just continue on with all the files. Be sure you don't miss any.
Next in Killbox go to *Tools > Delete Temp Files*
In the window that pops up, put a check by *ALL* the options there *except* these three:
XP Prefetch
Recent
History

Now click the *Delete Selected Temp Files* button.
Exit the Killbox.

Go to Start - Run and copy and paste then click OK:

*shell:cache\content.ie5*

This should open your content.ie5 folder. Select everything in there and click delete.

Boot back to Windows normally and post another HijackThis log please.


----------



## ColleenA (Feb 18, 2002)

Hi

Oh boy was that an experience. After I did everything you posted to do, I tried to post the response to you. Halfway through, my machine started beeping and I could no longer type anything. I restarted and it went right into AwardBios setup utility. Did not know what to do so I restarted again and it went to my opening screen where I usually press F1 to start but it wouldn't do anything. I left it for awhile and restarted and it was fine.

Here are the results from your last post.

Did everything you asked, and you were right: in the Killbox program there was only 1 file I could delete. C:\Program Files\deskAdTop deleted fine. The others either said that the file does not seem to exist or this file could not be deleted.

When I finished with that I went to Run to get into the contents of the IE5 folder. Only thing in there was Index DAT File 1,328 KB but it would not let me delete it.

When I finished everything and restarted I got an error message: Windows cannot find C:\windows\temp\a8i.exe\ Make sure you typed the name correctly.........

Here is the most recent Hijack report:

Logfile of HijackThis v1.99.1
Scan saved at 8:15:41 AM, on 6/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\ServeHost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SearchNet\SearchNet.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab37625.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab46704.cab
O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab36385.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Remote Log - ???????????? - C:\WINDOWS\system32\ServeHost.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

Hope this helps

Thanks
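
The rescan above can be checked mechanically against the fix list and Killbox paths from the earlier post. This is an added example, not part of the thread or of HijackThis itself: the function names are hypothetical, and the sample data is a short excerpt copied from the two posts on this page. Entries are matched on CLSID, Run value name or service name rather than on whole lines, because the owner field of the Remote Log service reads differently in the two logs.

```python
import re

ITEM_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")          # "O4 - ...", "R0 - ..."
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^(HK\w+\\\.\.\\[^:]+): \[([^\]]+)\]")  # HKLM\..\Run: [Name]


def entry_key(line):
    """Return a stable identity for one HijackThis item line, or None."""
    m = ITEM_RE.match(line.strip())
    if not m:
        return None  # header, blank line or running-process path
    section, body = m.group(1), m.group(2).replace(" (file missing)", "")
    if section == "O2":                      # BHO: identify by CLSID
        clsid = CLSID_RE.search(body)
        if clsid:
            return (section, clsid.group(0).upper())
    elif section == "O4":                    # autorun: identify by key + value name
        run = RUN_RE.match(body)
        if run:
            return (section, (run.group(1) + ":" + run.group(2)).lower())
    elif section == "O23" and body.startswith("Service: "):
        # service: identify by display name, ignoring the owner and path fields
        return (section, body[len("Service: "):].split(" - ")[0].lower())
    return (section, body.lower())           # fallback: the whole entry text


def persisting(fix_list, rescan):
    """Rescan lines whose identity matches an entry that was marked for fixing."""
    targets = {entry_key(l) for l in fix_list.splitlines()} - {None}
    return [l.strip() for l in rescan.splitlines() if entry_key(l) in targets]


def running_from(paths, rescan):
    """Running processes that are, or sit under, one of the deleted paths."""
    wanted = [p.lower().rstrip("\\") for p in paths]
    hits, in_procs = [], False
    for line in rescan.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:
            break                            # blank line ends the process list
        elif in_procs:
            low = line.lower()
            if any(low == p or low.startswith(p + "\\") for p in wanted):
                hits.append(line)
    return hits


# Sample data: entries copied from the fix list in the earlier post.
FIX_LIST = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: MonitorURL Class - {08A312BB-5409-49FC-9347-54BB7D069AC6} - C:\PROGRA~1\DESKAD~1\deskipn.dll (file missing)
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll
O4 - HKLM\..\Run: [MoveSearch] C:\Program Files\HuaCi\huaci\zsearch.exe
O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"
O23 - Service: .Net Boot Service - Unknown owner - C:\WINDOWS\system32\big5_gb2312.exe (file missing)
O23 - Service: Remote Log - Beijing zhongsou online software - C:\WINDOWS\system32\ServeHost.exe
"""

# Sample data: some of the paths given for Killbox in the earlier post.
KILL_PATHS = [
    r"C:\Program Files\HuaCi",
    r"C:\Program Files\SearchNet",
    r"C:\Program Files\DeskAdTop",
    r"C:\WINDOWS\system32\ServeHost.exe",
]

# Sample data: a short excerpt of the rescan log in the post above.
RESCAN = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ServeHost.exe
C:\Program Files\SearchNet\SearchNet.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Remote Log - ???????????? - C:\WINDOWS\system32\ServeHost.exe
"""

if __name__ == "__main__":
    for line in persisting(FIX_LIST, RESCAN):
        print("still present:", line)
    for proc in running_from(KILL_PATHS, RESCAN):
        print("still running:", proc)
```

Paths are compared as written, so a target given in long form will not match a process listed under its 8.3 short name (for example `C:\PROGRA~1\...`).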


----------



## Cookiegal (Aug 27, 2003)

There is more to do but I would like to see a log from WinpFind before proceeding.

Download *WinPFind*
*Right Click* the Zip Folder and Select "*Extract All*"
Extract it somewhere you will remember like the *Desktop*
Dont do anything with it yet!

*Click here* for info on how to boot to safe mode if you don't already know how.

Reboot into Safe Mode.

Double click *WinPFind.exe*
Click "*Start Scan*"
*It will scan the entire System, so please be patient and let it complete.*

Reboot back to Normal Mode!


Go to the *WinPFind folder*
Locate *WinPFind.txt*
Copy and paste WinPFind.txt in your next post here please.


----------



## ColleenA (Feb 18, 2002)

Thanks,

I'll have to do this in 2 posts, it says too many characters

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 8/4/2004 8:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 5/23/2006 5:26:00 PM 579888 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 6/8/2006 9:19:50 PM 5967776 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 6/8/2006 9:19:50 PM 5967776 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 8:00:00 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 8:00:00 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/4/2004 8:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
PTech 5/23/2006 5:25:52 PM 285488 C:\WINDOWS\SYSTEM32\WgaTray.exe

Checking %System%\Drivers folder and sub-folders...
aspack 1/20/2006 3:40:42 PM R 783984 C:\WINDOWS\SYSTEM32\drivers\css-dvp.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
6/25/2006 11:03:44 AM S 2048 C:\WINDOWS\bootstat.dat
6/23/2006 11:02:42 AM H 54156 C:\WINDOWS\QTFont.qfn
6/17/2006 10:13:24 AM H 65536 C:\WINDOWS\Minidump\Mini061706-01.dmp
5/14/2006 6:21:52 AM S 13309 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911280.cat
5/5/2006 10:22:46 AM S 12227 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB914389.cat
5/29/2006 12:16:00 PM S 23751 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB916281.cat
5/18/2006 3:15:12 AM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB917344.cat
5/4/2006 6:37:36 PM S 7898 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB917734.cat
6/1/2006 4:28:56 PM S 11043 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918439.cat
5/23/2006 5:27:00 PM S 7160 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WgaNotify.cat
6/25/2006 11:03:36 AM H 8192 C:\WINDOWS\system32\config\default.LOG
6/25/2006 11:04:10 AM H 1024 C:\WINDOWS\system32\config\SAM.LOG
6/25/2006 11:03:46 AM H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
6/25/2006 11:04:10 AM H 73728 C:\WINDOWS\system32\config\software.LOG
6/25/2006 11:03:50 AM H 843776 C:\WINDOWS\system32\config\system.LOG
6/23/2006 3:15:58 PM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
5/28/2006 11:29:10 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\9b2bfb91-210e-4e5c-add5-a50ad005d879
5/28/2006 11:29:10 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
5/24/2006 5:51:16 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\d27aec55-df77-497b-9804-47a5571b66f9
5/24/2006 5:51:16 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
6/25/2006 11:01:44 AM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 4/13/2005 3:48:52 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
RealNetworks, Inc. 9/4/2005 9:18:28 PM 24064 C:\WINDOWS\SYSTEM32\prefscpl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Sony Corporation 12/4/1999 4:11:30 AM 151552 C:\WINDOWS\SYSTEM32\UILib.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
8/26/2005 12:10:22 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
 8/26/2005 7:50:28 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
3/12/2006 6:05:30 PM 1767 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...
8/26/2005 12:10:22 PM HS 84 C:\Documents and Settings\Colleen\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
8/28/2005 11:11:42 AM 1558 C:\Documents and Settings\Colleen\Application Data\AdobeDLM.log
8/26/2005 7:50:26 AM HS 62 C:\Documents and Settings\Colleen\Application Data\desktop.ini
8/28/2005 11:11:40 AM 0 C:\Documents and Settings\Colleen\Application Data\dm.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{FFFFE5C1-34AF-4d4d-B3D3-5BB86A2BAA7B}
= C:\Program Files\Zero Knowledge\Freedom\AVContextR.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{FFFFE5C1-34AF-4d4d-B3D3-5BB86A2BAA7B}
= C:\Program Files\Zero Knowledge\Freedom\AVContextR.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\{FFFFE5C1-34AF-4d4d-B3D3-5BB86A2BAA7B}
= C:\Program Files\Zero Knowledge\Freedom\AVContextR.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}
Yahoo! Companion BHO = C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A0176FE-008B-4706-90F5-BBA532A49731}
IE Address Browser Helper = C:\Program Files\SearchNet\SNHpr.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3C060EA2-E6A9-4E49-A530-D4657B8C449A}
PopKill Class = C:\Program Files\Zero Knowledge\Freedom\pkR.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56071E0D-C61B-11D3-B41C-00E02927A304}
ZKBho Class = C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\system32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Companion	: C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address	: %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links	: %SystemRoot%\system32\SHELL32.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Companion	: C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
{463DF6D5-BEC1-4D67-B217-59DB692DFC53} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
HPDJ Taskbar Utility	C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
SsAAD.exe	C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
SearchNet_Up	"C:\Program Files\SearchNet\ServeUp.exe"
MSConfig	C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
!ewido	"C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL	Installed = 1
MAPI	Installed = 1
MSFS	Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
updateMgr	C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup	C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE 
item	Adobe Reader Speed Launch
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup	C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE 
item	Adobe Reader Speed Launch

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup	C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\MICROS~2\Office\OSA9.EXE -b -l
item	Microsoft Office
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup	C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\MICROS~2\Office\OSA9.EXE -b -l
item	Microsoft Office

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NetAssistant.lnk
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NetAssistant.lnk
backup	C:\WINDOWS\pss\NetAssistant.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\NETASS~1\bin\matcli.exe -boot
item	NetAssistant
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NetAssistant.lnk
backup	C:\WINDOWS\pss\NetAssistant.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\NETASS~1\bin\matcli.exe -boot
item	NetAssistant

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Colleen^Start Menu^Programs^Startup^LimeWire On Startup.lnk
path	C:\Documents and Settings\Colleen\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup	C:\WINDOWS\pss\LimeWire On Startup.lnkStartup
location	Startup
command	C:\PROGRA~1\LimeWire\LimeWire.exe -startup
item	LimeWire On Startup
path	C:\Documents and Settings\Colleen\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup	C:\WINDOWS\pss\LimeWire On Startup.lnkStartup
location	Startup
command	C:\PROGRA~1\LimeWire\LimeWire.exe -startup
item	LimeWire On Startup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\!ewido
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	ewido
hkey	HKLM
command	"C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	ewido
hkey	HKLM
command	"C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CdnCtr
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	ServeUp
hkey	HKLM
command	"C:\Program Files\SearchNet\ServeUp.exe"
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	ServeUp
hkey	HKLM
command	"C:\Program Files\SearchNet\ServeUp.exe"
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\csrss
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	jusched
hkey	HKLM
command	C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	jusched
hkey	HKLM
command	C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CXMon
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	Hpi_Monitor
hkey	HKLM
command	"C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	Hpi_Monitor
hkey	HKLM
command	"C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	iTunesHelper
hkey	HKLM
command	"C:\Program Files\iTunes\iTunesHelper.exe"
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	iTunesHelper
hkey	HKLM
command	"C:\Program Files\iTunes\iTunesHelper.exe"
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\LVCOMS
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	LVCOMS
hkey	HKLM
command	C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	LVCOMS
hkey	HKLM
command	C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Motive SmartBridge
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	MotiveSB
hkey	HKLM
command	C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	MotiveSB
hkey	HKLM
command	C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MoveSearch
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	zsearch
hkey	HKLM
command	C:\Program Files\HuaCi\huaci\zsearch.exe
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	zsearch
hkey	HKLM
command	C:\Program Files\HuaCi\huaci\zsearch.exe
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msmsgs
hkey	HKCU
command	"C:\Program Files\Messenger\msmsgs.exe" /background
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msmsgs
hkey	HKCU
command	"C:\Program Files\Messenger\msmsgs.exe" /background
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\msnmsgr
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msnmsgr
hkey	HKCU
command	"C:\Program Files\MSN Messenger\msnmsgr.exe" /background
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msnmsgr
hkey	HKCU
command	"C:\Program Files\MSN Messenger\msnmsgr.exe" /background
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Mysee Alert
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	Mysee Alert
hkey	HKLM
command	"C:\Program Files\GAOV\Mysee Alert\Mysee Alert.exe" -notray
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	Mysee Alert
hkey	HKLM
command	"C:\Program Files\GAOV\Mysee Alert\Mysee Alert.exe" -notray
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\New.net Startup
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	NEWDOT~2
hkey	HKLM
command	rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	NEWDOT~2
hkey	HKLM
command	rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	qttask
hkey	HKLM
command	"C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	qttask
hkey	HKLM
command	"C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RealTray
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	RealPlay
hkey	HKLM
command	C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	RealPlay
hkey	HKLM
command	C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SearchNet_Up
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	ServeUp
hkey	HKLM
command	"C:\Program Files\SearchNet\ServeUp.exe"
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	ServeUp
hkey	HKLM
command	"C:\Program Files\SearchNet\ServeUp.exe"
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Share-to-Web Namespace Daemon
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	hpgs2wnd
hkey	HKLM
command	C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	hpgs2wnd
hkey	HKLM
command	C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SsAAD.exe
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	SsAAD
hkey	HKLM
command	C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	SsAAD
hkey	HKLM
command	C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	jusched
hkey	HKLM
command	C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	jusched
hkey	HKLM
command	C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\t0d
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	t0d
hkey	HKLM
command	RunDll32 "C:\WINDOWS\Downlo~1\t0d.dll",Run
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	t0d
hkey	HKLM
command	RunDll32 "C:\WINDOWS\Downlo~1\t0d.dll",Run
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\UserFaultCheck
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	dumprep 0 -u
hkey	HKLM
command	%systemroot%\system32\dumprep 0 -u
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	dumprep 0 -u
hkey	HKLM
command	%systemroot%\system32\dumprep 0 -u
inimapping	0


----------



## ColleenA (Feb 18, 2002)

Here is the second part of the WinPFind report

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\warez
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	warez
hkey	HKCU
command	"C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	warez
hkey	HKCU
command	"C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\zango
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	zango
hkey	HKLM
command	"c:\program files\zango\zango.exe"
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	zango
hkey	HKLM
command	"c:\program files\zango\zango.exe"
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini	0
win.ini	0
bootini	0
services	0
startup	2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername	0
legalnoticecaption	
legalnoticetext	
shutdownwithoutlogon	1
undockwithoutlogon	1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun	145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableRegistryTools	0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit	= C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
= WgaLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cdnup.exe
Debugger = C:\WINDOWS\system32\rundll32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1	- Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 6/25/2006 11:13:32 AM


----------



## Cookiegal (Aug 27, 2003)

I see you have LimeWire and Warez. P2P applications are the source of many infections and I recommend that you uninstall them.

Download the LSP Fix just in case you lose your Internet connection as a result of removing New.Net. It shouldn't happen and this is just a precaution but if it does, run the LSP Fix to get the connection back and click the "I know what I'm doing" checkbox. (Don't do anything else).

Then click Finish.

http://cexx.org/lspfix.htm

Go to Control Panel - Add/Remove programs and remove:

NewDotNet

LimeWire

Warez

Rescan with HijackThis log and have it fix these entries:

O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll

O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"

O23 - Service: Remote Log - ???????????? - C:\WINDOWS\system32\ServeHost.exe

Reboot to safe mode and run Killbox on these files/folders:

C:\Program Files\SearchNet\ServeUp.exe

C:\Program Files\SearchNet\SNHpr.dll

C:\Program Files\HuaCi\huaci\zsearch.exe

C:\Program Files\GAOV

C:\PROGRA~1\NEWDOTNET

C:\WINDOWS\Downlo~1\t0d.dll

c:\program files\zango

C:\Program Files\CNNIC

C:\Program Files\SearchNet

C:\Program Files\HuaCi

Reboot and post a new HijackThis log and also please do a new scan with WinpFind and post that log as well.


----------



## ColleenA (Feb 18, 2002)

Again I have to do this in two posts as there are too many characters

Sorry for the delay but I haven't been able to start this machine. But think it was my fault, seems maybe the keyboard came loose, my son pushed the usb cord in a little further and it started.

I went to control panel and although I know I have Limewire and warez installed, none of those three programs were listed in the list to add and remove

I ran Killbox in safe mode

but again it only let me delete 2 things.

C:\Program Files\SearchNet\ServeUp.exe - could not be deleted

C:\Program Files\SearchNet\SNHpr.dll

C:\Program Files\HuaCi\huaci\zsearch.exe - could not be deleted

C:\Program Files\GAOV - DELETED

C:\PROGRA~1\NEWDOTNET - Does not exist

C:\WINDOWS\Downlo~1\t0d.dll - DELETED

c:\program files\zango - Does not exist

C:\Program Files\CNNIC - does not exist

C:\Program Files\SearchNet - could not be deleted

C:\Program Files\HuaCi - could not be deleted

Here is the recent HIJACK log:

Logfile of HijackThis v1.99.1
Scan saved at 7:07:09 PM, on 6/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\ServeHost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SearchNet\SearchNet.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab37625.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab46704.cab
O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab36385.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Remote Log - ???????????? - C:\WINDOWS\system32\ServeHost.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

Thanks


----------
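
A follow-up HijackThis log can be checked mechanically against the fix list and the Killbox targets given earlier in the thread. The Python below is an added example, not part of any post here and not part of HijackThis or Killbox; the function names are hypothetical, and the log excerpt is abridged from the 6/25/2006 rescan log above.

```python
import re

# Entries the helper asked HijackThis to fix, copied from the thread.
FIX_LIST = [
    r"O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll",
    r'O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"',
    r"O23 - Service: Remote Log - ???????????? - C:\WINDOWS\system32\ServeHost.exe",
]

# Files and folders from the Killbox step, copied from the thread.
KILLBOX_TARGETS = [
    r"C:\Program Files\SearchNet\ServeUp.exe",
    r"C:\Program Files\SearchNet\SNHpr.dll",
    r"C:\Program Files\HuaCi\huaci\zsearch.exe",
    r"C:\Program Files\GAOV",
    r"C:\PROGRA~1\NEWDOTNET",
    r"C:\WINDOWS\Downlo~1\t0d.dll",
    r"c:\program files\zango",
    r"C:\Program Files\CNNIC",
    r"C:\Program Files\SearchNet",
    r"C:\Program Files\HuaCi",
]

# Abridged excerpt of the rescan log (every line is taken from the thread).
RESCAN_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 7:07:09 PM, on 6/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\ServeHost.exe
C:\Program Files\SearchNet\SearchNet.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Remote Log - ???????????? - C:\WINDOWS\system32\ServeHost.exe
"""

# A HijackThis entry line: section code (R0, O2, O23, ...), " - ", then the detail.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")


def norm(s):
    """Collapse whitespace and lowercase, so paste damage and case do not matter."""
    return " ".join(s.split()).lower()


def parse_hijackthis(text):
    """Return (running_processes, entries); entries are (code, detail) tuples."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False          # the first entry ends the process list
            entries.append((m.group(1), m.group(2)))
        elif in_processes and line:
            processes.append(line)
    return processes, entries


def still_present(fix_list, entries):
    """Fix-list lines that appear unchanged in the rescan."""
    seen = {norm(f"{code} - {detail}") for code, detail in entries}
    return [fix for fix in fix_list if norm(fix) in seen]


def busy_targets(targets, processes):
    """Map each delete target to running processes that are it or live under it.

    Plain string comparison: 8.3 short names (PROGRA~1) are not expanded, and
    DLLs loaded inside another process do not show up in the process list.
    """
    hits = {}
    for target in targets:
        t = norm(target)
        inside = [p for p in processes
                  if norm(p) == t or norm(p).startswith(t + "\\")]
        if inside:
            hits[target] = inside
    return hits


if __name__ == "__main__":
    procs, entries = parse_hijackthis(RESCAN_LOG)
    for line in still_present(FIX_LIST, entries):
        print("not fixed yet:", line)
    for target, running in busy_targets(KILLBOX_TARGETS, procs).items():
        print("in use:", target, "<-", ", ".join(running))
```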



## ColleenA (Feb 18, 2002)

Have to do this in a third post sorry

Here is the 2nd post

The WinpFind log

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 8/4/2004 8:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 5/23/2006 5:26:00 PM 579888 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 6/8/2006 9:19:50 PM 5967776 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 6/8/2006 9:19:50 PM 5967776 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 8:00:00 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 8:00:00 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/4/2004 8:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
PTech 5/23/2006 5:25:52 PM 285488 C:\WINDOWS\SYSTEM32\WgaTray.exe

Checking %System%\Drivers folder and sub-folders...
aspack 1/20/2006 3:40:42 PM R 783984 C:\WINDOWS\SYSTEM32\drivers\css-dvp.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
6/25/2006 7:04:34 PM S 2048 C:\WINDOWS\bootstat.dat
6/23/2006 11:02:42 AM H 54156 C:\WINDOWS\QTFont.qfn
6/17/2006 10:13:24 AM H 65536 C:\WINDOWS\Minidump\Mini061706-01.dmp
5/14/2006 6:21:52 AM S 13309 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911280.cat
5/5/2006 10:22:46 AM S 12227 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB914389.cat
5/29/2006 12:16:00 PM S 23751 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB916281.cat
5/18/2006 3:15:12 AM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB917344.cat
5/4/2006 6:37:36 PM S 7898 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB917734.cat
6/1/2006 4:28:56 PM S 11043 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918439.cat
5/23/2006 5:27:00 PM S 7160 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WgaNotify.cat
6/25/2006 7:06:30 PM H 1024 C:\WINDOWS\system32\config\default.LOG
6/25/2006 7:05:50 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
6/25/2006 7:06:30 PM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
6/25/2006 7:07:46 PM H 1024 C:\WINDOWS\system32\config\software.LOG
6/25/2006 7:13:20 PM H 1024 C:\WINDOWS\system32\config\system.LOG
6/23/2006 3:15:58 PM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
5/28/2006 11:29:10 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\9b2bfb91-210e-4e5c-add5-a50ad005d879
5/28/2006 11:29:10 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
5/24/2006 5:51:16 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\d27aec55-df77-497b-9804-47a5571b66f9
5/24/2006 5:51:16 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
6/25/2006 7:04:40 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 4/13/2005 3:48:52 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
RealNetworks, Inc. 9/4/2005 9:18:28 PM 24064 C:\WINDOWS\SYSTEM32\prefscpl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Sony Corporation 12/4/1999 4:11:30 AM 151552 C:\WINDOWS\SYSTEM32\UILib.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
8/26/2005 12:10:22 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
8/26/2005 7:50:28 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
3/12/2006 6:05:30 PM 1767 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...
8/26/2005 12:10:22 PM HS 84 C:\Documents and Settings\Colleen\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
8/28/2005 11:11:42 AM 1558 C:\Documents and Settings\Colleen\Application Data\AdobeDLM.log
8/26/2005 7:50:26 AM HS 62 C:\Documents and Settings\Colleen\Application Data\desktop.ini
8/28/2005 11:11:40 AM 0 C:\Documents and Settings\Colleen\Application Data\dm.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{FFFFE5C1-34AF-4d4d-B3D3-5BB86A2BAA7B}
= C:\Program Files\Zero Knowledge\Freedom\AVContextR.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{FFFFE5C1-34AF-4d4d-B3D3-5BB86A2BAA7B}
= C:\Program Files\Zero Knowledge\Freedom\AVContextR.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\{FFFFE5C1-34AF-4d4d-B3D3-5BB86A2BAA7B}
= C:\Program Files\Zero Knowledge\Freedom\AVContextR.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}
Yahoo! Companion BHO = C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A0176FE-008B-4706-90F5-BBA532A49731}
IE Address Browser Helper = C:\Program Files\SearchNet\SNHpr.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3C060EA2-E6A9-4E49-A530-D4657B8C449A}
PopKill Class = C:\Program Files\Zero Knowledge\Freedom\pkR.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56071E0D-C61B-11D3-B41C-00E02927A304}
ZKBho Class = C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\system32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Companion	: C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address	: %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links	: %SystemRoot%\system32\SHELL32.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Companion	: C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
 {463DF6D5-BEC1-4D67-B217-59DB692DFC53} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
HPDJ Taskbar Utility	C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
SsAAD.exe	C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
SearchNet_Up	"C:\Program Files\SearchNet\ServeUp.exe"
!ewido	"C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL	Installed = 1
MAPI	Installed = 1
MSFS	Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup	C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE 
item	Adobe Reader Speed Launch
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup	C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE 
item	Adobe Reader Speed Launch

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup	C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\MICROS~2\Office\OSA9.EXE -b -l
item	Microsoft Office
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup	C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\MICROS~2\Office\OSA9.EXE -b -l
item	Microsoft Office

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NetAssistant.lnk
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NetAssistant.lnk
backup	C:\WINDOWS\pss\NetAssistant.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\NETASS~1\bin\matcli.exe -boot
item	NetAssistant
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NetAssistant.lnk
backup	C:\WINDOWS\pss\NetAssistant.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\NETASS~1\bin\matcli.exe -boot
item	NetAssistant

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Colleen^Start Menu^Programs^Startup^LimeWire On Startup.lnk
path	C:\Documents and Settings\Colleen\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup	C:\WINDOWS\pss\LimeWire On Startup.lnkStartup
location	Startup
command	C:\PROGRA~1\LimeWire\LimeWire.exe -startup
item	LimeWire On Startup
path	C:\Documents and Settings\Colleen\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup	C:\WINDOWS\pss\LimeWire On Startup.lnkStartup
location	Startup
command	C:\PROGRA~1\LimeWire\LimeWire.exe -startup
item	LimeWire On Startup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\!ewido
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	ewido
hkey	HKLM
command	"C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	ewido
hkey	HKLM
command	"C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CdnCtr
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	ServeUp
hkey	HKLM
command	"C:\Program Files\SearchNet\ServeUp.exe"
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	ServeUp
hkey	HKLM
command	"C:\Program Files\SearchNet\ServeUp.exe"
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\csrss
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	jusched
hkey	HKLM
command	C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	jusched
hkey	HKLM
command	C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CXMon
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	Hpi_Monitor
hkey	HKLM
command	"C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	Hpi_Monitor
hkey	HKLM
command	"C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	iTunesHelper
hkey	HKLM
command	"C:\Program Files\iTunes\iTunesHelper.exe"
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	iTunesHelper
hkey	HKLM
command	"C:\Program Files\iTunes\iTunesHelper.exe"
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\LVCOMS
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	LVCOMS
hkey	HKLM
command	C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	LVCOMS
hkey	HKLM
command	C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Motive SmartBridge
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	MotiveSB
hkey	HKLM
command	C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	MotiveSB
hkey	HKLM
command	C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MoveSearch
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	zsearch
hkey	HKLM
command	C:\Program Files\HuaCi\huaci\zsearch.exe
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	zsearch
hkey	HKLM
command	C:\Program Files\HuaCi\huaci\zsearch.exe
inimapping	0


----------



## ColleenA (Feb 18, 2002)

Third post

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msmsgs
hkey	HKCU
command	"C:\Program Files\Messenger\msmsgs.exe" /background
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msmsgs
hkey	HKCU
command	"C:\Program Files\Messenger\msmsgs.exe" /background
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\msnmsgr
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msnmsgr
hkey	HKCU
command	"C:\Program Files\MSN Messenger\msnmsgr.exe" /background
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msnmsgr
hkey	HKCU
command	"C:\Program Files\MSN Messenger\msnmsgr.exe" /background
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Mysee Alert
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	Mysee Alert
hkey	HKLM
command	"C:\Program Files\GAOV\Mysee Alert\Mysee Alert.exe" -notray
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	Mysee Alert
hkey	HKLM
command	"C:\Program Files\GAOV\Mysee Alert\Mysee Alert.exe" -notray
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\New.net Startup
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	NEWDOT~2
hkey	HKLM
command	rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	NEWDOT~2
hkey	HKLM
command	rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	qttask
hkey	HKLM
command	"C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	qttask
hkey	HKLM
command	"C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RealTray
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	RealPlay
hkey	HKLM
command	C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	RealPlay
hkey	HKLM
command	C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SearchNet_Up
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	ServeUp
hkey	HKLM
command	"C:\Program Files\SearchNet\ServeUp.exe"
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	ServeUp
hkey	HKLM
command	"C:\Program Files\SearchNet\ServeUp.exe"
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Share-to-Web Namespace Daemon
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	hpgs2wnd
hkey	HKLM
command	C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	hpgs2wnd
hkey	HKLM
command	C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SsAAD.exe
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	SsAAD
hkey	HKLM
command	C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	SsAAD
hkey	HKLM
command	C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	jusched
hkey	HKLM
command	C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	jusched
hkey	HKLM
command	C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\t0d
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	t0d
hkey	HKLM
command	RunDll32 "C:\WINDOWS\Downlo~1\t0d.dll",Run
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	t0d
hkey	HKLM
command	RunDll32 "C:\WINDOWS\Downlo~1\t0d.dll",Run
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\UserFaultCheck
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	dumprep 0 -u
hkey	HKLM
command	%systemroot%\system32\dumprep 0 -u
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	dumprep 0 -u
hkey	HKLM
command	%systemroot%\system32\dumprep 0 -u
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\warez
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	warez
hkey	HKCU
command	"C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	warez
hkey	HKCU
command	"C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\zango
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	zango
hkey	HKLM
command	"c:\program files\zango\zango.exe"
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	zango
hkey	HKLM
command	"c:\program files\zango\zango.exe"
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini	0
win.ini	0
bootini	0
services	0
startup	2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername	0
legalnoticecaption	
legalnoticetext	
shutdownwithoutlogon	1
undockwithoutlogon	1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun	145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableRegistryTools	0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit	= C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
= WgaLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cdnup.exe
Debugger = C:\WINDOWS\system32\rundll32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1	- Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 6/25/2006 7:14:13 PM


----------



## Cookiegal (Aug 27, 2003)

We will be altering the registry so please do this as a precaution:

Go to Start > Run
Type:
*regedit*
Click OK.
On the left side, click to highlight *My Computer* at the top. 
Go up to "*File > Export*"
Make sure in that window there is a tick next to "All" under Export Branch.
Leave the "Save As Type" as "Registration Files".
Under "Filename" put *backup*

Choose to save it to *C:\* or somewhere else safe so that you will remember where you put it (don't put it on the desktop!)
Click save and then go to File > Exit.
This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.

I'm attaching a FixColleen.zip file to this post. Save it to your desktop but don't do anything with it yet. We will use this later in safe mode.

Click Start - Run - and type in:

*services.msc*

Click OK.

In the services window find *Remote Log - ????????????*.
Right click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Start-up Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

Open the Task Manager (Ctrl-Alt-Del) and end task on these two processes:

*C:\WINDOWS\system32\ServeHost.exe*

*C:\Program Files\SearchNet\SearchNet.exe*

Rescan with HijackThis and fix these entries:

*O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll*

*O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"*

*O23 - Service: Remote Log - ???????????? - C:\WINDOWS\system32\ServeHost.exe*

Reboot to safe mode.

Run Killbox on this folder and file:

*C:\Program Files\SearchNet*

*C:\WINDOWS\system32\ServeHost.exe*

Unzip the FixColleen.zip file that you saved to your desktop earlier. Double click the FixColleen.reg file and allow it to enter into the registry.

Reboot back into Windows normally. Go to *Start* - *Run* - type in *msconfig* - click OK and click on the startup tab. Put a check mark beside everything that's listed there and then post a new HijackThis log.

Also, please run another scan with WinpFind and post the new log as well.


----------



## ColleenA (Feb 18, 2002)

K, not sure how many posts this will take.

Killbox could not delete either of those files.

Here is the new Hijack

Logfile of HijackThis v1.99.1
Scan saved at 8:51:29 PM, on 6/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\ServeHost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SearchNet\SearchNet.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [t0d] RunDll32 "C:\WINDOWS\Downlo~1\t0d.dll",Run
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [Mysee Alert] "C:\Program Files\GAOV\Mysee Alert\Mysee Alert.exe" -notray
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [csrss] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [CdnCtr] "C:\Program Files\SearchNet\ServeUp.exe"
O4 - HKCU\..\Run: [warez] "C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab37625.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab46704.cab
O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab36385.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Remote Log - ???????????? - C:\WINDOWS\system32\ServeHost.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

The WinpFind is in the next post

Thanks
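An added example, not part of the thread or of HijackThis: a small Python check that takes the entries, processes and delete targets named in Cookiegal's post and reports which of them still appear in a later HijackThis log, plus any other entries that point at the same paths. The log excerpt is copied from the 8:51:29 PM log above; the function and variable names are hypothetical.

```python
import re

# Excerpt copied from the HijackThis log posted above (6/25/2006, 8:51:29 PM).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 8:51:29 PM, on 6/25/2006

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ServeHost.exe
C:\Program Files\SearchNet\SearchNet.exe
C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll
O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CdnCtr] "C:\Program Files\SearchNet\ServeUp.exe"
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Log - ???????????? - C:\WINDOWS\system32\ServeHost.exe
"""

# Items named in the removal instructions earlier in the thread.
FIX_ENTRIES = [
    r"O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll",
    r'O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"',
    r"O23 - Service: Remote Log - ???????????? - C:\WINDOWS\system32\ServeHost.exe",
]
END_PROCESSES = [
    r"C:\WINDOWS\system32\ServeHost.exe",
    r"C:\Program Files\SearchNet\SearchNet.exe",
]
DELETE_TARGETS = [
    r"C:\Program Files\SearchNet",
    r"C:\WINDOWS\system32\ServeHost.exe",
]

# HijackThis result lines start with a section code such as R0, O4 or O23.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")


def norm(s):
    """Collapse whitespace and case so pasted forum text compares reliably."""
    return " ".join(s.split()).lower()


def parse_hijackthis(text):
    """Return (running_processes, [(code, body), ...]) from a HijackThis log."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False          # the process list ends at the first entry
            entries.append((m.group("code"), m.group("body")))
        elif in_processes and line:
            processes.append(line)
    return processes, entries


def references(body, target):
    """True if body names target itself or something under it.

    The lookahead keeps a folder target from matching a longer sibling name.
    """
    pattern = re.escape(target) + r'(?=[\\"\s]|$)'
    return re.search(pattern, body, re.IGNORECASE) is not None


def check_remediation(text):
    """Report what is left of the targeted items in a post-fix log."""
    processes, entries = parse_hijackthis(text)
    lines = [f"{code} - {body}" for code, body in entries]
    present = {norm(l) for l in lines}
    running = {norm(p) for p in processes}
    fixed = {norm(e) for e in FIX_ENTRIES}
    return {
        # Fix-list entries that HijackThis still reports.
        "still_listed": [e for e in FIX_ENTRIES if norm(e) in present],
        # Processes that were to be ended but are running again.
        "still_running": [p for p in END_PROCESSES if norm(p) in running],
        # Entries outside the fix list that launch something from a delete target.
        "related": [l for l in lines
                    if norm(l) not in fixed
                    and any(references(l, t) for t in DELETE_TARGETS)],
    }


if __name__ == "__main__":
    for key, items in check_remediation(SAMPLE_LOG).items():
        print(key)
        for item in items:
            print("   ", item)
```

On this excerpt all three fix-list entries and both processes are still present, and the `CdnCtr` Run value shows up under `related` because it launches the same `ServeUp.exe`.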


----------



## ColleenA (Feb 18, 2002)

Here is the WinPFind log

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 8/4/2004 8:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 5/23/2006 5:26:00 PM 579888 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 6/8/2006 9:19:50 PM 5967776 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 6/8/2006 9:19:50 PM 5967776 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 8:00:00 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 8:00:00 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/4/2004 8:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
PTech 5/23/2006 5:25:52 PM 285488 C:\WINDOWS\SYSTEM32\WgaTray.exe

Checking %System%\Drivers folder and sub-folders...
aspack 1/20/2006 3:40:42 PM R 783984 C:\WINDOWS\SYSTEM32\drivers\css-dvp.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
6/25/2006 8:43:34 PM S 2048 C:\WINDOWS\bootstat.dat
6/23/2006 11:02:42 AM H 54156 C:\WINDOWS\QTFont.qfn
6/17/2006 10:13:24 AM H 65536 C:\WINDOWS\Minidump\Mini061706-01.dmp
5/14/2006 6:21:52 AM S 13309 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911280.cat
5/5/2006 10:22:46 AM S 12227 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB914389.cat
5/29/2006 12:16:00 PM S 23751 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB916281.cat
5/18/2006 3:15:12 AM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB917344.cat
5/4/2006 6:37:36 PM S 7898 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB917734.cat
6/1/2006 4:28:56 PM S 11043 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918439.cat
5/23/2006 5:27:00 PM S 7160 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WgaNotify.cat
6/25/2006 8:46:06 PM H 1024 C:\WINDOWS\system32\config\default.LOG
6/25/2006 8:43:40 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
6/25/2006 8:53:44 PM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
6/25/2006 8:52:06 PM H 1024 C:\WINDOWS\system32\config\software.LOG
6/25/2006 8:57:58 PM H 1024 C:\WINDOWS\system32\config\system.LOG
6/23/2006 3:15:58 PM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
5/28/2006 11:29:10 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\9b2bfb91-210e-4e5c-add5-a50ad005d879
5/28/2006 11:29:10 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
5/24/2006 5:51:16 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\d27aec55-df77-497b-9804-47a5571b66f9
5/24/2006 5:51:16 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
6/25/2006 8:43:38 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 4/13/2005 3:48:52 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
RealNetworks, Inc. 9/4/2005 9:18:28 PM 24064 C:\WINDOWS\SYSTEM32\prefscpl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Sony Corporation 12/4/1999 4:11:30 AM 151552 C:\WINDOWS\SYSTEM32\UILib.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
8/28/2005 11:15:28 AM 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
8/26/2005 12:10:22 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
8/26/2005 3:33:14 PM 1725 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
8/26/2005 3:10:16 PM 1672 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NetAssistant.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
8/26/2005 7:50:28 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
3/12/2006 6:05:30 PM 1767 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...
8/26/2005 12:10:22 PM HS 84 C:\Documents and Settings\Colleen\Start Menu\Programs\Startup\desktop.ini
10/17/2005 6:11:00 PM 1538 C:\Documents and Settings\Colleen\Start Menu\Programs\Startup\LimeWire On Startup.lnk

Checking files in %USERPROFILE%\Application Data folder...
8/28/2005 11:11:42 AM 1558 C:\Documents and Settings\Colleen\Application Data\AdobeDLM.log
8/26/2005 7:50:26 AM HS 62 C:\Documents and Settings\Colleen\Application Data\desktop.ini
8/28/2005 11:11:40 AM 0 C:\Documents and Settings\Colleen\Application Data\dm.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{FFFFE5C1-34AF-4d4d-B3D3-5BB86A2BAA7B}
= C:\Program Files\Zero Knowledge\Freedom\AVContextR.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{FFFFE5C1-34AF-4d4d-B3D3-5BB86A2BAA7B}
= C:\Program Files\Zero Knowledge\Freedom\AVContextR.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\{FFFFE5C1-34AF-4d4d-B3D3-5BB86A2BAA7B}
= C:\Program Files\Zero Knowledge\Freedom\AVContextR.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}
Yahoo! Companion BHO = C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A0176FE-008B-4706-90F5-BBA532A49731}
IE Address Browser Helper = C:\Program Files\SearchNet\SNHpr.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3C060EA2-E6A9-4E49-A530-D4657B8C449A}
PopKill Class = C:\Program Files\Zero Knowledge\Freedom\pkR.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56071E0D-C61B-11D3-B41C-00E02927A304}
ZKBho Class = C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\system32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Companion	: C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address	: %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links	: %SystemRoot%\system32\SHELL32.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Companion	: C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
{463DF6D5-BEC1-4D67-B217-59DB692DFC53} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
HPDJ Taskbar Utility	C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
SsAAD.exe	C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
SearchNet_Up	"C:\Program Files\SearchNet\ServeUp.exe"
!ewido	"C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
zango	"c:\program files\zango\zango.exe"
UserFaultCheck	%systemroot%\system32\dumprep 0 -u
t0d	RunDll32 "C:\WINDOWS\Downlo~1\t0d.dll",Run
SunJavaUpdateSched	C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
Share-to-Web Namespace Daemon	C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
RealTray	C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
QuickTime Task	"C:\Program Files\QuickTime\qttask.exe" -atboottime
New.net Startup	rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
Mysee Alert	"C:\Program Files\GAOV\Mysee Alert\Mysee Alert.exe" -notray
Motive SmartBridge	C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
LVCOMS	C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
iTunesHelper	"C:\Program Files\iTunes\iTunesHelper.exe"
CXMon	"C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
csrss	C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
CdnCtr	"C:\Program Files\SearchNet\ServeUp.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL	Installed = 1
MAPI	Installed = 1
 MSFS	Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
warez	"C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
msnmsgr	"C:\Program Files\MSN Messenger\msnmsgr.exe" /background
MSMSGS	"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini	0
win.ini	0
bootini	0
services	0
startup	0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername	0
legalnoticecaption	
legalnoticetext	
shutdownwithoutlogon	1
undockwithoutlogon	1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun	145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableRegistryTools	0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit	= C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
= WgaLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1	- Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 6/25/2006 8:59:02 PM


----------



## Cookiegal (Aug 27, 2003)

Do you have administrator rights?

How many user profiles are there on this computer?


----------



## ColleenA (Feb 18, 2002)

Yes, I have administrator rights. There are 4 profiles counting mine on this


----------



## Cookiegal (Aug 27, 2003)

Open HijackThis and click on the "Open the Misc Tools Section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here please.

Download RootkitRevealer from *here* (link is at the very bottom of the page).
Unzip it to your desktop.
Open the RootkitRevealer folder and double-click *rootkitrevealer.exe*
Click the *Scan* button (bottom right)
It may take a while to scan (don't do anything while it's running)
When it's done, go up to *File - Save*. Choose to save it to your desktop.
Open *RootkitRevealer.txt* on your desktop and copy the entire contents and paste them here.

Then please post a HijackThis log from each of the user profiles and clearly identify each one.


----------



## ColleenA (Feb 18, 2002)

Hi

K, I'm attaching the hijack uninstall list log and the log from my user.

I can't seem to run it on the other 3 users, as when I downloaded it I put it on my desktop and it doesn't show up on the other three profiles. I even just tried to put it in the programs list and it still didn't show up. Can I download it separately on the other three profiles?

Here are my logs

ACDSee
Ad-Aware SE Personal
Adobe Download Manager 2.0 (Remove Only)
Adobe Reader 7.0
ArcSoft Camera Suite 1.3
Canon Camera Support Core Library
Canon Camera Window for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon Utilities ZoomBrowser EX
ewido anti-spyware 4.0
Freedom Security & Privacy
Gutterball
HijackThis 1.99.1
HP Photo Imaging Software
HP Photo Printing Software
hp photosmart printer series (Remove only)
HP Share-to-Web
IEµØÖ·À¸ËÑË÷
iPod for Windows 2005-09-23
iTunes
J2SE Runtime Environment 5.0 Update 3
KODAK EASYSHARE Gallery Upload ActiveX Control
Labtec WebCam
Macromedia Flash Player 8
Macromedia Shockwave Player
Mario Forever v 2.16 !
Microsoft Office 2000 Premium
MSN
MSN Gaming Zone
MSN Messenger 7.5
Music Visualizer Library 1.4.00
Net MD Simple Burner
NetAssistant
OpenMG Limited Patch 4.1-05-13-31-01
OpenMG Secure Module 4.1.00
Panda ActiveScan
Personal CD Label Kit
PestPatrol SDK
PIXELA ImageMixer
PokerStars.net
Prassi PrimoCD Plus 2.0 (English)
QuickTime
RealPlayer 7 Basic
Reel Deal Slots & Video Poker
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
SonicStage 3.0
TAXWIZ 2005
The Pink Panther's Passport to Peril
Tiger Gaming
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Yahoo! Toolbar
ZooGames

Logfile of HijackThis v1.99.1
Scan saved at 8:57:40 PM, on 6/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\ServeHost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SearchNet\SearchNet.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [t0d] RunDll32 "C:\WINDOWS\Downlo~1\t0d.dll",Run
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [Mysee Alert] "C:\Program Files\GAOV\Mysee Alert\Mysee Alert.exe" -notray
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [csrss] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [CdnCtr] "C:\Program Files\SearchNet\ServeUp.exe"
O4 - HKCU\..\Run: [warez] "C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab37625.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab46704.cab
O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab36385.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{37C2D4C1-A9A2-4B71-987F-7E1D20FD8E3E}: NameServer = 67.69.184.151 206.47.244.57
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Remote Log - ???????????? - C:\WINDOWS\system32\ServeHost.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

Thanks


----------
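
A triage pass over the HijackThis log in the post above, as an added example that is not part of the original thread: it parses the `O4` Run entries and the `(file missing)` markers and surfaces three things worth a second look. The log lines are excerpted from that post; the list of system process names and the three heuristics are assumptions of this example, and a hit is a prompt for review, not a verdict.

```python
import re
from collections import defaultdict

# Lines excerpted verbatim from the HijackThis log posted above.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [csrss] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [CdnCtr] "C:\Program Files\SearchNet\ServeUp.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
'''

# Assumption of this example: core Windows process names that a Run value
# would not normally be named after unless it launches that very binary.
SYSTEM_PROCESS_NAMES = {"csrss", "lsass", "smss", "winlogon", "services", "svchost"}

RUN_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>.+?)\] (?P<cmd>.+)$')
MISSING_RE = re.compile(r'^(?P<code>O\d+) - (?P<item>.+?)\s*\(file missing\)$')
# Unquoted commands may contain spaces, so cut at the first executable extension.
IMAGE_RE = re.compile(r'^(.+?\.(?:exe|dll|com|bat))(?=[\s",]|$)', re.IGNORECASE)


def image_path(cmd):
    """Return the program path from a Run command line, without arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = IMAGE_RE.match(cmd)
    return m.group(1) if m else cmd.split()[0]


def stem(path):
    """Lower-cased file name without directory or extension."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def parse_run_entries(log):
    """Extract every O4 registry Run entry as a dict of hive, name and image."""
    entries = []
    for line in log.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            entries.append({"hive": m.group("hive"), "name": m.group("name"),
                            "image": image_path(m.group("cmd"))})
    return entries


def name_mismatches(entries):
    """Run values named after a system process that launch some other binary."""
    return [(e["name"], e["image"]) for e in entries
            if e["name"].lower() in SYSTEM_PROCESS_NAMES
            and stem(e["image"]) != e["name"].lower()]


def shared_images(entries):
    """Binaries started by more than one Run value, keyed by lower-cased path."""
    by_image = defaultdict(list)
    for e in entries:
        by_image[e["image"].lower()].append(e["name"])
    return {img: names for img, names in by_image.items() if len(names) > 1}


def missing_files(log):
    """Entries HijackThis marked '(file missing)': registration left, file gone."""
    found = []
    for line in log.splitlines():
        m = MISSING_RE.match(line.strip())
        if m:
            found.append((m.group("code"), m.group("item")))
    return found


if __name__ == "__main__":
    runs = parse_run_entries(SAMPLE_LOG)
    for name, image in name_mismatches(runs):
        print(f"name/binary mismatch: [{name}] -> {image}")
    for image, names in shared_images(runs).items():
        print(f"started by {len(names)} Run values {names}: {image}")
    for code, item in missing_files(SAMPLE_LOG):
        print(f"file missing: {code} {item}")
```

Running the same functions over each profile's saved log makes it easy to see which hits come from the machine-wide `HKLM` key and which are specific to one user's `HKCU` key.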



## ColleenA (Feb 18, 2002)

K,

Think I got it....here are the other 3 hijack logs

This is Jessica's
Logfile of HijackThis v1.99.1
Scan saved at 9:19:48 PM, on 6/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\ServeHost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\SearchNet\SearchNet.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [t0d] RunDll32 "C:\WINDOWS\Downlo~1\t0d.dll",Run
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [Mysee Alert] "C:\Program Files\GAOV\Mysee Alert\Mysee Alert.exe" -notray
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [csrss] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [CdnCtr] "C:\Program Files\SearchNet\ServeUp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab37625.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab46704.cab
O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab36385.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Remote Log - ???????????? - C:\WINDOWS\system32\ServeHost.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

This is Nicholas's
Logfile of HijackThis v1.99.1
Scan saved at 9:21:54 PM, on 6/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\ServeHost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\SearchNet\SearchNet.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HuaCi\huaci\zsearch.exe
C:\Program Files\HuaCi\huaci\ZsUp.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whiteninjacomics.com/archive-comics.shtml
F3 - REG:win.ini: load=C:\WINDOWS\system32\ntzwlhyuqk\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\ntzwlhyuqk\csrss.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [t0d] RunDll32 "C:\WINDOWS\Downlo~1\t0d.dll",Run
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [Mysee Alert] "C:\Program Files\GAOV\Mysee Alert\Mysee Alert.exe" -notray
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [csrss] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [CdnCtr] "C:\Program Files\SearchNet\ServeUp.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [warez] "C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
O4 - Startup: csrss.lnk = ?
O4 - Startup: »®´ÊËÑË÷.lnk = C:\Program Files\HuaCi\huaci\zsearch.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab37625.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab46704.cab
O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab36385.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Remote Log - ???????????? - C:\WINDOWS\system32\ServeHost.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

This is Tom's

Logfile of HijackThis v1.99.1
Scan saved at 9:27:28 PM, on 6/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\ServeHost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\SearchNet\SearchNet.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sympatico.ca/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [t0d] RunDll32 "C:\WINDOWS\Downlo~1\t0d.dll",Run
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [Mysee Alert] "C:\Program Files\GAOV\Mysee Alert\Mysee Alert.exe" -notray
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [csrss] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [CdnCtr] "C:\Program Files\SearchNet\ServeUp.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab37625.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab46704.cab
O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab36385.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Remote Log - ???????????? - C:\WINDOWS\system32\ServeHost.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

Hope I did it right

Thanks
Colleen


----------



## Cookiegal (Aug 27, 2003)

OK, I'd like to focus on Nicholas for now as his log seems to be more problematic and that could be preventing the removal.

Log into Nicholas' account please.

Click *Start* > *Run* and type in *sysedit*.

Click OK.

Click on the X in the upper right-hand corner to close out the first two windows that appear until you see the *win.ini* window.

Copy and paste all of the text that is in that window here please.
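
A few heuristics that log reviewers commonly apply to a HijackThis log, run over lines copied from Nicholas's log above. This Python sketch is an added example, not part of the original thread and not HijackThis's own logic; the `triage` and `flagged` helpers, the tag names, and the assumption that Windows is installed in `C:\WINDOWS` are illustrative. A tag marks a line for follow-up, it is not a verdict.

```python
import ntpath
import re

# Core Windows XP processes that legitimately run only from %SystemRoot%\system32.
CORE_PROCESSES = {"csrss", "lsass", "services", "smss", "svchost", "winlogon"}
SYSTEM32 = r"c:\windows\system32"  # assumption: default install path, as in the logs

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
# First drive-letter path that ends in an executable-like extension.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"=,]*?\.(?:exe|dll|lnk)", re.IGNORECASE)
# Name of an O4 item: "[name]" for Run keys, "name.lnk =" for Startup folders.
O4_NAME_RE = re.compile(r"\[(?P<run>[^\]]+)\]|Startup: (?P<lnk>.+?)\.lnk =")

# Lines copied from Nicholas's log in this thread (one running process, five entries).
SAMPLE = r"""
C:\WINDOWS\system32\winlogon.exe
F3 - REG:win.ini: load=C:\WINDOWS\system32\ntzwlhyuqk\csrss.exe
O4 - HKLM\..\Run: [csrss] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: csrss.lnk = ?
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""


def triage(line):
    """Return a sorted list of heuristic tags for one HijackThis log line."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    # Lines without an "Xn - " prefix are treated as running-process paths.
    code, body = (m.group("code"), m.group("body")) if m else ("PROC", line)
    tags = set()

    # F0-F3: load=/run=/shell= autostarts from win.ini/system.ini or the
    # registry values they are mapped to on NT-based Windows.
    if code in {"F0", "F1", "F2", "F3"}:
        tags.add("ini-autostart")
    if body.endswith("(file missing)"):
        tags.add("file-missing")

    # A file named like a core process but stored outside system32.
    pm = PATH_RE.search(body)
    if pm:
        path = pm.group(0)
        stem = ntpath.splitext(ntpath.basename(path))[0].lower()
        if stem in CORE_PROCESSES and ntpath.dirname(path).lower() != SYSTEM32:
            tags.add("core-name-wrong-dir")

    # An autostart item that borrows a core process name, or whose
    # shortcut target HijackThis could not resolve ("= ?").
    if code == "O4":
        nm = O4_NAME_RE.search(body)
        name = (nm.group("run") or nm.group("lnk")).lower() if nm else ""
        if name in CORE_PROCESSES:
            tags.add("core-name-autostart")
        if body.endswith("= ?"):
            tags.add("unresolved-target")
    return sorted(tags)


def flagged(log_text):
    """Map each non-empty log line that earned at least one tag to its tags."""
    result = {}
    for line in log_text.splitlines():
        if line.strip():
            tags = triage(line)
            if tags:
                result[line.strip()] = tags
    return result


if __name__ == "__main__":
    for entry, tags in flagged(SAMPLE).items():
        print(", ".join(tags), "<-", entry)
```
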


----------



## ColleenA (Feb 18, 2002)

Here is the log for Nicholas from sysedit

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
CMC=1
CMCDLLNAME=mapi.dll
CMCDLLNAME32=mapi32.dll
MAPIX=1
MAPIXVER=1.0.0.1
OLEMessaging=1
[MCI Extensions.BAK]
aif=MPEGVideo
aifc=MPEGVideo
aiff=MPEGVideo
asf=MPEGVideo
asx=MPEGVideo
au=MPEGVideo
m1v=MPEGVideo
m3u=MPEGVideo
mp2=MPEGVideo
mp2v=MPEGVideo
mp3=MPEGVideo
mpa=MPEGVideo
mpe=MPEGVideo
mpeg=MPEGVideo
mpg=MPEGVideo
mpv2=MPEGVideo
snd=MPEGVideo
wax=MPEGVideo
wm=MPEGVideo
wma=MPEGVideo
wmv=MPEGVideo
wmx=MPEGVideo
wpl=MPEGVideo
wvx=MPEGVideo
[TAXWIZ2005]
Installation=Y
RegCode3=539F33FE00
MediaPath=E:\MEDIA\
FilesDir=C:\Program Files\TAXWIZ 2005\
InstallMedia=CD
InstalledDir=C:\Program Files\TAXWIZ 2005
WebAccess=1
HelpSurvey=1
RegistrationShown=1
WebRegDone=1
WebRegID=100025387638
WebRegIntuCustNum=1116309681
KeepUpToDate=1
CheckedForUpdate=2006/05/08
MatchMode=0
SmallGraph=34 100
Maximize=1
UpdateFileVersion=607
FirstReturn=0
DotTAXFilesDir=C:\Program Files\TAXWIZ 2005\CRA NETFILE\
ShowEOPSurvey=0
MRUfile1=C:\Program Files\TAXWIZ 2005\Colleen&Thomas.t05
MRUfile2=C:\PROGRA~1\TAXWIZ~1\Grace.t05
MRUfile3=C:\Program Files\TAXWIZ 2005\Grace.t05
MRUfile4=C:\PROGRA~1\TAXWIZ~1\COLLEE~1.T05
MRUfile5=C:\Program Files\TAXWIZ 2005\Jessica.t05
InstCode0=85170815036961
ActCode0=20985368892
[PPTPSetup]
UNINST=C:\PERIL\uninst.log
[Drivers.drv]
{3AAE5FBA-5A01-413E-8476-58EEAB002A86}=2828282888250A6828282828BC67085080476250718CFF5078476250
[ActiveScan]
ID = {F8F62C5E-13A3-4E37-B334-EA981E79F8E5}

Thanks

PS last night you told me to run RootKit Revealer and post the log, I did run it but forgot to mention to you that it said "Scan complete no discrepancies found"


----------



## Cookiegal (Aug 27, 2003)

That's fine about Rootkit Revealer.

Please do this for Nicholas.

Please open HijackThis.
Click on *Open Misc Tools Section*
Make sure that both boxes beside "Generate StartupList Log" are checked:

*List all minor sections(Full)*
*List Empty Sections(Complete)*
Click *Generate StartupList Log*.
Click *Yes* at the prompt.
It will open a text file. Please copy the entire contents of that page and paste it here.


----------



## ColleenA (Feb 18, 2002)

Hope this helps... have to do it in 2 posts though, too many characters

StartupList report, 6/27/2006, 7:39:40 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\ServeHost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\SearchNet\SearchNet.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HuaCi\huaci\zsearch.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\winlogon.exe
C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Nicholas\Start Menu\Programs\Startup]
csrss.lnk = ?
»®´ÊËÑË÷.lnk = C:\Program Files\HuaCi\huaci\zsearch.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HPDJ Taskbar Utility = C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
SsAAD.exe = C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
SearchNet_Up = "C:\Program Files\SearchNet\ServeUp.exe"
!ewido = "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
zango = "c:\program files\zango\zango.exe"
UserFaultCheck = %systemroot%\system32\dumprep 0 -u
t0d = RunDll32 "C:\WINDOWS\Downlo~1\t0d.dll",Run
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
Share-to-Web Namespace Daemon = C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
New.net Startup = rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
Mysee Alert = "C:\Program Files\GAOV\Mysee Alert\Mysee Alert.exe" -notray
Motive SmartBridge = C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
LVCOMS = C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
CXMon = "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
csrss = C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
CdnCtr =

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
warez = "C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
csrss =

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=C:\WINDOWS\system32\ntzwlhyuqk\csrss.exe
HKCU\..\Windows NT\CurrentVersion\Windows: run=C:\WINDOWS\system32\ntzwlhyuqk\csrss.exe
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll - {02478D38-C3F9-4efb-9B51-7695ECA05670}
(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\SearchNet\SNHpr.dll - {2A0176FE-008B-4706-90F5-BBA532A49731}
(no name) - C:\Program Files\Zero Knowledge\Freedom\pkR.dll - {3C060EA2-E6A9-4E49-A530-D4657B8C449A}
(no name) - C:\WINDOWS\Downlo~1\q0tp5k.dll - {3CE496D1-1746-41CD-9489-3C0B93DF10E2}
(no name) - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll - {56071E0D-C61B-11D3-B41C-00E02927A304}


----------



## ColleenA (Feb 18, 2002)

here is the 2nd post

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[TruePass EPF 7,0,100,717]
CODEBASE = https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
OSD = C:\WINDOWS\Downloaded Program Files\TruePass EPF 7,0,100,717.osd

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[StagingUI Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\StagingUI.ocx
CODEBASE = http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MessengerStatsPAClient.dll
CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[Minesweeper Flags Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\minesweeper.dll
CODEBASE = http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab

[ZoneBuddy Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZBuddy.ocx
CODEBASE = http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc3.cab

[ZonePAChat Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZPAChat.ocx
CODEBASE = http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab

[Ofoto Upload Manager Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\axofupld.dll
CODEBASE = http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab

[Java Plug-in 1.5.0_03]
InProcServer32 = C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

[ZPA_HRTZ Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\zpa_hrtz.ocx
CODEBASE = http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab37625.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

[Aurigma Image Uploader 3.5 Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ImageUploader3.ocx
CODEBASE = http://www.photolab.ca/en/Photo/ImageUploader3.cab

[ZPA_SHVL Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\zpa_shvl.ocx
CODEBASE = http://zone.msn.com/bingame/zpagames/zpa_shvl.cab46704.cab

[ZooInstaller Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZooInstaller.dll
CODEBASE = http://www.zoo-games.com/ClientSite/ZooInstaller.cab

[ZoneIntro Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZIntro.ocx
CODEBASE = http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab

[Java Plug-in 1.5.0_03]
InProcServer32 = C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\flash8a.ocx
CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

[StadiumProxy Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\StProxy.dll
CODEBASE = http://zone.msn.com/binframework/v10/StProxy.cab41227.cab

[WheelofFortune Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\WoF.ocx
CODEBASE = http://messenger.zone.msn.com/binary/WoF.cab31267.cab

[PopCapLoader Object]
InProcServer32 = blank
CODEBASE = http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab

[HeartbeatCtl Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\hrtbeat.ocx
CODEBASE = http://fdl.msn.com/zone/datafiles/heartbeat.cab

[Solitaire Showdown Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\solitaireshowdown.dll
CODEBASE = http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab

[ZPA_Backgammon Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZPA_Backgammon.ocx
CODEBASE = http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab36385.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
Protocol #18: C:\WINDOWS\system32\mswsock.dll
Protocol #19: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

.Net Boot Service: C:\WINDOWS\system32\big5_gb2312.exe (disabled)
abhcop: system32\drivers\abhcop.sys (system)
Microsoft ACPI Driver: system32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD: \SystemRoot\System32\drivers\afd.sys (system)
Alerter: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Anfad: system32\drivers\Anfad.sys (system)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
1394 ARP Client Protocol: system32\DRIVERS\arp1394.sys (manual start)
RAS Asynchronous Media Driver: system32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: system32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: system32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: system32\DRIVERS\audstub.sys (manual start)
auyj59s7: system32\drivers\auyj59s7.sys (system)
Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Closed Caption Decoder: system32\DRIVERS\CCDECODE.sys (manual start)
CdaD10BA: \??\C:\WINDOWS\system32\drivers\CdaD10BA.SYS (autostart)
CD-ROM Driver: system32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
COM+ System Application: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
CSS DVP: system32\DRIVERS\css-dvp.sys (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Disk Driver: system32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
Dot4 HPH09: system32\DRIVERS\hphid409.sys (manual start)
Print Class Driver for IEEE-1284.4 HPH09: system32\DRIVERS\hphipr09.sys (manual start)
Storage Class Driver for IEEE-1284.4 (HPH09): System32\Drivers\hphs2k09.sys (manual start)
Dot4Usb HPH09: System32\drivers\hphius09.sys (manual start)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
DvpApi: "C:\Program Files\Common Files\Command Software\dvpapi.exe" (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\system32\svchost.exe -k netsvcs (manual start)
ewido anti-spyware 4.0 driver: \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys (system)
ewido anti-spyware 4.0 guard: C:\Program Files\ewido anti-spyware 4.0\guard.exe (autostart)
FAD: system32\DRIVERS\FAD.sys (system)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: system32\DRIVERS\fdc.sys (manual start)
VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver: system32\DRIVERS\fetnd5.sys (manual start)
Floppy Disk Driver: system32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\DRIVERS\fltMgr.sys (system)
Freedom Miniport: system32\DRIVERS\FREEDOM.SYS (manual start)
Freedom Filter: System32\Drivers\FreeTdi.sys (system)
Volume Manager Driver: system32\DRIVERS\ftdisk.sys (system)
fu1hme04: \??\C:\WINDOWS\system32\drivers\fu1hme04.sys (system)
GEARAspiWDM: System32\Drivers\GEARAspiWDM.sys (manual start)
Generic Packet Classifier: system32\DRIVERS\msgpc.sys (manual start)
hcalway: system32\DRIVERS\hcalway.sys (system)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: system32\DRIVERS\i8042prt.sys (system)
InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" (manual start)
CD-Burning Filter Driver: system32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\system32\imapi.exe (manual start)
IPv6 Windows Firewall Driver: system32\DRIVERS\Ip6Fw.sys (manual start)
IP Traffic Filter Driver: system32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: system32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: system32\DRIVERS\ipnat.sys (manual start)
iPodService: C:\Program Files\iPod\bin\iPodService.exe (manual start)
IPSEC driver: system32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: system32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: system32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: system32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\system32\mnmsrvc.exe (manual start)
Mouse Class Driver: system32\DRIVERS\mouclass.sys (system)
WebDav Client Redirector: system32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: system32\DRIVERS\mrxsmb.sys (system)
MSCSPTISRV: "C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe" (manual start)
Distributed Transaction Coordinator: C:\WINDOWS\system32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: system32\DRIVERS\mssmbios.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
NABTS/FEC VBI Codec: system32\DRIVERS\NABTSFEC.sys (manual start)
Microsoft TV/Video Connection: system32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: system32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: system32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: system32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: system32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: system32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\system32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Net MD: System32\Drivers\NETMDUSB.sys (manual start)
1394 Net Driver: system32\DRIVERS\nic1394.sys (manual start)
Network Location Awareness (NLA): %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\system32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: system32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: system32\DRIVERS\nwlnkfwd.sys (manual start)
Texas Instruments OHCI Compliant IEEE 1394 Host Controller: system32\DRIVERS\ohci1394.sys (system)
PACSPTISVR: "C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe" (manual start)
Parallel port driver: system32\DRIVERS\parport.sys (manual start)
PCAMPR5 NDIS Protocol Driver: \??\C:\WINDOWS\system32\PCAMPR5.SYS (manual start)
PCI Bus Driver: system32\DRIVERS\pci.sys (system)
PCIIde: system32\DRIVERS\pciide.sys (system)
Padus ASPI Shell: system32\drivers\pfc.sys (manual start)
Logitech QuickCam Express(PID_0920): system32\DRIVERS\LV532AV.SYS (manual start)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
Pml Driver: C:\WINDOWS\system32\HPHipm09.exe (manual start)
IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
WAN Miniport (PPTP): system32\DRIVERS\raspptp.sys (manual start)
Processor Driver: system32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: system32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: system32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\Drivers\PxHelp20.sys (system)
Remote Access Auto Connection Driver: system32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): system32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: system32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: system32\DRIVERS\raspti.sys (manual start)
Rdbss: system32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: system32\DRIVERS\redbook.sys (system)
Remote Log: system32\ServeHost.exe (autostart)
Routing and Remote Access: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\system32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\system32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: system32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SiS300i: system32\DRIVERS\sis300ip.sys (manual start)
Service for AC'97 Sample Driver (WDM): system32\drivers\ac97sis.sys (manual start)
SIS AGP Bus Filter: system32\DRIVERS\sisagp.sys (system)
BDA Slip De-Framer: system32\DRIVERS\SLIP.sys (manual start)
Sony USB Filter Driver (SONYPVU1): system32\DRIVERS\SONYPVU1.SYS (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
Sony SPTI Service: "C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe" (manual start)
System Restore Filter Driver: \SystemRoot\system32\DRIVERS\sr.sys (disabled)
System Restore Service: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Srv: system32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
SonicStage SCSI Service: C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\system32\svchost.exe -k imgsvc (autostart)
BDA IPSink: system32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: system32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\system32\dllhost.exe /Processid:{3237AAD4-75E7-4BEF-ABFA-CC11C6628ABB} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: system32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: system32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)
Microcode Update Driver: system32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
USB2 Enabled Hub: system32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: system32\DRIVERS\usbohci.sys (manual start)
Microsoft USB PRINTER Class: system32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: system32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: system32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\system32\wbem\wmiapsrv.exe (manual start)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
World Standard Teletext Codec: system32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 38,118 bytes
Report generated in 1.723 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## Cookiegal (Aug 27, 2003)

There is a lot to do here and it may involve editing the registry but I would like to start by just doing this for now please.

This will all be done under Nicholas' profile.

Go to Start - Search and, under "More advanced search options", make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

Next click on My Computer. Go to Tools - Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".

Boot to safe mode and navigate to this folder:

C:\Documents and Settings\Nicholas\Start Menu\Programs\*Startup*

Open the Startup folder and delete these items:

*csrss.lnk *

*»®´ÊËÑË÷.lnk *

While in safe mode run Killbox on this folder:

*C:\WINDOWS\system32\ntzwlhyuqk*

Reboot and post the following:

1. New HijackThis log
2. New HijackThis startup log
3. New WinpFind log


----------



## ColleenA (Feb 18, 2002)

K, here are the logs

I will put the WinpFind in a second post

When I went into Nicholas's start up, the only file in there was the EENE file; the csrss.lnk was not there.

Logfile of HijackThis v1.99.1
Scan saved at 9:32:41 PM, on 6/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whiteninjacomics.com/archive-comics.shtml
F3 - REG:win.ini: load=C:\WINDOWS\system32\ntzwlhyuqk\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\ntzwlhyuqk\csrss.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: IE Browser Helper - {3CE496D1-1746-41CD-9489-3C0B93DF10E2} - C:\WINDOWS\Downlo~1\q0tp5k.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [t0d] RunDll32 "C:\WINDOWS\Downlo~1\t0d.dll",Run
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [Mysee Alert] "C:\Program Files\GAOV\Mysee Alert\Mysee Alert.exe" -notray
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [csrss] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [warez] "C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
O4 - Startup: csrss.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab37625.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab46704.cab
O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab36385.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{37C2D4C1-A9A2-4B71-987F-7E1D20FD8E3E}: NameServer = 67.69.184.151 206.47.244.57
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Remote Log - Beijing zhongsou online software - C:\WINDOWS\system32\ServeHost.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

StartupList report, 6/27/2006, 9:35:43 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\ServeHost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SearchNet\SearchNet.exe
C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Nicholas\Start Menu\Programs\Startup]
csrss.lnk = ?

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HPDJ Taskbar Utility = C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
SsAAD.exe = C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
SearchNet_Up = "C:\Program Files\SearchNet\ServeUp.exe"
!ewido = "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
zango = "c:\program files\zango\zango.exe"
UserFaultCheck = %systemroot%\system32\dumprep 0 -u
t0d = RunDll32 "C:\WINDOWS\Downlo~1\t0d.dll",Run
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
Share-to-Web Namespace Daemon = C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
New.net Startup = rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
Mysee Alert = "C:\Program Files\GAOV\Mysee Alert\Mysee Alert.exe" -notray
Motive SmartBridge = C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
LVCOMS = C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
CXMon = "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
csrss = C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
CdnCtr =

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
warez = "C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
csrss =

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=C:\WINDOWS\system32\ntzwlhyuqk\csrss.exe
HKCU\..\Windows NT\CurrentVersion\Windows: run=C:\WINDOWS\system32\ntzwlhyuqk\csrss.exe
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll - {02478D38-C3F9-4efb-9B51-7695ECA05670}
(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\SearchNet\SNHpr.dll - {2A0176FE-008B-4706-90F5-BBA532A49731}
(no name) - C:\Program Files\Zero Knowledge\Freedom\pkR.dll - {3C060EA2-E6A9-4E49-A530-D4657B8C449A}
(no name) - C:\WINDOWS\Downlo~1\q0tp5k.dll - {3CE496D1-1746-41CD-9489-3C0B93DF10E2}
(no name) - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll - {56071E0D-C61B-11D3-B41C-00E02927A304}

--------------------------------------------------

Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[StagingUI Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\StagingUI.ocx
CODEBASE = http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MessengerStatsPAClient.dll
CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[Minesweeper Flags Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\minesweeper.dll
CODEBASE = http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab

[ZoneBuddy Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZBuddy.ocx
CODEBASE = http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc3.cab

[ZonePAChat Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZPAChat.ocx
CODEBASE = http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab

[Ofoto Upload Manager Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\axofupld.dll
CODEBASE = http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

[ZPA_HRTZ Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\zpa_hrtz.ocx
CODEBASE = http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab37625.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

[Aurigma Image Uploader 3.5 Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ImageUploader3.ocx
CODEBASE = http://www.photolab.ca/en/Photo/ImageUploader3.cab

[ZPA_SHVL Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\zpa_shvl.ocx
CODEBASE = http://zone.msn.com/bingame/zpagames/zpa_shvl.cab46704.cab

[ZooInstaller Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZooInstaller.dll
CODEBASE = http://www.zoo-games.com/ClientSite/ZooInstaller.cab

[ZoneIntro Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZIntro.ocx
CODEBASE = http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\flash8a.ocx
CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

[StadiumProxy Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\StProxy.dll
CODEBASE = http://zone.msn.com/binframework/v10/StProxy.cab41227.cab

[WheelofFortune Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\WoF.ocx
CODEBASE = http://messenger.zone.msn.com/binary/WoF.cab31267.cab

[PopCapLoader Object]
InProcServer32 = blank
CODEBASE = http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab

[HeartbeatCtl Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\hrtbeat.ocx
CODEBASE = http://fdl.msn.com/zone/datafiles/heartbeat.cab

[Solitaire Showdown Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\solitaireshowdown.dll
CODEBASE = http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab

[ZPA_Backgammon Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZPA_Backgammon.ocx
CODEBASE = http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab36385.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
End of report, 11,456 bytes
Report generated in 0.190 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------
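The following is an added example, not part of any post in this thread and not code from HijackThis. It triages HijackThis `F3` and `O4` lines for two patterns visible in the log above: an executable named after a core Windows process that sits outside `C:\WINDOWS\system32`, and an autostart entry labelled with such a name that points somewhere else. The function names, the `CORE_NAMES` list and the fixed `SYSTEM_DIR` (a default XP install path) are assumptions of this sketch; the sample lines are copied from the log in the post above.

```python
import re
from ntpath import basename, dirname, normpath, splitext  # Windows path rules on any OS

# Assumption: default XP install. These core processes load from System32 only.
SYSTEM_DIR = r"c:\windows\system32"
CORE_NAMES = {"csrss", "smss", "lsass", "services", "winlogon", "svchost", "spoolsv"}

F3_RE = re.compile(r"^F3 - REG:(\S+): (load|run)=(.*)$")
RUN_RE = re.compile(r"^O4 - (HK[A-Z]+\\\.\.\\[^:]+): \[([^\]]+)\] (.*)$")
STARTUP_RE = re.compile(r"^O4 - ((?:Global )?Startup): (.+?) = (.*)$")
TARGET_RE = re.compile(r'([a-z]:\\.*?\.(?:exe|dll|scr|com|bat)\b)', re.I)

# Lines copied from the HijackThis log posted above.
SAMPLE = r"""
F3 - REG:win.ini: load=C:\WINDOWS\system32\ntzwlhyuqk\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\ntzwlhyuqk\csrss.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [csrss] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: csrss.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""


def parse_autostart(line):
    """Return (section, label, command) for an F3 or O4 line, else None."""
    m = F3_RE.match(line)
    if m:
        return ("F3", m.group(1) + " " + m.group(2), m.group(3))
    m = RUN_RE.match(line) or STARTUP_RE.match(line)
    if m:
        return ("O4", m.group(2), m.group(3))
    return None


def target_path(command):
    """Extract the first drive-rooted executable or DLL path from a command."""
    m = TARGET_RE.search(command)
    return m.group(1) if m else None


def triage(log_text):
    """Return a list of (finding, line) tuples for lines worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        entry = parse_autostart(line)
        if entry is None:
            continue
        section, label, command = entry
        target = target_path(command)
        target_stem = splitext(basename(target))[0].lower() if target else None

        # Pattern 1: a core process name in a folder other than System32.
        if target_stem in CORE_NAMES:
            folder = normpath(dirname(target)).lower()
            if folder != SYSTEM_DIR:
                findings.append(("name-outside-system32", line))
                continue

        # Pattern 2: an O4 entry labelled like a core process whose target
        # is something else, or cannot be resolved ("?").
        label_stem = splitext(label)[0].lower()
        if section == "O4" and label_stem in CORE_NAMES and target_stem != label_stem:
            findings.append(("borrowed-label", line))
    return findings


if __name__ == "__main__":
    for kind, line in triage(SAMPLE):
        print(f"{kind:24} {line}")
```

A flagged line is a prompt for manual review, not a verdict; as the scanner output itself says, not every listed item is bad.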



## ColleenA (Feb 18, 2002)

Here is the WinpFind log

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 8/4/2004 8:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 5/23/2006 5:26:00 PM 579888 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 6/8/2006 9:19:50 PM 5967776 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 6/8/2006 9:19:50 PM 5967776 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 8:00:00 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 8:00:00 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/4/2004 8:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
PTech 5/23/2006 5:25:52 PM 285488 C:\WINDOWS\SYSTEM32\WgaTray.exe

Checking %System%\Drivers folder and sub-folders...
aspack 1/20/2006 3:40:42 PM R 783984 C:\WINDOWS\SYSTEM32\drivers\css-dvp.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
6/27/2006 9:31:34 PM S 2048 C:\WINDOWS\bootstat.dat
6/27/2006 12:08:14 AM H 54156 C:\WINDOWS\QTFont.qfn
6/17/2006 10:13:24 AM H 65536 C:\WINDOWS\Minidump\Mini061706-01.dmp
5/14/2006 6:21:52 AM S 13309 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911280.cat
5/5/2006 10:22:46 AM S 12227 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB914389.cat
5/29/2006 12:16:00 PM S 23751 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB916281.cat
5/18/2006 3:15:12 AM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB917344.cat
5/4/2006 6:37:36 PM S 7898 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB917734.cat
6/1/2006 4:28:56 PM S 11043 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918439.cat
5/23/2006 5:27:00 PM S 7160 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WgaNotify.cat
6/27/2006 9:33:28 PM H 1024 C:\WINDOWS\system32\config\default.LOG
6/27/2006 9:31:46 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
6/27/2006 9:41:52 PM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
6/27/2006 9:37:34 PM H 1024 C:\WINDOWS\system32\config\software.LOG
6/27/2006 9:40:00 PM H 1024 C:\WINDOWS\system32\config\system.LOG
6/23/2006 3:15:58 PM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
5/28/2006 11:29:10 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\9b2bfb91-210e-4e5c-add5-a50ad005d879
5/28/2006 11:29:10 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
5/24/2006 5:51:16 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\d27aec55-df77-497b-9804-47a5571b66f9
5/24/2006 5:51:16 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
6/27/2006 9:31:38 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 4/13/2005 3:48:52 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
RealNetworks, Inc. 9/4/2005 9:18:28 PM 24064 C:\WINDOWS\SYSTEM32\prefscpl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Sony Corporation 12/4/1999 4:11:30 AM 151552 C:\WINDOWS\SYSTEM32\UILib.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
8/28/2005 11:15:28 AM 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
8/26/2005 12:10:22 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
8/26/2005 3:33:14 PM 1725 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
8/26/2005 3:10:16 PM  1672 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NetAssistant.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
8/26/2005 7:50:28 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
3/12/2006 6:05:30 PM 1767 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...
11/2/2005 11:54:16 PM HS 80 C:\Documents and Settings\Nicholas\Start Menu\Programs\Startup\csrss.lnk
8/26/2005 12:10:22 PM HS 84 C:\Documents and Settings\Nicholas\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
8/26/2005 7:50:26 AM HS 62 C:\Documents and Settings\Nicholas\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{FFFFE5C1-34AF-4d4d-B3D3-5BB86A2BAA7B}
= C:\Program Files\Zero Knowledge\Freedom\AVContextR.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{FFFFE5C1-34AF-4d4d-B3D3-5BB86A2BAA7B}
= C:\Program Files\Zero Knowledge\Freedom\AVContextR.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\{FFFFE5C1-34AF-4d4d-B3D3-5BB86A2BAA7B}
= C:\Program Files\Zero Knowledge\Freedom\AVContextR.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}
Yahoo! Companion BHO = C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A0176FE-008B-4706-90F5-BBA532A49731}
IE Address Browser Helper = C:\Program Files\SearchNet\SNHpr.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3C060EA2-E6A9-4E49-A530-D4657B8C449A}
PopKill Class = C:\Program Files\Zero Knowledge\Freedom\pkR.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CE496D1-1746-41CD-9489-3C0B93DF10E2}
IE Browser Helper = C:\WINDOWS\Downlo~1\q0tp5k.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56071E0D-C61B-11D3-B41C-00E02927A304}
ZKBho Class = C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\system32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Companion	: C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\system32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address	: %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links	: %SystemRoot%\system32\SHELL32.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Companion	: C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
{463DF6D5-BEC1-4D67-B217-59DB692DFC53} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
HPDJ Taskbar Utility	C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
SsAAD.exe	C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
SearchNet_Up	"C:\Program Files\SearchNet\ServeUp.exe"
!ewido	"C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
zango	"c:\program files\zango\zango.exe"
UserFaultCheck	%systemroot%\system32\dumprep 0 -u
t0d	RunDll32 "C:\WINDOWS\Downlo~1\t0d.dll",Run
SunJavaUpdateSched	C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
Share-to-Web Namespace Daemon	C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
RealTray	C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
QuickTime Task	"C:\Program Files\QuickTime\qttask.exe" -atboottime
New.net Startup	rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
Mysee Alert	"C:\Program Files\GAOV\Mysee Alert\Mysee Alert.exe" -notray
Motive SmartBridge	C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
LVCOMS	C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
iTunesHelper	"C:\Program Files\iTunes\iTunesHelper.exe"
CXMon	"C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
csrss	C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
CdnCtr

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL	Installed = 1
MAPI	Installed = 1
MSFS	Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
msnmsgr	"C:\Program Files\MSN Messenger\msnmsgr.exe" /background
warez	"C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
csrss

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini	0
win.ini	0
bootini	0
services	0
startup	0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername	0
legalnoticecaption	
legalnoticetext	
shutdownwithoutlogon	1
undockwithoutlogon	1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun	145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableRegistryTools	1
NoAdminPage	1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit	= C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
= WgaLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cdnup.exe
Debugger = C:\WINDOWS\system32\rundll32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1	- Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 6/27/2006 9:44:36 PM


----------



## Cookiegal (Aug 27, 2003)

I'm signing off for the night but will study this in the morning.


----------



## Cookiegal (Aug 27, 2003)

Download and unzip BFUzip from http://www.merijn.org/files/bfu.zip
Run the program and click the Web button as shown here:









Use this URL to copy into the address bar of the Download script window:
*http://metallica.geekstogo.com/MediaGateway.BFU*

Make sure all IE windows are closed.

Execute the script by clicking the Execute button.

Go to Start > Run
Type:
*regedit*
Click OK.
On the left side, click to highlight *My Computer* at the top. 
Go up to "*File > Export*"
Make sure in that window there is a tick next to "All" under Export Branch.
Leave the "Save As Type" as "Registration Files".
Under "Filename" put *backup*

Choose to save it to *C:\* or somewhere else safe so that you will remember where you put it (don't put it on the desktop!)
Click save and then go to File > Exit.
This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.

Click Start - Run - and type in:

*services.msc*

Click OK.

In the services window find *Remote Log - Beijing zhongsou online software*.
Right click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Start-up Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

*Note:* You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.

I'm attaching a FixColleen2.zip file to this post. Unzip it to your desktop but don't do anything with it yet. We will use it later in safe mode.

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click *fix checked*.

F3 - REG:win.ini: load=C:\WINDOWS\system32\ntzwlhyuqk\csrss.exe

F3 - REG:win.ini: run=C:\WINDOWS\system32\ntzwlhyuqk\csrss.exe

O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll

O2 - BHO: IE Browser Helper - {3CE496D1-1746-41CD-9489-3C0B93DF10E2} - C:\WINDOWS\Downlo~1\q0tp5k.dll

O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"

O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"

O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [t0d] RunDll32 "C:\WINDOWS\Downlo~1\t0d.dll",Run

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s

O4 - HKLM\..\Run: [Mysee Alert] "C:\Program Files\GAOV\Mysee Alert\Mysee Alert.exe" -notray

O4 - HKLM\..\Run: [csrss] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

O4 - Startup: csrss.lnk = ?

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/def...ploader_v6.cab

O23 - Service: Remote Log - Beijing zhongsou online software - C:\WINDOWS\system32\ServeHost.exe

Reboot to safe mode and run Killbox on these files/folders:

C:\Program Files\Wsearch

C:\Program Files\searchnet\serveup.exe

C:\Program Files\SearchNet\searchnet.exe

C:\Program Files\SearchNet\uninstall.exe

C:\Program Files\SearchNet\srvnet32.dll

C:\WINDOWS\system32\drivers\anfad.sys

C:\WINDOWS\system32\drivers\fad.sys

C:\WINDOWS\system32\snhpr.dll

C:\WINDOWS\system32\srvnet32.dll

C:\WINDOWS\system32\drivers\xcvmp7.sys

C:\WINDOWS\system32\drivers\anfad.sys

C:\WINDOWS\system32\drivers\svq0hve.sys

C:\WINDOWS\system32\drivers\xcvmp7.sys

C:\WINDOWS\system32\servehost.dat

C:\WINDOWS\system32\servehost.exe

C:\Documents and Settings\Nicholas\Start Menu\Programs\Startup\csrss.lnk

C:\Program Files\SearchNet\SNHpr.dll

C:\WINDOWS\Downlo~1\q0tp5k.dll

C:\WINDOWS\system32\ntzwlhyuqk\csrss.exe

C:\WINDOWS\system32\ntzwlhyuqk

c:\program files\zango\zango.exe

c:\program files\zango

C:\PROGRAM FILES\NEWDOTNET

C:\Program Files\GAOV\Mysee Alert

While still in safe mode double click on the FixColleen2.reg file that you unzipped to your desktop earlier and allow it to enter into the registry.

Reboot and post a new HijackThis log for Nicholas please.


----------



## ColleenA (Feb 18, 2002)

Do I run the BFU on Nicholas' profile or mine?


----------



## Cookiegal (Aug 27, 2003)

Run everything while in Nicholas' account please.


----------



## ColleenA (Feb 18, 2002)

K that was a little more confusing even though I could follow it.

First off, when I ran the first Hijack on Nicholas' account to fix the problems, there were two files not there.

O2 - BHO: IE Browser Helper - {3CE496D1-1746-41CD-9489-3C0B93DF10E2} - C:\WINDOWS\Downlo~1\q0tp5k.dll

O4 - HKLM\..\Run: [csrss] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

Then when I rebooted to safe mode I could not get into Nicholas' account to run Killbox, so I ran it on mine but put in the files you indicated (so to me that should be fine 'cause I think it searches the whole machine for the file).
Most of the files did not exist or could not be deleted. Only 2 files were actually deleted. Let me know if you need to know which files did not exist and which ones could not be deleted.

Here is Nicholas' new hijack log

Logfile of HijackThis v1.99.1
Scan saved at 5:33:26 PM, on 6/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\SearchNet\ServeUp.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whiteninjacomics.com/archive-comics.shtml
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [warez] "C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab37625.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab46704.cab
O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab36385.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Remote Log - Beijing zhongsou online software - C:\WINDOWS\system32\ServeHost.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

Thanks


----------
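Added example (not part of the original thread): a follow-up scan can be checked against the fix list mechanically. The sketch below parses HijackThis result lines and reports which entries selected for fixing still appear in the later log; the function names are hypothetical, and the two sample logs are short excerpts constructed from lines quoted in the posts above.

```python
import re

# HijackThis result lines look like "O4 - HKLM\..\Run: [name] command":
# a section code (R0, F3, O2, O23, ...) followed by " - " and the detail text.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+?)\s*$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Constructed excerpt of the entries the helper asked to have fixed.
FIX_LIST = r"""
F3 - REG:win.ini: load=C:\WINDOWS\system32\ntzwlhyuqk\csrss.exe
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll
O2 - BHO: IE Browser Helper - {3CE496D1-1746-41CD-9489-3C0B93DF10E2} - C:\WINDOWS\Downlo~1\q0tp5k.dll
O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"
O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"
O23 - Service: Remote Log - Beijing zhongsou online software - C:\WINDOWS\system32\ServeHost.exe
"""

# Constructed excerpt of the follow-up scan posted after the fix attempt.
RESCAN = r"""
Logfile of HijackThis v1.99.1
C:\WINDOWS\Explorer.EXE
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll
O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O23 - Service: Remote Log - Beijing zhongsou online software - C:\WINDOWS\system32\ServeHost.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""


def parse_entries(log_text):
    """Return (section, body) tuples for every result line in a log.

    Header lines and the running-process list do not match the
    "<code> - <detail>" shape and are skipped.
    """
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group("section"), match.group("body")))
    return entries


def entry_key(section, body):
    """Build a comparison key that survives cosmetic differences between scans."""
    clsid = CLSID_RE.search(body)
    if section in ("O2", "O3", "O16") and clsid:
        # BHOs, toolbars and ActiveX entries are identified by their CLSID,
        # so a renamed label or moved DLL still counts as the same entry.
        return (section, clsid.group(0).upper())
    # Everything else: case-insensitive, whitespace-normalised text.
    return (section, " ".join(body.lower().split()))


def remaining_after_fix(fix_list_text, rescan_text):
    """Entries from the fix list that still appear in the follow-up scan."""
    rescan_keys = {entry_key(s, b) for s, b in parse_entries(rescan_text)}
    return [
        f"{section} - {body}"
        for section, body in parse_entries(fix_list_text)
        if entry_key(section, body) in rescan_keys
    ]


if __name__ == "__main__":
    for entry in remaining_after_fix(FIX_LIST, RESCAN):
        print("still present:", entry)
```

Entries that survive a fix pass usually mean the owning process or service was still running and rewrote them, which is why the thread stops the service first and deletes the files from safe mode.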



## Cookiegal (Aug 27, 2003)

Alright, we will finish up with Nicholas later.

Let's go back to your account and please post a current HijackThis scan log as well as a HijackThis start up log please.


----------



## ColleenA (Feb 18, 2002)

Here are my two most recent logs. I will have to put the start up log in a separate post.

Logfile of HijackThis v1.99.1
Scan saved at 6:48:41 PM, on 6/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\ServeHost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\SearchNet\SearchNet.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKCU\..\Run: [warez] "C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab37625.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab46704.cab
O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab36385.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{37C2D4C1-A9A2-4B71-987F-7E1D20FD8E3E}: NameServer = 67.69.184.151 206.47.244.57
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Remote Log - Beijing zhongsou online software - C:\WINDOWS\system32\ServeHost.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

Thanks


----------



## ColleenA (Feb 18, 2002)

Here is my start up log. It is in 2 separate posts as it is too large.

StartupList report, 6/28/2006, 6:49:14 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\ServeHost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\SearchNet\SearchNet.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Colleen\Start Menu\Programs\Startup]
LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HPDJ Taskbar Utility = C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
SsAAD.exe = C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
SearchNet_Up = "C:\Program Files\SearchNet\ServeUp.exe"
!ewido = "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
Share-to-Web Namespace Daemon = C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
Motive SmartBridge = C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
LVCOMS = C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
CXMon = "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

warez = "C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=


----------



## ColleenA (Feb 18, 2002)

Here is the second part of the startup log

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll - {02478D38-C3F9-4efb-9B51-7695ECA05670}
(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\SearchNet\SNHpr.dll - {2A0176FE-008B-4706-90F5-BBA532A49731}
(no name) - C:\Program Files\Zero Knowledge\Freedom\pkR.dll - {3C060EA2-E6A9-4E49-A530-D4657B8C449A}
(no name) - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll - {56071E0D-C61B-11D3-B41C-00E02927A304}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[TruePass EPF 7,0,100,717]
CODEBASE = https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
OSD = C:\WINDOWS\Downloaded Program Files\TruePass EPF 7,0,100,717.osd

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[StagingUI Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\StagingUI.ocx
CODEBASE = http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MessengerStatsPAClient.dll
CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[Minesweeper Flags Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\minesweeper.dll
CODEBASE = http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab

[ZoneBuddy Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZBuddy.ocx
CODEBASE = http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc3.cab

[ZonePAChat Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZPAChat.ocx
CODEBASE = http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab

[Ofoto Upload Manager Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\axofupld.dll
CODEBASE = http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab

[Java Plug-in 1.5.0_03]
InProcServer32 = C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

[ZPA_HRTZ Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\zpa_hrtz.ocx
CODEBASE = http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab37625.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

[Aurigma Image Uploader 3.5 Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ImageUploader3.ocx
CODEBASE = http://www.photolab.ca/en/Photo/ImageUploader3.cab

[ZPA_SHVL Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\zpa_shvl.ocx
CODEBASE = http://zone.msn.com/bingame/zpagames/zpa_shvl.cab46704.cab

[ZooInstaller Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZooInstaller.dll
CODEBASE = http://www.zoo-games.com/ClientSite/ZooInstaller.cab

[ZoneIntro Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZIntro.ocx
CODEBASE = http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab

[Java Plug-in 1.5.0_03]
InProcServer32 = C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\flash8a.ocx
CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

[StadiumProxy Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\StProxy.dll
CODEBASE = http://zone.msn.com/binframework/v10/StProxy.cab41227.cab

[WheelofFortune Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\WoF.ocx
CODEBASE = http://messenger.zone.msn.com/binary/WoF.cab31267.cab

[HeartbeatCtl Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\hrtbeat.ocx
CODEBASE = http://fdl.msn.com/zone/datafiles/heartbeat.cab

[Solitaire Showdown Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\solitaireshowdown.dll
CODEBASE = http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab

[ZPA_Backgammon Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZPA_Backgammon.ocx
CODEBASE = http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab36385.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
Protocol #18: C:\WINDOWS\system32\mswsock.dll
Protocol #19: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

.Net Boot Service: C:\WINDOWS\system32\big5_gb2312.exe (disabled)
abhcop: system32\drivers\abhcop.sys (system)
Microsoft ACPI Driver: system32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD: \SystemRoot\System32\drivers\afd.sys (system)
Alerter: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Anfad: system32\drivers\Anfad.sys (system)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
1394 ARP Client Protocol: system32\DRIVERS\arp1394.sys (manual start)
RAS Asynchronous Media Driver: system32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: system32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: system32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: system32\DRIVERS\audstub.sys (manual start)
auyj59s7: system32\drivers\auyj59s7.sys (system)
Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Closed Caption Decoder: system32\DRIVERS\CCDECODE.sys (manual start)
CdaD10BA: \??\C:\WINDOWS\system32\drivers\CdaD10BA.SYS (autostart)
CD-ROM Driver: system32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
COM+ System Application: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
CSS DVP: system32\DRIVERS\css-dvp.sys (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Disk Driver: system32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
Dot4 HPH09: system32\DRIVERS\hphid409.sys (manual start)
Print Class Driver for IEEE-1284.4 HPH09: system32\DRIVERS\hphipr09.sys (manual start)
Storage Class Driver for IEEE-1284.4 (HPH09): System32\Drivers\hphs2k09.sys (manual start)
Dot4Usb HPH09: System32\drivers\hphius09.sys (manual start)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
DvpApi: "C:\Program Files\Common Files\Command Software\dvpapi.exe" (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\system32\svchost.exe -k netsvcs (manual start)
ewido anti-spyware 4.0 driver: \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys (system)
ewido anti-spyware 4.0 guard: C:\Program Files\ewido anti-spyware 4.0\guard.exe (autostart)
FAD: system32\DRIVERS\FAD.sys (system)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: system32\DRIVERS\fdc.sys (manual start)
VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver: system32\DRIVERS\fetnd5.sys (manual start)
Floppy Disk Driver: system32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\DRIVERS\fltMgr.sys (system)
Freedom Miniport: system32\DRIVERS\FREEDOM.SYS (manual start)
Freedom Filter: System32\Drivers\FreeTdi.sys (system)
Volume Manager Driver: system32\DRIVERS\ftdisk.sys (system)
fu1hme04: \??\C:\WINDOWS\system32\drivers\fu1hme04.sys (system)
GEARAspiWDM: System32\Drivers\GEARAspiWDM.sys (manual start)
Generic Packet Classifier: system32\DRIVERS\msgpc.sys (manual start)
hcalway: system32\DRIVERS\hcalway.sys (system)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: system32\DRIVERS\i8042prt.sys (system)
InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" (manual start)
CD-Burning Filter Driver: system32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\system32\imapi.exe (manual start)
IPv6 Windows Firewall Driver: system32\DRIVERS\Ip6Fw.sys (manual start)
IP Traffic Filter Driver: system32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: system32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: system32\DRIVERS\ipnat.sys (manual start)
iPodService: C:\Program Files\iPod\bin\iPodService.exe (manual start)
IPSEC driver: system32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: system32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: system32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: system32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\system32\mnmsrvc.exe (manual start)
Mouse Class Driver: system32\DRIVERS\mouclass.sys (system)
WebDav Client Redirector: system32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: system32\DRIVERS\mrxsmb.sys (system)
MSCSPTISRV: "C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe" (manual start)
Distributed Transaction Coordinator: C:\WINDOWS\system32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: system32\DRIVERS\mssmbios.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
NABTS/FEC VBI Codec: system32\DRIVERS\NABTSFEC.sys (manual start)
Microsoft TV/Video Connection: system32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: system32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: system32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: system32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: system32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: system32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\system32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Net MD: System32\Drivers\NETMDUSB.sys (manual start)
1394 Net Driver: system32\DRIVERS\nic1394.sys (manual start)
Network Location Awareness (NLA): %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\system32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: system32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: system32\DRIVERS\nwlnkfwd.sys (manual start)
Texas Instruments OHCI Compliant IEEE 1394 Host Controller: system32\DRIVERS\ohci1394.sys (system)
PACSPTISVR: "C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe" (manual start)
Parallel port driver: system32\DRIVERS\parport.sys (manual start)
PCAMPR5 NDIS Protocol Driver: \??\C:\WINDOWS\system32\PCAMPR5.SYS (manual start)
PCI Bus Driver: system32\DRIVERS\pci.sys (system)
PCIIde: system32\DRIVERS\pciide.sys (system)
Padus ASPI Shell: system32\drivers\pfc.sys (manual start)
Logitech QuickCam Express(PID_0920): system32\DRIVERS\LV532AV.SYS (manual start)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
Pml Driver: C:\WINDOWS\system32\HPHipm09.exe (manual start)
IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
WAN Miniport (PPTP): system32\DRIVERS\raspptp.sys (manual start)
Processor Driver: system32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: system32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: system32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\Drivers\PxHelp20.sys (system)
Remote Access Auto Connection Driver: system32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): system32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: system32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: system32\DRIVERS\raspti.sys (manual start)
Rdbss: system32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: system32\DRIVERS\redbook.sys (system)
Remote Log: system32\ServeHost.exe (autostart)
Routing and Remote Access: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\system32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\system32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: system32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SiS300i: system32\DRIVERS\sis300ip.sys (manual start)
Service for AC'97 Sample Driver (WDM): system32\drivers\ac97sis.sys (manual start)
SIS AGP Bus Filter: system32\DRIVERS\sisagp.sys (system)
BDA Slip De-Framer: system32\DRIVERS\SLIP.sys (manual start)
Sony USB Filter Driver (SONYPVU1): system32\DRIVERS\SONYPVU1.SYS (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
Sony SPTI Service: "C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe" (manual start)
System Restore Filter Driver: \SystemRoot\system32\DRIVERS\sr.sys (disabled)
System Restore Service: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Srv: system32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
SonicStage SCSI Service: C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\system32\svchost.exe -k imgsvc (autostart)
BDA IPSink: system32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: system32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\system32\dllhost.exe /Processid:{3237AAD4-75E7-4BEF-ABFA-CC11C6628ABB} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: system32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: system32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)
Microcode Update Driver: system32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
USB2 Enabled Hub: system32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: system32\DRIVERS\usbohci.sys (manual start)
Microsoft USB PRINTER Class: system32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: system32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: system32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\system32\wbem\wmiapsrv.exe (manual start)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
World Standard Teletext Codec: system32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 37,643 bytes
Report generated in 0.341 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## Cookiegal (Aug 27, 2003)

Under your account please do the following:

Create a new restore point: click on *Start* > *All Programs* > *Accessories* > *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I'm attaching a FixColleen3.reg file to this post. Save it to your desktop but don't do anything with it yet. We will use it later in safe mode.

Click Start - Run - and type in:

*services.msc*

Click OK.

In the services window find *abhcop*.
Right click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Start-up Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

*Note:* You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.

Repeat the above steps for each of the following services:

*abhcop
Anfad
FAD
fu1hme04
auyj59s7
hcalway 
Remote Log*

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click *fix checked*.

O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll

O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"

O23 - Service: Remote Log - Beijing zhongsou online software - C:\WINDOWS\system32\ServeHost.exe

Reboot into safe mode and run Killbox on these files/folders:

C:\Program Files\SearchNet\SNHpr.dll

C:\Program Files\SearchNet

C:\WINDOWS\system32\big5_gb2312.exe

C:\WINDOWS\system32\drivers\abhcop.sys

C:\WINDOWS\system32\drivers\Anfad.sys

C:\WINDOWS\system32\DRIVERS\FAD.sys

C:\WINDOWS\system32\drivers\fu1hme04.sys

C:\WINDOWS\system32\drivers\auyj59s7.sys

C:\WINDOWS\system32\DRIVERS\hcalway.sys

C:\WINDOWS\system32\ServeHost.exe

While still in safe mode, unzip the FixColleen3.zip file on your desktop. Double click the FixColleen3.reg file and allow it to enter into the registry.

Reboot and post a new HijackThis log please.


----------



## ColleenA (Feb 18, 2002)

K...

In the services.msc there was no file called abhcop. In fact the only one I found was the Remote log, which I followed your instructions and stopped.

When I ran Killbox there were only 2 files that I could delete: the fu1hme04.sys and the auyj59s7.sys.

Here is the new Hijack log

Logfile of HijackThis v1.99.1
Scan saved at 8:40:59 PM, on 6/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\ServeHost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\SearchNet\SearchNet.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKCU\..\Run: [warez] "C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab37625.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab46704.cab
O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab36385.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Remote Log - Beijing zhongsou online software - C:\WINDOWS\system32\ServeHost.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe


----------



## Cookiegal (Aug 27, 2003)

Please do this again:

Open HijackThis and click on the "Open the Misc Tools Section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here please.

*Click here* to download Silent Runners.
Save (do not choose open) it to the desktop.
Run SilentRunners by double clicking the "SilentRunners" icon on your desktop.
You will see a text file appear on the desktop - *it's not done, let it run (it won't appear to be doing anything!)*
Once you receive the prompt *All Done!*, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE:* If you receive any warning message about scripts, please choose to allow the script to run.


----------



## ColleenA (Feb 18, 2002)

Here are the logs

ACDSee
Ad-Aware SE Personal
Adobe Download Manager 2.0 (Remove Only)
Adobe Reader 7.0
ArcSoft Camera Suite 1.3
Canon Camera Support Core Library
Canon Camera Window for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon Utilities ZoomBrowser EX
ewido anti-spyware 4.0
Freedom Security & Privacy
Gutterball
HijackThis 1.99.1
HP Photo Imaging Software
HP Photo Printing Software
hp photosmart printer series (Remove only)
HP Share-to-Web
IEµØÖ·À¸ËÑË÷
iPod for Windows 2005-09-23
iTunes
J2SE Runtime Environment 5.0 Update 3
KODAK EASYSHARE Gallery Upload ActiveX Control
Labtec WebCam
Macromedia Flash Player 8
Macromedia Shockwave Player
Mario Forever v 2.16 !
Microsoft Office 2000 Premium
MSN
MSN Gaming Zone
MSN Messenger 7.5
Music Visualizer Library 1.4.00
Net MD Simple Burner
NetAssistant
OpenMG Limited Patch 4.1-05-13-31-01
OpenMG Secure Module 4.1.00
Panda ActiveScan
Personal CD Label Kit
PestPatrol SDK
PIXELA ImageMixer
PokerStars.net
Prassi PrimoCD Plus 2.0 (English)
QuickTime
RealPlayer 7 Basic
Reel Deal Slots & Video Poker
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
SonicStage 3.0
TAXWIZ 2005
The Pink Panther's Passport to Peril
Tiger Gaming
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Yahoo! Toolbar
ZooGames

"Silent Runners.vbs", revision 46, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"warez" = ""C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h" [file not found]
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"HPDJ Taskbar Utility" = "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" ["HP"]
"SsAAD.exe" = "C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [null data]
"SearchNet_Up" = ""C:\Program Files\SearchNet\ServeUp.exe"" ["****" (unwritable string)]
"!ewido" = ""C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized" ["Anti-Malware Development a.s."]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" ["Sun Microsystems, Inc."]
"Share-to-Web Namespace Daemon" = "C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe" ["Hewlett-Packard"]
"RealTray" = "C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER" ["RealNetworks, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"Motive SmartBridge" = "C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe" ["Motive Communications, Inc."]
"LVCOMS" = "C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE" ["Logitech Inc."]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"CXMon" = ""C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"" ["Hewlett-Packard Company"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Companion BHO"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{2A0176FE-008B-4706-90F5-BBA532A49731}\(Default) = (no title provided)
-> {HKLM...CLSID} = "IE Address Browser Helper"
\InProcServer32\(Default) = "C:\Program Files\SearchNet\SNHpr.dll" ["Beijing Zhongsou Online Software"]
{3C060EA2-E6A9-4E49-A530-D4657B8C449A}\(Default) = (no title provided)
-> {HKLM...CLSID} = "PopKill Class"
\InProcServer32\(Default) = "C:\Program Files\Zero Knowledge\Freedom\pkR.dll" ["Zero-Knowledge Systems Inc."]
{56071E0D-C61B-11D3-B41C-00E02927A304}\(Default) = (no title provided)
-> {HKLM...CLSID} = "ZKBho Class"
\InProcServer32\(Default) = "C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll" ["Zero-Knowledge Systems Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{A4DF5659-0801-4A60-9607-1C48695EFDA9}" = "Share-to-Web Upload Folder"
-> {HKLM...CLSID} = "Share-to-Web Upload Folder"
\InProcServer32\(Default) = "C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\HPGS2WNS.DLL" ["Hewlett-Packard"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\System\CurrentControlSet\Control\Session Manager\
"BootExecute" = ** WARNING -- empty or invalid data! **

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! WgaLogon\DLLName = "WgaLogon.dll" [MS]
INFECTION WARNING! WRNotifier\DLLName = "WRLogonNTF.dll" [file not found]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Desktop\_C210052.jpg"

Startup items in "Colleen" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\Colleen\Start Menu\Programs\Startup
"LimeWire On Startup" -> shortcut to: "C:\Program Files\LimeWire\LimeWire.exe -startup" ["Lime Wire, LLC"]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"NetAssistant" -> shortcut to: "C:\Program Files\NetAssistant\bin\matcli.exe -boot" ["Motive Communications, Inc."]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Companion"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Companion"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll" ["Yahoo! Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Real.com"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Shdocvw.dll" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

DvpApi, dvpapi, ""C:\Program Files\Common Files\Command Software\dvpapi.exe"" ["Command Software Systems, Inc."]
ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "C:\Program Files\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."]
iPodService, iPodService, "C:\Program Files\iPod\bin\iPodService.exe" ["Apple Computer, Inc."]
Remote Log, Remote Log, "system32\ServeHost.exe" ["Beijing zhongsou online software"]
SonicStage SCSI Service, SSScsiSV, "C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe" ["Sony Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 78 seconds, including 30 seconds for message boxes)


----------



## Cookiegal (Aug 27, 2003)

Go to Control Panel - Add/Remove programs and see if you can find this or something with odd looking or oriental characters there. If so, try to uninstall it there.

*IEµØÖ•À¸ËÑË÷*

Then rescan with HijackThis and fix these entries:

O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll

O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"

O23 - Service: Remote Log - Beijing zhongsou online software - C:\WINDOWS\system32\ServeHost.exe

1. Please *download* *The Avenger* by Swandog46 to your *Desktop*.
Click on Avenger.zip to open the file
Extract *avenger.exe* to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (*Ctrl+C*):



> Files to delete:
> C:\Program Files\SearchNet\SNHpr.dll
> C:\WINDOWS\system32\ServeHost.exe
> 
> ...


_*Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.*_

3. Now, *start The Avenger program* by clicking on its icon on your desktop.
 Under "*Script file to execute*" choose "*Input Script Manually*".
Now click on the *Magnifying Glass icon* which will open a new window titled "*View/edit script*" 
 Paste the text copied to clipboard into this window by pressing (*Ctrl+V*).
 Click *Done* 
 Now click on the *Green Light* to begin execution of the script 
 Answer "*Yes*" twice when prompted.
4. *The Avenger will automatically do the following*:
It will *Restart your computer*. (In cases where the code to execute contains "*Drivers to Unload*", The Avenger will actually *restart your system twice.*)
On reboot, it will briefly *open a black command window* on your desktop, this is normal.
After the restart, it *creates a log file* that should open with the results of Avenger's actions. This log file will be located at *C:\avenger.txt*
 The Avenger will also have *backed up all the files, etc., that you asked it to delete*, and will have zipped them and moved the zip archives to *C:\avenger\backup.zip*.
5. Please *copy/paste* the content of *c:\avenger.txt* into your reply along with a fresh HJT log.


----------
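An added example, not part of the original thread and not code from HijackThis or The Avenger: a small Python check that takes the three fix-list entries from the post above and reports, for a pasted HijackThis log, whether each registry entry is still present, orphaned (marked `(file missing)`) or absent, and whether its file is listed under "Running processes". The two sample logs are constructed, abbreviated from lines quoted in this thread, and the function names are hypothetical.

```python
import re

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")  # e.g. "O4 - HKLM\..\Run: ..."
MISSING = "(file missing)"  # marker HijackThis appends when the target file is gone

# The three entries the helper asked to have fixed, copied from the thread.
FIX_LIST = [
    r"O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll",
    r'O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"',
    r"O23 - Service: Remote Log - Beijing zhongsou online software - C:\WINDOWS\system32\ServeHost.exe",
]

# Constructed sample, abbreviated from the 8:40:59 PM log in the thread.
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\ServeHost.exe
C:\Program Files\SearchNet\SearchNet.exe

O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll
O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"
O23 - Service: Remote Log - Beijing zhongsou online software - C:\WINDOWS\system32\ServeHost.exe
"""

# Constructed sample modelled on the 10:31:29 PM log; the O23 line is left out
# on purpose so that the "absent" case is exercised.
AFTER_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\system32\services.exe
C:\Program Files\LimeWire\LimeWire.exe

O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll (file missing)
O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"
"""


def norm(text):
    """Collapse whitespace and case so pasted lines compare reliably."""
    return " ".join(text.split()).casefold()


def parse_entries(log_text):
    """Map (section, normalised body) -> True if HijackThis flagged the file missing."""
    entries = {}
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if not match:
            continue  # header, blank line, or a path under "Running processes:"
        section, body = match.groups()
        missing = body.endswith(MISSING)
        if missing:
            body = body[: -len(MISSING)]
        entries[(section, norm(body))] = missing
    return entries


def running_processes(log_text):
    """Return the case-folded paths listed under 'Running processes:'."""
    procs, in_block = set(), False
    for line in log_text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_block = True
        elif in_block and not line:
            break  # the block ends at the first blank line
        elif in_block:
            procs.add(line.casefold())
    return procs


def target_path(fix_line):
    """Extract the drive-letter path that a fix-list line points at."""
    return re.search(r'[A-Za-z]:\\[^"]+', fix_line).group(0).strip().casefold()


def check_fix_list(log_text, fix_list=FIX_LIST):
    """Return (section, status, file_is_running) for every fix-list entry."""
    entries = parse_entries(log_text)
    procs = running_processes(log_text)
    report = []
    for fix in fix_list:
        section, body = ENTRY_RE.match(fix).groups()
        key = (section, norm(body))
        if key not in entries:
            status = "absent"      # registry entry no longer listed
        elif entries[key]:
            status = "orphaned"    # entry remains, file already deleted
        else:
            status = "present"     # entry remains; says nothing about the file
        report.append((section, status, target_path(fix) in procs))
    return report


if __name__ == "__main__":
    for name, log in (("before", BEFORE_LOG), ("after", AFTER_LOG)):
        for section, status, is_running in check_fix_list(log):
            print(f"{name:6} {section:4} {status:9} running={is_running}")
```

A `present` result only means the registry entry is still listed, and an `orphaned` one means the file is gone while the entry remains; both still need to be fixed in HijackThis.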



## ColleenA (Feb 18, 2002)

Went to Control Panel; that funny looking program was there, but when I clicked the change/remove button the box that opened had all ???'s beside everything so I couldn't tell which button to click on. I did a normal search for the program but it didn't find it.

Here is the avenger log

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\jiltprnl

*******************

Script file located at: \??\C:\vvljjngb.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\Program Files\SearchNet\SNHpr.dll deleted successfully.
File C:\WINDOWS\system32\ServeHost.exe deleted successfully.
Folder C:\Program Files\SearchNet deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Hijack

Logfile of HijackThis v1.99.1
Scan saved at 10:31:29 PM, on 6/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll (file missing)
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKCU\..\Run: [warez] "C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab37625.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab46704.cab
O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab36385.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{37C2D4C1-A9A2-4B71-987F-7E1D20FD8E3E}: NameServer = 67.69.184.151 206.47.244.57
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Remote Log - Unknown owner - C:\WINDOWS\system32\ServeHost.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

I really hope that I am not wasting your time, and I do appreciate all that you are doing for me.

Thanks


----------



## ColleenA (Feb 18, 2002)

I think I got the oriental program to uninstall. I did it from Nicholas' add/remove

Hope that helps


----------



## Cookiegal (Aug 27, 2003)

Go here and download the *Free Trial* version of *SpySweeper*.

Click on "Download the trial" on the right side of the page.
Save the ssfsetup file to your desktop or somewhere convenient.
Double click the ssfsetup file to begin the setup.
Follow the prompts to complete the installation then click "Finish" and SpySweeper should launch.
When it first opens, SpySweeper will prompt you to "Check for Updated Definitions"
Click "Yes" and download the updates.
After the updated definitions are downloaded restart your computer into safe mode.
Once in safe mode start SpySweeper. Click the "Options" button on the left.
Under "What to Sweep", select *ALL* the boxes there.
Click the "Sweep" button on the left then click "Start" to begin the scan.
When it's finished scanning, click the "Next" button.
Make sure everything has a check next to it by clicking the "Select All" button.
Click the "Next" button and it will remove the selected entries.
Click "Finish" then exit SpySweeper.
*Restart your computer back to Windows normally.*
Go here and do the BitDefender online virus scan.
Click "I Agree" to agree to the EULA.
Allow the ActiveX control to install when prompted.
Click "Click here to scan" to begin the scan.
Please refrain from using the computer until the scan is finished.
When the scan is finished, click on "Click here to export the scan results"
Save the report to your desktop then come back here and *attach* it to your next reply along with a new Hijack This log.
*Note:* You have to use Internet Explorer to do the online scan.

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click *fix checked*.

*O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll (file missing)*

*O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"*

*O23 - Service: Remote Log - Unknown owner - C:\WINDOWS\system32\ServeHost.exe (file missing)*

Reboot to safe mode and run Killbox on these items but with a different method called delete on reboot as per the following instructions.


Please double-click *Killbox.exe* to run it.
Select: *Delete on Reboot*, then *Click* on the *All Files* button.

Please *copy the file paths below to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy):

*C:\Program Files\SearchNet\ServeUp.exe*

*C:\Program Files\SearchNet*

Return to Killbox, go to the *File* menu, and choose *Paste from Clipboard*.

Click the red-and-white *Delete File* button. Click *Yes* at the Delete on Reboot prompt. Click *OK* at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

_*If your computer does not restart automatically, please restart it manually*_.

Post a new HijackThis log please.
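
The selection made in the post above can be reproduced mechanically. This is an added example, not part of the original post and not code from HijackThis: it parses an excerpt of the log posted in this thread and separates entries that still point at paths the Avenger log reports as deleted from entries that are merely tagged "(file missing)". The names `parse_log`, `is_under` and `triage` are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Excerpt of the HijackThis log posted in this thread (eight of its lines).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll (file missing)
O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Remote Log - Unknown owner - C:\WINDOWS\system32\ServeHost.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Paths the Avenger log in this thread reports as deleted.
REMOVED = [
    r"C:\Program Files\SearchNet\SNHpr.dll",
    r"C:\WINDOWS\system32\ServeHost.exe",
    r"C:\Program Files\SearchNet",
]

# "O4 - rest of line": a section code, " - ", then the entry body.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# First drive-letter path ending in .exe or .dll (spaces allowed, quotes excluded).
PATH_RE = re.compile(r'(?<![A-Za-z])[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll)', re.IGNORECASE)
MISSING_TAG = "(file missing)"


@dataclass
class Entry:
    code: str             # section code, e.g. "O4"
    body: str             # everything after "Oxx - "
    path: Optional[str]   # absolute path of the target, if the entry names one
    file_missing: bool    # True when the scanner tagged the line "(file missing)"


def parse_log(text: str) -> List[Entry]:
    """Turn the entry lines of a HijackThis log into Entry records."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, process list or blank line
        body = m.group("body")
        p = PATH_RE.search(body)
        entries.append(Entry(m.group("code"), body,
                             p.group(0) if p else None,
                             body.endswith(MISSING_TAG)))
    return entries


def is_under(path: str, removed: List[str]) -> bool:
    """True if path equals a removed path or lies inside a removed folder."""
    p = path.lower()  # Windows paths compare case-insensitively
    for r in removed:
        r = r.lower().rstrip("\\")
        if p == r or p.startswith(r + "\\"):
            return True
    return False


def triage(entries: List[Entry], removed: List[str]) -> Dict[str, List[Entry]]:
    """Split entries into leftovers of removed items and other missing-file entries."""
    result: Dict[str, List[Entry]] = {"leftover": [], "other_missing": []}
    for e in entries:
        if e.path and is_under(e.path, removed):
            # Autostart, BHO or service entry still registered for a deleted file.
            result["leftover"].append(e)
        elif e.file_missing:
            # Missing target unrelated to the removal: review, do not auto-fix.
            result["other_missing"].append(e)
    return result


if __name__ == "__main__":
    found = triage(parse_log(SAMPLE_LOG), REMOVED)
    for group, items in found.items():
        print(group)
        for e in items:
            print("  ", e.code, "-", e.body)
```

The `leftover` group matches the three entries listed in the post, including the `SearchNet_Up` Run entry, which carries no "(file missing)" tag even though its folder was deleted.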


----------



## ColleenA (Feb 18, 2002)

Sorry, I didn't ignore you today. I do see your newest post and will do it first thing Friday morning. It was my daughter's high school graduation today so we have been running around all day to different ceremonies.

Thanks for your patience


----------



## Cookiegal (Aug 27, 2003)

No worries.


----------



## ColleenA (Feb 18, 2002)

I have to do this in 2 posts

Sorry for the delay, today is Prom day so we have been running around getting nails, make-up and hair done

Here are the logs you asked for

And yes, I did get the message PendingFileRenameOperations prompt

BitDefender Online Scanner

Scan report generated at: Fri, Jun 30, 2006 - 12:40:47

Scan path: A:\;C:\;D:\;E:\;F:\;

Statistics
Time: 03:24:36
Files: 570304
Folders: 5477
Boot Sectors: 2
Archives: 2793
Packed Files: 94827

Results
Identified Viruses: 2
Infected Files: 65
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 65

Engines Info
Virus Definitions: 389890
Engine build: AVCORE v1.0 (build 2310) (i386) (Apr 17 2006 16:24:38)
Scan plugins: 13
Archive plugins: 39
Unpack plugins: 5
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes




Scanned File
Status

C:\Documents and Settings\Nicholas\Local Settings\Temp\sp2patch.exe
Infected with: Backdoor.Virkel.A

C:\Documents and Settings\Nicholas\Local Settings\Temp\sp2patch.exe
Disinfection failed

C:\Documents and Settings\Nicholas\Local Settings\Temp\sp2patch.exe
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051030230904.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051030230904.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051030230904.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051030230904.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051030230905.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051030230905.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051030230905.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051030230905.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051030230906.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051030230906.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051030230906.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051030230906.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051030230907.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051030230907.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051030230907.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051030230907.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051108173053.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051108173053.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051108173053.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051108173053.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051108173055.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051108173055.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051108173055.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051108173055.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051108173056.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051108173056.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051108173056.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051108173056.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051108173057.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051108173057.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051108173057.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051108173057.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051108175843.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051108175843.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051108175843.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051108175843.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051108183118.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051108183118.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051108183118.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051108183118.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051108194635.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051108194635.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051108194635.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051108194635.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051108210245.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051108210245.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051108210245.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051108210245.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051109161514.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051109161514.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051109161514.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051109161514.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051109162725.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051109162725.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051109162725.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051109162725.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051109183110.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051109183110.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051109183110.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051109183110.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051109194622.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051109194622.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051109194622.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051109194622.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051109203706.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051109203706.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051109203706.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051109203706.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051109225725.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051109225725.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051109225725.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051109225725.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051110065014.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051110065014.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051110065014.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051110065014.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051110165017.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051110165017.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051110165017.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051110165017.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051110171055.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051110171055.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051110171055.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051110171055.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051111135401.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051111135401.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051111135401.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051111135401.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051113204154.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051113204154.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051113204154.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051113204154.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051113204155.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051113204155.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051113204155.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051113204155.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051113204156.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051113204156.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051113204156.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051113204156.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051113204157.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051113204157.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051113204157.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051113204157.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051113204158.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051113204158.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051113204158.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051113204158.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051113204159.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051113204159.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051113204159.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051113204159.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051113204547.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051113204547.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051113204547.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051113204547.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051114144922.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051114144922.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051114144922.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051114144922.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051114145301.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051114145301.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051114145301.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051114145301.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051114211914.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051114211914.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051114211914.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051114211914.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051114212657.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051114212657.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051114212657.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051114212657.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051115130315.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051115130315.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051115130315.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051115130315.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051115151030.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051115151030.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051115151030.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051115151030.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051115162843.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051115162843.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051115162843.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051115162843.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051115190132.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051115190132.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051115190132.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051115190132.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051115204106.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051115204106.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051115204106.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051115204106.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051116131141.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051116131141.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051116131141.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051116131141.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051116145249.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051116145249.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051116145249.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051116145249.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051116154952.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051116154952.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051116154952.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted


----------



## ColleenA (Feb 18, 2002)

here is the continuation of BitDefender

C:\Program Files\Common Files\PestPatrol\Quarantine\20051116154952.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051116155025.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051116155025.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051116155025.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051116155025.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051116222145.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051116222145.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051116222145.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051116222145.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051117192101.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051117192101.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051117192101.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051117192101.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051120211942.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051120211942.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051120211942.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051120211942.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051120211943.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051120211943.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051120211943.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051120211943.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051120211944.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051120211944.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051120211944.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051120211944.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051120211945.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051120211945.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051120211945.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051120211945.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051120211946.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051120211946.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051120211946.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051120211946.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051120211947.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051120211947.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051120211947.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051120211947.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051120221224.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051120221224.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051120221224.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051120221224.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051121110421.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051121110421.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051121110421.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051121110421.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051121161912.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051121161912.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051121161912.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051121161912.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051121211746.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051121211746.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051121211746.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051121211746.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051121223335.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051121223335.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051121223335.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051121223335.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051122145011.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051122145011.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051122145011.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051122145011.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051122180335.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051122180335.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051122180335.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051122180335.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051122180840.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051122180840.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051122180840.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051122180840.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051122184504.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051122184504.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051122184504.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051122184504.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051122203411.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051122203411.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051122203411.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051122203411.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051122221911.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051122221911.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051122221911.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051122221911.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051203095537.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051203095537.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051203095537.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051203095537.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051203095539.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051203095539.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051203095539.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051203095539.zip
Updated

C:\Program Files\Common Files\PestPatrol\Quarantine\20051203095540.zip=>WINDOWS/system32/drivers/etc/hosts
Infected with: Generic.Qhost

C:\Program Files\Common Files\PestPatrol\Quarantine\20051203095540.zip=>WINDOWS/system32/drivers/etc/hosts
Disinfection failed

C:\Program Files\Common Files\PestPatrol\Quarantine\20051203095540.zip=>WINDOWS/system32/drivers/etc/hosts
Deleted

C:\Program Files\Common Files\PestPatrol\Quarantine\20051203095540.zip
Updated

Here is the Hijack

Logfile of HijackThis v1.99.1
Scan saved at 4:02:54 PM, on 6/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll (file missing)
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [warez] "C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab37625.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab46704.cab
O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab36385.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Remote Log - Unknown owner - C:\WINDOWS\system32\ServeHost.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


----------



## Cookiegal (Aug 27, 2003)

We are finally making progress with this.

Click Start - Run - and type in:

*services.msc*

Click OK.

In the services window find *Remote Log*.
Right click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Start-up Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

Rescan with HijackThis and fix these entries:

O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll (file missing)

O23 - Service: Remote Log - Unknown owner - C:\WINDOWS\system32\ServeHost.exe (file missing)

Reboot and post a new HijackThis log please.


----------



## ColleenA (Feb 18, 2002)

Here is the new hijack log

Logfile of HijackThis v1.99.1
Scan saved at 9:21:47 PM, on 6/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll (file missing)
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [warez] "C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab37625.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab46704.cab
O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab36385.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Remote Log - Unknown owner - C:\WINDOWS\system32\ServeHost.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

thanks


----------



## Cookiegal (Aug 27, 2003)

Please disable SpySweeper, as it may be hindering the removal of some entries. You can re-enable it after you're clean.

To disable SpySweeper:

Open it, click >Options over to the left, then >Program Options >Uncheck "load at windows startup".
Over to the left click "shields" and uncheck all there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".

Rescan with HijackThis and fix these entries:

*O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll (file missing)*

*O23 - Service: Remote Log - Unknown owner - C:\WINDOWS\system32\ServeHost.exe (file missing)*

Reboot and post a new HijackThis log please.


----------
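Both entries selected for fixing earlier in the thread are still listed in the 9:21:47 PM log, which is the situation the reply above responds to. The Python sketch below is an added example, not part of any post in the thread: it parses HijackThis entry lines and reports which fix-list entries persist between two logs. The function names are hypothetical, and the sample logs are short excerpts built from lines posted above.

```python
import re

# HijackThis entry lines start with a section code such as R1, O4 or O23,
# followed by " - ". Header lines and "Running processes" paths do not match.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")


def parse_entries(text):
    """Map a case-insensitive key to each entry line found in `text`.

    Windows paths are case-insensitive and the same log can spell a path
    as System32 or system32, so the key is casefolded. Forum emphasis
    asterisks around pasted entries are stripped.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip().strip("*").strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, body = m.group(1), " ".join(m.group(2).split())
        entries[(code, body.casefold())] = f"{code} - {body}"
    return entries


def check_fix(before_log, after_log, fix_list):
    """Compare two logs against the entries that were supposed to be fixed."""
    before = parse_entries(before_log)
    after = parse_entries(after_log)
    targets = parse_entries(fix_list)
    b, a, t = set(before), set(after), set(targets)

    def lines(keys, source):
        return sorted(source[k] for k in keys)

    return {
        "persisted": lines(t & a, targets),         # fix did not take effect
        "fixed": lines((t & b) - a, targets),       # gone from the new log
        "unmatched": lines(t - b - a, targets),     # never seen in either log
        "other_removed": lines((b - a) - t, before),
        "new": lines(a - b, after),                 # appeared since last scan
    }


# Excerpt of the 4:02:54 PM log (four entry lines copied from the thread).
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 4:02:54 PM, on 6/30/2006

Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll (file missing)
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O23 - Service: Remote Log - Unknown owner - C:\WINDOWS\system32\ServeHost.exe (file missing)
"""

# The same four entry lines appear unchanged in the 9:21:47 PM log.
AFTER_LOG = BEFORE_LOG.replace("4:02:54 PM", "9:21:47 PM")

# Fix list with forum emphasis asterisks still attached.
FIX_LIST = r"""*O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll (file missing)

O23 - Service: Remote Log - Unknown owner - C:\WINDOWS\system32\ServeHost.exe (file missing)*
"""

if __name__ == "__main__":
    for status, found in check_fix(BEFORE_LOG, AFTER_LOG, FIX_LIST).items():
        print(f"{status}: {len(found)}")
        for entry in found:
            print(f"  {entry}")
```

A non-empty `persisted` list after a reboot means something re-created the entries or blocked the change, so the fix has to be repeated once that cause is dealt with.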



## ColleenA (Feb 18, 2002)

K, I disabled SpySweeper. Did the options part. But when I went to the shields I couldn't find those things you told me to click on. Seems it just shows you what shields are available with this version.

Logfile of HijackThis v1.99.1
Scan saved at 1:09:43 AM, on 7/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll (file missing)
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKCU\..\Run: [warez] "C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab37625.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab46704.cab
O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab36385.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Remote Log - Unknown owner - C:\WINDOWS\system32\ServeHost.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

P.S. I am leaving town Saturday and will be back some time Sunday.

Thanks


----------



## Cookiegal (Aug 27, 2003)

It's probably Ewido blocking the changes then. This is a new version and it gets installed with realtime protection.

Disable Ewido by opening the program and on the Status page - beside "Resident Shield" click on "change status" so that it says "inactive", then do this again please.

Rescan with HijackThis and fix these entries:

*O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll (file missing)*

*O23 - Service: Remote Log - Unknown owner - C:\WINDOWS\system32\ServeHost.exe (file missing)*

Reboot and post a new HijackThis log please.


----------



## ColleenA (Feb 18, 2002)

hi 

Back from the cottage. I went into Ewido and it already said "Inactive" beside the Resident shield.


----------



## Cookiegal (Aug 27, 2003)

Would you please post a new HijackThis log from Nicholas' account.


----------



## ColleenA (Feb 18, 2002)

Here is the log from Nicholas

Logfile of HijackThis v1.99.1
Scan saved at 10:06:20 PM, on 7/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll (file missing)
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [warez] "C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab37625.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab46704.cab
O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab36385.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{37C2D4C1-A9A2-4B71-987F-7E1D20FD8E3E}: NameServer = 67.69.184.151 206.47.244.57
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Remote Log - Unknown owner - C:\WINDOWS\system32\ServeHost.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

thanks


----------



## Cookiegal (Aug 27, 2003)

Does your Freedom program include a firewall?


----------



## ColleenA (Feb 18, 2002)

yes it does and it is enabled right now

thanks


----------



## Cookiegal (Aug 27, 2003)

Please disable Freedom completely (firewall, popup blocker, spam filter, etc.) by taking it out of start-ups via *Start* - *Run* - type in *msconfig* - click on and click on the startup tab. Uncheck all entries for Freedom that you see there.

Also, be sure that SpySweeper and Ewido are disabled in the same fashion.

Then reboot the computer for those changes to take effect.

After you've done that, rescan with HijackThis, close all other windows, put a check mark beside these entries and then click "fix checked":

*O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll (file missing)*

*O23 - Service: Remote Log - Unknown owner - C:\WINDOWS\system32\ServeHost.exe (file missing)*

Reboot and post a new HijackThis log please.


----------



## ColleenA (Feb 18, 2002)

k, I went to msconfig. Freedom isn't there, I don't have it set to start automatically, I manually start it when I connect to the internet.

Disabled Ewido, SpySweeper not there either.

here is new hijack

Logfile of HijackThis v1.99.1
Scan saved at 9:14:55 AM, on 7/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll (file missing)
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab37625.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab46704.cab
O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab36385.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Remote Log - Unknown owner - C:\WINDOWS\system32\ServeHost.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


----------



## Cookiegal (Aug 27, 2003)

You need to turn off Freedom then, reboot and be sure it's not running and then repeat the steps please.


----------



## ColleenA (Feb 18, 2002)

As far as I know, Freedom doesn't run unless I turn it on. Here is a log which I know Freedom was not turned on when I ran it.

Logfile of HijackThis v1.99.1
Scan saved at 9:58:20 AM, on 7/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll (file missing)
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab37625.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab46704.cab
O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab36385.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Remote Log - Unknown owner - C:\WINDOWS\system32\ServeHost.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


----------



## Cookiegal (Aug 27, 2003)

OK but Ewido and SpySweeper are in the running processes so please do this:

Open the Task Manager (Ctrl-Alt-Del) and end task on these processes:

*guard.exe*

*WRSSSDK.exe*

Once you've done that, fix those entries with HijackThis, reboot and post a new log please.


----------



## ColleenA (Feb 18, 2002)

Logfile of HijackThis v1.99.1
Scan saved at 12:19:20 PM, on 7/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll (file missing)
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab37625.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab46704.cab
O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab36385.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Remote Log - Unknown owner - C:\WINDOWS\system32\ServeHost.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


----------



## Cookiegal (Aug 27, 2003)

Ewido and SpySweeper are still in the running processes.


----------



## ColleenA (Feb 18, 2002)

Logfile of HijackThis v1.99.1
Scan saved at 3:54:48 PM, on 7/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll (file missing)
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab37625.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab46704.cab
O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab36385.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Remote Log - Unknown owner - C:\WINDOWS\system32\ServeHost.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


----------



## Cookiegal (Aug 27, 2003)

Please post a HijackThis log from your own account. I think there's a permissions problem with Nicholas.


----------



## ColleenA (Feb 18, 2002)

Logfile of HijackThis v1.99.1
Scan saved at 6:21:16 PM, on 7/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll (file missing)
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab37625.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab46704.cab
O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab36385.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{37C2D4C1-A9A2-4B71-987F-7E1D20FD8E3E}: NameServer = 67.69.184.151 206.47.244.57
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Remote Log - Unknown owner - C:\WINDOWS\system32\ServeHost.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


----------



## Cookiegal (Aug 27, 2003)

Open Task Manager (Ctrl-Alt-Del) and end task on these two processes:

*guard.exe*

*WRSSSDK.exe*

If there is an icon in the taskbar for Ewido, right click on it and click on exit to exit the program.

Rescan with HijackThis and fix these entries:

*O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll (file missing)*

*O23 - Service: Remote Log - Unknown owner - C:\WINDOWS\system32\ServeHost.exe (file missing)*

Reboot and post a new HijackThis log please.


----------
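
The check made by eye on each new log in this thread (are the two processes still running, are the two entries still listed) can be scripted. This is an added Python example, not part of the original posts; the function names are hypothetical, and the two sample logs are trimmed excerpts of the 6:21 PM and 7:02 PM logs posted here.

```python
import re

# HijackThis entry lines look like "O23 - Service: ..." or "R1 - HKCU\...".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")


def parse_log(text):
    """Split a HijackThis log into running-process paths and section entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if ENTRY_RE.match(line):
            in_procs = False
            entries.append(line)
        elif in_procs:
            if line:
                processes.append(line)
            elif processes:
                in_procs = False  # a blank line closes the process list
    return {"processes": processes, "entries": entries}


def _norm(entry):
    # Compare entries ignoring case and runs of whitespace from copy/paste.
    return " ".join(entry.split()).casefold()


def still_running(log, image_names):
    """Image names the helper asked to end that still appear in the log."""
    running = {p.rsplit("\\", 1)[-1].casefold() for p in log["processes"]}
    return [n for n in image_names if n.casefold() in running]


def still_present(log, requested_entries):
    """Entries the helper asked to fix that are still listed."""
    present = {_norm(e) for e in log["entries"]}
    return [e for e in requested_entries if _norm(e) in present]


def orphaned(log):
    """Registrations whose target HijackThis reports as '(file missing)'."""
    return [e for e in log["entries"] if e.endswith("(file missing)")]


def diff_entries(before, after):
    """Return (removed, added) entries between two logs."""
    b = {_norm(e): e for e in before["entries"]}
    a = {_norm(e): e for e in after["entries"]}
    return ([b[k] for k in b if k not in a], [a[k] for k in a if k not in b])


# Trimmed excerpts of two logs from this thread (most lines omitted).
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 6:21:16 PM, on 7/3/2006

Running processes:
C:\WINDOWS\system32\lsass.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{37C2D4C1-A9A2-4B71-987F-7E1D20FD8E3E}: NameServer = 67.69.184.151 206.47.244.57
O23 - Service: Remote Log - Unknown owner - C:\WINDOWS\system32\ServeHost.exe (file missing)
"""

AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 7:02:01 PM, on 7/3/2006

Running processes:
C:\WINDOWS\system32\lsass.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll (file missing)
O23 - Service: Remote Log - Unknown owner - C:\WINDOWS\system32\ServeHost.exe (file missing)
"""

# What the helper asked for in the post above.
END_TASK = ["guard.exe", "WRSSSDK.exe"]
FIX_REQUESTED = [
    r"O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll (file missing)",
    r"O23 - Service: Remote Log - Unknown owner - C:\WINDOWS\system32\ServeHost.exe (file missing)",
]

if __name__ == "__main__":
    before, after = parse_log(BEFORE_LOG), parse_log(AFTER_LOG)
    print("still running:", still_running(after, END_TASK))
    print("not fixed:", still_present(after, FIX_REQUESTED))
    removed, added = diff_entries(before, after)
    print("removed since previous log:", removed)
    print("new since previous log:", added)
```

The entry diff also surfaces lines that differ between two logs for other reasons, such as the `R1` and `O17` lines here, so they can be reviewed rather than missed in a long paste.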



## ColleenA (Feb 18, 2002)

Logfile of HijackThis v1.99.1
Scan saved at 7:02:01 PM, on 7/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll (file missing)
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab37625.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab46704.cab
O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab36385.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Remote Log - Unknown owner - C:\WINDOWS\system32\ServeHost.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


----------



## Cookiegal (Aug 27, 2003)

Are you not able to end process on those tasks?


----------



## ColleenA (Feb 18, 2002)

Doesn't seem like it. I do it, they disappear, but when I restart they are there again.


----------



## Cookiegal (Aug 27, 2003)

Try booting into safe mode, end those tasks if they are still running and do the fixes with HijackThis also in safe mode.

Reboot and post a new log please.


----------



## ColleenA (Feb 18, 2002)

When I went to end the processes in safe mode, the guard.exe wasn't there.

Logfile of HijackThis v1.99.1
Scan saved at 9:48:41 PM, on 7/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll (file missing)
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab37625.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab46704.cab
O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab36385.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Remote Log - Unknown owner - C:\WINDOWS\system32\ServeHost.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


----------



## Cookiegal (Aug 27, 2003)

Would you please run another Ewido scan (in safe mode) and post the log.


----------



## ColleenA (Feb 18, 2002)

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at:	11:08:24 PM 7/3/2006

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731} -> Adware.Generic : Error during cleaning.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A0176FE-008B-4706-90F5-BBA532A49731} -> Adware.Generic : Error during cleaning.
HKU\S-1-5-21-1275210071-854245398-1708537768-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2A0176FE-008B-4706-90F5-BBA532A49731} -> Adware.Generic : Error during cleaning.
C:\!KillBox\HuaCi\huaci\mUin.exe -> Adware.WSearch : Cleaned with backup (quarantined).
C:\!KillBox\HuaCi\huaci\reg.exe -> Adware.WSearch : Cleaned with backup (quarantined).
C:\!KillBox\HuaCi\update\reg.exe.dat/reg.exe -> Adware.WSearch : Cleaned with backup (quarantined).
C:\!KillBox\HuaCi\update\zpig.exe.dat/zpig.exe -> Adware.WSearch : Cleaned with backup (quarantined).
C:\!KillBox\SearchNet\SearchNet.exe -> Adware.Zhongsou : Cleaned with backup (quarantined).
C:\!KillBox\ServeUp.exe -> Adware.Zhongsou : Cleaned with backup (quarantined).
C:\!KillBox\searchnet.exe -> Adware.Zhongsou : Cleaned with backup (quarantined).
C:\Documents and Settings\Colleen\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Nicholas\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Nicholas\Cookies\[email protected][1].txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
C:\Documents and Settings\Nicholas\Cookies\[email protected][2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Documents and Settings\Nicholas\Cookies\[email protected][1].txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
C:\Documents and Settings\Jessica\Cookies\[email protected][1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Nicholas\Cookies\[email protected][2].txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Colleen\Cookies\[email protected][2].txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).

::Report end


----------



## blkwlnt64 (Mar 28, 2005)

Hi Cookiegal, she still has Limewire installed and running, and for the life of me I can't figure out what the firewall is.


----------



## Cookiegal (Aug 27, 2003)

Go to *Start * *Run * type in *cmd * click OK

Type: *Net stop "Remote Log"*

Hit Enter and close the DOS window.

I'm attaching a FixColleen4.zip file to this post. Save it to your desktop. Don't do anything with it yet.

Rescan with HijackThis and fix these entries:

*O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll (file missing)

O23 - Service: Remote Log - Unknown owner - C:\WINDOWS\system32\ServeHost.exe (file missing)*

Boot to safe mode and unzip the FixColleen4.zip file you downloaded to your desktop. Double click the FixColleen4.reg file and allow it to enter into the registry.

Reboot and post a new HijackThis log please.


----------
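An added example, not written by any poster in this thread and not part of HijackThis or ewido: a Python parser for the two log formats posted above that ranks HijackThis entries for review by how many independent signals they show (target file missing, an O23 service with "Unknown owner", the same CLSID flagged by the scanner). The sample lines are copied from the logs in this thread; the function names and the ranking rule are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Sample input: a few lines copied from the HijackThis and ewido logs in this thread.
HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Log - Unknown owner - C:\WINDOWS\system32\ServeHost.exe (file missing)
"""

EWIDO_REPORT = r"""
HKLM\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731} -> Adware.Generic : Error during cleaning.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A0176FE-008B-4706-90F5-BBA532A49731} -> Adware.Generic : Error during cleaning.
C:\!KillBox\ServeUp.exe -> Adware.Zhongsou : Cleaned with backup (quarantined).
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING = "(file missing)"


def parse_hjt(log):
    """Turn 'Onn - ...' lines into dicts; header and process lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m["section"], m["body"]
        clsid = CLSID_RE.search(body)
        owner = None
        if section == "O23":
            # "Service: <name> - <company> - <path>": split from the right,
            # because the service name itself may contain " - ".
            parts = body.rsplit(" - ", 2)
            if len(parts) == 3:
                owner = parts[1]
        entries.append({
            "section": section,
            "body": body,
            "clsid": clsid.group(0).upper() if clsid else None,
            "file_missing": body.endswith(MISSING),
            "owner": owner,
        })
    return entries


def parse_ewido(report):
    """Parse '<location> -> <detection> : <status>' result lines."""
    findings = []
    for line in report.splitlines():
        if " -> " not in line:
            continue
        location, rest = line.split(" -> ", 1)
        detection, _, status = rest.partition(" : ")
        clsid = CLSID_RE.search(location)
        findings.append({
            "location": location.strip(),
            "detection": detection.strip(),
            "cleaned": status.strip().startswith("Cleaned"),
            "clsid": clsid.group(0).upper() if clsid else None,
        })
    return findings


def review_candidates(hjt_log, ewido_report):
    """Return flagged entries, most signals first. A candidate is not a verdict."""
    by_clsid = defaultdict(list)
    for finding in parse_ewido(ewido_report):
        if finding["clsid"]:
            by_clsid[finding["clsid"]].append(finding)

    flagged = []
    for entry in parse_hjt(hjt_log):
        reasons = []
        if entry["file_missing"]:
            reasons.append("target file missing")
        if entry["owner"] == "Unknown owner":
            reasons.append("service owner unknown")
        hits = by_clsid.get(entry["clsid"], [])
        if hits:
            left = sum(1 for h in hits if not h["cleaned"])
            reasons.append(
                f"scanner flagged same CLSID in {len(hits)} registry location(s), "
                f"{left} not cleaned"
            )
        if reasons:
            flagged.append({**entry, "reasons": reasons})
    # sorted() is stable, so ties keep their order from the log
    return sorted(flagged, key=lambda e: -len(e["reasons"]))


if __name__ == "__main__":
    for e in review_candidates(HJT_LOG, EWIDO_REPORT):
        print(f"{e['section']:>3}  {e['body']}")
        for reason in e["reasons"]:
            print(f"       - {reason}")
```

On this sample the SearchNet BHO and the Remote Log service each carry two signals, while the BitDefender uninstaller button and the msnim protocol handler carry only the missing-file flag.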



## ColleenA (Feb 18, 2002)

Logfile of HijackThis v1.99.1
Scan saved at 8:04:36 PM, on 7/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll (file missing)
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab37625.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab46704.cab
O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab36385.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Remote Log - Unknown owner - C:\WINDOWS\system32\ServeHost.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


----------



## Cookiegal (Aug 27, 2003)

Download Registrar Lite from here:

http://www.resplendence.com/download/reglite.exe

Put it in its own folder.

Copy and paste the following text into the address bar, then hit 'Go':

*HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects*

In the pane on the right are the values associated with the key we want to remove.

We want to remove this one -> *{2A0176FE-008B-4706-90F5-BBA532A49731}*

Right click on it, and select delete.

If you get a confirmation question, respond OK then close out the program.

Reboot and post a new HijackThis log please.


----------



## ColleenA (Feb 18, 2002)

Hi

I hope that I am not frustrating you toooooooo much, but I think I'm doing everything you ask of me.

I downloaded the program. When I went to paste in the HKEY_LOCAL..... line in the address bar I kept getting an "Error Performing Copy" message. So I typed the address in and hit go.

When I went to remove the 2A0176E...... I got a message "Access denied"


----------



## Cookiegal (Aug 27, 2003)

Then it's a permissions issue. You don't have permission to edit the registry.

We'll go in and change that.

Are you familiar with the registry at all?


----------



## ColleenA (Feb 18, 2002)

A very little bit. I know it gets hard but I'm willing to try, or we can just pretend it's fixed, as the original problem we started with is fixed and all seems to be working OK, other than everything is still set to start when the machine is turned on, but I know how to fix that.

I'm just afraid I am using up too much of your time. Your call

Thanks


----------



## Cookiegal (Aug 27, 2003)

No, it's fine with me. I'd like to get this fixed if you're willing to continue.

I'll be signing off in a few minutes so I'll post further instructions sometime tomorrow.


----------



## ColleenA (Feb 18, 2002)

I'm willing if it is not taking too much of your time

Have a nice evening


----------



## Cookiegal (Aug 27, 2003)

You have a nice evening too. :up:


----------



## Cookiegal (Aug 27, 2003)

We backed up the registry earlier on but since we've made some changes since, please back up the registry again before doing the following steps:

Go to *Start* - *Run*
Type:
*regedit*
Click OK.
On the left side, click to highlight *My Computer* at the top. 
Go up to "*File - Export*"
Make sure in that window there is a tick next to "All" under Export Branch.
Leave the "Save As Type" as "Registration Files".
Under "Filename" put *backup July 5*

Choose to save it to *C:\* or somewhere else safe so that you will remember where you put it (don't put it on the desktop!)
Click save and then go to File > Exit.
This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.

And let's also create a new system restore point:

To create a new restore point, click on *Start* - *All Programs* - *Accessories* - *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

Click *Start* - *Run* and type in:

*services.msc*

Click OK.

In the services window find *Remote Log*.
Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.

Now open HijackThis and click on the "Open Misc Tools section" button. Now click on the "Delete a NT service" button. Copy and paste this line in the box that appears:

*Remote Log*

Click OK and restart the computer.

Now go to *Start * *Run * type in *regedit *and click OK to open the registry editor.

1) Click on the + sign to the left of each of the following values to expand them:

HKEY_LOCAL_MACHINE
Software
Microsoft
Windows
CurrentVersion
Explorer
Browser Helper Objects

Under *Browser Helper Objects *you should see 5 entries that contain a combination of several digits and letters (these are referred to as CLSIDs). This is the one we want to remove:

*{2A0176FE-008B-4706-90F5-BBA532A49731}*

Under *Group or user names*, select your Administrator user profile name (probably Administrator or My Computer).

Click on *Advanced*. Put a check mark in the two boxes at the bottom that say:

*Inherit from parents the permission entries that apply to child objects. 
Include these with entries explicitly defined here.*

Click Apply and OK.

Then, under *Permissions* for Administrators, put a check mark in "Full Control" and "Allow". Then click Apply and OK.

Now right click the *{2A0176FE-008B-4706-90F5-BBA532A49731}* key and select *delete*.

*If you get any error messages and/or the deletion is not successful, please let me know before continuing beyond this point.*

2) Click on the + sign to the left of each of the following values to expand them:

HKEY_LOCAL_MACHINE
SOFTWARE
Classes
CLSID

Under CLSID you should see many CLSIDs listed. Again, this is the one we want to remove:

*{2A0176FE-008B-4706-90F5-BBA532A49731}*

Right click on it and choose *Permissions*. Under *Group or user names*, select your user profile name as administrator (probably My Computer).

Below that under *Permissions* for Administrators, by "Full Control" put a check by "Allow"

Click Apply then OK. Now right click the *{2A0176FE-008B-4706-90F5-BBA532A49731}* key and select *delete*.

3) Click on the + sign to the left of each of the following values to expand them:

HKEY_LOCAL_MACHINE
SOFTWARE

Click on *Searchnet *but do NOT expand it. This is the one we want to remove.

Right click on *Searchnet *and choose *Permissions*.

Under *Group or user names*, select your Administrator user profile name (probably Administrator or My Computer).

Click on *Advanced*. Put a check mark in the two boxes at the bottom that say:

*Inherit from parents the permission entries that apply to child objects. 
Include these with entries explicitly defined here.*

Click Apply and OK.

Then, under *Permissions* for Administrators, put a check mark in "Full Control" and "Allow". Then click Apply and OK.

Now right click the *Searchnet *key and select *delete*.

4) Click on the + sign to the left of each of the following values to expand them:

HKEY_LOCAL_MACHINE
SYSTEM
CurrentControlSet
Services

Under *Services *you should see many services listed. This is the one we want to remove but *be very careful as there are other valid services that begin with the word Remote*:

*Remote Log*

Right click on it and choose *Permissions*. Under *Group or user names*, select your user profile name as administrator (probably My Computer).

Below that under *Permissions* for Administrators, by "Full Control" put a check by "Allow"

Click Apply then OK. Now right click the *Remote Log* key and select *delete*.

5) Click on the + sign to the left of each of the following values to expand them:

HKEY_LOCAL_MACHINE
SYSTEM
CurrentControlSet1
Services

Under *Services *you should see many services listed. This is the one we want to remove but *be very careful as there are other valid services that begin with the word Remote*:

*Remote Log*

Right click on it and choose *Permissions*. Under *Group or user names*, select your user profile name as administrator (probably My Computer).

Below that under *Permissions* for Administrators, by "Full Control" put a check by "Allow"

Click Apply then OK. Now right click the *Remote Log* key and select *delete*.

6) Click on the + sign to the left of each of the following values to expand them:

HKEY_LOCAL_MACHINE
SYSTEM
CurrentControlSet2
Services

Under *Services *you should see many services listed. This is the one we want to remove but *be very careful as there are other valid services that begin with the word Remote*:

*Remote Log*

Right click on it and choose *Permissions*. Under *Group or user names*, select your user profile name as administrator (probably My Computer).

Below that under *Permissions* for Administrators, by "Full Control" put a check by "Allow"

Click Apply then OK. Now right click the *Remote Log* key and select *delete*.

7) Click on the + sign to the left of each of the following values to expand them:

Note this one is not under the Local Machine key, it's under Users:

HKEY_USERS
S-1-5-21-1275210071-854245398-1708537768-1005
Software
Microsoft
Windows
CurrentVersion
Ext
Stats

Under *Stats *you should see a list of several CLSIDs. Again, this is the one we want to remove:

*{2A0176FE-008B-4706-90F5-BBA532A49731}*

Under *Group or user names*, select your Administrator user profile name (probably Administrator or My Computer).

Click on *Advanced*. Put a check mark in the two boxes at the bottom that say:

*Inherit from parents the permission entries that apply to child objects. 
Include these with entries explicitly defined here.*

Click Apply and OK.

Then, under *Permissions* for Administrators, put a check mark in "Full Control" and "Allow". Then click Apply and OK.

Now right click the *{2A0176FE-008B-4706-90F5-BBA532A49731}* key and select *delete*.

After youve done all that, rescan with HijackThis and fix these entries:

*O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll (file missing)

O23 - Service: Remote Log - Unknown owner - C:\WINDOWS\system32\ServeHost.exe (file missing)*

Reboot to safe mode and run Killbox on this folder/file. They may not be found.

*C:\Program Files\SearchNet

C:\WINDOWS\system32\ServeHost.exe*

Reboot and post a new HijackThis log please.


----------



## ColleenA (Feb 18, 2002)

K,

I did the services.msc thing and the remote log was already stopped, but I disabled it.

I then did the hijack and Open Misc tools, delete NT service button put Remote Log in the line clicked ok and got a message

The service "Remote Log" is enabled/running. Disable it first using hijackthis (from the scan results) or the services.msc window

but it is enabled, should I continue with the rest of the steps?


----------



## Cookiegal (Aug 27, 2003)

Before you go any further, please do this:

Go to Start - Run - services.msc - OK

Right click on the *Remote Log* service and click on Properties. Please tell me exactly what it says beside Service Name.

Also, can you get the status of this service to stopped?


----------



## ColleenA (Feb 18, 2002)

It says Remote Log beside Service name

Status of this service says stopped


----------



## ColleenA (Feb 18, 2002)

just noticed under status column it doesn't say anything

the box says

Name Remote Log
Description IEouOA (all in those funny characters)
Status Is blank
Start Up Type Automatic
Log On As Local System

Not sure if this helps


----------



## Cookiegal (Aug 27, 2003)

OK, that's good.

Go to *Start*, *All Programs* - *Accessories*, and then click on *Command Prompt*. In the console type: *sc* and press the Enter key. You will see lots of info here. At the bottom, it will ask you if you want to view the query command help info, press *n* for no.

Type the following exactly as it appears below with all spaces and quotation marks and press enter:

*sc delete "Remote Log"*

Close the DOS screen by clicking on the X in the upper right-hand corner.

Now, if you've made your registry back-up and created the new system restore point, after doing the above start with the numbered registry edits (1 through 7) and everything that follows please.


----------



## Cookiegal (Aug 27, 2003)

I had not seen your second post before I posted mine.

Can you change the startup type from automatic to disabled or manual?


----------



## ColleenA (Feb 18, 2002)

under step 1.... Under Group or User names I only have 1 icon and it says everyone


----------



## ColleenA (Feb 18, 2002)

k I think I'm going all over the place

after I have pressed the + in front of all those entries, you say to go Under Group or user names...where do I find that? I right clicked on the one we want to delete and went to permissions ..now when I do that I see administrators, colleen, creator owner, system & Users


----------



## Cookiegal (Aug 27, 2003)

That's where it is. When you right click on the key, you see those names that come under the heading "group or user names". Select "administrators".


----------



## ColleenA (Feb 18, 2002)

k got an error

Cannot delete 2A0176FE.......... Error while deleting


----------



## Cookiegal (Aug 27, 2003)

Did you do this?

Then, under Permissions for Administrators, put a check mark in "Full Control" and "Allow". Then click Apply and OK.


----------



## ColleenA (Feb 18, 2002)

there is already a light grey check mark in allow beside full control, it's shaded out, but there


----------



## Cookiegal (Aug 27, 2003)

What is the exact error message you get when you try to delete the key?


----------



## ColleenA (Feb 18, 2002)

Cannot delete 2A0176FE-008B-4706-90F5-BBA532A49731. Error while deleting


----------



## Cookiegal (Aug 27, 2003)

Try logging on as the Administrator in safe mode and see if you can perform the registry deletions.


----------



## ColleenA (Feb 18, 2002)

k got to step 2 this time (I think) but again this time I got the error message again

Cannot delete 2A0176FE-008B-4706-90F5-BBA532A49731 Error while deleting key


----------



## Cookiegal (Aug 27, 2003)

Did you have success in removing the first key?


----------



## ColleenA (Feb 18, 2002)

k I dont think i did remove it.

When I go to permissions I have 5 entries:

Administrators (TOM-C5C7EB10BE1\Administrators) greyed out checkmarks in Allow

Colleen (TOM-C5C7EB10BE1\Colleen) green checkmarks in Allow

Creator Owner no checkmarks

System greyed out checkmarks

Users (TOM-C5C7EB10BE1\Users) green checkmarks

then if i hilight administrators and hit advanced I get

| Type | Name | Permissions | Inherited From | Apply To |
|---|---|---|---|---|
| Allow | Colleen (TOM-C5C7EB10BE1\Colleen) | Full Control | Not inherited | This key & Subkeys |
| Allow | Creator Owner | Full Control | Not Inherited | subkeys only |
| Allow | Users (TOM-C5C7EB10BE1\Users) | Full Control | Not Inherited | This key & Subkeys |
| Allow | Users (TOM-C5C7EB10BE1\Users) | Read | Machine\Software | This key & Sub keys |
| Allow | Administrators (TOM-C5C7EB10BE1\Administrators) | Full Control | \Software | This key & Sub keys |
| Allow | System | Full Control | Machine\Software | This key & Sub keys |
| | Colleen (TOM-C5C7EB10BE1\Colleen) | Full Control | Machine\Software | this key only |
| | Creator Owner | Full Control | Machine\Software | sub keys only |



Not sure if this helps


----------



## Cookiegal (Aug 27, 2003)

Let's try a different method:

1. Please *download* *The Avenger* by Swandog46 to your *Desktop*.
Click on Avenger.zip to open the file
Extract *avenger.exe* to your desktop

2. Copy all the text contained in the quote box below to your Clipboard by highlighting it and pressing (*Ctrl+C*):



> Registry keys to delete:
> HKEY_LOCAL_MACHINE\software\searchnet
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A0176FE-008B-4706-90F5-BBA532A49731}
> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}
> ...


_*Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.*_

3. Now, *start The Avenger program* by clicking on its icon on your desktop.
Under "*Script file to execute*" choose "*Input Script Manually*".
Now click on the *Magnifying Glass icon* which will open a new window titled "*View/edit script*"
Paste the text copied to clipboard into this window by pressing (*Ctrl+V*). If you can manually remove the space between the 's' and the 'e' in the word 'Brows er', please do so. The forum software puts that space in and won't allow me to remove it.
Click *Done*
Now click on the *Green Light* to begin execution of the script
Answer "*Yes*" twice when prompted.

4. *The Avenger will automatically do the following*:
It will *Restart your computer*. (In cases where the code to execute contains "*Drivers to Unload*", The Avenger will actually *restart your system twice.*)
On reboot, it will briefly *open a black command window* on your desktop, this is normal.
After the restart, it *creates a log file* that should open with the results of Avenger's actions. This log file will be located at *C:\avenger.txt*
The Avenger will also have *backed up all the files, etc., that you asked it to delete*, and will have zipped them and moved the zip archives to *C:\avenger\backup.zip*.

5. Please *copy/paste* the content of *c:\avenger.txt* into your reply *along with a fresh HJT log* by using *Add/Reply*


----------



## ColleenA (Feb 18, 2002)

well that was a fiasco

I ran avenger and it gave me the black box, part of it said

c:\avenger\backup zip

The process cannot access the file because it is being used by another process.

Then another Windows box opened:

Windows-No Disk
There is no disk in the drive. Please insert disk into drive.

Then I went to C file to see if there was a text file there, found it, tried to open it and got the same message: the process cannot access the file because it is being used by another process.

I have left it for now. I am going away for the weekend Friday Morning be back Sunday nite

Thanks


----------



## Cookiegal (Aug 27, 2003)

Please post a new HijackThis log after running Avenger.


----------



## Cookiegal (Aug 27, 2003)

Please post a new HijackThis log after running Avenger and see if you can get the contents of the c:\avenger.txt file posted as well.


----------



## ColleenA (Feb 18, 2002)

Hi

Just got back from cottage. Sorry for delay

I am still unable to run avenger without getting those errors previously mentioned.

Now, I didn't re-download the avenger program, as I already downloaded it earlier in the process....should I have re-downloaded it?

Here is the new Hijack log

Logfile of HijackThis v1.99.1
Scan saved at 9:43:30 PM, on 7/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll (file missing)
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab37625.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab46704.cab
O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab36385.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


----------



## Cookiegal (Aug 27, 2003)

Welcome back. Hope you had a great weekend away. 

We managed to remove the offending service.


Open Ewido by double-clicking the yellow 'E' icon in the system tray. 
In the 'Your security status' section, toggle the Ewido Guard realtime protection 'off' by clicking 'active' which will then change the protection status to 'inactive'. 
When you reboot, Ewido will prompt you as to whether you would like to "Restart the guard?". 
Reply 'no' and set it to 'inactive' for the duration of your cleanup.

Rescan with HijackThis and have it fix this entry:

*O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll (file missing)*

Reboot and post another HijackThis log please.
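
The before/after comparison made by eye in this exchange can be scripted. The following is an added example, not part of the original posts and not HijackThis's own code: it parses HijackThis entry lines, diffs two logs, and lists entries still marked "(file missing)". The function names and the two short log excerpts are constructed from lines quoted in this thread.

```python
import re
from typing import Dict, List, NamedTuple, Optional


class Entry(NamedTuple):
    code: str              # HijackThis section code, e.g. "O2" or "O23"
    text: str              # rest of the line, "(file missing)" suffix removed
    clsid: Optional[str]   # first {GUID} on the line, upper-cased, if any
    file_missing: bool     # HijackThis could not find the target file


ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING = "(file missing)"

# Constructed excerpts assembled from entries quoted in this thread.
BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: Remote Log - Unknown owner - C:\WINDOWS\system32\ServeHost.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

AFTER = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll (file missing)
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""


def parse_log(text: str) -> List[Entry]:
    """Return the R*/O* entries of a HijackThis log, skipping header and process lines."""
    entries = []
    for raw in text.splitlines():
        # strip("*") tolerates forum emphasis markers around a pasted entry
        m = ENTRY_RE.match(raw.strip().strip("*"))
        if not m:
            continue
        body = m.group(2).strip()
        missing = body.endswith(MISSING)
        if missing:
            body = body[: -len(MISSING)].rstrip()
        guid = CLSID_RE.search(body)
        entries.append(
            Entry(m.group(1), body, guid.group(0).upper() if guid else None, missing)
        )
    return entries


def compare(before: str, after: str) -> Dict[str, List[Entry]]:
    """Diff two logs and list what is still orphaned in the newer one."""
    old = {(e.code, e.text): e for e in parse_log(before)}
    new = {(e.code, e.text): e for e in parse_log(after)}
    return {
        "removed": [e for k, e in old.items() if k not in new],
        "added": [e for k, e in new.items() if k not in old],
        # "(file missing)" marks a registry entry whose target is gone; it
        # needs human review, since leftovers of legitimate software show it too.
        "orphaned": [e for e in new.values() if e.file_missing],
    }


if __name__ == "__main__":
    for name, items in compare(BEFORE, AFTER).items():
        print(name)
        for e in items:
            print("   ", e.code, "-", e.text)
```

On these excerpts the diff reports the Remote Log service as removed, while the SearchNet BHO is still listed as orphaned alongside the BitDefender uninstaller leftover.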


----------



## ColleenA (Feb 18, 2002)

Logfile of HijackThis v1.99.1
Scan saved at 10:27:14 PM, on 7/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll (file missing)
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab37625.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab46704.cab
O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab36385.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Thanks


----------



## Cookiegal (Aug 27, 2003)

Download the Registry Search Tool here:

http://www.billsway.com/vbspage/

Unzip it and run it. If your antivirus interferes you may have to disable script blocking in the antivirus. Copy and Paste the following in the search box:

*2A0176FE-008B-4706-90F5-BBA532A49731*

Do the same search again for this please:

*SearchNet*

Copy and paste the results here.


----------



## ColleenA (Feb 18, 2002)

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "2A0176FE-008B-4706-90F5-BBA532A49731" 7/10/2006 4:50:37 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}\InprocServer32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}\ProgID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}\Programmable]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}\TypeLib]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}\VersionIndependentProgID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHpr.InterCept\CLSID]
@="{2A0176FE-008B-4706-90F5-BBA532A49731}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHpr.InterCept.1\CLSID]
@="{2A0176FE-008B-4706-90F5-BBA532A49731}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A0176FE-008B-4706-90F5-BBA532A49731}]

[HKEY_USERS\S-1-5-21-1275210071-854245398-1708537768-1005\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit]
"LastKey"="My Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{2A0176FE-008B-4706-90F5-BBA532A49731}"

[HKEY_USERS\S-1-5-21-1275210071-854245398-1708537768-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2A0176FE-008B-4706-90F5-BBA532A49731}]

[HKEY_USERS\S-1-5-21-1275210071-854245398-1708537768-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2A0176FE-008B-4706-90F5-BBA532A49731}\iexplore]

[HKEY_USERS\S-1-5-21-1275210071-854245398-1708537768-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2A0176FE-008B-4706-90F5-BBA532A49731}]

[HKEY_USERS\S-1-5-21-1275210071-854245398-1708537768-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2A0176FE-008B-4706-90F5-BBA532A49731}\iexplore]

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "SearchNet" 7/10/2006 4:54:04 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}\InprocServer32]
@="C:\\Program Files\\SearchNet\\SNHpr.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\UserFaults]
"C:\\WINDOWS\\PCHealth\\ErrorRep\\UserDumps\\SearchNet.exe.20060623-173026-00.mdmp"=hex:b6,\

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\UserFaults]
"C:\\WINDOWS\\PCHealth\\ErrorRep\\UserDumps\\SearchNet.exe.20060623-173231-00.mdmp"=hex:b6,\

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\UserFaults]
"C:\\WINDOWS\\PCHealth\\ErrorRep\\UserDumps\\SearchNet.exe.20060623-173436-00.mdmp"=hex:b6,\

"C:\\Documents and Settings\\Jessica\\Local Settings\\Temporary Internet Files\\Content.IE5\\CHAFSDUF\\WarezP2P_DLC[1].exe"="WarezP2P_DLC[1]"
"C:\\Program Files\\SearchNet\\ServeUp.exe"="msupdate Microsoft ???????"

Hope these work
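
Search output like the above is easier to act on once it is grouped. The following is an added example, not part of the original post and not the RegSrch tool's code: it separates keys whose path contains the CLSID from values that merely mention it, reduces the keys to the top-level ones, and groups them by user SID. The function names are hypothetical and the sample is an excerpt of the output posted above.

```python
import re
from collections import defaultdict

CLSID = "2A0176FE-008B-4706-90F5-BBA532A49731"

# Excerpt of the RegSrch output posted in this thread.
SAMPLE = r"""REGEDIT4
; Registry search results for string "2A0176FE-008B-4706-90F5-BBA532A49731"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}\InprocServer32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHpr.InterCept\CLSID]
@="{2A0176FE-008B-4706-90F5-BBA532A49731}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A0176FE-008B-4706-90F5-BBA532A49731}]

[HKEY_USERS\S-1-5-21-1275210071-854245398-1708537768-1005\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit]
"LastKey"="My Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{2A0176FE-008B-4706-90F5-BBA532A49731}"

[HKEY_USERS\S-1-5-21-1275210071-854245398-1708537768-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2A0176FE-008B-4706-90F5-BBA532A49731}]

[HKEY_USERS\S-1-5-21-1275210071-854245398-1708537768-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2A0176FE-008B-4706-90F5-BBA532A49731}\iexplore]

[HKEY_USERS\S-1-5-21-1275210071-854245398-1708537768-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2A0176FE-008B-4706-90F5-BBA532A49731}]
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
SID_RE = re.compile(r"^HKEY_USERS\\(S-[\d-]+)\\", re.IGNORECASE)


def parse_hits(text, needle):
    """Split search hits into key-path hits and (key, value name) hits."""
    needle = needle.lower()
    key_hits, value_hits = [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            if needle in current.lower():
                key_hits.append(current)
        elif current and needle in line.lower():
            # Value line: "Name"="data" or @="data" for the default value
            name = line.split("=", 1)[0].strip('"')
            value_hits.append((current, name))
    return key_hits, value_hits


def top_level(keys):
    """Drop keys that sit beneath another hit; removing the parent covers them."""
    roots = []
    for key in sorted(set(keys), key=str.lower):
        if not any(key.lower().startswith(r.lower() + "\\") for r in roots):
            roots.append(key)
    return roots


def by_owner(keys):
    """Group keys by the user SID they live under, or 'machine-wide'."""
    groups = defaultdict(list)
    for key in keys:
        m = SID_RE.match(key)
        groups[m.group(1) if m else "machine-wide"].append(key)
    return dict(groups)


if __name__ == "__main__":
    key_hits, value_hits = parse_hits(SAMPLE, CLSID)
    for owner, keys in by_owner(top_level(key_hits)).items():
        print(owner)
        for k in keys:
            print("    key:", k)
    for key, name in value_hits:
        print("value mention:", key, "->", name)
```

The grouping shows the `Ext\Stats` key under two user SIDs (ending -1005 and -1006), and it separates the `LastKey` hit, which is only Regedit's record of the last key viewed, from keys named after the CLSID.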


----------



## Cookiegal (Aug 27, 2003)

I didn't want you to think I'd forgotten you but I will be preparing something for you and posting back tomorrow morning.


----------



## ColleenA (Feb 18, 2002)

No problem at all, take your time, I know you are putting a lot of time and effort into this.

Thanks Again


----------



## Cookiegal (Aug 27, 2003)

You're welcome and have a nice evening!


----------



## Cookiegal (Aug 27, 2003)

I'm attaching a FixColleen5.zip file. Save it to your desktop but don't do anything with it yet.

Now reboot the computer to safe mode and *log on to the Administrator account*.

Unzip the FixColleen5.zip file and double click the FixColleen5.reg file and allow it to enter into the registry.

Reboot to normal mode and post a new HijackThis log please.


----------



## ColleenA (Feb 18, 2002)

Logfile of HijackThis v1.99.1
Scan saved at 5:11:44 PM, on 7/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll (file missing)
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab37625.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab46704.cab
O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab36385.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


----------



## Cookiegal (Aug 27, 2003)

Would you please do new registry searches for these two items:

*2A0176FE-008B-4706-90F5-BBA532A49731*

*SearchNet*


----------



## ColleenA (Feb 18, 2002)

Did the 2 registry searches for you. No instances of SearchNet were found.

Here is the log for the other search

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "2A0176FE-008B-4706-90F5-BBA532A49731" 7/11/2006 6:30:11 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}\InprocServer32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}\ProgID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}\Programmable]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}\TypeLib]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}\VersionIndependentProgID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A0176FE-008B-4706-90F5-BBA532A49731}]

[HKEY_USERS\S-1-5-21-1275210071-854245398-1708537768-1005\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit]
"LastKey"="My Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{2A0176FE-008B-4706-90F5-BBA532A49731}"

[HKEY_USERS\S-1-5-21-1275210071-854245398-1708537768-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2A0176FE-008B-4706-90F5-BBA532A49731}]

[HKEY_USERS\S-1-5-21-1275210071-854245398-1708537768-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2A0176FE-008B-4706-90F5-BBA532A49731}\iexplore]


----------



## Cookiegal (Aug 27, 2003)

A few are gone but not all. Are you sure you were logged into the Administrator account?


----------



## ColleenA (Feb 18, 2002)

K, I'm sure I was in the Administrator account, but I just repeated that step and Ran ColleenFix 5 from the administrator

Should I now

Should I re do the registry searches from that account as well?

Here is a new hijack

Logfile of HijackThis v1.99.1
Scan saved at 7:26:09 PM, on 7/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll (file missing)
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab37625.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab46704.cab
O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab36385.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{37C2D4C1-A9A2-4B71-987F-7E1D20FD8E3E}: NameServer = 67.69.184.151 206.47.244.57
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

thanks


----------



## Cookiegal (Aug 27, 2003)

Please redo the registry search but just for this one:

2A0176FE-008B-4706-90F5-BBA532A49731


----------



## ColleenA (Feb 18, 2002)

K, I wasn't sure how you wanted me to run the registry search so I did it both in reg mode on my account and safe mode on the administrator account

here is the log from my account

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "2A0176FE-008B-4706-90F5-BBA532A49731" 7/11/2006 10:19:08 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}\InprocServer32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}\ProgID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}\Programmable]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}\TypeLib]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}\VersionIndependentProgID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A0176FE-008B-4706-90F5-BBA532A49731}]

[HKEY_USERS\S-1-5-21-1275210071-854245398-1708537768-1005\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit]
"LastKey"="My Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{2A0176FE-008B-4706-90F5-BBA532A49731}"

[HKEY_USERS\S-1-5-21-1275210071-854245398-1708537768-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2A0176FE-008B-4706-90F5-BBA532A49731}]

[HKEY_USERS\S-1-5-21-1275210071-854245398-1708537768-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2A0176FE-008B-4706-90F5-BBA532A49731}\iexplore]

Here is the log in safe mode on administrators

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "2A0176FE-008B-4706-90F5-BBA532A49731" 7/11/2006 10:26:02 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}\InprocServer32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}\ProgID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}\Programmable]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}\TypeLib]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}\VersionIndependentProgID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A0176FE-008B-4706-90F5-BBA532A49731}]

[HKEY_USERS\S-1-5-21-1275210071-854245398-1708537768-500\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit]
"LastKey"="My Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2A0176FE-008B-4706-90F5-BBA532A49731}"


----------
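The cross-check being done by eye in the posts above, matching a HijackThis entry marked "(file missing)" against the registry keys that still carry its CLSID in each account's search, written out as an added Python example. It is not part of any post in this thread; the function names are my own, and the sample input is a handful of lines excerpted from the logs posted above.

```python
import re

# Sample input: a few lines excerpted from the HijackThis log posted in this thread.
HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""

# Sample input: RegSrch.vbs output from the user account, abbreviated to a few keys.
USER_SEARCH = r"""
REGEDIT4
; Registry search results for string "2A0176FE-008B-4706-90F5-BBA532A49731"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}\InprocServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A0176FE-008B-4706-90F5-BBA532A49731}]
[HKEY_USERS\S-1-5-21-1275210071-854245398-1708537768-1005\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit]
"LastKey"="My Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{2A0176FE-008B-4706-90F5-BBA532A49731}"
[HKEY_USERS\S-1-5-21-1275210071-854245398-1708537768-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2A0176FE-008B-4706-90F5-BBA532A49731}]
"""

# Sample input: the same search run as Administrator in safe mode, abbreviated.
ADMIN_SEARCH = r"""
REGEDIT4
; Registry search results for string "2A0176FE-008B-4706-90F5-BBA532A49731"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}\InprocServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A0176FE-008B-4706-90F5-BBA532A49731}]
[HKEY_USERS\S-1-5-21-1275210071-854245398-1708537768-500\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit]
"""

HJT_LINE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")  # e.g. "O2 - BHO: ..."
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_hijackthis(text):
    """Return one dict per HijackThis result line (section code, CLSID, missing flag)."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue  # header lines, process list, blank lines
        code, body = m.groups()
        clsid = CLSID.search(body)
        entries.append({
            "code": code,
            "body": body,
            "clsid": clsid.group(0).upper() if clsid else None,
            "file_missing": body.rstrip().endswith("(file missing)"),
        })
    return entries


def missing_file_entries(entries):
    """Entries whose registered file no longer exists on disk (leftover registrations)."""
    return [e for e in entries if e["file_missing"]]


def parse_regsrch(text):
    """Return the key paths ([...] section headers) from a RegSrch.vbs result file."""
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            keys.append(line[1:-1])  # comments (;) and values ("name"=...) are skipped
    return keys


def keys_for_clsid(keys, clsid):
    """Keys whose own path contains the CLSID (not keys that only mention it in a value)."""
    return [k for k in keys if clsid.upper() in k.upper()]


def compare_searches(keys_a, keys_b, clsid):
    """Split the CLSID's keys into those seen in both searches and in only one."""
    a = {k.upper(): k for k in keys_for_clsid(keys_a, clsid)}
    b = {k.upper(): k for k in keys_for_clsid(keys_b, clsid)}
    return {
        "both": sorted(a[k] for k in a.keys() & b.keys()),
        "only_a": sorted(a[k] for k in a.keys() - b.keys()),
        "only_b": sorted(b[k] for k in b.keys() - a.keys()),
    }


if __name__ == "__main__":
    bho = [e for e in missing_file_entries(parse_hijackthis(HJT_LOG)) if e["code"] == "O2"][0]
    result = compare_searches(parse_regsrch(USER_SEARCH), parse_regsrch(ADMIN_SEARCH), bho["clsid"])
    for group, keys in result.items():
        print(group)
        for key in keys:
            print("   ", key)
```

On these samples the HKEY_LOCAL_MACHINE keys appear in both searches, and the only difference is the per-user `Ext\Stats` key under the `-1005` SID, which shows up only in the search run from that user's account.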



## Cookiegal (Aug 27, 2003)

Log into the administrator's account and navigate to this value in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\*{2A0176FE-008B-4706-90F5-BBA532A49731}*

Be sure that you are *not expanding* the value {2A0176FE-008B-4706-90F5-BBA532A49731}

Right click on {2A0176FE-008B-4706-90F5-BBA532A49731} and select "delete".

Do the same for this value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*{2A0176FE-008B-4706-90F5-BBA532A49731}*

While still in safe mode in Administrator do another registry search for {2A0176FE-008B-4706-90F5-BBA532A49731} and post the results please.


----------



## ColleenA (Feb 18, 2002)

Logged onto administrator in safe mode, went to registry, tried to delete those two items but it said that they could not be deleted.


----------



## Cookiegal (Aug 27, 2003)

Do this from any account.

Right click on one of those last registry values - select permissions - click on advanced - click on the Owner tab and tell me who it says is the owner of this key.


----------



## ColleenA (Feb 18, 2002)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}

says it belongs to Administrators (Tom-C5C7EB10BE1\Administrators)



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A0176FE-008B-4706-90F5-BBA532A49731}

says it belongs to Colleen (Tom-C5C7EB10BE1\Colleen)


----------



## Cookiegal (Aug 27, 2003)

Please do the same for each of these as well:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}\InprocServer32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}\ProgID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}\Programmable]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}\TypeLib]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}\VersionIndependentProgID]

[HKEY_USERS\S-1-5-21-1275210071-854245398-1708537768-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2A0176FE-008B-4706-90F5-BBA532A49731}]

[HKEY_USERS\S-1-5-21-1275210071-854245398-1708537768-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2A0176FE-008B-4706-90F5-BBA532A49731}\iexplore]


----------



## ColleenA (Feb 18, 2002)

Sorry I haven't got back to you. I've been out of town for a few days, my sister had a kidney transplant yesterday so I've been at the hospital since Wednesday with her.

You said to do the same with the list of items you gave me, not sure what you want me to do with them....see who they belong to?

thanks


----------



## Cookiegal (Aug 27, 2003)

I'm so sorry to hear about your sister and hope she is doing well.


Yes, please see who they belong to as you did for those other two:

Right click on one of those last registry values - select permissions - click on advanced - click on the Owner tab and tell me who it says is the owner of this key.


----------



## ColleenA (Feb 18, 2002)

hi:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}\InprocServer32] BELONGS TO Administrators (TOM-C5C7EB10BE1\Administrators)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}\ProgID] BELONGS TO Administrators (TOM-C5C7EB10BE1\Administrators)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}\Programmable] BELONGS TO Administrators (TOM-C5C7EB10BE1\Administrators)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}\TypeLib] BELONGS TO Administrators (TOM-C5C7EB10BE1\Administrators)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}\VersionIndependentProgID] BELONGS TO Administrators (TOM-C5C7EB10BE1\Administrators)

[HKEY_USERS\S-1-5-21-1275210071-854245398-1708537768-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2A0176FE-008B-4706-90F5-BBA532A49731}] BELONGS TO Colleen (TOM-C5C7EB10BE1\Colleen)

[HKEY_USERS\S-1-5-21-1275210071-854245398-1708537768-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2A0176FE-008B-4706-90F5-BBA532A49731}\iexplore] BELONGS TO Colleen (TOM-C5C7EB10BE1\Colleen)

Thanks


----------



## Cookiegal (Aug 27, 2003)

Log into the *Administrator* account in safe mode.

Expand each of these keys by clicking on the + sign to the left:

+HKEY_LOCAL_MACHINE
+SOFTWARE
+Classes
+CLSID
+{2A0176FE-008B-4706-90F5-BBA532A49731}

Right click on:

*VersionIndependentProgID*

Select "permissions"

Click on "advanced"

Put a checkmark next to "Inherit from parent the permission entries that apply to child objects......"

Click "apply" and OK.

Right click *VersionIndependentProgID* again and select "delete". If you get a message asking if you are sure you want to delete the key, reply "yes".

Let me know if you were able to delete that one before we go on please.


----------



## ColleenA (Feb 18, 2002)

I was unable to delete the key

Got Message:

Cannot delete VersionIndependentProgID: Error while deleting key


----------



## Cookiegal (Aug 27, 2003)

Is that the last sub-key (folders showing in the left-hand pane) that falls under the key {2A0176FE-008B-4706-90F5-BBA532A49731} or is there something else below it?


----------



## ColleenA (Feb 18, 2002)

yes that is the last sub key


----------



## Cookiegal (Aug 27, 2003)

Let's check to see if there are any group policies in effect that could be blocking this. Run this report from each of the user accounts, including the administrator and then save them and copy and paste them here please.

Go to *Start* and click *Help and Support Center*.

Under *Pick a Task*, select *Use Tools to view your computer information and diagnose problems*.

Click *Advanced System Information*, then click *View Group Policy settings applied*.


----------



## ColleenA (Feb 18, 2002)

I went to the Help Center and followed directions but there is nothing that I can see that says View Group Policy settings applied

There are 4 items

View detailed system information (Msinfo32.exe)

View running services

View error log

View information from another computer


----------



## Cookiegal (Aug 27, 2003)

Try it from the other user accounts, including administrator please


----------



## ColleenA (Feb 18, 2002)

I tried from all accounts and only got the same 4 items.

I can only seem to get into the administrators account in safe mode.

thanks


----------



## Cookiegal (Aug 27, 2003)

Log on as administrator (it's normal that you can only do this in safe mode).

Expand each of these keys by clicking on the + sign to the left:

+HKEY_LOCAL_MACHINE
+SOFTWARE
+Classes
+CLSID
+{2A0176FE-008B-4706-90F5-BBA532A49731}

Right click on:

*VersionIndependentProgID*

Select "permissions"

Click on "advanced"

Under "permission entries" double click on:

*Administrators (TOM-C5C7EB10BE1\Administrators)*

Another screen will open up with several boxes that should be checked.

Please take a screen shot of this box and attach it in your next reply.

To do that, click on "print screen" which will save the screen shot to your clipboard. Then open MS Paint and paste the screen shot there. Save it and upload it here please.


----------



## ColleenA (Feb 18, 2002)

hope this works


Ooops, when I upload the screen shot it says that it is too big for a bmp file. Any way to make it smaller?


----------



## Cookiegal (Aug 27, 2003)

Do you know how to make it smaller or do you need help with that?


----------



## ColleenA (Feb 18, 2002)

I can't seem to reduce the byte size in Paint


----------



## Cookiegal (Aug 27, 2003)

Save it to Microsoft Office Picture Manager and resize it there.


----------



## ColleenA (Feb 18, 2002)

let me know if this worked

Says it is attached although I can't see where. It's called screenshot2


----------



## ColleenA (Feb 18, 2002)

Oh I see, once I hit submit it shows up


----------



## Cookiegal (Aug 27, 2003)

1. Please *download* *The Avenger* by Swandog46 to your *Desktop*.
Click on Avenger.zip to open the file
Extract *avenger.exe* to your desktop

2. Copy all the text contained in the quote box below (including the words "Registry keys to delete:") to your Clipboard by highlighting it and pressing (*Ctrl+C*):



> Registry keys to delete:
> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}\VersionIndependentProgID


_*Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.*_

3. Now, *start The Avenger program* by clicking on its icon on your desktop.
Under "*Script file to execute*" choose "*Input Script Manually*".
Now click on the *Magnifying Glass icon* which will open a new window titled "*View/edit script*"
Paste the text copied to clipboard into this window by pressing (*Ctrl+V*).
Click *Done*
Now click on the *Green Light* to begin execution of the script
Answer "*Yes*" twice when prompted.

4. *The Avenger will automatically do the following*:
It will *Restart your computer*. (In cases where the code to execute contains "*Drivers to Unload*", The Avenger will actually *restart your system twice.*)
On reboot, it will briefly *open a black command window* on your desktop, this is normal.
After the restart, it *creates a log file* that should open with the results of Avenger's actions. This log file will be located at *C:\avenger.txt*
The Avenger will also have *backed up all the files, etc., that you asked it to delete*, and will have zipped them and moved the zip archives to *C:\avenger\backup.zip*.

5. Please *copy/paste* the content of *c:\avenger.txt* into your reply.


----------



## ColleenA (Feb 18, 2002)

I did the avenger thing but when it restarted it said that it was unable to find the avenger txt file.

I did find the file but there is nothing on the notepad or file, it is empty


----------



## Cookiegal (Aug 27, 2003)

Well, I'm running out of ideas.  

Please let me see a new HijackThis and WinpFind log taken from each user account and we'll see if there's anything I may have overlooked.


----------



## ColleenA (Feb 18, 2002)

Hi

I agree, you seem to be spending a lot of time with me, which I appreciate, but I don't think we are getting anywhere.

The computer seems to be working fine, and I have been doing virus and spyware scans and getting rid of any spyware. Haven't found any viruses.

Here are the logs for each account. I'll have to post each separately as they are too big

COLLEEN HIJACK

Logfile of HijackThis v1.99.1
Scan saved at 12:24:38 PM, on 7/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\system32\spider.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZSTC04.EXE
C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll (file missing)
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab37625.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab46704.cab
O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab40641.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{37C2D4C1-A9A2-4B71-987F-7E1D20FD8E3E}: NameServer = 67.69.184.151 206.47.244.57
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

NICHOLAS HIJACK

Logfile of HijackThis v1.99.1
Scan saved at 12:45:41 PM, on 7/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\License_Manager\license_manager.exe
C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll (file missing)
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab37625.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab46704.cab
O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab40641.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{37C2D4C1-A9A2-4B71-987F-7E1D20FD8E3E}: NameServer = 67.69.184.151 206.47.244.57
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

JESSICA HIJACK

Logfile of HijackThis v1.99.1
Scan saved at 1:10:49 PM, on 7/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll (file missing)
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab37625.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab46704.cab
O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab40641.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{37C2D4C1-A9A2-4B71-987F-7E1D20FD8E3E}: NameServer = 67.69.184.151 206.47.244.57
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


----------



## ColleenA (Feb 18, 2002)

Here is next post

TOM HIJACK

Logfile of HijackThis v1.99.1
Scan saved at 1:42:39 PM, on 7/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sympatico.ca/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll (file missing)
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab37625.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab46704.cab
O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab40641.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{37C2D4C1-A9A2-4B71-987F-7E1D20FD8E3E}: NameServer = 67.69.184.151 206.47.244.57
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


----------
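The four HijackThis logs above differ in only a handful of lines, which is hard to spot by eye. As an added example (not part of the original thread and not HijackThis's own code), the Python below parses the entry lines, lists the ones HijackThis marked "(file missing)", and reports which entries do not appear in every account's log. The sample logs are short excerpts constructed from lines posted above, and all function names are assumptions.

```python
import re
from collections import defaultdict

# An entry line is "<section code> - <detail>", e.g. "O4 - HKLM\..\Run: [...] ...".
# Header lines and the "Running processes" paths do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<code>[ROFN]\d{1,2}) - (?P<detail>.+)$")


def parse_log(text):
    """Return the (code, detail) pairs for the entry lines of one HijackThis log."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group("code"), match.group("detail")))
    return entries


def orphaned(entries):
    """Entries the scanner itself tagged '(file missing)': data pointing at a file that is gone."""
    return [entry for entry in entries if entry[1].endswith("(file missing)")]


def per_account_diff(logs):
    """Map each entry that is NOT present in every account's log to the accounts that show it."""
    seen = defaultdict(set)
    for account, text in logs.items():
        for entry in parse_log(text):
            seen[entry].add(account)
    everyone = set(logs)
    return {entry: sorted(accts) for entry, accts in seen.items() if accts != everyone}


def machine_wide(entry):
    """True for entries that name a machine-wide location explicitly.

    Assumption of this example: only the HKLM and 'Global Startup' prefixes are
    tested; other sections may also be machine-wide but do not say so in the detail.
    """
    return entry[1].startswith(("HKLM\\", "Global Startup:"))


# Constructed sample: a few lines excerpted from each account's log in this thread.
SAMPLE_LOGS = {
    "COLLEEN": r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\spider.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll (file missing)
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
""",
    "NICHOLAS": r"""Logfile of HijackThis v1.99.1
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll (file missing)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
""",
    "TOM": r"""Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sympatico.ca/
O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll (file missing)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
""",
}

if __name__ == "__main__":
    for account, text in SAMPLE_LOGS.items():
        for code, detail in orphaned(parse_log(text)):
            print(f"[{account}] orphaned {code}: {detail}")
    for (code, detail), accounts in sorted(per_account_diff(SAMPLE_LOGS).items()):
        scope = "machine-wide" if machine_wide((code, detail)) else "other"
        print(f"{','.join(accounts):<18} {scope:<13} {code} - {detail}")
```

An HKLM or Global Startup entry is machine-wide, so when it shows up in one account's log but not another it changed between scans rather than belonging to one user. HKCU entries such as the R0 start page are per-user and are expected to differ.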



## ColleenA (Feb 18, 2002)

COLLEEN WINPFIND

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 8/4/2004 8:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 5/23/2006 5:26:00 PM 579888 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
aspack 7/6/2006 9:21:46 PM 6757792 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 8:00:00 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 8:00:00 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/4/2004 8:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
PTech 5/23/2006 5:25:52 PM 285488 C:\WINDOWS\SYSTEM32\WgaTray.exe

Checking %System%\Drivers folder and sub-folders...
aspack 1/20/2006 3:40:42 PM R 783984 C:\WINDOWS\SYSTEM32\drivers\css-dvp.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
7/23/2006 10:07:36 AM S 2048 C:\WINDOWS\bootstat.dat
7/23/2006 2:07:08 AM H 54156 C:\WINDOWS\QTFont.qfn
6/17/2006 10:13:24 AM H 65536 C:\WINDOWS\Minidump\Mini061706-01.dmp
5/29/2006 12:16:00 PM S 23751 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB916281.cat
6/1/2006 4:28:56 PM S 11043 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918439.cat
7/23/2006 10:09:20 AM H 1024 C:\WINDOWS\system32\config\default.LOG
7/23/2006 10:07:44 AM H 1024 C:\WINDOWS\system32\config\SAM.LOG
7/23/2006 10:17:48 AM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
7/23/2006 12:28:46 PM H 1024 C:\WINDOWS\system32\config\software.LOG
7/23/2006 12:33:04 PM H 1024 C:\WINDOWS\system32\config\system.LOG
7/15/2006 5:00:58 PM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
5/28/2006 11:29:10 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\9b2bfb91-210e-4e5c-add5-a50ad005d879
5/28/2006 11:29:10 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
5/24/2006 5:51:16 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\d27aec55-df77-497b-9804-47a5571b66f9
5/24/2006 5:51:16 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
7/23/2006 10:07:40 AM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 4/13/2005 3:48:52 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
RealNetworks, Inc. 9/4/2005 9:18:28 PM 24064 C:\WINDOWS\SYSTEM32\prefscpl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Sony Corporation 12/4/1999 4:11:30 AM 151552 C:\WINDOWS\SYSTEM32\UILib.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
8/28/2005 11:15:28 AM 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
8/26/2005 12:10:22 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
8/26/2005 3:33:14 PM 1725 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
8/26/2005 7:50:28 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
3/12/2006 6:05:30 PM 1767 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...
8/26/2005 12:10:22 PM HS 84 C:\Documents and Settings\Colleen\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
8/28/2005 11:11:42 AM 1558 C:\Documents and Settings\Colleen\Application Data\AdobeDLM.log
8/26/2005 7:50:26 AM HS 62 C:\Documents and Settings\Colleen\Application Data\desktop.ini
8/28/2005 11:11:40 AM 0 C:\Documents and Settings\Colleen\Application Data\dm.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{FFFFE5C1-34AF-4d4d-B3D3-5BB86A2BAA7B}
= C:\Program Files\Zero Knowledge\Freedom\AVContextR.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper
{7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{FFFFE5C1-34AF-4d4d-B3D3-5BB86A2BAA7B}
= C:\Program Files\Zero Knowledge\Freedom\AVContextR.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\{FFFFE5C1-34AF-4d4d-B3D3-5BB86A2BAA7B}
= C:\Program Files\Zero Knowledge\Freedom\AVContextR.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}
Yahoo! Companion BHO = C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A0176FE-008B-4706-90F5-BBA532A49731}
IE Address Browser Helper = C:\Program Files\SearchNet\SNHpr.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3C060EA2-E6A9-4E49-A530-D4657B8C449A}
PopKill Class = C:\Program Files\Zero Knowledge\Freedom\pkR.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56071E0D-C61B-11D3-B41C-00E02927A304}
ZKBho Class = C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\system32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Companion	: C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{85d1f590-48f4-11d9-9669-0800200c9a66}
MenuText = Uninstall BitDefender Online Scanner v8	:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address	: %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links	: %SystemRoot%\system32\SHELL32.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Companion	: C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
{463DF6D5-BEC1-4D67-B217-59DB692DFC53} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
HPDJ Taskbar Utility	C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
SsAAD.exe	C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
SunJavaUpdateSched	C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
Share-to-Web Namespace Daemon	C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
Motive SmartBridge	C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
LVCOMS	C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
CXMon	"C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL	Installed = 1
MAPI	Installed = 1
MSFS	Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NetAssistant.lnk
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NetAssistant.lnk
backup	C:\WINDOWS\pss\NetAssistant.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\NETASS~1\bin\matcli.exe -boot
item	NetAssistant
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NetAssistant.lnk
backup	C:\WINDOWS\pss\NetAssistant.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\NETASS~1\bin\matcli.exe -boot
item	NetAssistant

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Colleen^Start Menu^Programs^Startup^LimeWire On Startup.lnk
path	C:\Documents and Settings\Colleen\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup	C:\WINDOWS\pss\LimeWire On Startup.lnkStartup
location	Startup
command	C:\PROGRA~1\LimeWire\LimeWire.exe -startup
item	LimeWire On Startup
path	C:\Documents and Settings\Colleen\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup	C:\WINDOWS\pss\LimeWire On Startup.lnkStartup
location	Startup
command	C:\PROGRA~1\LimeWire\LimeWire.exe -startup
item	LimeWire On Startup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\!ewido
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	ewido
hkey	HKLM
command	"C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	ewido
hkey	HKLM
command	"C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\csrss
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	warez
hkey	HKCU
command	"C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	warez
hkey	HKCU
command	"C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	iTunesHelper
hkey	HKLM
command	"C:\Program Files\iTunes\iTunesHelper.exe"
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	iTunesHelper
hkey	HKLM
command	"C:\Program Files\iTunes\iTunesHelper.exe"
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msmsgs
hkey	HKCU
command	"C:\Program Files\Messenger\msmsgs.exe" /background
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msmsgs
hkey	HKCU
command	"C:\Program Files\Messenger\msmsgs.exe" /background
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\msnmsgr
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msnmsgr
hkey	HKCU
command	"C:\Program Files\MSN Messenger\msnmsgr.exe" /background
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msnmsgr
hkey	HKCU
command	"C:\Program Files\MSN Messenger\msnmsgr.exe" /background
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	qttask
hkey	HKLM
command	"C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	qttask
hkey	HKLM
command	"C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RealTray
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	RealPlay
hkey	HKLM
command	C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	RealPlay
hkey	HKLM
command	C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\warez
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	warez
hkey	HKCU
command	"C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	warez
hkey	HKCU
command	"C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini	0
win.ini	0
bootini	0
services	0
startup	2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername	0
legalnoticecaption	
legalnoticetext	
shutdownwithoutlogon	1
undockwithoutlogon	1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun	145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableRegistryTools	0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit	= C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
= WgaLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1	- Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 7/23/2006 12:34:08 PM


----------



## ColleenA (Feb 18, 2002)

NICHOLAS WINPFIND

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 8/4/2004 8:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 5/23/2006 5:26:00 PM 579888 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
aspack 7/6/2006 9:21:46 PM 6757792 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 8:00:00 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 8:00:00 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/4/2004 8:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
PTech 5/23/2006 5:25:52 PM 285488 C:\WINDOWS\SYSTEM32\WgaTray.exe

Checking %System%\Drivers folder and sub-folders...
aspack 1/20/2006 3:40:42 PM R 783984 C:\WINDOWS\SYSTEM32\drivers\css-dvp.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
7/23/2006 10:07:36 AM S 2048 C:\WINDOWS\bootstat.dat
7/23/2006 2:07:08 AM H 54156 C:\WINDOWS\QTFont.qfn
6/17/2006 10:13:24 AM H 65536 C:\WINDOWS\Minidump\Mini061706-01.dmp
5/29/2006 12:16:00 PM S 23751 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB916281.cat
6/1/2006 4:28:56 PM S 11043 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918439.cat
7/23/2006 12:36:44 PM H 1024 C:\WINDOWS\system32\config\default.LOG
7/23/2006 12:36:56 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
7/23/2006 12:39:56 PM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
7/23/2006 12:46:34 PM H 1024 C:\WINDOWS\system32\config\software.LOG
7/23/2006 12:58:26 PM H 1024 C:\WINDOWS\system32\config\system.LOG
7/15/2006 5:00:58 PM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
5/28/2006 11:29:10 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\9b2bfb91-210e-4e5c-add5-a50ad005d879
5/28/2006 11:29:10 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
5/24/2006 5:51:16 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\d27aec55-df77-497b-9804-47a5571b66f9
5/24/2006 5:51:16 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
7/23/2006 10:07:40 AM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 4/13/2005 3:48:52 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
RealNetworks, Inc. 9/4/2005 9:18:28 PM 24064 C:\WINDOWS\SYSTEM32\prefscpl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Sony Corporation 12/4/1999 4:11:30 AM 151552 C:\WINDOWS\SYSTEM32\UILib.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
8/28/2005 11:15:28 AM 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
8/26/2005 12:10:22 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
8/26/2005 7:50:28 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
3/12/2006 6:05:30 PM 1767 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...
8/26/2005 12:10:22 PM HS 84 C:\Documents and Settings\Nicholas\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
8/26/2005 7:50:26 AM HS 62 C:\Documents and Settings\Nicholas\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{FFFFE5C1-34AF-4d4d-B3D3-5BB86A2BAA7B}
= C:\Program Files\Zero Knowledge\Freedom\AVContextR.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper
{7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{FFFFE5C1-34AF-4d4d-B3D3-5BB86A2BAA7B}
= C:\Program Files\Zero Knowledge\Freedom\AVContextR.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\{FFFFE5C1-34AF-4d4d-B3D3-5BB86A2BAA7B}
= C:\Program Files\Zero Knowledge\Freedom\AVContextR.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}
Yahoo! Companion BHO = C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A0176FE-008B-4706-90F5-BBA532A49731}
IE Address Browser Helper = C:\Program Files\SearchNet\SNHpr.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3C060EA2-E6A9-4E49-A530-D4657B8C449A}
PopKill Class = C:\Program Files\Zero Knowledge\Freedom\pkR.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56071E0D-C61B-11D3-B41C-00E02927A304}
ZKBho Class = C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\system32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Companion	: C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{85d1f590-48f4-11d9-9669-0800200c9a66}
MenuText = Uninstall BitDefender Online Scanner v8	:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\system32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address	: %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links	: %SystemRoot%\system32\SHELL32.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Companion	: C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
{463DF6D5-BEC1-4D67-B217-59DB692DFC53} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
HPDJ Taskbar Utility	C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
SsAAD.exe	C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
SunJavaUpdateSched	C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
Share-to-Web Namespace Daemon	C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
Motive SmartBridge	C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
CXMon	"C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
MSConfig	C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL	Installed = 1
MAPI	Installed = 1
MSFS	Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup	C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\MICROS~2\Office\OSA9.EXE -b -l
item	Microsoft Office
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup	C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\MICROS~2\Office\OSA9.EXE -b -l
item	Microsoft Office

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NetAssistant.lnk
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NetAssistant.lnk
backup	C:\WINDOWS\pss\NetAssistant.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\NETASS~1\bin\matcli.exe -boot
item	NetAssistant
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NetAssistant.lnk
backup	C:\WINDOWS\pss\NetAssistant.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\NETASS~1\bin\matcli.exe -boot
item	NetAssistant

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Colleen^Start Menu^Programs^Startup^LimeWire On Startup.lnk
path	C:\Documents and Settings\Colleen\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup	C:\WINDOWS\pss\LimeWire On Startup.lnkStartup
location	Startup
command	C:\PROGRA~1\LimeWire\LimeWire.exe -startup
item	LimeWire On Startup
path	C:\Documents and Settings\Colleen\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup	C:\WINDOWS\pss\LimeWire On Startup.lnkStartup
location	Startup
command	C:\PROGRA~1\LimeWire\LimeWire.exe -startup
item	LimeWire On Startup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\!ewido
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	ewido
hkey	HKLM
command	"C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	ewido
hkey	HKLM
command	"C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\csrss
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	warez
hkey	HKCU
command	"C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	warez
hkey	HKCU
command	"C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	iTunesHelper
hkey	HKLM
command	"C:\Program Files\iTunes\iTunesHelper.exe"
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	iTunesHelper
hkey	HKLM
command	"C:\Program Files\iTunes\iTunesHelper.exe"
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\License Manager
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	license_manager
hkey	HKCU
command	"C:\Program Files\License_Manager\license_manager.exe " /silent
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	license_manager
hkey	HKCU
command	"C:\Program Files\License_Manager\license_manager.exe " /silent
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\LVCOMS
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	LVCOMS
hkey	HKLM
command	C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	LVCOMS
hkey	HKLM
command	C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msmsgs
hkey	HKCU
command	"C:\Program Files\Messenger\msmsgs.exe" /background
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msmsgs
hkey	HKCU
command	"C:\Program Files\Messenger\msmsgs.exe" /background
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\msnmsgr
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msnmsgr
hkey	HKCU
command	"C:\Program Files\MSN Messenger\msnmsgr.exe" /background
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msnmsgr
hkey	HKCU
command	"C:\Program Files\MSN Messenger\msnmsgr.exe" /background
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	qttask
hkey	HKLM
command	"C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	qttask
hkey	HKLM
command	"C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RealTray
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	RealPlay
hkey	HKLM
command	C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	RealPlay
hkey	HKLM
command	C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\warez
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	warez
hkey	HKCU
command	"C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	warez
hkey	HKCU
command	"C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini	0
win.ini	0
bootini	0
services	0
startup	2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername	0
legalnoticecaption	
legalnoticetext	
shutdownwithoutlogon	1
undockwithoutlogon	1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun	145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableRegistryTools	1
NoAdminPage	1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit	= C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
= WgaLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1	- Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 7/23/2006 1:00:58 PM


----------



## ColleenA (Feb 18, 2002)

JESSICA WINPFIND

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 8/4/2004 8:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 5/23/2006 5:26:00 PM 579888 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
aspack 7/6/2006 9:21:46 PM 6757792 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 8:00:00 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 8:00:00 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/4/2004 8:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
PTech 5/23/2006 5:25:52 PM 285488 C:\WINDOWS\SYSTEM32\WgaTray.exe

Checking %System%\Drivers folder and sub-folders...
aspack 1/20/2006 3:40:42 PM R 783984 C:\WINDOWS\SYSTEM32\drivers\css-dvp.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
7/23/2006 10:07:36 AM S 2048 C:\WINDOWS\bootstat.dat
7/23/2006 2:07:08 AM H 54156 C:\WINDOWS\QTFont.qfn
6/17/2006 10:13:24 AM H 65536 C:\WINDOWS\Minidump\Mini061706-01.dmp
5/29/2006 12:16:00 PM S 23751 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB916281.cat
6/1/2006 4:28:56 PM S 11043 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918439.cat
7/23/2006 1:08:34 PM H 1024 C:\WINDOWS\system32\config\default.LOG
7/23/2006 1:08:42 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
7/23/2006 1:09:58 PM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
7/23/2006 1:18:14 PM H 1024 C:\WINDOWS\system32\config\software.LOG
7/23/2006 1:16:46 PM H 1024 C:\WINDOWS\system32\config\system.LOG
7/15/2006 5:00:58 PM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
5/28/2006 11:29:10 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\9b2bfb91-210e-4e5c-add5-a50ad005d879
5/28/2006 11:29:10 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
5/24/2006 5:51:16 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\d27aec55-df77-497b-9804-47a5571b66f9
5/24/2006 5:51:16 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
7/23/2006 10:07:40 AM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 4/13/2005 3:48:52 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
RealNetworks, Inc. 9/4/2005 9:18:28 PM 24064 C:\WINDOWS\SYSTEM32\prefscpl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Sony Corporation 12/4/1999 4:11:30 AM 151552 C:\WINDOWS\SYSTEM32\UILib.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
8/26/2005 12:10:22 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
8/26/2005 7:50:28 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
3/12/2006 6:05:30 PM 1767 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...
8/26/2005 12:10:22 PM HS 84 C:\Documents and Settings\Jessica\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
8/26/2005 7:50:26 AM HS 62 C:\Documents and Settings\Jessica\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{FFFFE5C1-34AF-4d4d-B3D3-5BB86A2BAA7B}
= C:\Program Files\Zero Knowledge\Freedom\AVContextR.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper
{7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{FFFFE5C1-34AF-4d4d-B3D3-5BB86A2BAA7B}
= C:\Program Files\Zero Knowledge\Freedom\AVContextR.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\{FFFFE5C1-34AF-4d4d-B3D3-5BB86A2BAA7B}
= C:\Program Files\Zero Knowledge\Freedom\AVContextR.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}
Yahoo! Companion BHO = C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A0176FE-008B-4706-90F5-BBA532A49731}
IE Address Browser Helper = C:\Program Files\SearchNet\SNHpr.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3C060EA2-E6A9-4E49-A530-D4657B8C449A}
PopKill Class = C:\Program Files\Zero Knowledge\Freedom\pkR.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56071E0D-C61B-11D3-B41C-00E02927A304}
ZKBho Class = C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\system32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Companion	: C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{85d1f590-48f4-11d9-9669-0800200c9a66}
MenuText = Uninstall BitDefender Online Scanner v8	:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\system32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address	: %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links	: %SystemRoot%\system32\SHELL32.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Companion	: C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
{463DF6D5-BEC1-4D67-B217-59DB692DFC53} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
HPDJ Taskbar Utility	C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
SsAAD.exe	C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
SunJavaUpdateSched	C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
Share-to-Web Namespace Daemon	C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
Motive SmartBridge	C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
CXMon	"C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
MSConfig	C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL	Installed = 1
MAPI	Installed = 1
MSFS	Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup	C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE 
item	Adobe Reader Speed Launch
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup	C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE 
item	Adobe Reader Speed Launch

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup	C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\MICROS~2\Office\OSA9.EXE -b -l
item	Microsoft Office
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup	C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\MICROS~2\Office\OSA9.EXE -b -l
item	Microsoft Office

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NetAssistant.lnk
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NetAssistant.lnk
backup	C:\WINDOWS\pss\NetAssistant.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\NETASS~1\bin\matcli.exe -boot
item	NetAssistant
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NetAssistant.lnk
backup	C:\WINDOWS\pss\NetAssistant.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\NETASS~1\bin\matcli.exe -boot
item	NetAssistant

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Colleen^Start Menu^Programs^Startup^LimeWire On Startup.lnk
path	C:\Documents and Settings\Colleen\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup	C:\WINDOWS\pss\LimeWire On Startup.lnkStartup
location	Startup
command	C:\PROGRA~1\LimeWire\LimeWire.exe -startup
item	LimeWire On Startup
path	C:\Documents and Settings\Colleen\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup	C:\WINDOWS\pss\LimeWire On Startup.lnkStartup
location	Startup
command	C:\PROGRA~1\LimeWire\LimeWire.exe -startup
item	LimeWire On Startup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\!ewido
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	ewido
hkey	HKLM
command	"C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	ewido
hkey	HKLM
command	"C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\csrss
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	warez
hkey	HKCU
command	"C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	warez
hkey	HKCU
command	"C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	iTunesHelper
hkey	HKLM
command	"C:\Program Files\iTunes\iTunesHelper.exe"
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	iTunesHelper
hkey	HKLM
command	"C:\Program Files\iTunes\iTunesHelper.exe"
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\License Manager
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	license_manager
hkey	HKCU
command	"C:\Program Files\License_Manager\license_manager.exe " /silent
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	license_manager
hkey	HKCU
command	"C:\Program Files\License_Manager\license_manager.exe " /silent
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\LVCOMS
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	LVCOMS
hkey	HKLM
command	C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	LVCOMS
hkey	HKLM
command	C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msmsgs
hkey	HKCU
command	"C:\Program Files\Messenger\msmsgs.exe" /background
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msmsgs
hkey	HKCU
command	"C:\Program Files\Messenger\msmsgs.exe" /background
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\msnmsgr
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msnmsgr
hkey	HKCU
command	"C:\Program Files\MSN Messenger\msnmsgr.exe" /background
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msnmsgr
hkey	HKCU
command	"C:\Program Files\MSN Messenger\msnmsgr.exe" /background
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	qttask
hkey	HKLM
command	"C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	qttask
hkey	HKLM
command	"C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RealTray
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	RealPlay
hkey	HKLM
command	C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	RealPlay
hkey	HKLM
command	C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\warez
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	warez
hkey	HKCU
command	"C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	warez
hkey	HKCU
command	"C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini	0
win.ini	0
bootini	0
services	0
startup	2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername	0
legalnoticecaption	
legalnoticetext	
shutdownwithoutlogon	1
undockwithoutlogon	1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun	145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableRegistryTools	0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit	= C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
= WgaLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1	- Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 7/23/2006 1:19:40 PM


----------



## ColleenA (Feb 18, 2002)

TOM WINPFIND

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 8/4/2004 8:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 5/23/2006 5:26:00 PM 579888 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
aspack 7/6/2006 9:21:46 PM 6757792 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 8:00:00 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 8:00:00 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/4/2004 8:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
PTech 5/23/2006 5:25:52 PM 285488 C:\WINDOWS\SYSTEM32\WgaTray.exe

Checking %System%\Drivers folder and sub-folders...
aspack 1/20/2006 3:40:42 PM R 783984 C:\WINDOWS\SYSTEM32\drivers\css-dvp.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
7/23/2006 10:07:36 AM S 2048 C:\WINDOWS\bootstat.dat
7/23/2006 2:07:08 AM H 54156 C:\WINDOWS\QTFont.qfn
6/17/2006 10:13:24 AM H 65536 C:\WINDOWS\Minidump\Mini061706-01.dmp
5/29/2006 12:16:00 PM S 23751 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB916281.cat
6/1/2006 4:28:56 PM S 11043 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918439.cat
7/23/2006 1:37:34 PM H 1024 C:\WINDOWS\system32\config\default.LOG
7/23/2006 1:37:08 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
7/23/2006 1:09:58 PM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
7/23/2006 1:45:08 PM H 1024 C:\WINDOWS\system32\config\software.LOG
7/23/2006 1:51:22 PM H 1024 C:\WINDOWS\system32\config\system.LOG
7/15/2006 5:00:58 PM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
5/28/2006 11:29:10 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\9b2bfb91-210e-4e5c-add5-a50ad005d879
5/28/2006 11:29:10 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
5/24/2006 5:51:16 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\d27aec55-df77-497b-9804-47a5571b66f9
5/24/2006 5:51:16 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
7/23/2006 10:07:40 AM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 4/13/2005 3:48:52 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
RealNetworks, Inc. 9/4/2005 9:18:28 PM 24064 C:\WINDOWS\SYSTEM32\prefscpl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Sony Corporation 12/4/1999 4:11:30 AM 151552 C:\WINDOWS\SYSTEM32\UILib.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
8/26/2005 12:10:22 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
8/26/2005 7:50:28 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
3/12/2006 6:05:30 PM 1767 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...
8/26/2005 12:10:22 PM HS 84 C:\Documents and Settings\Tom\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
8/26/2005 7:50:26 AM HS 62 C:\Documents and Settings\Tom\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{FFFFE5C1-34AF-4d4d-B3D3-5BB86A2BAA7B}
= C:\Program Files\Zero Knowledge\Freedom\AVContextR.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper
{7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{FFFFE5C1-34AF-4d4d-B3D3-5BB86A2BAA7B}
= C:\Program Files\Zero Knowledge\Freedom\AVContextR.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\{FFFFE5C1-34AF-4d4d-B3D3-5BB86A2BAA7B}
= C:\Program Files\Zero Knowledge\Freedom\AVContextR.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}
Yahoo! Companion BHO = C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A0176FE-008B-4706-90F5-BBA532A49731}
IE Address Browser Helper = C:\Program Files\SearchNet\SNHpr.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3C060EA2-E6A9-4E49-A530-D4657B8C449A}
PopKill Class = C:\Program Files\Zero Knowledge\Freedom\pkR.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56071E0D-C61B-11D3-B41C-00E02927A304}
ZKBho Class = C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\system32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Companion	: C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{85d1f590-48f4-11d9-9669-0800200c9a66}
MenuText = Uninstall BitDefender Online Scanner v8	:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address	: %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links	: %SystemRoot%\system32\SHELL32.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Companion	: C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
{463DF6D5-BEC1-4D67-B217-59DB692DFC53} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
HPDJ Taskbar Utility	C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
SsAAD.exe	C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
SunJavaUpdateSched	C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
Share-to-Web Namespace Daemon	C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
Motive SmartBridge	C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
CXMon	"C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
MSConfig	C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL	Installed = 1
MAPI	Installed = 1
MSFS	Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup	C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE 
item	Adobe Reader Speed Launch
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup	C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE 
item	Adobe Reader Speed Launch

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup	C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\MICROS~2\Office\OSA9.EXE -b -l
item	Microsoft Office
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup	C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\MICROS~2\Office\OSA9.EXE -b -l
item	Microsoft Office

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NetAssistant.lnk
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NetAssistant.lnk
backup	C:\WINDOWS\pss\NetAssistant.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\NETASS~1\bin\matcli.exe -boot
item	NetAssistant
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NetAssistant.lnk
backup	C:\WINDOWS\pss\NetAssistant.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\NETASS~1\bin\matcli.exe -boot
item	NetAssistant

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Colleen^Start Menu^Programs^Startup^LimeWire On Startup.lnk
path	C:\Documents and Settings\Colleen\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup	C:\WINDOWS\pss\LimeWire On Startup.lnkStartup
location	Startup
command	C:\PROGRA~1\LimeWire\LimeWire.exe -startup
item	LimeWire On Startup
path	C:\Documents and Settings\Colleen\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup	C:\WINDOWS\pss\LimeWire On Startup.lnkStartup
location	Startup
command	C:\PROGRA~1\LimeWire\LimeWire.exe -startup
item	LimeWire On Startup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\!ewido
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	ewido
hkey	HKLM
command	"C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	ewido
hkey	HKLM
command	"C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\csrss
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	warez
hkey	HKCU
command	"C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	warez
hkey	HKCU
command	"C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	iTunesHelper
hkey	HKLM
command	"C:\Program Files\iTunes\iTunesHelper.exe"
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	iTunesHelper
hkey	HKLM
command	"C:\Program Files\iTunes\iTunesHelper.exe"
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\License Manager
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	license_manager
hkey	HKCU
command	"C:\Program Files\License_Manager\license_manager.exe " /silent
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	license_manager
hkey	HKCU
command	"C:\Program Files\License_Manager\license_manager.exe " /silent
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\LVCOMS
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	LVCOMS
hkey	HKLM
command	C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	LVCOMS
hkey	HKLM
command	C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msmsgs
hkey	HKCU
command	"C:\Program Files\Messenger\msmsgs.exe" /background
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msmsgs
hkey	HKCU
command	"C:\Program Files\Messenger\msmsgs.exe" /background
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\msnmsgr
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msnmsgr
hkey	HKCU
command	"C:\Program Files\MSN Messenger\msnmsgr.exe" /background
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msnmsgr
hkey	HKCU
command	"C:\Program Files\MSN Messenger\msnmsgr.exe" /background
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	qttask
hkey	HKLM
command	"C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	qttask
hkey	HKLM
command	"C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RealTray
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	RealPlay
hkey	HKLM
command	C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	RealPlay
hkey	HKLM
command	C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\warez
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	warez
hkey	HKCU
command	"C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	warez
hkey	HKCU
command	"C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini	0
win.ini	0
bootini	0
services	0
startup	2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername	0
legalnoticecaption	
legalnoticetext	
shutdownwithoutlogon	1
undockwithoutlogon	1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun	145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableRegistryTools	0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit	= C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
= WgaLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1	- Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 7/23/2006 1:52:30 PM


----------



## Cookiegal (Aug 27, 2003)

I've gone over all of the logs and do see some discrepancies. For one, Nicholas has restrictions that don't allow running registry tools so that could be a factor. If you're willing to continue just a bit longer, I would like to see if this makes a difference.

I would also like to know if you have the program Dr. Web for Windows installed (under user name Colleen).

Log into Nicholas' account for this please.

This may not work because of the restriction but we'll try it first.

I'm attaching a FixNicholas.zip file. Unzip it to your desktop.

Reboot into safe mode.

While in safe mode, run Killbox on this folder:
*C:\Program Files\License_Manager*

Double click the FixNicholas.reg file and allow it to enter into the registry.

Reboot and post a new WinpFind log for Nicholas please.


----------



## ColleenA (Feb 18, 2002)

License Manager was deleted

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 8/4/2004 8:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 5/23/2006 5:26:00 PM 579888 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
aspack 7/6/2006 9:21:46 PM 6757792 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 8:00:00 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 8:00:00 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/4/2004 8:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
PTech 5/23/2006 5:25:52 PM 285488 C:\WINDOWS\SYSTEM32\WgaTray.exe

Checking %System%\Drivers folder and sub-folders...
aspack 1/20/2006 3:40:42 PM R 783984 C:\WINDOWS\SYSTEM32\drivers\css-dvp.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
7/23/2006 4:59:36 PM S 2048 C:\WINDOWS\bootstat.dat
7/23/2006 2:07:08 AM H 54156 C:\WINDOWS\QTFont.qfn
6/17/2006 10:13:24 AM H 65536 C:\WINDOWS\Minidump\Mini061706-01.dmp
5/29/2006 12:16:00 PM S 23751 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB916281.cat
6/1/2006 4:28:56 PM S 11043 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918439.cat
7/23/2006 5:01:48 PM H 1024 C:\WINDOWS\system32\config\default.LOG
7/23/2006 4:59:44 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
7/23/2006 5:01:50 PM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
7/23/2006 5:02:54 PM H 1024 C:\WINDOWS\system32\config\software.LOG
7/23/2006 5:06:54 PM H 1024 C:\WINDOWS\system32\config\system.LOG
7/15/2006 5:00:58 PM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
5/28/2006 11:29:10 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\9b2bfb91-210e-4e5c-add5-a50ad005d879
5/28/2006 11:29:10 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
5/24/2006 5:51:16 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\d27aec55-df77-497b-9804-47a5571b66f9
5/24/2006 5:51:16 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
7/23/2006 4:59:42 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 4/13/2005 3:48:52 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
RealNetworks, Inc. 9/4/2005 9:18:28 PM 24064 C:\WINDOWS\SYSTEM32\prefscpl.cpl
Microsoft Corporation  8/4/2004 8:00:00 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Sony Corporation 12/4/1999 4:11:30 AM 151552 C:\WINDOWS\SYSTEM32\UILib.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
8/26/2005 12:10:22 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
8/26/2005 7:50:28 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
3/12/2006 6:05:30 PM 1767 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...
8/26/2005 12:10:22 PM HS 84 C:\Documents and Settings\Nicholas\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
8/26/2005 7:50:26 AM HS 62 C:\Documents and Settings\Nicholas\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{FFFFE5C1-34AF-4d4d-B3D3-5BB86A2BAA7B}
= C:\Program Files\Zero Knowledge\Freedom\AVContextR.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper
{7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{FFFFE5C1-34AF-4d4d-B3D3-5BB86A2BAA7B}
= C:\Program Files\Zero Knowledge\Freedom\AVContextR.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\{FFFFE5C1-34AF-4d4d-B3D3-5BB86A2BAA7B}
= C:\Program Files\Zero Knowledge\Freedom\AVContextR.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}
Yahoo! Companion BHO = C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A0176FE-008B-4706-90F5-BBA532A49731}
IE Address Browser Helper = C:\Program Files\SearchNet\SNHpr.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3C060EA2-E6A9-4E49-A530-D4657B8C449A}
PopKill Class = C:\Program Files\Zero Knowledge\Freedom\pkR.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56071E0D-C61B-11D3-B41C-00E02927A304}
ZKBho Class = C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\system32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Companion	: C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{85d1f590-48f4-11d9-9669-0800200c9a66}
MenuText = Uninstall BitDefender Online Scanner v8	:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\system32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address	: %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links	: %SystemRoot%\system32\SHELL32.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Companion	: C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
{463DF6D5-BEC1-4D67-B217-59DB692DFC53} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
HPDJ Taskbar Utility	C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
SsAAD.exe	C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
SunJavaUpdateSched	C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
Share-to-Web Namespace Daemon	C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
Motive SmartBridge	C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
CXMon	"C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL	Installed = 1
MAPI	Installed = 1
MSFS	Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
msnmsgr	"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup	C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE 
item	Adobe Reader Speed Launch
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup	C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE 
item	Adobe Reader Speed Launch

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup	C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\MICROS~2\Office\OSA9.EXE -b -l
item	Microsoft Office
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup	C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\MICROS~2\Office\OSA9.EXE -b -l
item	Microsoft Office

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NetAssistant.lnk
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NetAssistant.lnk
backup	C:\WINDOWS\pss\NetAssistant.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\NETASS~1\bin\matcli.exe -boot
item	NetAssistant
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NetAssistant.lnk
backup	C:\WINDOWS\pss\NetAssistant.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\NETASS~1\bin\matcli.exe -boot
item	NetAssistant

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Colleen^Start Menu^Programs^Startup^LimeWire On Startup.lnk
path	C:\Documents and Settings\Colleen\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup	C:\WINDOWS\pss\LimeWire On Startup.lnkStartup
location	Startup
command	C:\PROGRA~1\LimeWire\LimeWire.exe -startup
item	LimeWire On Startup
path	C:\Documents and Settings\Colleen\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup	C:\WINDOWS\pss\LimeWire On Startup.lnkStartup
location	Startup
command	C:\PROGRA~1\LimeWire\LimeWire.exe -startup
item	LimeWire On Startup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\!ewido
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	ewido
hkey	HKLM
command	"C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	ewido
hkey	HKLM
command	"C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	iTunesHelper
hkey	HKLM
command	"C:\Program Files\iTunes\iTunesHelper.exe"
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	iTunesHelper
hkey	HKLM
command	"C:\Program Files\iTunes\iTunesHelper.exe"
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\License Manager
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	license_manager
hkey	HKCU
command	"C:\Program Files\License_Manager\license_manager.exe " /silent
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	license_manager
hkey	HKCU
command	"C:\Program Files\License_Manager\license_manager.exe " /silent
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\LVCOMS
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	LVCOMS
hkey	HKLM
command	C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	LVCOMS
hkey	HKLM
command	C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msmsgs
hkey	HKCU
command	"C:\Program Files\Messenger\msmsgs.exe" /background
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msmsgs
hkey	HKCU
command	"C:\Program Files\Messenger\msmsgs.exe" /background
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\msnmsgr
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msnmsgr
hkey	HKCU
command	"C:\Program Files\MSN Messenger\msnmsgr.exe" /background
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msnmsgr
hkey	HKCU
command	"C:\Program Files\MSN Messenger\msnmsgr.exe" /background
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	qttask
hkey	HKLM
command	"C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	qttask
hkey	HKLM
command	"C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RealTray
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	RealPlay
hkey	HKLM
command	C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	RealPlay
hkey	HKLM
command	C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\warez
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	warez
hkey	HKCU
command	"C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	warez
hkey	HKCU
command	"C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini	0
win.ini	0
bootini	0
services	0
startup	2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername	0
legalnoticecaption	
legalnoticetext	
shutdownwithoutlogon	1
undockwithoutlogon	1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun	145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableRegistryTools	1
NoAdminPage	1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit	= C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
= WgaLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1	- Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 7/23/2006 5:07:40 PM


----------



## ColleenA (Feb 18, 2002)

Oh, by the way, I don't have Dr. Web on the machine as far as I know.

It is nothing that I downloaded and I just did a search and nothing comes up


----------



## Cookiegal (Aug 27, 2003)

Is this XP Home or Pro?

I thought it wouldn't work because of the restrictions but wanted to try it that way first as it's easier.

I need to ask if you may have intentionally set up a restriction so that Nicholas could not edit the registry. If so, then we'll leave it as is. Otherwise, please continue:

Log on as Nicholas and do the following:

Expand each of the following keys in the registry:

HKEY_CURRENT_USER
SOFTWARE
Microsoft
Windows
CurrentVersion
policies

Highlight the next sub-key:

*System*

Do you see two entries that contain the following? They should be in the right-hand pane.

*DisableRegistryTools*
*NoAdminPage*

If you do, right click on them and select "delete". *DO NOT delete the System key*.

Let me know if you were able to delete them please.
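
The two values named in the post above show up in the WinPFind log as name/value lines under the `policies\System` key. As an added example (not part of the original post and not WinPFind's own code), this Python script parses the policies section of such a log, lists watched restriction values that are set, and compares an earlier log with a later one to confirm the values are gone. Both sample logs are constructed from lines in this thread, and `DisableTaskMgr` in the watch list is an addition made here.

```python
import re

# Values reported when set to a non-zero number under ...\policies\System.
# DisableRegistryTools and NoAdminPage are the two named in the thread;
# DisableTaskMgr is a sibling policy value added here for illustration.
WATCHED = {"disableregistrytools", "noadminpage", "disabletaskmgr"}

# A key line is a registry path, with or without the [brackets] WinPFind
# puts around the top-level key of each section.
KEY_LINE = re.compile(r"^\[?((?:HKEY_[A-Z_]+|HKLM|HKCU)\\[^\]]*)\]?$")


def parse_policies(log_text):
    """Return {registry key: {value name: data}} for keys under a policies key."""
    keys, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1)
            current = key if "\\policies" in key.lower() else None
            if current is not None:
                keys.setdefault(current, {})
            continue
        if current is None:
            continue  # value line belonging to a key we do not track
        # Policy value names contain no spaces, so split on the first run of
        # whitespace (a tab in the tool's output, spaces in some pasted copies).
        parts = re.split(r"\s+", line, maxsplit=1)
        keys[current][parts[0]] = parts[1] if len(parts) > 1 else ""
    return keys


def active_restrictions(policies):
    """List (key, name, data) for watched values set to a non-zero number."""
    hits = []
    for key, values in policies.items():
        if not key.lower().endswith("\\policies\\system"):
            continue
        for name, data in values.items():
            if name.lower() in WATCHED and data.isdigit() and int(data) != 0:
                hits.append((key, name, data))
    return hits


def removed_values(before, after):
    """List (key, name) for values in the earlier log that the later one lacks."""
    gone = []
    for key, values in before.items():
        later = after.get(key, {})
        gone.extend((key, name) for name in values if name not in later)
    return gone


HKLM_POL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies"
HKCU_POL = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies"


def sample_log(hkcu_system_lines):
    """Build a constructed log excerpt in the layout shown in this thread."""
    return "\n".join(
        [
            f"[{HKLM_POL}]",
            "",
            f"{HKLM_POL}\\system",
            "dontdisplaylastusername\t0",
            "legalnoticecaption\t",
            "shutdownwithoutlogon\t1",
            "",
            f"[{HKCU_POL}]",
            "",
            f"{HKCU_POL}\\Explorer",
            "NoDriveTypeAutoRun\t145",
            "",
            f"{HKCU_POL}\\System",
        ]
        + hkcu_system_lines
        + [
            "",
            r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]",
            "Shell = Explorer.exe",
        ]
    )


# Constructed samples: the account before and after the two values are deleted.
BEFORE = sample_log(["DisableRegistryTools\t1", "NoAdminPage\t1"])
AFTER = sample_log([])

if __name__ == "__main__":
    before, after = parse_policies(BEFORE), parse_policies(AFTER)
    for key, name, data in active_restrictions(before):
        print(f"set in earlier log: {key}\\{name} = {data}")
    for key, name in removed_values(before, after):
        print(f"absent from later log: {key}\\{name}")
    print("restrictions remaining:", active_restrictions(after))
```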


----------



## ColleenA (Feb 18, 2002)

This is XP Home
There were 3 entries off to the right:

The 2 you mentioned and the top one is Default REG_SZ Value not set

I was able to delete the two you mentioned


----------



## Cookiegal (Aug 27, 2003)

Log in under Tom's account.

I'm attaching a FixTom.zip file. Save it to your desktop. Unzip it and double click on the FixTom.reg file and allow it to enter into the registry.


Reboot and post a new WinpFind log from Tom's account please.


----------



## ColleenA (Feb 18, 2002)

Sorry, it dawned on me at work today that I didn't answer your questions yesterday regarding the restrictions on Nicholas' account - no, I didn't intentionally set restrictions on his account.

Here is the WinPFind file from Tom's account

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 8/4/2004 8:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 6/19/2006 4:19:42 PM 571184 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
aspack 7/6/2006 9:21:46 PM 6757792 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 8:00:00 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 8:00:00 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/4/2004 8:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
PTech 6/19/2006 4:19:26 PM 304944 C:\WINDOWS\SYSTEM32\WgaTray.exe

Checking %System%\Drivers folder and sub-folders...
aspack 1/20/2006 3:40:42 PM R 783984 C:\WINDOWS\SYSTEM32\drivers\css-dvp.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
7/24/2006 4:41:42 PM S 2048 C:\WINDOWS\bootstat.dat
7/23/2006 2:07:08 AM H 54156 C:\WINDOWS\QTFont.qfn
6/17/2006 10:13:24 AM H 65536 C:\WINDOWS\Minidump\Mini061706-01.dmp
5/29/2006 12:16:00 PM S 23751 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB916281.cat
6/1/2006 4:28:56 PM S 11043 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918439.cat
6/19/2006 4:20:58 PM S 7160 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WgaNotify.cat
7/24/2006 4:43:38 PM H 1024 C:\WINDOWS\system32\config\default.LOG
7/24/2006 4:41:52 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
7/24/2006 4:43:38 PM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
7/24/2006 4:44:24 PM H 1024 C:\WINDOWS\system32\config\software.LOG
7/24/2006 4:48:38 PM H 1024 C:\WINDOWS\system32\config\system.LOG
7/15/2006 5:00:58 PM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
5/28/2006 11:29:10 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\9b2bfb91-210e-4e5c-add5-a50ad005d879
5/28/2006 11:29:10 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
7/24/2006 4:41:46 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 4/13/2005 3:48:52 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
RealNetworks, Inc. 9/4/2005 9:18:28 PM 24064 C:\WINDOWS\SYSTEM32\prefscpl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Sony Corporation 12/4/1999 4:11:30 AM 151552 C:\WINDOWS\SYSTEM32\UILib.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
8/26/2005 12:10:22 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
8/26/2005 7:50:28 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
3/12/2006 6:05:30 PM 1767 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...
8/26/2005 12:10:22 PM HS 84 C:\Documents and Settings\Tom\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
8/26/2005 7:50:26 AM HS 62 C:\Documents and Settings\Tom\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{FFFFE5C1-34AF-4d4d-B3D3-5BB86A2BAA7B}
= C:\Program Files\Zero Knowledge\Freedom\AVContextR.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper
{7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{FFFFE5C1-34AF-4d4d-B3D3-5BB86A2BAA7B}
= C:\Program Files\Zero Knowledge\Freedom\AVContextR.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\{FFFFE5C1-34AF-4d4d-B3D3-5BB86A2BAA7B}
= C:\Program Files\Zero Knowledge\Freedom\AVContextR.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}
Yahoo! Companion BHO = C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A0176FE-008B-4706-90F5-BBA532A49731}
IE Address Browser Helper = C:\Program Files\SearchNet\SNHpr.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3C060EA2-E6A9-4E49-A530-D4657B8C449A}
PopKill Class = C:\Program Files\Zero Knowledge\Freedom\pkR.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56071E0D-C61B-11D3-B41C-00E02927A304}
ZKBho Class = C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\system32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Companion	: C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{85d1f590-48f4-11d9-9669-0800200c9a66}
MenuText = Uninstall BitDefender Online Scanner v8	:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address	: %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links	: %SystemRoot%\system32\SHELL32.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Companion	: C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
{463DF6D5-BEC1-4D67-B217-59DB692DFC53} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
HPDJ Taskbar Utility	C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
SsAAD.exe	C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
SunJavaUpdateSched	C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
Share-to-Web Namespace Daemon	C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
Motive SmartBridge	C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
CXMon	"C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL	Installed = 1
MAPI	Installed = 1
MSFS	Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup	C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE 
item	Adobe Reader Speed Launch
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup	C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE 
item	Adobe Reader Speed Launch

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup	C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\MICROS~2\Office\OSA9.EXE -b -l
item	Microsoft Office
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup	C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\MICROS~2\Office\OSA9.EXE -b -l
item	Microsoft Office

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NetAssistant.lnk
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NetAssistant.lnk
backup	C:\WINDOWS\pss\NetAssistant.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\NETASS~1\bin\matcli.exe -boot
item	NetAssistant
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NetAssistant.lnk
backup	C:\WINDOWS\pss\NetAssistant.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\NETASS~1\bin\matcli.exe -boot
item	NetAssistant

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Colleen^Start Menu^Programs^Startup^LimeWire On Startup.lnk
path	C:\Documents and Settings\Colleen\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup	C:\WINDOWS\pss\LimeWire On Startup.lnkStartup
location	Startup
command	C:\PROGRA~1\LimeWire\LimeWire.exe -startup
item	LimeWire On Startup
path	C:\Documents and Settings\Colleen\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup	C:\WINDOWS\pss\LimeWire On Startup.lnkStartup
location	Startup
command	C:\PROGRA~1\LimeWire\LimeWire.exe -startup
item	LimeWire On Startup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\!ewido
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	ewido
hkey	HKLM
command	"C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	ewido
hkey	HKLM
command	"C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	iTunesHelper
hkey	HKLM
command	"C:\Program Files\iTunes\iTunesHelper.exe"
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	iTunesHelper
hkey	HKLM
command	"C:\Program Files\iTunes\iTunesHelper.exe"
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\LVCOMS
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	LVCOMS
hkey	HKLM
command	C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	LVCOMS
hkey	HKLM
command	C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msmsgs
hkey	HKCU
command	"C:\Program Files\Messenger\msmsgs.exe" /background
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msmsgs
hkey	HKCU
command	"C:\Program Files\Messenger\msmsgs.exe" /background
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\msnmsgr
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msnmsgr
hkey	HKCU
command	"C:\Program Files\MSN Messenger\msnmsgr.exe" /background
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	msnmsgr
hkey	HKCU
command	"C:\Program Files\MSN Messenger\msnmsgr.exe" /background
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	qttask
hkey	HKLM
command	"C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	qttask
hkey	HKLM
command	"C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RealTray
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	RealPlay
hkey	HKLM
command	C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	RealPlay
hkey	HKLM
command	C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\warez
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	warez
hkey	HKCU
command	"C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	warez
hkey	HKCU
command	"C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini	0
win.ini	0
bootini	0
services	0
startup	2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername	0
legalnoticecaption	
legalnoticetext	
shutdownwithoutlogon	1
undockwithoutlogon	1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun	145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableRegistryTools	0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit	= C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
= WgaLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1	- Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 7/24/2006 4:49:37 PM


----------



## Cookiegal (Aug 27, 2003)

Can you go into the registry and see if this key is still there please? I included it for removal in the last regfix. Crossing fingers. 

*HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}\VersionIndependentProgID*


----------



## ColleenA (Feb 18, 2002)

Sorry, but it seems to still be there.


----------



## Cookiegal (Aug 27, 2003)

I'm afraid I don't know what else to suggest at this point. Something is still blocking those entries from being deleted in the registry. It's possible they are corrupt.  

As the file associated with the BHO is gone, I don't believe there is any threat from it though, if that's any consolation.


----------
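A BHO registration that stays in the registry after its DLL has been deleted, the situation described in the post above, can be picked out of a WinPFind log by pairing each Browser Helper Objects CLSID with its DLL path and checking whether that file still exists. The sketch below is an added example, not part of the original thread or of WinPFind; the function names and the `FILES_ON_DISK` set are assumptions made for illustration, and the log excerpt is copied from the log posted earlier on this page.

```python
import re

# Excerpt of the "Browser Helper Objects" section from the WinPFind log above.
SAMPLE_LOG = r"""
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A0176FE-008B-4706-90F5-BBA532A49731}
IE Address Browser Helper = C:\Program Files\SearchNet\SNHpr.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56071E0D-C61B-11D3-B41C-00E02927A304}
ZKBho Class = C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll
"""

# Constructed for this example: files assumed to still be on disk.
# On the affected machine, replace the set lookup with os.path.exists().
FILES_ON_DISK = {
    r"C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll",
}

SECTION = re.compile(r"^\[(.+)\]\s*$")
BHO_KEY = re.compile(r"\\Browser Helper Objects\\(\{[0-9A-Fa-f-]{36}\})\s*$")


def parse_bhos(log_text):
    """Return one dict per BHO subkey: clsid, display name, DLL path."""
    entries, in_section, pending = [], False, None

    def flush():
        # A subkey line that was never followed by a "name = dll" line.
        if pending:
            entries.append({"clsid": pending, "name": "", "dll": ""})

    for raw in log_text.splitlines():
        line = raw.strip()
        header = SECTION.match(line)
        if header:
            flush()
            pending = None
            in_section = header.group(1).lower().endswith("browser helper objects")
            continue
        if not in_section or not line:
            continue
        key = BHO_KEY.search(line)
        if key:
            flush()
            pending = key.group(1).upper()
        elif pending and "=" in line:
            name, _, dll = line.partition("=")
            entries.append({"clsid": pending, "name": name.strip(), "dll": dll.strip()})
            pending = None
    flush()
    return entries


def _norm(path):
    # Windows paths are case-insensitive; drop surrounding quotes as well.
    return path.strip().strip('"').lower()


def orphaned_bhos(entries, files_on_disk):
    """BHO registrations whose DLL is not among the files present."""
    present = {_norm(p) for p in files_on_disk}
    return [e for e in entries if e["dll"] and _norm(e["dll"]) not in present]


if __name__ == "__main__":
    for e in orphaned_bhos(parse_bhos(SAMPLE_LOG), FILES_ON_DISK):
        print("Orphaned BHO:", e["clsid"], e["name"], "->", e["dll"])
```
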



## ColleenA (Feb 18, 2002)

I appreciate all that you have done for me. The machine seems to be fine now. I'm just going to delete a bunch of junk from Nicholas' account and ban him from downloading anything ever again.

Is it safe to get rid of all the programs you've had me download or should I save all that stuff?

Thanks for all your time and help

Colleen


----------



## Cookiegal (Aug 27, 2003)

You're quite welcome. 

I would keep Ewido. After the trial period expires it becomes freeware with limited functions but is still a very good on-demand scanner.

You can remove these:

WinPFind
Killbox
Silent Runners
Avenger

I can't remember what else I had you install at the moment. If I've missed any just let me know.

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* > *All Programs* > *Accessories* > *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.

*Delete your temporary files:*

In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Go to Start - Run and type *%temp%* in the Run box. The Temp folder will open. Click *Edit - Select All* then hit *Delete* to delete the entire contents of the Temp folder.

Finally go to Control Panel - Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

*Empty the recycle bin*.


----------



## ColleenA (Feb 18, 2002)

We also downloaded

Hoster

Registrar Lite

Root Kit revealer

BFU

LSPFix

Spysweeper

Thanks


----------



## Cookiegal (Aug 27, 2003)

You can delete all of those. SpySweeper will expire after the trial period is over.


----------

