# Cox Virus Scan Problem



## BigRC (Dec 18, 2006)

Hi all: I am using XP and IE7. Computer slowing down and a lot of lag when gaming. I have been watching the Task Manager and noticed that syssvcnt.exe (associated with the Cox virus scan package) seems to be bleeding off my memory. I watch the CPU and Memory Usage readings, and my available memory numbers bleed down as the memory usage numbers for syssvcnt.exe increase. The gauge that shows the page file usage also increases as long as I have the virus scan enabled. Starts at approx. 270k after reboot and climbs to over 1 gig after a few hours. Is this normal? I also notice a CPU usage spike that jumps to 60 or 70 percent about every 5 minutes. This happens with or without the virus scan enabled. I think this causes a lot of the lag I'm getting while gaming. What could be causing that? I am attaching a HijackThis log. Hope you can help.
Thanks, BigRC

Logfile of HijackThis v1.99.1
Scan saved at 9:26:21 PM, on 12/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Cox\Applications\App\syssvcnt.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ESP] C:\Program Files\Cox\Applications\app\start.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\PrintMaster 16\pmremind.exe
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O20 - Winlogon Notify: awvvt - C:\WINDOWS\system32\awvvt.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: vtstu - C:\WINDOWS\system32\vtstu.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Cox High Speed Internet Security Suite System Service (AuthSysSvc) - Authentium, Inc. - C:\Program Files\Cox\Applications\App\syssvcnt.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


----------



## Cookiegal (Aug 27, 2003)

Hi and welcome to TSG,

We are sorry your thread got overlooked. Do you still require assistance with this? If so please post a new HijackThis log and I will be happy to assist.


----------



## BigRC (Dec 18, 2006)

Hope you can help. Here is the latest log.

Logfile of HijackThis v1.99.1
Scan saved at 5:43:08 PM, on 12/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Cox\Applications\App\syssvcnt.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Cox\Applications\App\Console.exe
C:\Documents and Settings\Owner\My Documents\Misc. Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ESP] C:\Program Files\Cox\Applications\app\start.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\PrintMaster 16\pmremind.exe
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O20 - Winlogon Notify: awvvt - C:\WINDOWS\system32\awvvt.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: vtstu - C:\WINDOWS\system32\vtstu.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Cox High Speed Internet Security Suite System Service (AuthSysSvc) - Authentium, Inc. - C:\Program Files\Cox\Applications\App\syssvcnt.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


----------



## Cookiegal (Aug 27, 2003)

Please download *VundoFix.exe* to your desktop.


1. Double-click *VundoFix.exe* to run it.
2. Click the *Scan for Vundo* button.
3. Once it's done scanning, click the *Remove Vundo* button.
4. You will receive a prompt asking if you want to remove the files; click *YES*.
5. Once you click Yes, your desktop will go blank as it starts removing Vundo.
6. When completed, it will prompt that it will reboot your computer; click *OK*.
7. Please post the contents of *C:\vundofix.txt* and a new HijackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the *Scan for Vundo* button" when VundoFix appears upon rebooting.


----------
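An added example at this point in the thread (editor's code, not a HijackThis, VundoFix or TSG tool, and not part of any post above): the two O20 Winlogon Notify lines in the logs, awvvt and vtstu, both marked "(file missing)" and both with short random-looking names, are presumably the entries that prompted the VundoFix suggestion. The script below runs that kind of triage over a HijackThis 1.99 log: it flags Winlogon Notify packages that are not on a small allow-list (assumption: the list is partial, built from XP SP2 defaults plus the igfxcui and WgaLogon entries visible in these logs), orphaned O2/O3 "(no file)" registrations, and O4 Run values that do not start with an absolute path. The random-name heuristic is also an assumption, and the sample log is constructed from a few lines of the logs posted above.

```python
"""Triage a HijackThis 1.99 log for the entry shapes seen in this thread.

Editor's added example; not a HijackThis, VundoFix or TSG tool.  The allow-list
and the random-name heuristic are assumptions stated in the comments.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity section reason line")

# Winlogon Notify packages expected on Windows XP SP2, plus the two vendor
# packages visible in the logs above (Intel graphics, WGA).  Assumption: this
# list is partial; extend it for the build you are looking at.
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "igfxcui", "wgalogon",
}

ENTRY_RE = re.compile(r"^(?P<section>O\d+|R[0-3]) - (?P<body>.*)$")
O20_RE = re.compile(
    r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_RUN_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
# Heuristic (assumption): Vundo-era Winlogon Notify DLLs carried short,
# all-lowercase, meaningless names such as the awvvt / vtstu seen above.
RANDOM_NAME_RE = re.compile(r"^[a-z]{5,8}$")
ABS_PATH_RE = re.compile(r"^([A-Za-z]:\\|%[A-Za-z_]+%\\)")

# Constructed sample: a few lines in the shape of the logs posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - (no file)
O4 - HKLM\..\Run: [ESP] C:\Program Files\Cox\Applications\app\start.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O20 - Winlogon Notify: awvvt - C:\WINDOWS\system32\awvvt.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: vtstu - C:\WINDOWS\system32\vtstu.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Cox High Speed Internet Security Suite System Service (AuthSysSvc) - Authentium, Inc. - C:\Program Files\Cox\Applications\App\syssvcnt.exe
""".strip()


def triage(log_text):
    """Return Finding tuples for lines worth a closer look, highest severity first."""
    findings = []
    for line in log_text.splitlines():
        entry = ENTRY_RE.match(line.strip())
        if not entry:
            continue                      # header, process list, blank line
        section, body = entry.group("section"), entry.group("body")

        if section == "O20":
            o20 = O20_RE.match(body)
            if not o20 or o20.group("name").lower() in KNOWN_WINLOGON_NOTIFY:
                continue
            if o20.group("missing"):
                # The DLL is gone but the registration survives, so Winlogon
                # keeps trying to load it at every logon event.
                findings.append(Finding("high", section,
                    "orphaned Winlogon Notify package (DLL missing)", line))
            elif RANDOM_NAME_RE.match(o20.group("name")):
                findings.append(Finding("high", section,
                    "unrecognised Winlogon Notify DLL with a random-looking name", line))
            else:
                findings.append(Finding("medium", section,
                    "unrecognised Winlogon Notify package", line))

        elif section in ("O2", "O3") and body.endswith("(no file)"):
            findings.append(Finding("low", section,
                "orphaned COM registration (CLSID points at a file that is gone)", line))

        elif section == "O4":
            run = O4_RUN_RE.match(body)
            # Strip an opening quote so the "quoted path" args form is checked too.
            if run and not ABS_PATH_RE.match(run.group("cmd").lstrip('"')):
                findings.append(Finding("low", section,
                    "Run value without an absolute path; confirm which file really starts", line))

    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: rank[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
        print(f"         {f.line}")
```

Run against the sample, the two "(file missing)" O20 lines come out on top, the "(no file)" BHO and the bare `\Program\BackWeb-8876480.exe` Run value are reported as low-priority cleanup, and the Intel, WGA, Cox and QuickTime entries produce nothing. The bare-name Run values in the real logs (VTTimer.exe, Logi_MwX.Exe, ALCXMNTR.EXE) would also be reported as low: they are resolved through the search path rather than by an absolute path, which is worth confirming on a machine that is already suspected of infection, not proof of anything by itself.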



## BigRC (Dec 18, 2006)

I downloaded and ran VundoFix. It hung up at file updspapi.dll twice, so I shut down the Cox security suite and it seemed to run OK and scanned past the updspapi.dll file, until the screen went black. I waited 30 minutes and had to reboot. What now?
Thanks, Rex
Merry Christmas!!


----------



## Cookiegal (Aug 27, 2003)

Download *WinPFind.exe* to your desktop and double-click on it to open it, then select Extract to extract the files. This will create a folder named *WinPFind* on your desktop.

*Start in Safe Mode Using the F8 method:*


1. Restart the computer.
2. As soon as the BIOS is loaded, begin tapping the *F8* key until the boot menu appears.
3. Use the arrow keys to select the *Safe Mode* menu item.
4. Press the *Enter* key.

Double click on the WinPFind folder on your desktop to open it and then double click on the *WinPFind.exe* file to start the program.


Click Configure scan options
Under Run AdOns select the following:
Policies.def
Security.def

Click apply
Click "*Start Scan*"
*It will scan the entire System, so please be patient and let it complete.*

When the scan is complete reboot normally and post the *WinPFind.txt* file (located in the WinPFind folder) back here along with a new HijackThis log.


----------



## BigRC (Dec 18, 2006)

Sorry for all the trouble, but I'm having more problems. I followed your instructions and started the scan. Left the room for about 15 minutes and returned to a blank screen. Rebooted in Safe Mode again and ran the scan over. It scanned until it reached this file:
pec2 7/11/1997 163384 C:\windows\system32\ODBCJET.HLP ( )
The computer locked up. Could not move the hourglass. HD light out.
Rebooted normally. No WinPFind.txt file in the folder. What now?
Rex


----------



## Cookiegal (Aug 27, 2003)

Can you try running it in Normal mode, then?


----------



## BigRC (Dec 18, 2006)

Hi Cookiegal: Tried again in Normal mode. Ran to the same file and went black. Had to reboot.


----------



## Cookiegal (Aug 27, 2003)

Download *ComboFix* to your Desktop.

Reboot to Safe mode:

Restart your computer and begin tapping the F8 key on your keyboard just before Windows starts to load. If done properly a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

Perform the following actions in *Safe Mode*.

Double-click *combofix.exe* and follow the prompts.
When finished, it will produce a log for you. Post that log and a new *HijackThis* log in your next reply.
*Note: Do not mouseclick combofix's window while it's running as that may cause it to stall*


----------



## BigRC (Dec 18, 2006)

During the scan a Windows "No Disk" window came up and the HD stopped a few seconds later. Waited a couple of minutes and pressed Cancel, but the window kept coming back. Dragged the window out of the ComboFix window and hit Cancel, and it went away and the HD light started again. It finished the scan and made a log. Here it is.

Owner - 06-12-26 21:36:25.04 Service Pack 2
ComboFix 06.12.01W - Running from: "C:\Documents and Settings\Owner\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-11-26 to 2006-12-26 ))))))))))))))))))))))))))))))))))

2006-12-25	11:40 d--------	C:\VundoFix Backups
2006-12-24	17:03 d--hs----	C:\Config.Msi
2006-12-17	21:21 d--------	C:\Program Files\HijackThis
2006-12-17	21:10 d--------	C:\Program Files\Common Files\Java
2006-12-14	18:05 d--------	C:\Documents and Settings\All Users\Application Data\Adobe
2006-12-11	19:25 dr-h-----	C:\Documents and Settings\Owner\Recent
2006-12-11	16:43 d--------	C:\Documents and Settings\Owner\Application Data\Nova Development
2006-12-11	16:34 d--------	C:\Program Files\Common Files\Ulead Systems
2006-12-11	16:34 d--------	C:\Documents and Settings\All Users\Application Data\Nova Development
2006-12-11	08:33	79,336	--a------	C:\WINDOWS\system32\wscapi.dll
2006-12-11	07:24	36,864	--a------	C:\WINDOWS\system32\drivers\GRTdiMon.sys
2006-11-30	20:13	44,875	--a------	C:\WINDOWS\system32\IPrtCnst.dll
2006-11-30	20:13	13,891	--a------	C:\WINDOWS\system32\drivers\IdeBusDr.sys
2006-11-30	20:13	101,431	--a------	C:\WINDOWS\system32\drivers\IdeChnDr.sys
2006-11-30	20:13 d--------	C:\Program Files\Intel
2006-11-30	05:40	150,016	--a------	C:\WINDOWS\system32\Unzip32.dll
2006-11-30	05:40 d--------	C:\Program Files\Camtech

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-12-25 19:30	--------	d--------	C:\Documents and Settings\Owner\Application Data\teamspeak2
2006-12-24 17:06	--------	d--------	C:\Program Files\Common Files\PestPatrol
2006-12-24 17:05	--------	d--------	C:\Program Files\Common Files\Command Software
2006-12-18 11:51	3887	--a------	C:\WINDOWS\viassary-hp.reg
2006-12-17 21:10	--------	d--------	C:\Program Files\Java
2006-12-17 21:10	--------	d--------	C:\Program Files\Common Files
2006-12-17 21:08	--------	d--h-----	C:\Program Files\InstallShield Installation Information
2006-12-14 18:08	--------	d--------	C:\Documents and Settings\Owner\Application Data\AdobeUM
2006-12-14 03:00	--------	d--------	C:\Program Files\Outlook Express
2006-12-14 03:00	--------	d--------	C:\Program Files\Common Files\System
2006-12-11 18:46	--------	d--------	C:\Program Files\Microsoft Works
2006-12-11 16:34	--------	d--------	C:\Program Files\Nova Development
2006-12-10 10:26	--------	d--------	C:\Program Files\PrintMaster 16
2006-12-10 10:25	--------	d--------	C:\Program Files\Common Files\Broderbund
2006-12-10 10:20	--------	d---s----	C:\Documents and Settings\Owner\Application Data\Microsoft
2006-12-07 00:40	2362184	--a------	C:\WINDOWS\system32\wmvcore.dll
2006-11-17 13:27	--------	d--------	C:\Program Files\IncrediMail
2006-11-14 20:33	--------	d--------	C:\Program Files\MSXML 4.0
2006-11-14 16:48	--------	d--------	C:\Program Files\Internet Explorer
2006-11-07 23:06	679424	--a------	C:\WINDOWS\system32\inetcomm.dll
2006-11-07 21:03	6049280	---------	C:\WINDOWS\system32\ieframe.dll
2006-11-07 21:03	50688	---------	C:\WINDOWS\system32\msfeedsbs.dll
2006-11-07 21:03	458752	---------	C:\WINDOWS\system32\msfeeds.dll
2006-11-07 21:03	413696	--a------	C:\WINDOWS\system32\vbscript.dll
2006-11-07 21:03	231424	--a------	C:\WINDOWS\system32\webcheck.dll
2006-11-07 21:03	180736	---------	C:\WINDOWS\system32\ieui.dll
2006-11-07 21:03	156160	--a------	C:\WINDOWS\system32\msls31.dll
2006-11-07 16:34	--------	d--------	C:\Program Files\Common Files\Authentium Shared
2006-11-07 03:27	382976	--a------	C:\WINDOWS\system32\iedkcs32.dll
2006-11-07 03:27	229376	--a------	C:\WINDOWS\system32\ieaksie.dll
2006-11-07 03:26	71680	--a------	C:\WINDOWS\system32\admparse.dll
2006-11-07 03:26	55296	--a------	C:\WINDOWS\system32\iesetup.dll
2006-11-07 03:26	54784	--a------	C:\WINDOWS\system32\ie4uinit.exe
2006-11-07 03:26	43008	--a------	C:\WINDOWS\system32\iernonce.dll
2006-11-07 03:26	152064	--a------	C:\WINDOWS\system32\ieakeng.dll
2006-11-07 03:26	13312	--a------	C:\WINDOWS\system32\ieudinit.exe
2006-11-07 03:26	123904	--a------	C:\WINDOWS\system32\advpack.dll
2006-11-07 03:25	161792	--a------	C:\WINDOWS\system32\ieakui.dll
2006-11-04 14:14	1245696	--a------	C:\WINDOWS\system32\msxml4.dll
2006-10-27 16:06	--------	d--------	C:\Program Files\Cox
2006-10-19 07:56	713216	--a------	C:\WINDOWS\system32\sxs.dll
2006-10-17 12:06	78336	--a------	C:\WINDOWS\system32\ieencode.dll
2006-10-17 12:05	40960	--a------	C:\WINDOWS\system32\licmgr10.dll
2006-10-17 12:05	206336	---------	C:\WINDOWS\system32\WinFXDocObj.exe
2006-10-17 12:05	105984	--a------	C:\WINDOWS\system32\url.dll
2006-10-17 12:04	101376	--a------	C:\WINDOWS\system32\occache.dll
2006-10-17 12:03	17408	--a------	C:\WINDOWS\system32\corpol.dll
2006-10-17 11:58	61952	---------	C:\WINDOWS\system32\icardie.dll
2006-10-17 11:58	12288	---------	C:\WINDOWS\system32\msfeedssync.exe
2006-10-17 11:57	36352	--a------	C:\WINDOWS\system32\imgutil.dll
2006-10-17 11:57	266752	---------	C:\WINDOWS\system32\iertutil.dll
2006-10-17 11:56	45568	--a------	C:\WINDOWS\system32\mshta.exe
2006-10-17 11:28	48128	--a------	C:\WINDOWS\system32\mshtmler.dll
2006-10-17 11:27	380928	---------	C:\WINDOWS\system32\ieapfltr.dll
2006-10-13 06:35	142336	--a------	C:\WINDOWS\system32\nwprovau.dll
2006-10-06 15:19	189984	--a------	C:\WINDOWS\system32\grfilter.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"RecordNow!"=""
"BackupNotify"="c:\\Program Files\\HP\\Digital Imaging\\bin\\backupnotify.exe"
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\mnyexpr.exe\""
"Start WingMan Profiler"=""
"LDM"="\\Program\\BackWeb-8876480.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"CamMonitor"="c:\\Program Files\\HP\\Digital Imaging\\Unload\\hpqcmon.exe"
"HPHmon05"="C:\\WINDOWS\\System32\\hphmon05.exe"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"AutoTKit"="C:\\hp\\bin\\AUTOTKIT.EXE"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"VTTimer"="VTTimer.exe"
"LTMSG"="LTMSG.exe 7"
"Sunkist2k"="C:\\Program Files\\Multimedia Card Reader\\shwicon2k.exe"
"Logitech Utility"="Logi_MwX.Exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"AlcxMonitor"="ALCXMNTR.EXE"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"ESP"="C:\\Program Files\\Cox\\Applications\\app\\start.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000002

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,20,01,00,00,00,00,00,00,80,04,00,00,68,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,20,01,00,00,00,00,00,00,80,04,00,00,68,03,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService	REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService	REG_MULTI_SZ DnsCache\0\0
rpcss	REG_MULTI_SZ RpcSs\0\0
imgsvc	REG_MULTI_SZ StiSvc\0\0
termsvcs	REG_MULTI_SZ TermService\0\0
HTTPFilter	REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch	REG_MULTI_SZ DcomLaunch\0TermService\0\0

Completion time: 06-12-26 21:43:07.09
C:\ComboFix.txt ... 06-12-26 21:43

Will make another post with the HijackThis log.
Thanks, Rex


----------



## BigRC (Dec 18, 2006)

Owner - 06-12-26 21:36:25.04 Service Pack 2
ComboFix 06.12.01W - Running from: "C:\Documents and Settings\Owner\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-11-26 to 2006-12-26 ))))))))))))))))))))))))))))))))))

2006-12-25	11:40 d--------	C:\VundoFix Backups
2006-12-24	17:03 d--hs----	C:\Config.Msi
2006-12-17	21:21 d--------	C:\Program Files\HijackThis
2006-12-17	21:10 d--------	C:\Program Files\Common Files\Java
2006-12-14	18:05 d--------	C:\Documents and Settings\All Users\Application Data\Adobe
2006-12-11	19:25 dr-h-----	C:\Documents and Settings\Owner\Recent
2006-12-11	16:43 d--------	C:\Documents and Settings\Owner\Application Data\Nova Development
2006-12-11	16:34 d--------	C:\Program Files\Common Files\Ulead Systems
2006-12-11	16:34 d--------	C:\Documents and Settings\All Users\Application Data\Nova Development
2006-12-11	08:33	79,336	--a------	C:\WINDOWS\system32\wscapi.dll
2006-12-11	07:24	36,864	--a------	C:\WINDOWS\system32\drivers\GRTdiMon.sys
2006-11-30	20:13	44,875	--a------	C:\WINDOWS\system32\IPrtCnst.dll
2006-11-30	20:13	13,891	--a------	C:\WINDOWS\system32\drivers\IdeBusDr.sys
2006-11-30	20:13	101,431	--a------	C:\WINDOWS\system32\drivers\IdeChnDr.sys
2006-11-30	20:13 d--------	C:\Program Files\Intel
2006-11-30	05:40	150,016	--a------	C:\WINDOWS\system32\Unzip32.dll
2006-11-30	05:40 d--------	C:\Program Files\Camtech

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-12-25 19:30	--------	d--------	C:\Documents and Settings\Owner\Application Data\teamspeak2
2006-12-24 17:06	--------	d--------	C:\Program Files\Common Files\PestPatrol
2006-12-24 17:05	--------	d--------	C:\Program Files\Common Files\Command Software
2006-12-18 11:51	3887	--a------	C:\WINDOWS\viassary-hp.reg
2006-12-17 21:10	--------	d--------	C:\Program Files\Java
2006-12-17 21:10	--------	d--------	C:\Program Files\Common Files
2006-12-17 21:08	--------	d--h-----	C:\Program Files\InstallShield Installation Information
2006-12-14 18:08	--------	d--------	C:\Documents and Settings\Owner\Application Data\AdobeUM
2006-12-14 03:00	--------	d--------	C:\Program Files\Outlook Express
2006-12-14 03:00	--------	d--------	C:\Program Files\Common Files\System
2006-12-11 18:46	--------	d--------	C:\Program Files\Microsoft Works
2006-12-11 16:34	--------	d--------	C:\Program Files\Nova Development
2006-12-10 10:26	--------	d--------	C:\Program Files\PrintMaster 16
2006-12-10 10:25	--------	d--------	C:\Program Files\Common Files\Broderbund
2006-12-10 10:20	--------	d---s----	C:\Documents and Settings\Owner\Application Data\Microsoft
2006-12-07 00:40	2362184	--a------	C:\WINDOWS\system32\wmvcore.dll
2006-11-17 13:27	--------	d--------	C:\Program Files\IncrediMail
2006-11-14 20:33	--------	d--------	C:\Program Files\MSXML 4.0
2006-11-14 16:48	--------	d--------	C:\Program Files\Internet Explorer
2006-11-07 23:06	679424	--a------	C:\WINDOWS\system32\inetcomm.dll
2006-11-07 21:03	6049280	---------	C:\WINDOWS\system32\ieframe.dll
2006-11-07 21:03	50688	---------	C:\WINDOWS\system32\msfeedsbs.dll
2006-11-07 21:03	458752	---------	C:\WINDOWS\system32\msfeeds.dll
2006-11-07 21:03	413696	--a------	C:\WINDOWS\system32\vbscript.dll
2006-11-07 21:03	231424	--a------	C:\WINDOWS\system32\webcheck.dll
2006-11-07 21:03	180736	---------	C:\WINDOWS\system32\ieui.dll
2006-11-07 21:03	156160	--a------	C:\WINDOWS\system32\msls31.dll
2006-11-07 16:34	--------	d--------	C:\Program Files\Common Files\Authentium Shared
2006-11-07 03:27	382976	--a------	C:\WINDOWS\system32\iedkcs32.dll
2006-11-07 03:27	229376	--a------	C:\WINDOWS\system32\ieaksie.dll
2006-11-07 03:26	71680	--a------	C:\WINDOWS\system32\admparse.dll
2006-11-07 03:26	55296	--a------	C:\WINDOWS\system32\iesetup.dll
2006-11-07 03:26	54784	--a------	C:\WINDOWS\system32\ie4uinit.exe
2006-11-07 03:26	43008	--a------	C:\WINDOWS\system32\iernonce.dll
2006-11-07 03:26	152064	--a------	C:\WINDOWS\system32\ieakeng.dll
2006-11-07 03:26	13312	--a------	C:\WINDOWS\system32\ieudinit.exe
2006-11-07 03:26	123904	--a------	C:\WINDOWS\system32\advpack.dll
2006-11-07 03:25	161792	--a------	C:\WINDOWS\system32\ieakui.dll
2006-11-04 14:14	1245696	--a------	C:\WINDOWS\system32\msxml4.dll
2006-10-27 16:06	--------	d--------	C:\Program Files\Cox
2006-10-19 07:56	713216	--a------	C:\WINDOWS\system32\sxs.dll
2006-10-17 12:06	78336	--a------	C:\WINDOWS\system32\ieencode.dll
2006-10-17 12:05	40960	--a------	C:\WINDOWS\system32\licmgr10.dll
2006-10-17 12:05	206336	---------	C:\WINDOWS\system32\WinFXDocObj.exe
2006-10-17 12:05	105984	--a------	C:\WINDOWS\system32\url.dll
2006-10-17 12:04	101376	--a------	C:\WINDOWS\system32\occache.dll
2006-10-17 12:03	17408	--a------	C:\WINDOWS\system32\corpol.dll
2006-10-17 11:58	61952	---------	C:\WINDOWS\system32\icardie.dll
2006-10-17 11:58	12288	---------	C:\WINDOWS\system32\msfeedssync.exe
2006-10-17 11:57	36352	--a------	C:\WINDOWS\system32\imgutil.dll
2006-10-17 11:57	266752	---------	C:\WINDOWS\system32\iertutil.dll
2006-10-17 11:56	45568	--a------	C:\WINDOWS\system32\mshta.exe
2006-10-17 11:28	48128	--a------	C:\WINDOWS\system32\mshtmler.dll
2006-10-17 11:27	380928	---------	C:\WINDOWS\system32\ieapfltr.dll
2006-10-13 06:35	142336	--a------	C:\WINDOWS\system32\nwprovau.dll
2006-10-06 15:19	189984	--a------	C:\WINDOWS\system32\grfilter.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"RecordNow!"=""
"BackupNotify"="c:\\Program Files\\HP\\Digital Imaging\\bin\\backupnotify.exe"
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\mnyexpr.exe\""
"Start WingMan Profiler"=""
"LDM"="\\Program\\BackWeb-8876480.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"CamMonitor"="c:\\Program Files\\HP\\Digital Imaging\\Unload\\hpqcmon.exe"
"HPHmon05"="C:\\WINDOWS\\System32\\hphmon05.exe"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"AutoTKit"="C:\\hp\\bin\\AUTOTKIT.EXE"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"VTTimer"="VTTimer.exe"
"LTMSG"="LTMSG.exe 7"
"Sunkist2k"="C:\\Program Files\\Multimedia Card Reader\\shwicon2k.exe"
"Logitech Utility"="Logi_MwX.Exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"AlcxMonitor"="ALCXMNTR.EXE"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"ESP"="C:\\Program Files\\Cox\\Applications\\app\\start.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000002

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,20,01,00,00,00,00,00,00,80,04,00,00,68,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,20,01,00,00,00,00,00,00,80,04,00,00,68,03,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService	REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService	REG_MULTI_SZ DnsCache\0\0
rpcss	REG_MULTI_SZ RpcSs\0\0
imgsvc	REG_MULTI_SZ StiSvc\0\0
termsvcs	REG_MULTI_SZ TermService\0\0
HTTPFilter	REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch	REG_MULTI_SZ DcomLaunch\0TermService\0\0

Completion time: 06-12-26 21:43:07.09
C:\ComboFix.txt ... 06-12-26 21:43

Thanks again for all your help and patience. Rex


----------



## Cookiegal (Aug 27, 2003)

Download *AVG Anti-Spyware* from *HERE* and save that file to your desktop.

When the trial period expires it becomes feature-limited freeware but is still worth keeping as a good on-demand scanner.


Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double click it to launch the set up program.
Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
On the main screen select the icon "*Update*" then select the "*Update now*" link.
Next select the "*Start Update*" button. The update will start and a progress bar will show the updates being installed.

Once the update has completed, select the "*Scanner*" icon at the top of the screen, then select the "*Settings*" tab.
Once in the Settings screen click on "*Recommended actions*" and then select "*Quarantine*".
Under "*Reports*"
Select "*Automatically generate report after every scan*"
Un-Select "*Only if threats were found*"

Close AVG Anti-Spyware. Do Not run a scan just yet, we will run it in safe mode.
Reboot your computer into *Safe Mode*. You can do this by restarting your computer and continually tapping the *F8* key until a menu appears. Use your up arrow key to highlight *Safe Mode* then hit enter.

*IMPORTANT:* Do not open any other windows or programs while AVG Anti-Spyware is scanning as it may interfere with the scanning process:

Launch AVG Anti-Spyware by double clicking the icon on your desktop.
Select the "*Scanner*" icon at the top and then the "*Scan*" tab then click on "*Complete System Scan*".
AVG will now begin the scanning process. Please be patient as this may take a little time.
*Once the scan is complete, do the following:*
If you have any infections you will be prompted. Then select "*Apply all actions.*"
Next select the "*Reports*" icon at the top.
Select the "*Save report as*" button in the lower left-hand corner of the screen and save it to a text file on your system (make sure to remember where you saved that file. This is important).
Close AVG Anti-Spyware and reboot your system back into Normal Mode.

Please go *HERE* to run Panda's ActiveScan
You need to use IE to run this scan
Once you are on the Panda site click the *Scan your PC* button
A new window will open...click the *Check Now* button
Enter your *Country*
Enter your *State/Province*
Enter your *e-mail address* and click *send*
Select either *Home User* or *Company*
Click the big *Scan Now* button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on *My Computer* to start the scan
When the scan completes, if anything malicious is detected, click the *See Report* button, *then Save Report* and save it to a convenient location. Post the contents of the ActiveScan report

*Come back here and post a new HijackThis log along with the logs from the AVG and Panda scans.*


----------



## BigRC (Dec 18, 2006)

AVG updates, gives me a "server down please try again later" message. I have been waiting a couple of hours. Is this normal?
Thanks, Rex


----------



## Cookiegal (Aug 27, 2003)

I just updated mine with no problems. Can you try again please?


----------



## BigRC (Dec 18, 2006)

Hi Cookiegal, don't give up on me, it's been a heck of a day. To make a long story short, I have been trying to complete an AVG scan all day. It would run awhile and quit (black screen). I'd reboot and watch for the file it died on. Was able to delete a couple of the files and rerun. It would get further and die again. Had a problem in the Windows\system32 folder. I finally did a couple of custom scans leaving out the problem folders and got a completed scan and log. Then I went to the Panda program and started a scan. It ran to a file in my telechart program and sort of locked up. Stopped scanning. Well it didn't die right away, I called up the task manager and the CPU was fluctuating between 50 and 100%. It had scanned 305777 files and found 22 spyware and 1 hacking tools and rootkit. No log since it did not finish. I am attaching the AVG log and the HijackThis log. I will continue to try to get a Panda scan. I also had it die after I rebooted the last time for nothing. I think the CPU may be overheating with all the scans today. Thanks for your help, Rex

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at:	4:57:32 PM 12/27/2006

+ Scan result:

HKU\S-1-5-21-105069026-3139044376-2131570021-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKU\S-1-5-21-105069026-3139044376-2131570021-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{52B1DFC7-AAFC-4362-B103-868B0683C697} -> Adware.Vundo : Cleaned with backup (quarantined).
HKU\S-1-5-21-105069026-3139044376-2131570021-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00DBDAC8-4691-4797-8E6A-7C6AB89BC441} -> Downloader.ConHook.l : Cleaned with backup (quarantined).

::Report end

Logfile of HijackThis v1.99.1
Scan saved at 6:27:58 PM, on 12/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Cox\Applications\App\syssvcnt.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\My Documents\Misc. Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ESP] C:\Program Files\Cox\Applications\app\start.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\PrintMaster 16\pmremind.exe
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O20 - Winlogon Notify: awvvt - C:\WINDOWS\system32\awvvt.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: vtstu - C:\WINDOWS\system32\vtstu.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Cox High Speed Internet Security Suite System Service (AuthSysSvc) - Authentium, Inc. - C:\Program Files\Cox\Applications\App\syssvcnt.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


----------



## Cookiegal (Aug 27, 2003)

Download GMER from:

http://www.majorgeeks.com/download.php?det=5198

Save it somewhere safe & unzip it to desktop

Double click the gmer.exe to run it and select the rootkit tab. Press scan and, when it has finished, press save and copy the log back here please.


----------



## BigRC (Dec 18, 2006)

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2006-12-27 20:28:46
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.12 ----

SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

Code 856E49A8 ZwCreateSection
Code 85399508 ZwSetInformationFile
Code 857B5628 ZwSetSystemInformation
Code 853B6B40 ZwWriteFile
Code 856E49A7 NtCreateSection
Code 85399507 NtSetInformationFile
Code 853B6B3F NtWriteFile

---- Kernel code sections - GMER 1.0.12 ----

PAGE Fastfat.SYS EB05D948 7 Bytes JMP 857A052C

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Fastfat \FatCdrom IRP_MJ_FILE_SYSTEM_CONTROL Code 857A0528
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_READ [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_WRITE [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA  [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_POWER [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE  [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_READ [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_POWER [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL  [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_READ [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_WRITE [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL  [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_POWER [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_READ [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_POWER [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_NAMED_PIPE [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_READ [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_WRITE [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_INFORMATION [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_INFORMATION [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_EA [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_EA [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FLUSH_BUFFERS [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_VOLUME_INFORMATION [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_VOLUME_INFORMATION [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DIRECTORY_CONTROL [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FILE_SYSTEM_CONTROL [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_LOCK_CONTROL [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_MAILSLOT [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_SECURITY [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_SECURITY [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_POWER [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SYSTEM_CONTROL [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CHANGE [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_QUOTA [F7608E20] GRTdiMon.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_QUOTA [F7608E20] GRTdiMon.sys
Device \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL Code 857A0528

---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\Owner\Desktop\DIS Account.url:favicon 
ADS C:\Documents and Settings\Owner\Desktop\KATC.com - Acadiana News, LIVE Weather and Sports.url:favicon 
ADS C:\Documents and Settings\Owner\Desktop\Online Trading - TD AMERITRADE - Active Trading and Investing.url:favicon 
ADS C:\Documents and Settings\Owner\Favorites\Cox Virus Scan Problem - Tech Support Guy Forums.url:favicon 
ADS C:\Documents and Settings\Owner\Favorites\Crafts Christmas - Hanukkah - Kwanzaa Holiday Shoebox Glass Block Lights Home & Garden Television.url:favicon 
ADS C:\Documents and Settings\Owner\Favorites\Expert Zone Columns Archive.url:favicon 
ADS C:\Documents and Settings\Owner\Favorites\MAD MONEY RECAP Index of Stock Mentions by Date.url:favicon 
ADS C:\Documents and Settings\Owner\Favorites\Netives.com [Games-Marbles].url:favicon 
ADS C:\Documents and Settings\Owner\Favorites\Speakeasy - Speed Test.url:favicon 
ADS C:\Documents and Settings\Owner\Favorites\Tech Support Guy .url:favicon 
ADS C:\Documents and Settings\Owner\Favorites\The Daily Review.url:favicon 
ADS ...

---- EOF - GMER 1.0.12 ----


----------
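
A quick way to read the GMER "Devices" section above is to group the hook lines by the module that owns the handler: every hooked IRP major on \Device\RawIp and \Device\IPMULTICAST lands at the same address, F7608E20, inside GRTdiMon.sys, which the StartupList report later in this thread lists as the "Authentium TDI Mon" service (System32\Drivers\GRTdiMon.sys, autostart). The one line that does not name a module is the Fastfat entry, which GMER reports as "Code 857A0528". The Python below is an added example for doing that grouping, not GMER's code and not from anyone in this thread; it assumes GMER's format is "[addr] module" when the handler sits inside a loaded module's image and "Code addr" when GMER could not attribute it, and its input is a constructed subset of the lines above, not a new capture.

```python
"""Inventory the 'Device' hook lines of a GMER 1.0.12 report, grouped by the module owning the handler.

Added example, not GMER code. Format assumption: a line ending '[addr] module.sys' names the module
whose image contains the handler; 'Code addr' is GMER's form for a handler it could not attribute.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the GMER lines shown above, plus one non-hook line to be skipped.
SAMPLE_GMER = "\n".join([
    r"Device \Driver\Tcpip \Device\RawIp IRP_MJ_POWER [F7608E20] GRTdiMon.sys",
    r"Device \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL [F7608E20] GRTdiMon.sys",
    r"Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [F7608E20] GRTdiMon.sys",
    r"Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_READ [F7608E20] GRTdiMon.sys",
    r"Device \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL Code 857A0528",
    "",
    "---- Files - GMER 1.0.12 ----",
])

HOOK_RE = re.compile(
    r"^Device\s+(?P<driver>\\\S+)\s+(?P<device>\\\S+)\s+(?P<irp>IRP_MJ_\w+)\s+"
    r"(?:\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<module>\S+)|Code\s+(?P<code>[0-9A-Fa-f]+))\s*$"
)


def parse_hooks(text):
    """Return one dict per 'Device ...' line; lines from other GMER sections are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            d = m.groupdict()
            hooks.append({
                "driver": d["driver"], "device": d["device"], "irp": d["irp"],
                "module": d["module"],                      # None when GMER printed 'Code addr'
                "addr": (d["addr"] or d["code"]).upper(),
            })
    return hooks


def by_module(hooks):
    """{module: {device: set of IRP majors}} for hooks GMER attributed to a module file."""
    out = defaultdict(lambda: defaultdict(set))
    for h in hooks:
        if h["module"]:
            out[h["module"]][h["device"]].add(h["irp"])
    return {mod: dict(devs) for mod, devs in out.items()}


def unattributed(hooks):
    """Hooks GMER could only describe as 'Code <addr>': the ones to look at first."""
    return [h for h in hooks if h["module"] is None]


def handler_addresses(hooks, module):
    """Distinct handler addresses a module uses; one address for every major means one dispatch stub."""
    return {h["addr"] for h in hooks if h["module"] == module}


if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE_GMER)
    for module, devs in by_module(hooks).items():
        print(f"{module} (handlers at {', '.join(sorted(handler_addresses(hooks, module)))}):")
        for dev, irps in devs.items():
            print(f"  {dev}: {len(irps)} IRP majors hooked")
    for h in unattributed(hooks):
        print(f"unattributed: {h['driver']} {h['device']} {h['irp']} at {h['addr']}")
```

Run over the full section above, the attributed side collapses to a single module with a single handler address, which is what a TDI filter that registers one dispatch routine for the whole major-function table looks like; the Fastfat "Code" entry is the only line that cannot be tied to a file on disk from the GMER output alone, so it is the one to resolve against the loaded-module list rather than the service list.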



## Cookiegal (Aug 27, 2003)

Please open HijackThis.
Click on *Open Misc Tools Section*
Make sure that both boxes beside "Generate StartupList Log" are checked:

*List all minor sections(Full)*
*List Empty Sections(Complete)*
Click *Generate StartupList Log*.
Click *Yes* at the prompt.
It will open a text file. Please copy the entire contents of that page and paste it here.


----------



## BigRC (Dec 18, 2006)

Good Morning Cookiegal: Here's the log.
StartupList report, 12/28/2006, 9:09:21 AM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Owner\My Documents\Misc. Stuff\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.5730.0011)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Cox\Applications\App\syssvcnt.exe
C:\Program Files\Cox\Applications\app\Console.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Documents and Settings\Owner\My Documents\Misc. Stuff\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Event Reminder.lnk = C:\Program Files\PrintMaster 16\pmremind.exe
Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

hpsysdrv = c:\windows\system\hpsysdrv.exe
HotKeysCmds = C:\WINDOWS\system32\hkcmd.exe
CamMonitor = c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
HPHmon05 = C:\WINDOWS\System32\hphmon05.exe
UpdateManager = "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
AutoTKit = C:\hp\bin\AUTOTKIT.EXE
Recguard = C:\WINDOWS\SMINST\RECGUARD.EXE
VTTimer = VTTimer.exe
LTMSG = LTMSG.exe 7
Sunkist2k = C:\Program Files\Multimedia Card Reader\shwicon2k.exe
Logitech Utility = Logi_MwX.Exe
IgfxTray = C:\WINDOWS\system32\igfxtray.exe
AlcxMonitor = ALCXMNTR.EXE
HP Software Update = C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
KBD = C:\HP\KBD\KBD.EXE
ESP = C:\Program Files\Cox\Applications\app\start.exe
HP Component Manager = "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
!AVG Anti-Spyware = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

RecordNow! = 
BackupNotify = c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
MoneyAgent = "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
Start WingMan Profiler = 
LDM = \Program\BackWeb-8876480.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}] *
StubPath = C:\WINDOWS\system32\ieudinit.exe

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{44BBA851-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\wpie4x86.inf,PerUserStub

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -BaseSettings

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install

[{8b15971b-5355-4c82-8c07-7e181ea07608}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser

[{94de52c8-2d59-4f1b-883e-79663d2d9a8c}]
StubPath = rundll32.exe C:\WINDOWS\System32\Setup\FxsOcm.dll,XP_UninstallProvider

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\GOLDFI~1.SCR
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------


----------
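
The StartupList report above is read by comparing a handful of integrity items against the Windows XP defaults: the UserInit value, the .EXE/.COM/.BAT/.PIF/.SCR open commands, AppInit_DLLs, the Shell value, stray Explorer.exe copies, BHOs registered with no file, and the Winsock provider chain. The Python below is an added example that encodes those checks, not HijackThis code and not from anyone in this thread. Its baselines are the XP SP2 values exactly as they appear in the posted report (whether they are right for another host is an assumption), the KNOWN_LSP set is a baseline chosen for the example rather than an exhaustive list of Microsoft providers, and the two inputs are constructed samples in the report's layout: one mirroring the posted values, one tampered with placeholder file names.

```python
"""Baseline checks over a HijackThis StartupList report.

Added example, not HijackThis code. Baselines are the Windows XP SP2 values as they appear
in the report posted above; that they are right for a given host is an assumption.
"""
import re

SEP = "-" * 50  # StartupList separates its sections with a line of 50 dashes

USERINIT_BASELINE = r"C:\WINDOWS\system32\userinit.exe,"  # the trailing comma is the XP default
ASSOC_BASELINE = {".EXE": '"%1" %*', ".COM": '"%1" %*', ".BAT": '"%1" %*',
                  ".PIF": '"%1" %*', ".SCR": '"%1" /S'}
EXPLORER_BASELINE = r"c:\windows\explorer.exe"
# Winsock providers that ship with XP: a baseline chosen for this example, not an exhaustive list.
KNOWN_LSP = {"mswsock.dll", "winrnr.dll", "nwprovau.dll", "rsvpsp.dll"}


def sections(report):
    """Yield (header, section_text) for every dash-separated section of the report."""
    for chunk in report.split(SEP):
        lines = [line.rstrip() for line in chunk.strip().splitlines()]
        if lines:
            yield lines[0], "\n".join(lines)


def audit(report):
    """Return human-readable findings; an empty list means every checked item matched its baseline."""
    findings = []
    for header, text in sections(report):
        if header.startswith("Checking Windows NT UserInit"):
            m = re.search(r"^UserInit = (.*)$", text, re.M)
            val = m.group(1).strip() if m else "<missing>"
            if val != USERINIT_BASELINE:
                findings.append(f"UserInit deviates from baseline: {val}")
        elif header.startswith("File association entry for"):
            ext = header.split()[-1].rstrip(":")
            m = re.search(r"^\(Default\) = (.*)$", text, re.M)
            val = m.group(1).strip() if m else "<missing>"
            if ext in ASSOC_BASELINE and val != ASSOC_BASELINE[ext]:
                findings.append(f"{ext} open command deviates from baseline: {val}")
        elif header.startswith("Load/Run keys"):
            m = re.search(r"AppInit_DLLs=(.*)$", text, re.M)
            if m and m.group(1).strip():
                findings.append(f"AppInit_DLLs is populated: {m.group(1).strip()}")
        elif header.startswith("Shell & screensaver key"):
            for val in re.findall(r"^Shell=(.*)$", text, re.M):
                # values starting with '*' are StartupList's own 'not found' markers
                if not val.startswith("*") and val.strip().lower() != "explorer.exe":
                    findings.append(f"Shell deviates from baseline: {val}")
        elif header.startswith("Checking for EXPLORER.EXE instances"):
            for path in re.findall(r"^(.*): PRESENT!$", text, re.M):
                if path.lower() != EXPLORER_BASELINE:
                    findings.append(f"extra Explorer.exe copy: {path}")
        elif header.startswith("Enumerating Browser Helper Objects"):
            for clsid in re.findall(r"\(no file\) - (\{[^}]+\})", text):
                findings.append(f"orphaned BHO registration (no file): {clsid}")
        elif header.startswith("Enumerating Winsock LSP files"):
            for path in re.findall(r"^(?:NameSpace|Protocol) #\d+: (.*)$", text, re.M):
                if path.rsplit("\\", 1)[-1].lower() not in KNOWN_LSP:
                    findings.append(f"LSP outside baseline: {path}")
    return findings


def make_report(userinit=USERINIT_BASELINE, exe_cmd='"%1" %*', appinit="", extra_lsp=None):
    """Constructed sample in the StartupList layout shown above; defaults mirror the posted report.
    Non-default arguments yield a deliberately tampered report; their file names are placeholders."""
    lsp = [r"NameSpace #1: C:\WINDOWS\System32\mswsock.dll",
           r"Protocol #1: C:\WINDOWS\system32\mswsock.dll"]
    if extra_lsp:
        lsp.append("Protocol #2: " + extra_lsp)
    return "\n".join([
        "Checking Windows NT UserInit:", "",
        r"[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]",
        "UserInit = " + userinit, "", SEP, "",
        "File association entry for .EXE:",
        r"HKEY_CLASSES_ROOT\exefile\shell\open\command", "",
        "(Default) = " + exe_cmd, "", SEP, "",
        "File association entry for .SCR:",
        r"HKEY_CLASSES_ROOT\scrfile\shell\open\command", "",
        '(Default) = "%1" /S', "", SEP, "",
        r"Load/Run keys from C:\WINDOWS\WIN.INI:", "",
        r"HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=" + appinit, "", SEP, "",
        r"Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:", "",
        "Shell=*INI section not found*", "Shell=Explorer.exe", "", SEP, "",
        "Checking for EXPLORER.EXE instances:", "",
        r"C:\WINDOWS\Explorer.exe: PRESENT!", r"C:\Explorer.exe: not present", "", SEP, "",
        "Enumerating Browser Helper Objects:", "",
        "(no name) - (no file) - {3C7195F6-D788-4D50-BA72-2EE212EDAC78}", "", SEP, "",
        "Enumerating Winsock LSP files:", "", *lsp, "",
    ])


if __name__ == "__main__":
    print("as posted:", audit(make_report()) or ["all checks at baseline"])
    print("tampered:", audit(make_report(userinit=USERINIT_BASELINE + r"C:\placeholder.exe",
                                         appinit=r"C:\placeholder.dll")))
```

Against the values in the posted report the only finding is the BHO registered under {3C7195F6-D788-4D50-BA72-2EE212EDAC78} with "(no file)": a CLSID whose DLL is gone, so nothing loads from it, and it is cleanup residue rather than an active component. The UserInit, open-command, AppInit_DLLs, Shell, Explorer.exe and LSP checks all match baseline in that report, which is the point of running the comparison rather than reading 400 lines by eye.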



## BigRC (Dec 18, 2006)

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - (no file) - {3C7195F6-D788-4D50-BA72-2EE212EDAC78}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\Java\jre1.6.0\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[cpcScanner]
CODEBASE = http://www.crucial.com/controls/cpcScanner.cab
OSD = C:\WINDOWS\Downloaded Program Files\OSD4A1.OSD

[{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}]
CODEBASE = http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab

[Java Plug-in 1.6.0]
InProcServer32 = C:\Program Files\Java\jre1.6.0\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

[{BCC0FF27-31D9-4614-A68E-C18E1ADA4389}]
CODEBASE = http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab

[Java Plug-in 1.6.0]
InProcServer32 = C:\Program Files\Java\jre1.6.0\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab

[Java Plug-in 1.6.0]
InProcServer32 = C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash5r42.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
NameSpace #4: C:\WINDOWS\System32\nwprovau.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
Protocol #18: C:\WINDOWS\system32\mswsock.dll
Protocol #19: C:\WINDOWS\system32\mswsock.dll
Protocol #20: C:\WINDOWS\system32\mswsock.dll
Protocol #21: C:\WINDOWS\system32\mswsock.dll
Protocol #22: C:\WINDOWS\system32\mswsock.dll
Protocol #23: C:\WINDOWS\system32\mswsock.dll
Protocol #24: C:\WINDOWS\system32\mswsock.dll
Protocol #25: C:\WINDOWS\system32\mswsock.dll
Protocol #26: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Service for WDM 3D Audio Driver: system32\drivers\ALCXSENS.SYS (manual start)
Service for Realtek AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AMD K7 Processor Driver: System32\DRIVERS\amdk7.sys (system)
ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter: System32\DRIVERS\AN983.sys (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
1394 ARP Client Protocol: System32\DRIVERS\arp1394.sys (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Cox High Speed Internet Security Suite System Service: C:\Program Files\Cox\Applications\App\syssvcnt.exe (autostart)
AVG Anti-Spyware Driver: \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys (system)
AVG Anti-Spyware Guard: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (autostart)
AVG Anti-Spyware Clean Driver: System32\DRIVERS\AvgAsCln.sys (system)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
CSS DVP: system32\DRIVERS\css-dvp.sys (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
DvpApi: "C:\Program Files\Common Files\Command Software\dvpapi.exe" (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
fasttx2k: System32\DRIVERS\fasttx2k.sys (system)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
gmer: System32\DRIVERS\gmer.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Authentium TDI Mon: System32\Drivers\GRTdiMon.sys (autostart)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
IEEE-1284.4 Driver HPZid412: system32\DRIVERS\HPZid412.sys (manual start)
Print Class Driver for IEEE-1284.4 HPZipr12: system32\DRIVERS\HPZipr12.sys (manual start)
USB to IEEE-1284.4 Translation Driver HPZius12: system32\DRIVERS\HPZius12.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
ialm: System32\DRIVERS\ialmnt5.sys (manual start)
IdeBusDr: system32\DRIVERS\IdeBusDr.sys (system)
Intel(R) Ultra ATA Controller: system32\DRIVERS\IdeChnDr.sys (system)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IntelIde: System32\DRIVERS\intelide.sys (system)
Intel Processor Driver: System32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Keyboard HID Driver: System32\DRIVERS\kbdhid.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Logitech PS/2 Mouse Filter Driver: System32\DRIVERS\L8042pr2.Sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
LexBce Server: C:\WINDOWS\system32\LEXBCES.EXE (autostart)
Logitech HID/USB Mouse Filter Driver: System32\DRIVERS\LHidFlt2.Sys (manual start)
Logitech USB Receiver device driver: System32\Drivers\LHidUsb.Sys (manual start)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Logitech Mouse Class Filter Driver: System32\DRIVERS\LMouFlt2.Sys (manual start)
Agere Modem Driver: System32\DRIVERS\ltmdmnt.sys (manual start)
Lexmark X73 MFP Scanner: System32\Drivers\Lxarscan.sys (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
NaiAvFilter1: system32\drivers\naiavf5x.sys (manual start)
Microsoft TV/Video Connection: System32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBT: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
1394 Net Driver: System32\DRIVERS\nic1394.sys (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
nVidia WDM Video Capture (universal): System32\DRIVERS\nvcap.sys (autostart)
NVIDIA Display Driver Service: %SystemRoot%\system32\nvsvc32.exe (autostart)
nVidia WDM A/V Crossbar: System32\DRIVERS\NVxbar.sys (autostart)
NVIDIA nForce AGP Bus Filter: System32\DRIVERS\nv_agp.sys (system)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
NWLink IPX/SPX/NetBIOS Compatible Transport Protocol: System32\DRIVERS\nwlnkipx.sys (autostart)
NWLink NetBIOS: System32\DRIVERS\nwlnknb.sys (autostart)
NWLink SPX/SPXII Protocol: System32\DRIVERS\nwlnkspx.sys (autostart)
VIA OHCI Compliant IEEE 1394 Host Controller: System32\DRIVERS\ohci1394.sys (system)
OrangeWare USB 2.0 Root Hub Support: system32\DRIVERS\ousb2hub.sys (manual start)
OrangeWare USB Enhanced Host Controller Service: System32\Drivers\ousbehci.sys (autostart)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: \SystemRoot\System32\DRIVERS\pciide.sys (disabled)
Toshiba PCX1100U USB Cable Modem networking driver: system32\DRIVERS\pcx1nd5.sys (manual start)
Toshiba PCX1100U USB Cable Modem WDM driver: system32\DRIVERS\pcx1unic.sys (manual start)
Padus ASPI Shell: system32\drivers\pfc.sys (manual start)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
Pml Driver HPZ12: C:\WINDOWS\system32\HPZipm12.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
PS2: System32\DRIVERS\PS2.sys (manual start)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\DRIVERS\PxHelp20.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Realtek RTL8139/810x Family Fast Ethernet NIC NT Driver: System32\DRIVERS\R8139n51.SYS (manual start)
S3Psddr: System32\DRIVERS\s3gnbm.sys (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SiS315: System32\DRIVERS\sisgrp.sys (manual start)
SiS AGP Filter: System32\DRIVERS\SISAGPX.sys (system)
SiSkp: System32\DRIVERS\srvkp.sys (system)
BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)
Alcor Micro Corp - 9360: \??\C:\WINDOWS\System32\Drivers\sunkfilt.sys (manual start)
HP && Alcor Micro Corp for Phison: \??\C:\WINDOWS\System32\Drivers\sunkfiltp.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{07E67AF9-F29E-4C46-A99E-83F064F16F92} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\System32\wdfmgr.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: System32\DRIVERS\usbohci.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Filter: System32\DRIVERS\viaagp1.sys (system)
viagfx: System32\DRIVERS\vtmini.sys (manual start)
ViaIde: \SystemRoot\System32\DRIVERS\viaide.sys (disabled)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Logitech Virtual Bus Enumerator Driver: system32\drivers\WmBEnum.sys (manual start)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Logitech Gaming HID Filter Driver: system32\drivers\WmFilter.sys (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Logitech Virtual Hid Device Driver: system32\drivers\WmVirHid.sys (manual start)
Logitech WingMan Translation Layer Driver: system32\drivers\WmXlCore.sys (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (disabled)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Intel(R) Graphics Platform (SoftBIOS) Driver: system32\drivers\ialmsbw.sys (manual start)
Intel(R) Graphics Chipset (KCH) Driver: system32\drivers\ialmkchw.sys (manual start)

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

End of report, 38,162 bytes
Report generated in 0.375 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## Cookiegal (Aug 27, 2003)

Do you have your XP CD?


----------



## BigRC (Dec 18, 2006)

Hi: no CD, but I have been talking to a Cox security suite rep. He says the problem may be with the IE7 that I loaded on my desktop. I did not load it on my wife's laptop, and for some reason the file (syssvcnt.exe) that has been eating up my memory is different on her laptop. It is (CurtainsSysSvcNt.exe), and it does not eat the memory or do the 100% spike every 2 minutes. I removed IE7 on mine a few minutes ago, but the file is the same and still eating memory. I may have to go to a (can't think of the term) where Windows saves the operating system every few days so you can go back to a time before it screwed up. What do you think? Rex


----------



## Cookiegal (Aug 27, 2003)

You could definitely try to do a system restore and see if it corrects the problem.


----------



## BigRC (Dec 18, 2006)

Hi Cookiegal: It would not let me do a restore back to Nov. 13 to go before I installed the Cox security suite, so I uninstalled the suite and IE7. Got back to IE6 and tried to reinstall the Cox suite. It told me it couldn't install the Cox suite because I had McAfee (dumb, because I don't have McAfee anywhere on my computer; I uninstalled it before I put the Cox suite on before). Anyway, I am giving up on the free Cox suite, and I bought McAfee 2007 VirusScan Plus and installed it. I left the McAfee scan running last night, and this morning I had the black screen of death. Rebooted and checked the scan. It had found a dozen or so cookies and deleted them. Not sure what is causing the blackout. I ran a HijackThis log this morning. Would you please take a look at it? Thanks, Rex

Logfile of HijackThis v1.99.1
Scan saved at 8:53:56 AM, on 12/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\LTMSG.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\SiteAdvisor\4979\SiteAdv.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\SiteAdvisor\4979\SAService.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\Misc. Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\4979\SiteAdv.dll
O2 - BHO: (no name) - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\4979\SiteAdv.dll
O3 - Toolbar: (no name) - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\4979\SiteAdv.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\4979\SiteAdv.dll
O20 - Winlogon Notify: awvvt - C:\WINDOWS\system32\awvvt.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: vtstu - C:\WINDOWS\system32\vtstu.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: McAfee Application Installer Cleanup (0313271167366974) (0313271167366974mcinstcleanup) - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\031327~1.EXE (file missing)
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (mctskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\4979\SAService.exe


----------



## Cookiegal (Aug 27, 2003)

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click *fix checked*.

O2 - BHO: (no name) - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - (no file)

O3 - Toolbar: (no name) - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - (no file)

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O20 - Winlogon Notify: awvvt - C:\WINDOWS\system32\awvvt.dll (file missing)

O20 - Winlogon Notify: vtstu - C:\WINDOWS\system32\vtstu.dll (file missing)

Download GMER from:

http://www.majorgeeks.com/download.php?det=5198

Save it somewhere safe and unzip it to the desktop.

Double-click gmer.exe to run it, select the Rootkit tab and press Scan. When it has finished, press Save and copy the log back here please, along with a new HijackThis log.
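The entries picked out above follow a few recognisable patterns: registry entries whose target file is gone, Run values that launch a bare filename resolved through the search path, and Winlogon Notify DLLs, which load into winlogon.exe at every logon. As an added example (my own code, not HijackThis's and not anything posted in this thread), the Python below applies those checks to log lines; the sample lines are copied from the HijackThis log posted above, and the reason codes and rules are my own triage heuristics, not HijackThis output.

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis code).

Flags the kinds of entries the reply above asks the poster to fix:
orphaned entries whose file is gone, Run values that launch an unqualified
filename, every Winlogon Notify hook, and services with an unknown owner or
a binary living in a Temp directory.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Reason codes (my own labels) attached to each finding.
ORPHAN = "orphan-entry"            # entry points at a file that no longer exists
UNQUALIFIED = "unqualified-path"   # Run value resolves its executable via the search path
WINLOGON = "winlogon-notify"       # DLL loaded by winlogon.exe at logon; review every one
UNKNOWN_OWNER = "unknown-owner"    # service binary has no publisher recorded
TEMP_PATH = "temp-path"            # service binary lives under a Temp directory

_ORPHAN_RE = re.compile(r"\((?:no file|file missing)\)\s*$")
_O4_RE = re.compile(r"^O4 - \S+: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
_O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

# Sample lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - (no file)
O3 - Toolbar: (no name) - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O20 - Winlogon Notify: awvvt - C:\WINDOWS\system32\awvvt.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: McAfee Application Installer Cleanup (0313271167366974) (0313271167366974mcinstcleanup) - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\031327~1.EXE (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section tag, e.g. "O4"
    reason: str    # one of the reason codes above
    raw: str       # the log line that triggered it


def executable_of(cmd: str) -> str:
    """Return the path an O4 Run command actually launches.

    A quoted command yields the quoted path; a rundll32 command yields its
    DLL argument, since rundll32 itself is always found on the path.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    parts = cmd.split(None, 1)
    exe = parts[0]
    if exe.lower() in ("rundll32.exe", "rundll32") and len(parts) > 1:
        return parts[1].split(",", 1)[0].split()[0]
    return exe


def is_qualified(path: str) -> bool:
    """True when the path names a directory or starts with an environment variable."""
    return "\\" in path or path.startswith("%")


def triage(log_text: str) -> list[Finding]:
    """Run every rule over each log line; a line may produce several findings."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if not line or " - " not in line:
            continue
        section = line.split(" - ", 1)[0]
        if _ORPHAN_RE.search(line):
            findings.append(Finding(section, ORPHAN, line))
        if (m := _O4_RE.match(line)) and not is_qualified(executable_of(m["cmd"])):
            findings.append(Finding(section, UNQUALIFIED, line))
        if _O20_RE.match(line):
            findings.append(Finding(section, WINLOGON, line))
        if m := _O23_RE.match(line):
            if m["owner"].strip().lower() == "unknown owner":
                findings.append(Finding(section, UNKNOWN_OWNER, line))
            if "\\temp\\" in m["path"].lower():
                findings.append(Finding(section, TEMP_PATH, line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per reason code."""
    return dict(Counter(f.reason for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason:<17} {f.raw}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the sample, the script flags exactly the orphaned O2, O3 and O20 entries and the bare ALCXMNTR.EXE Run value that the reply above lists, plus VTTimer.exe, the two legitimate Winlogon Notify DLLs (listed for review, not as malicious) and the leftover McAfee cleanup service whose binary sat in a Temp folder and has since vanished. The rules are heuristics: a flagged entry is a prompt to look at the file and its publisher, not a verdict.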


----------



## BigRC (Dec 18, 2006)

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2006-12-29 18:15:01
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.12 ----

Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwDeleteKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwDeleteValueKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys  ZwOpenKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwProtectVirtualMemory
Code \SystemRoot\system32\drivers\mfehidk.sys ZwRenameKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwSetValueKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwTerminateProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwUnmapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys ZwYieldExecution
Code \SystemRoot\system32\drivers\mfehidk.sys NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys NtMapViewOfSection

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!ZwYieldExecution 804F4102 7 Bytes JMP B8B092FD \SystemRoot\system32\drivers\mfehidk.sys

---- User code sections - GMER 1.0.12 ----

.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00FF0000 
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00FF0F92 
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00FF0FAD 
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00FF0FCA 
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00FF0087 
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00FF0051 
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00FF0F6B 
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00FF00B3 
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00FF00CE 
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00FF0F3F 
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!GetProcAddress  7C80ADA0 5 Bytes JMP 00FF0F10 
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00FF006C 
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00FF0FE5 
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00FF00A2 
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00FF0036 
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00FF001B 
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00FF0F50 
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00A70051 
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00A70FAF 
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00A70036 
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00A7001B 
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00A70FC0 
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00A70FD1 
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00A7000A 
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00A70062 
.text C:\WINDOWS\system32\services.exe[576] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00A40000 
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00BC0000 
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00BC0F8C 
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00BC0081 
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00BC0066 
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00BC0055 
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00BC0033 
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00BC00D4 
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00BC00C3 
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00BC00F9 
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00BC0F60 
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00BC0F4F 
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00BC0044 
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00BC0011 
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00BC009C 
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00BC0022 
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00BC0FDB 
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00BC0F7B 
.text C:\WINDOWS\system32\lsass.exe[588] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00BB0FD4 
.text C:\WINDOWS\system32\lsass.exe[588] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00BB0F94 
.text C:\WINDOWS\system32\lsass.exe[588] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00BB0FE5 
.text C:\WINDOWS\system32\lsass.exe[588] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00BB001B 
.text C:\WINDOWS\system32\lsass.exe[588] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00BB0051 
.text C:\WINDOWS\system32\lsass.exe[588] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00BB0FAF 
.text C:\WINDOWS\system32\lsass.exe[588] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00BB000A 
.text C:\WINDOWS\system32\lsass.exe[588] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00BB0036 
.text C:\WINDOWS\system32\lsass.exe[588] WS2_32.dll!socket  71AB3B91 5 Bytes JMP 00B10FE5 
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00820000 
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 0082007F 
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00820064 
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00820047 
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00820F94 
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00820FAF 
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 008200B5 
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 0082009A 
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 008200D0 
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00820F41 
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 008200EB 
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 0082002C 
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00820FE5 
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00820F6F 
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00820011 
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00820FC0 
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00820F52 
.text C:\WINDOWS\system32\svchost.exe[736] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00810047 
.text C:\WINDOWS\system32\svchost.exe[736] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00810073 
.text C:\WINDOWS\system32\svchost.exe[736] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 0081002C 
.text C:\WINDOWS\system32\svchost.exe[736] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00810011 
.text C:\WINDOWS\system32\svchost.exe[736] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00810FC0 
.text C:\WINDOWS\system32\svchost.exe[736] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00810062 
.text C:\WINDOWS\system32\svchost.exe[736] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00810000 
.text C:\WINDOWS\system32\svchost.exe[736] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00810FDB 
.text C:\WINDOWS\system32\svchost.exe[736] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 007D0FEF 
.text C:\WINDOWS\system32\svchost.exe[796] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 0094000A 
.text C:\WINDOWS\system32\svchost.exe[796] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 009400A7 
.text C:\WINDOWS\system32\svchost.exe[796] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00940FB2 
.text C:\WINDOWS\system32\svchost.exe[796] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00940FCD 
.text C:\WINDOWS\system32\svchost.exe[796] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00940080 
.text C:\WINDOWS\system32\svchost.exe[796] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0094004A 
.text C:\WINDOWS\system32\svchost.exe[796] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00940F6B 
.text C:\WINDOWS\system32\svchost.exe[796] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00940F7C 
.text C:\WINDOWS\system32\svchost.exe[796] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00940F50 
.text C:\WINDOWS\system32\svchost.exe[796] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 009400E9 
.text C:\WINDOWS\system32\svchost.exe[796] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00940F3F 
.text C:\WINDOWS\system32\svchost.exe[796] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00940065 
.text C:\WINDOWS\system32\svchost.exe[796] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00940FEF 
.text C:\WINDOWS\system32\svchost.exe[796] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00940F8D 
.text C:\WINDOWS\system32\svchost.exe[796] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00940039 
.text C:\WINDOWS\system32\svchost.exe[796] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00940FDE 
.text C:\WINDOWS\system32\svchost.exe[796] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 009400D8 
.text C:\WINDOWS\system32\svchost.exe[796] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 0093001B 
.text C:\WINDOWS\system32\svchost.exe[796] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00930058 
.text C:\WINDOWS\system32\svchost.exe[796] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 0093000A 
.text C:\WINDOWS\system32\svchost.exe[796] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00930FD4 
.text C:\WINDOWS\system32\svchost.exe[796] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00930FA5 
.text C:\WINDOWS\system32\svchost.exe[796] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00930047 
.text C:\WINDOWS\system32\svchost.exe[796] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00930FE5 
.text C:\WINDOWS\system32\svchost.exe[796] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00930036 
.text C:\WINDOWS\system32\svchost.exe[796] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00910000 
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01FD0000 
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 01FD009B 
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01FD008A 
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 01FD0FA6 
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 01FD006F 
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01FD0FD4 
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 01FD00B8 
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 01FD0F70 
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!CreateProcessW  7C802332 5 Bytes JMP 01FD0F41 
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 01FD00E4 
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 01FD0F26 
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 01FD0FC3 
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 01FD001B 
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 01FD0F81 
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 01FD0FE5 
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 01FD0036 
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 01FD00C9 
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 01C70FB2 
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 01C7002F 
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 01C70FCD 
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 01C70FDE


----------



## BigRC (Dec 18, 2006)

.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 01C70F7C 
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 01C70F8D 
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 01C70FEF 
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 01C7001E 
.text C:\WINDOWS\system32\svchost.exe[860] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 01C40FEF 
.text C:\WINDOWS\system32\svchost.exe[860] WININET.dll!InternetOpenW 771BAF19 5 Bytes JMP 01C50FE5 
.text C:\WINDOWS\system32\svchost.exe[860] WININET.dll!InternetOpenA 771C58A2 5 Bytes JMP 01C50000 
.text C:\WINDOWS\system32\svchost.exe[860] WININET.dll!InternetOpenUrlA 771C5B6E 5 Bytes JMP 01C50FD4 
.text C:\WINDOWS\system32\svchost.exe[860] WININET.dll!InternetOpenUrlW 771D5B72 5 Bytes JMP 01C50027 
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00760FEF 
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00760F5F 
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00760054 
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00760F7C 
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00760039 
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00760014 
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00760F16 
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00760F33 
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00760ED6 
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 0076006F 
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00760EBB 
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00760F8D 
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00760FCA 
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00760F44 
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00760F9E 
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00760FB9 
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00760EFB 
.text C:\WINDOWS\system32\svchost.exe[908] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00750FB9 
.text C:\WINDOWS\system32\svchost.exe[908] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00750051 
.text C:\WINDOWS\system32\svchost.exe[908] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00750FCA
.text C:\WINDOWS\system32\svchost.exe[908] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00750FDB 
.text C:\WINDOWS\system32\svchost.exe[908] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00750040 
.text C:\WINDOWS\system32\svchost.exe[908] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 0075002F 
.text C:\WINDOWS\system32\svchost.exe[908] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00750000 
.text C:\WINDOWS\system32\svchost.exe[908] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00750FA8 
.text C:\WINDOWS\system32\svchost.exe[908] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00730FEF 
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 007F0000 
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 007F00AB 
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 007F0FB6 
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 007F009A 
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 007F007D 
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 007F0051 
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 007F0F74 
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 007F00BC 
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 007F0F37 
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 007F0F52 
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 007F00EB 
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 007F006C 
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 007F001B 
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 007F0F9B 
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 007F0036 
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 007F0FE5 
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 007F0F63 
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 006E0033 
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 006E0FA5 
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 006E0022 
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 006E0011 
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 006E0FB6 
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 006E004E 
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 006E0000 
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 006E0FC7 
.text C:\WINDOWS\system32\svchost.exe[984] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 006B0000 
.text C:\WINDOWS\system32\svchost.exe[984] WININET.dll!InternetOpenW 771BAF19 5 Bytes JMP 006C0FDE 
.text C:\WINDOWS\system32\svchost.exe[984] WININET.dll!InternetOpenA 771C58A2 5 Bytes JMP 006C0FEF 
.text C:\WINDOWS\system32\svchost.exe[984] WININET.dll!InternetOpenUrlA 771C5B6E 5 Bytes JMP 006C0014 
.text C:\WINDOWS\system32\svchost.exe[984] WININET.dll!InternetOpenUrlW 771D5B72 5 Bytes JMP 006C003B 
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00760FE5 
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00760F4B 
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00760F5C 
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00760F77 
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00760F94 
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0076001B 
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00760F26 
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00760062 
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 007600BF 
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 007600AE
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 007600D0 
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00760036 
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00760000 
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00760051 
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00760FAF 
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00760FC0 
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00760089 
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00750025 
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 0075007D 
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00750014 
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00750FDE 
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 0075006C 
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00750051 
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00750FEF 
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00750036 
.text C:\WINDOWS\system32\svchost.exe[1100] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00A10000 
.text C:\WINDOWS\explorer.exe[1288] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00B9000A 
.text C:\WINDOWS\explorer.exe[1288] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00B9007D 
.text C:\WINDOWS\explorer.exe[1288] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00B9006C 
.text C:\WINDOWS\explorer.exe[1288] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00B9005B 
.text C:\WINDOWS\explorer.exe[1288] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00B90FA8 
.text C:\WINDOWS\explorer.exe[1288] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00B90036 
.text C:\WINDOWS\explorer.exe[1288] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00B90F6B 
.text C:\WINDOWS\explorer.exe[1288] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00B900B3 
.text C:\WINDOWS\explorer.exe[1288] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00B90F5A 
.text C:\WINDOWS\explorer.exe[1288] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00B900F3 
.text C:\WINDOWS\explorer.exe[1288] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00B90F49 
.text C:\WINDOWS\explorer.exe[1288] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00B90FB9 
.text C:\WINDOWS\explorer.exe[1288] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00B90FEF 
.text C:\WINDOWS\explorer.exe[1288] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00B90098 
.text C:\WINDOWS\explorer.exe[1288] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00B90FCA 
.text C:\WINDOWS\explorer.exe[1288] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00B9001B 
.text C:\WINDOWS\explorer.exe[1288] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00B900CE 
.text C:\WINDOWS\explorer.exe[1288] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00B80FD4 
.text C:\WINDOWS\explorer.exe[1288] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00B8006F 
.text C:\WINDOWS\explorer.exe[1288] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00B8001B 
.text C:\WINDOWS\explorer.exe[1288] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00B8000A 
.text C:\WINDOWS\explorer.exe[1288] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00B80054 
.text C:\WINDOWS\explorer.exe[1288] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00B80FB2 
.text C:\WINDOWS\explorer.exe[1288] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00B80FE5 
.text C:\WINDOWS\explorer.exe[1288] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00B80FC3
.text C:\WINDOWS\explorer.exe[1288] WININET.dll!InternetOpenW 771BAF19 5 Bytes JMP 00B5000A 
.text C:\WINDOWS\explorer.exe[1288] WININET.dll!InternetOpenA 771C58A2 5 Bytes JMP 00B50FEF 
.text C:\WINDOWS\explorer.exe[1288] WININET.dll!InternetOpenUrlA 771C5B6E 5 Bytes JMP 00B5001B 
.text C:\WINDOWS\explorer.exe[1288] WININET.dll!InternetOpenUrlW 771D5B72 5 Bytes JMP 00B50036 
.text C:\WINDOWS\explorer.exe[1288] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00A90000 
.text C:\WINDOWS\system32\svchost.exe[3224] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001A0000 
.text C:\WINDOWS\system32\svchost.exe[3224] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001A0F5C 
.text C:\WINDOWS\system32\svchost.exe[3224] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001A005B 
.text C:\WINDOWS\system32\svchost.exe[3224] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001A0F81 
.text C:\WINDOWS\system32\svchost.exe[3224] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 001A0F9E 
.text C:\WINDOWS\system32\svchost.exe[3224] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 001A0FCA 
.text C:\WINDOWS\system32\svchost.exe[3224] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001A0F41 
.text C:\WINDOWS\system32\svchost.exe[3224] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001A0089 
.text C:\WINDOWS\system32\svchost.exe[3224] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001A00DA 
.text C:\WINDOWS\system32\svchost.exe[3224] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001A00BF 
.text C:\WINDOWS\system32\svchost.exe[3224] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 001A00FF 
.text C:\WINDOWS\system32\svchost.exe[3224] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 001A0FAF 
.text C:\WINDOWS\system32\svchost.exe[3224] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 001A0FE5 
.text C:\WINDOWS\system32\svchost.exe[3224] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 001A006C 
.text C:\WINDOWS\system32\svchost.exe[3224] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 001A0036
.text C:\WINDOWS\system32\svchost.exe[3224] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 001A001B 
.text C:\WINDOWS\system32\svchost.exe[3224] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 001A00A4 
.text C:\WINDOWS\system32\svchost.exe[3224] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00280FEF 
.text C:\WINDOWS\system32\svchost.exe[3224] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00280087 
.text C:\WINDOWS\system32\svchost.exe[3224] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00280040 
.text C:\WINDOWS\system32\svchost.exe[3224] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00280025 
.text C:\WINDOWS\system32\svchost.exe[3224] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00280FCA 
.text C:\WINDOWS\system32\svchost.exe[3224] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00280076 
.text C:\WINDOWS\system32\svchost.exe[3224] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 0028000A 
.text C:\WINDOWS\system32\svchost.exe[3224] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 0028005B 
.text C:\WINDOWS\system32\svchost.exe[3224] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 006D0000

---- Files - GMER 1.0.12 ----


----------



## BigRC (Dec 18, 2006)

Logfile of HijackThis v1.99.1
Scan saved at 6:16:14 PM, on 12/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SiteAdvisor\4979\SiteAdv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\SiteAdvisor\4979\SAService.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Owner\My Documents\Misc. Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\4979\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\4979\SiteAdv.dll
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\4979\SiteAdv.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\4979\SiteAdv.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: McAfee Application Installer Cleanup (0313271167366974) (0313271167366974mcinstcleanup) - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\031327~1.EXE (file missing)
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (mctskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\4979\SAService.exe


----------



## Cookiegal (Aug 27, 2003)

Is that the entire GMER log? It usually says EOF - GMER 1.0.12 at the end.


----------



## BigRC (Dec 18, 2006)

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2006-12-29 19:23:06
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.12 ----

Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwDeleteKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwDeleteValueKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys ZwOpenKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwProtectVirtualMemory
Code \SystemRoot\system32\drivers\mfehidk.sys ZwRenameKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwSetValueKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwTerminateProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwUnmapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys ZwYieldExecution
Code \SystemRoot\system32\drivers\mfehidk.sys NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys NtMapViewOfSection

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!ZwYieldExecution 804F4102 7 Bytes JMP B98BB2FD \SystemRoot\system32\drivers\mfehidk.sys

---- User code sections - GMER 1.0.12 ----

.text C:\WINDOWS\system32\services.exe[592] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00FF0FE5 
.text C:\WINDOWS\system32\services.exe[592] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00FF0F46 
.text C:\WINDOWS\system32\services.exe[592] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00FF0F57 
.text C:\WINDOWS\system32\services.exe[592] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00FF0F72 
.text C:\WINDOWS\system32\services.exe[592] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00FF0F83 
.text C:\WINDOWS\system32\services.exe[592] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00FF0025 
.text C:\WINDOWS\system32\services.exe[592] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00FF0078 
.text C:\WINDOWS\system32\services.exe[592] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00FF0067 
.text C:\WINDOWS\system32\services.exe[592] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00FF0EF0 
.text C:\WINDOWS\system32\services.exe[592] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00FF0089 
.text C:\WINDOWS\system32\services.exe[592] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00FF0ED5 
.text C:\WINDOWS\system32\services.exe[592] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00FF0F9E 
.text C:\WINDOWS\system32\services.exe[592] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00FF0FD4 
.text C:\WINDOWS\system32\services.exe[592] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00FF0056
.text C:\WINDOWS\system32\services.exe[592] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00FF000A 
.text C:\WINDOWS\system32\services.exe[592] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00FF0FB9 
.text C:\WINDOWS\system32\services.exe[592] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00FF0F15 
.text C:\WINDOWS\system32\services.exe[592] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00A70FC3 
.text C:\WINDOWS\system32\services.exe[592] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00A70065 
.text C:\WINDOWS\system32\services.exe[592] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00A70FD4 
.text C:\WINDOWS\system32\services.exe[592] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00A7000A 
.text C:\WINDOWS\system32\services.exe[592] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00A7004A 
.text C:\WINDOWS\system32\services.exe[592] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00A70F9E 
.text C:\WINDOWS\system32\services.exe[592] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00A70FEF 
.text C:\WINDOWS\system32\services.exe[592] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00A70025 
.text C:\WINDOWS\system32\services.exe[592] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00A40000 
.text C:\WINDOWS\system32\lsass.exe[604] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00B60FE5 
.text C:\WINDOWS\system32\lsass.exe[604] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00B60F5C 
.text C:\WINDOWS\system32\lsass.exe[604] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00B60F6D 
.text C:\WINDOWS\system32\lsass.exe[604] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00B60051 
.text C:\WINDOWS\system32\lsass.exe[604] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00B60F9E 
.text C:\WINDOWS\system32\lsass.exe[604] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00B60025 
.text C:\WINDOWS\system32\lsass.exe[604] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00B60F2E 
.text C:\WINDOWS\system32\lsass.exe[604] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00B60076 
.text C:\WINDOWS\system32\lsass.exe[604] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00B60EE7 
.text C:\WINDOWS\system32\lsass.exe[604] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00B60F02 
.text C:\WINDOWS\system32\lsass.exe[604] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00B6009B 
.text C:\WINDOWS\system32\lsass.exe[604] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00B60040 
.text C:\WINDOWS\system32\lsass.exe[604] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00B60000 
.text C:\WINDOWS\system32\lsass.exe[604] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00B60F4B 
.text C:\WINDOWS\system32\lsass.exe[604] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00B60FB9 
.text C:\WINDOWS\system32\lsass.exe[604] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00B60FCA 
.text C:\WINDOWS\system32\lsass.exe[604] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00B60F13 
.text C:\WINDOWS\system32\lsass.exe[604] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00B50047 
.text C:\WINDOWS\system32\lsass.exe[604] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00B50FB9 
.text C:\WINDOWS\system32\lsass.exe[604] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00B50036 
.text C:\WINDOWS\system32\lsass.exe[604] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00B50011 
.text C:\WINDOWS\system32\lsass.exe[604] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00B50FCA 
.text C:\WINDOWS\system32\lsass.exe[604] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00B50FDB 
.text C:\WINDOWS\system32\lsass.exe[604] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00B50000 
.text C:\WINDOWS\system32\lsass.exe[604] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00B50058 
.text C:\WINDOWS\system32\lsass.exe[604] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00B30FEF 
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 007D0000 
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 007D0F70 
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 007D0F81
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 007D0F9C 
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 007D0FB9 
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 007D0FCA 
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 007D009D 
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 007D0F55 
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 007D00E4 
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 007D00C9 
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 007D00FF 
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 007D0051 
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 007D0FEF 
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 007D0080 
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 007D0036 
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 007D001B 
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 007D00B8 
.text C:\WINDOWS\system32\svchost.exe[752] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 007C0FB9 
.text C:\WINDOWS\system32\svchost.exe[752] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 007C005B 
.text C:\WINDOWS\system32\svchost.exe[752] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 007C0FD4 
.text C:\WINDOWS\system32\svchost.exe[752] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 007C000A 
.text C:\WINDOWS\system32\svchost.exe[752] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 007C004A 
.text C:\WINDOWS\system32\svchost.exe[752] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 007C0FA8 
.text C:\WINDOWS\system32\svchost.exe[752] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 007C0FEF 


----------



## BigRC (Dec 18, 2006)


---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\Owner\Desktop\DIS Account.url:favicon 
ADS C:\Documents and Settings\Owner\Desktop\KATC.com - Acadiana News, LIVE Weather and Sports.url:favicon 
ADS C:\Documents and Settings\Owner\Desktop\Online Trading - TD AMERITRADE - Active Trading and Investing.url:favicon 
ADS C:\Documents and Settings\Owner\Favorites\Cox Virus Scan Problem - Tech Support Guy Forums.url:favicon  
ADS C:\Documents and Settings\Owner\Favorites\Crafts Christmas - Hanukkah - Kwanzaa Holiday Shoebox Glass Block Lights Home & Garden Television.url:favicon 
ADS C:\Documents and Settings\Owner\Favorites\Expert Zone Columns Archive.url:favicon 
ADS C:\Documents and Settings\Owner\Favorites\MAD MONEY RECAP Index of Stock Mentions by Date.url:favicon 
ADS C:\Documents and Settings\Owner\Favorites\Netives.com [Games-Marbles].url:favicon 
ADS C:\Documents and Settings\Owner\Favorites\Speakeasy - Speed Test.url:favicon 
ADS C:\Documents and Settings\Owner\Favorites\Tech Support Guy .url:favicon 
ADS C:\Documents and Settings\Owner\Favorites\The Daily Review.url:favicon 
ADS ...

---- EOF - GMER 1.0.12 ----


----------



## BigRC (Dec 18, 2006)

Logfile of HijackThis v1.99.1
Scan saved at 7:24:48 PM, on 12/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SiteAdvisor\4979\SiteAdv.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\LTMSG.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\SiteAdvisor\4979\SAService.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Owner\My Documents\Misc. Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\4979\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\4979\SiteAdv.dll
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\4979\SiteAdv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - Startup: AutoTBar.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\4979\SiteAdv.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: McAfee Application Installer Cleanup (0313271167366974) (0313271167366974mcinstcleanup) - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\031327~1.EXE (file missing)
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (mctskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\4979\SAService.exe


----------



## Cookiegal (Aug 27, 2003)

*Click here* to download FindAWF.exe and save it to your desktop.
Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
Press any key and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
It may take a few minutes to complete so be patient.
When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or whatever location you ran the file from.
Come back here to this thread and copy and paste the contents of the AWF.txt file in your next reply.


----------



## BigRC (Dec 18, 2006)

Find AWF report by noahdfear ©2006


21504 byte files found
~~~~~~~~~~~~~

21504 "C:\Documents and Settings\Owner\My Documents\Xmas Labels 05.wps"
21504 "C:\Program Files\Common Files\Authentium Shared\Core\threadmanager.dll"
21504 "C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData"


21504 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



25600 byte files found
~~~~~~~~~~~~~

25600 "C:\Program Files\Java\jre1.6.0\bin\keytool.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\kinit.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\klist.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\ktab.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\orbd.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\pack200.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\policytool.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\rmid.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\rmiregistry.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\servertool.exe"


25600 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



26450 byte files found
~~~~~~~~~~~~~



26450 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report


----------



## Cookiegal (Aug 27, 2003)

Were you ever able to run the full system scan with AVG-AS? I know you said you did a shorter scan because the full one wouldn't complete. Also, were you ever able to run Panda?

Run Kaspersky online virus scan *Kaspersky Online Scanner*.

After the updates have downloaded, click on the "Scan Settings" button.
Choose the *"Extended database"* for the scan.
Under "Please select a target to scan", click "My Computer".
When the scan is finished, Save the results from the scan!

*Note:* You have to use Internet Explorer to do the online scan.

*Post a new HiJackThis log along with the results from the Kaspersky scan*


----------



## BigRC (Dec 18, 2006)

Hi Cookiegal: I ran the Kaspersky scan but it shut down at 30%. It was showing that it had found 2 viruses and 3 infected objects before the computer went black and locked up.
I never did get to try the Panda scan or AVG scan again. I will try them while waiting for a reply on the Kaspersky scan problem.

Thanks so much for your help, Rex


----------



## BigRC (Dec 18, 2006)

Tried to run the AVG scan again with the same results. Black screen of death. Went back to the Kaspersky site and scanned again. This time, as soon as it showed that it had found the 2 viruses and 3 infected items, I stopped the scan. It gave me a report that I am copying here.
KASPERSKY ONLINE SCANNER REPORT 
Saturday, December 30, 2006 1:15:27 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 30/12/2006
Kaspersky Anti-Virus database records: 255175

Scan Settings 
Scan using the following antivirus database extended 
Scan Archives true 
Scan Mail Bases true

Scan Target My Computer 
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics 
Total number of scanned objects 12142 
Number of viruses found 2 
Number of infected objects 3 / 0 
Number of suspicious objects 0 
Duration of the scan process 00:13:33

Infected Object Name Virus Name Last Action 
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Application Data\SiteAdvisor\SiteAdv.csh Object is locked skipped

C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012006123020061231\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\05QJOD6R\alaunch[1].cab/gsda.dll Infected: not-a-virus:Downloader.Win32.SpyGame skipped

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\05QJOD6R\alaunch[1].cab CAB: infected - 1 skipped

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped

C:\hp\bin\KillWind.exe Infected: not-a-virus:RiskTool.Win32.PsKill.p skipped

Scan was interrupted by user!


----------



## Cookiegal (Aug 27, 2003)

*Click here* to download ATF Cleaner by Atribune and save it to your desktop.
Double-click *ATF-Cleaner.exe* to run the program.
Under *Main* choose: *Select All*
Click the *Empty Selected* button.
*If you use Firefox:*
Click *Firefox* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.


*If you use Opera:*
Click *Opera* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.


Click *Exit* on the Main menu to close the program.

How many user accounts are there on this computer?


----------



## BigRC (Dec 18, 2006)

Hi Cookiegal: I'm the only user account on this computer. I ran the ATF-Cleaner. Here's a new HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 8:44:06 PM, on 12/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SiteAdvisor\4979\SiteAdv.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\LTMSG.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\SiteAdvisor\4979\SAService.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\Documents and Settings\Owner\My Documents\Misc. Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\4979\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\4979\SiteAdv.dll
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\4979\SiteAdv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\4979\SiteAdv.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: McAfee Application Installer Cleanup (0313271167366974) (0313271167366974mcinstcleanup) - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\031327~1.EXE (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (mctskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\4979\SAService.exe
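As an added example, not part of the thread and not part of HijackThis itself, the script below runs a few generic triage heuristics over the O4 Run entries and O23 services in a log like the one above: a binary that lives under a Temp folder, a service whose file is missing, an "Unknown owner" service, and a Run value that is not an absolute path. The sample input is constructed from lines of the posted log plus one hypothetical `[Updater]` Run entry (not on the page) that exercises the Temp-folder check; the heuristics themselves are assumptions about what deserves a second look, not verdicts.

```python
import re

# Constructed sample: lines copied from the HijackThis log above, plus one
# hypothetical [Updater] Run entry (not on the page) that exercises the Temp check.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\4979\SiteAdv.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O23 - Service: McAfee Application Installer Cleanup (0313271167366974) (0313271167366974mcinstcleanup) - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\031327~1.EXE (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O4 - HKCU\..\Run: [Updater] C:\DOCUME~1\Owner\LOCALS~1\Temp\upd.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
ABS_RE = re.compile(r"^(?:[A-Za-z]:\\|%[^%]+%\\)")   # drive letter or %VAR% root
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)      # any ...\Temp\... path component
O23_PREFIX = "O23 - Service: "


def command_to_path(cmd):
    """Program part of a Run value: the quoted token if quoted, else everything before the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def flags_for(path, owner=""):
    """Generic triage heuristics; each hit is a reason to look closer, not a verdict."""
    flags = []
    if TEMP_RE.search(path):
        flags.append("temp folder")
    if path.lower().endswith("(file missing)"):
        flags.append("file missing")
    if not ABS_RE.match(path):
        flags.append("not an absolute path")
    if owner.lower() == "unknown owner":
        flags.append("unknown owner")
    return flags


def triage(log_text):
    """Return the O4 Run entries and O23 services that trip at least one heuristic, in log order."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        m = O4_RE.match(line)
        if m:
            path = command_to_path(m.group("cmd"))
            flags = flags_for(path)
            if flags:
                findings.append({"kind": "O4", "name": m.group("name"), "path": path, "flags": flags})
        elif line.startswith(O23_PREFIX):
            parts = line[len(O23_PREFIX):].rsplit(" - ", 2)    # "<name> - <owner> - <path>"
            if len(parts) == 3:
                name, owner, path = parts
                flags = flags_for(path, owner)
                if flags:
                    findings.append({"kind": "O23", "name": name, "path": path, "flags": flags})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:<4}{f['name']}: {f['path']}  <- {', '.join(f['flags'])}")
```

On the posted log the one O23 hit is the McAfee installer cleanup service: a Temp-folder binary, already gone, registered under no owner. That is a harmless installer leftover here, but it is also exactly what a dropper's service registration looks like, which is why the pattern is worth a glance every time. The root-relative `\Program\BackWeb-8876480.exe` entry is flagged because a Run value without a drive letter resolves against whatever the current drive happens to be.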


----------



## BigRC (Dec 18, 2006)

Hi Cookiegal: I'll try to be brief. Unloaded McAfee and downloaded a trial of Kaspersky. Ran a scan but it kept freezing up at certain files in the Program Files group. I'd remove one to the trash can and rescan, and so on. I removed a folder from Telechart, HP, and then had problems with several files in one of the folders in my FarCry game. It made the CPU usage go real erratic from 4 to 100% and you couldn't do anything. I tried to uninstall the program and it would do the same thing and I couldn't uninstall. I moved the whole Ubisoft (FarCry) folder to the trash and then deleted it. I started a new scan and it went to 94% of the scan, 315135 files scanned, 1 hr and 23 minutes. It froze up on this file and I don't know if I can delete it or what. Please help. File is
C:\windows\system32\olesvr.dll
I went to the file in My Computer and the damn thing would give me the black screen of death just by passing the pointer over it. I did it 3 times, just to make sure. Can you believe that!!! Help!
Thanks, Rex
PS - I had also tried to run a Panda scan again earlier and it would crash also.


----------



## Cookiegal (Aug 27, 2003)

Let's do a diagnostic startup.

Go to *Start* - *Run* - type *msconfig*, click OK and click on the *Startup* tab. Click the *Disable All* button then reboot. See if that solves the problem. If it does, then it means there's a problem with a program that's starting up. Then re-enable them one at a time. Reboot after enabling one item, then run for a while and see if the problem comes back. Repeat that process until you determine which one it is that's causing the problem.


----------



## BigRC (Dec 18, 2006)

Did as asked and restarted. The System Configuration Utility box showed 2 boxes still checked (NvCpl and avp). Went to Explorer, Windows\system32 and found the olesvr.dll file tile. Moved the pointer over some of the other files, OK. Moved the pointer over the olesvr.dll file tile and got the black screen of death.
Rebooted - now 3 boxes checked (NvCpl & avp & dumprep 0 -k). I disabled all again and exited without restarting. Found the file again and the pointer gives the black screen of death again.
HELP, I'm pulling out what little hair I have left. LOL


----------



## Cookiegal (Aug 27, 2003)

It's possible that particular dll has become corrupt.

Let's try re-registering it.

Go to Start - Run - type the following in the box and click OK:

*regsvr32 Olesvr.dll*

Also, do you have your XP CD?


----------



## BigRC (Dec 18, 2006)

Hi Cookiegal: Typed it in and when I hit OK I got the BSD.
I bought this thing in 2004 with XP preinstalled. I think everything is on the D drive.


----------



## Cookiegal (Aug 27, 2003)

Let's take a look and see what errors are being generated.

Go to *Start *- *Run *- type in *eventvwr.msc* and click OK.

Look under both "application" and "system" and if you see any recent errors in red double click on them to open them up and then click on the icon that looks like two pieces of paper. This will copy the entire error to the clipboard. Then paste them in here.


----------



## BigRC (Dec 18, 2006)

Some had multiple entries. Here are a few.
Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 12/31/2006
Time: 5:49:06 PM
User: N/A
Computer:	REX
Description:
The nVidia WDM A/V Crossbar service failed to start due to the following error: 
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 12/31/2006
Time: 5:49:06 PM
User: N/A
Computer:	REX
Description:
The Lexmark X73 MFP Scanner service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7006
Date: 12/31/2006
Time: 5:11:12 PM
User: N/A
Computer:	REX
Description:
The ScRegSetValueExW call failed for Start with the following error: 
Access is denied.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Warning
Event Source:	Disk
Event Category:	None
Event ID:	51
Date: 12/31/2006
Time: 4:37:22 PM
User: N/A
Computer:	REX
Description:
An error was detected on device \Device\Harddisk0\D during a paging operation.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 03 00 68 00 01 00 b6 00 ..h...¶.
0008: 00 00 00 00 33 00 04 80 ....3..€
0010: 2d 01 00 00 00 00 00 00 -.......
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: d2 03 00 00 00 00 00 00 Ò.......
0030: ff ff ff ff 03 00 00 00 ÿÿÿÿ....
0038: 40 00 00 04 00 00 00 00 @.......
0040: 00 20 0a 12 40 03 20 40 . ..@. @
0048: 00 00 00 00 14 00 00 00 ........
0050: 00 00 28 00 58 4f 6b 85 ..(.XOk…
0058: 00 00 00 00 28 4d 6b 85 ....(Mk…
0060: 00 00 00 00 e8 1b 11 05 ....è...
0068: 28 00 05 11 1b e8 00 01 (....è..
0070: 00 00 00 00 00 00 00 00 ........
0078: 00 00 00 00 00 00 00 00 ........
0080: 00 00 00 00 00 00 00 00 ........
0088: 00 00 00 00 00 00 00 00 ........

Event Type:	Error
Event Source:	IdeChnDr
Event Category:	None
Event ID:	9
Date: 12/25/2006
Time: 7:28:55 PM
User: N/A
Computer:	REX
Description:
The device, \Device\Ide\IdeDeviceP0T0L0, did not respond within the timeout period.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 0f 00 05 00 01 00 6e 00 ......n.
0008: 00 00 00 00 09 00 04 c0 .......À
0010: 01 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: 00 00 00 00 00 .....

Event Type:	Error
Event Source:	DCOM
Event Category:	None
Event ID:	10005
Date: 12/26/2006
Time: 6:46:57 PM
User: NT AUTHORITY\SYSTEM
Computer:	REX
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service EventSystem with arguments "" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	System Error
Event Category:	(102)
Event ID:	1003
Date: 12/27/2006
Time: 2:18:55 PM
User: N/A
Computer:	REX
Description:
Error code 1000000a, parameter1 000000e8, parameter2 00000002, parameter3 00000001, parameter4 806ffa16.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 53 79 73 74 65 6d 20 45 System E
0008: 72 72 6f 72 20 20 45 72 rror Er
0010: 72 6f 72 20 63 6f 64 65 ror code
0018: 20 31 30 30 30 30 30 30 1000000
0020: 61 20 20 50 61 72 61 6d a Param
0028: 65 74 65 72 73 20 30 30 eters 00
0030: 30 30 30 30 65 38 2c 20 0000e8, 
0038: 30 30 30 30 30 30 30 32 00000002
0040: 2c 20 30 30 30 30 30 30 , 000000
0048: 30 31 2c 20 38 30 36 66 01, 806f
0050: 66 61 31 36 fa16

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7001
Date: 12/27/2006
Time: 4:43:22 PM
User: N/A
Computer:	REX
Description:
The DHCP Client service depends on the NetBT service which failed to start because of the following error: 
A device attached to the system is not functioning.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Warning
Event Source:	Disk
Event Category:	None
Event ID:	51
Date: 12/31/2006
Time: 12:20:01 PM
User: N/A
Computer:	REX
Description:
An error was detected on device \Device\Harddisk0\D during a paging operation.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 03 01 68 00 01 00 b6 00 ..h...¶.
0008: 00 00 00 00 33 00 04 80 ....3..€
0010: 2d 01 00 00 00 00 00 00 -.......
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: a0 79 04 00 00 00 00 00 *y......
0030: ff ff ff ff 03 00 00 00 ÿÿÿÿ....
0038: 40 00 00 04 00 00 00 00 @.......
0040: ff 20 0a 12 4c 02 20 40 ÿ ..L. @
0048: 00 00 00 00 0a 00 00 00 ........
0050: 00 00 00 00 a0 40 7b 85 ....*@{…
0058: 00 00 00 00 38 78 d9 84 ....8xÙ„
0060: 00 00 00 00 a0 32 57 01 ....*2W.
0068: 28 00 01 57 32 a0 00 00 (..W2*..
0070: 08 00 00 00 00 00 00 00 ........
0078: 00 00 00 00 00 00 00 00 ........
0080: 00 00 00 00 00 00 00 00 ........
0088: 00 00 00 00 00 00 00 00 ........

Event Type:	Warning
Event Source:	Userenv
Event Category:	None
Event ID:	1517
Date: 12/31/2006
Time: 5:11:28 PM
User: NT AUTHORITY\SYSTEM
Computer:	REX
Description:
Windows saved user REX\Owner registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
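As an added example, not from the thread: a small parser for Event Viewer text in the form pasted above. It groups events by source and ID, drops repeated pastes of the same event (same source, ID, date and time, which is the dedupe key assumed here), and decodes the Event ID 1003 line. Event 1003 reports Stop 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) as "Error code 1000000a"; its four parameters are the referenced address, the IRQL at the time, 0 for a read or 1 for a write, and the faulting instruction address. In the posted event parameter1 is 0xe8 and parameter3 is 1: a write to a near-null address from kernel mode, which is consistent with a driver following a null or invalid pointer rather than with anything in the DLL the scanner stalled on. The Stop-code table in the example knows only 0x0A; the sample input is constructed from abbreviated copies of the posted events, with the Disk event included twice as it was in the post.

```python
import re
from collections import Counter

# Constructed sample input: abbreviated copies of events pasted above. The Disk
# event is included twice, exactly as it was in the post, to exercise the dedupe.
SAMPLE_EVENTS = r"""
Event Type: Warning
Event Source: Disk
Event ID: 51
Date: 12/31/2006
Time: 4:37:22 PM
Description:
An error was detected on device \Device\Harddisk0\D during a paging operation.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 03 00 68 00 01 00 b6 00 ..h...

Event Type: Error
Event Source: System Error
Event ID: 1003
Date: 12/27/2006
Time: 2:18:55 PM
Description:
Error code 1000000a, parameter1 000000e8, parameter2 00000002, parameter3 00000001, parameter4 806ffa16.

Event Type: Warning
Event Source: Disk
Event ID: 51
Date: 12/31/2006
Time: 4:37:22 PM
Description:
An error was detected on device \Device\Harddisk0\D during a paging operation.
"""

HEADER_RE = re.compile(r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer):\s*(.*)$")
BUGCHECK_RE = re.compile(r"Error code ([0-9a-f]{8}), parameter1 ([0-9a-f]{8}), parameter2 ([0-9a-f]{8}), "
                         r"parameter3 ([0-9a-f]{8}), parameter4 ([0-9a-f]{8})", re.IGNORECASE)
STOP_CODES = {0x0A: "IRQL_NOT_LESS_OR_EQUAL"}   # the only Stop code this example explains


def parse_events(text):
    """Split an Event Viewer text export into dicts: header fields plus a joined Description."""
    records, current, in_desc = [], None, False
    for line in (raw.rstrip() for raw in text.splitlines()):
        if line.startswith("Event Type:"):      # every record starts with this header
            current, in_desc = {"Description": ""}, False
            records.append(current)
        if current is None:
            continue
        if in_desc:                             # description runs until the footer or the hex Data block
            if line.startswith(("For more information", "Data:")):
                in_desc = False
            elif line:
                current["Description"] = (current["Description"] + " " + line).strip()
        elif line == "Description:":
            in_desc = True
        elif (m := HEADER_RE.match(line)):
            current[m.group(1)] = m.group(2).strip()
    return records


def decode_bugcheck(description):
    """Decode the 'Error code XXXXXXXX, parameter1 ...' line of an Event ID 1003 record, else None."""
    m = BUGCHECK_RE.search(description)
    if not m:
        return None
    code = int(m.group(1), 16)
    params = [int(p, 16) for p in m.groups()[1:]]
    base = code & 0x0FFFFFFF            # Event 1003 reports Stop 0x0000000A as 1000000a
    result = {"code": code, "name": STOP_CODES.get(base, "unknown"), "params": params}
    if base == 0x0A:                    # params: referenced address, IRQL, 0=read/1=write, faulting address
        result["access"] = "write" if params[2] == 1 else "read"
        result["low_address"] = params[0] < 0x10000   # near-null address: bad pointer plus a field offset
    return result


def summarize(text):
    """Dedupe repeated pastes (same source, ID, date, time), count by (source, ID), decode Stop codes."""
    unique = {}
    for r in parse_events(text):
        unique.setdefault((r.get("Event Source"), r.get("Event ID"), r.get("Date"), r.get("Time")), r)
    records = list(unique.values())
    counts = Counter((r.get("Event Source"), r.get("Event ID")) for r in records)
    bugchecks = [b for b in map(decode_bugcheck, (r["Description"] for r in records)) if b]
    return {"records": records, "counts": counts, "bugchecks": bugchecks}


if __name__ == "__main__":
    summary = summarize(SAMPLE_EVENTS)
    for (source, event_id), n in summary["counts"].most_common():
        print(f"{n} x {source} / Event ID {event_id}")
    for b in summary["bugchecks"]:
        print(f"Stop 0x{b['code']:08X} {b['name']}: {b.get('access', '?')} at IRQL {b['params'][1]}, "
              f"referenced 0x{b['params'][0]:08X}, faulting 0x{b['params'][3]:08X}")
```

Read together, the Disk 51 paging errors, the IdeChnDr timeout and a Stop 0x0A all point below the application layer, which is the direction the thread ends up taking.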


----------



## BigRC (Dec 18, 2006)

Hi CookieGal: Left the computer sitting doing nothing while I went to get a bite to eat and when I got back it had the BSD. I know it's not my screen saver because I've set it for several hours.
Thanks again for your help and have a Great New Year!
Rex


----------



## Cookiegal (Aug 27, 2003)

It looks like a driver or HD problem or incompatibility issue.

Have you installed any new hardware and/or drivers recently?


Open HijackThis and click on the "Open the Misc Tools Section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here please.


----------



## BigRC (Dec 18, 2006)

Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.8
Advanced Analyzer
Avery Cardoza's 100 Slots 2000
Battlefield 1942
Battlefield 1942: Secret Weapons of WWII
Battlefield 1942: The Road To Rome
Delta Force 2
Delta Force Land Warrior
Delta Force Task Force Dagger
Enhanced Multimedia Keyboard Solution
Excavation from Hewlett-Packard Desktops (remove only)
Five Card Frenzy from Hewlett-Packard Desktops (remove only)
GameSpy Arcade
GdiplusUpgrade
Greeting Card Factory Express
Hewlett-Packard Multimedia Keyboard/Mouse Solution
HijackThis 1.99.1
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hoyle Casino '99
HP Deskjet Preloaded Printer Drivers
HP Image Zone 3.5
HP Instant Support
HP Organize
HP Photo and Imaging 2.0 - Photosmart Cameras
HP PSC & OfficeJet 3.5
hp psc 1310 series
HP Software Update
HPIZ311
IncrediMail Xe
Intel Application Accelerator
Intel(R) Extreme Graphics Driver
InterVideo WinDVD Player
Java(TM) SE Runtime Environment 6
Kaspersky Anti-Virus 6.0
Kaspersky Online Scanner
Living Marine Aquarium Screen Saver
Logitech Desktop Messenger
Logitech Gaming Software
Logitech MouseWare 9.79 
Macromedia Shockwave Player
Marine Aquarium 2.5, Goldfish, Sharks & Carousel Bundle
Masque Slots
Masque Slots II
Medal of Honor Allied Assault
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 97, Professional Edition
Microsoft Plus! Digital Media Edition
Microsoft Web Publishing Wizard 1.52
Microsoft Works 7.0
Mshow Client
MSXML 4.0 SP2 (KB927978)
Multimedia Card Reader
NVIDIA Drivers
NVIDIA GART Driver
OLYMPUS CAMEDIA Master 4.1
overland
PC-Doctor for Windows
Photo Explosion
PhotoParade Player
Photosmart 140,240,7200,7600,7700,7900 Series
Polar Bowler from Hewlett-Packard Desktops (remove only)
PrintMaster 16
PS2
Python 2.2 combined Win32 extensions
Python 2.2.1
QuickTime
RecordNow!
Reel Deal Slots - Nickels and More
Reel Deal Slots 1.6
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Shockwave
Sierra Utilities
Sonic Update Manager
TeamSpeak 2 RC2
toolkit
Ultimate Pinball
UnZip Me
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Updates from HP
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
Yahoo! Toolbar


----------



## Cookiegal (Aug 27, 2003)

> Have you installed any new hardware and/or drivers recently?


When did you install *Intel Application Accelerator*?

I see on-line casinos that are always suspect for infections as well.


----------



## BigRC (Dec 18, 2006)

I downloaded the Intel accelerator not too long ago; couldn't tell if it did any good anyway. I can uninstall it if you want. The online casinos are a mystery. I don't use them at all. We need to get rid of that stuff. Please let me know how.
Thanks, Rex


----------



## BigRC (Dec 18, 2006)

I went back and looked at that list again. Those are not online casinos. They are games we bought on CDs. My computer hasn't crashed lately and I played BF1942 online last night and it works like it used to, no lag and looks good. I guess the main problem is that I cannot run a complete scan because of that file in the Windows\system32 folder.
Thanks, Rex


----------



## Cookiegal (Aug 27, 2003)

I guess I mistook those for on-line casinos.  

Let's try uninstalling Intel Application Accelerator and see if that makes any difference.


----------



## BigRC (Dec 18, 2006)

Hi Cookiegal: I uninstalled the Intel accelerator, rebooted, went to Explorer and found that file that's been giving trouble. Found the olesvr.dll and put the pointer on it and NO black screen of death, lockup, or nothing. Ran a full computer scan last night and woke up to a completed scan with no threats found. Thank you, thank you, thank you!!!!!!
Thanks for all your help. I will definitely send a donation! When my trial of Kaspersky is over at the end of the month I may try reloading the Cox security system since it's free. Hope I don't have to bother you folks again, but it's good to know that you all are willing to donate your time to help others. You're GREAT.
Thanks, Rex

Now that I have a completed scan on Kaspersky, I might try the Panda scan again to see if it finds anything.


----------



## Cookiegal (Aug 27, 2003)

That's great! I suspected that program was causing a conflict. Accelerator programs often cause more problems than they fix.  


Let me know if anything turns up in the Panda scan. Also, please see if you can now run WinpFind as outlined in post no. 6 and post that log.


----------



## BigRC (Dec 18, 2006)

Hi Cookiegal: I started a Panda scan at around 11:30am and when it got to an "avp file", which is associated with Kaspersky, it got real slow. It was at 67215 files at 11:50, 67503 at 1:19 and 67990 at 3:51. I stopped the scan at that point to check the e-mail from you. I may run it again tonight while I'm sleeping.
Attached are the 2 logs.

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Logfile created on: 1/2/2007 4:03:34 PM
WinPFind v1.5.0	Folder = C:\Documents and Settings\Owner\Desktop\WinPFind\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
WSUD 9/20/2004 3:20:44 PM 16121856 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL (Realtek Semiconductor Corp.)
PEC2 8/29/2002 6:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc ()
PTech 8/20/2004 3:56:24 PM 59914 C:\WINDOWS\SYSTEM32\igfxhcsy.lhp ()
PTech 12/12/2006 10:45:04 AM 1474864 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL (Microsoft Corporation)
PECompact2 12/7/2006 3:13:46 PM 10716584 C:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)
aspack 12/7/2006 3:13:46 PM 10716584 C:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)
aspack 8/4/2004 1:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll (Microsoft Corporation)
WSUD 8/4/2004 1:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
PEC2 7/11/1997 163384 C:\WINDOWS\SYSTEM32\ODBCJET.HLP ()
Umonitor 8/4/2004 1:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll (Microsoft Corporation)
winsync 8/29/2002 6:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu ()
PTech 6/19/2006 3:19:26 PM 304944 C:\WINDOWS\SYSTEM32\WgaTray.exe (Microsoft Corporation)

Checking %System%\Drivers folder and sub-folders...
PTech 8/3/2004 11:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys (Smart Link)

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
1/2/2007 4:02:00 PM S 2048 C:\WINDOWS\bootstat.dat ()
12/30/2006 10:45:08 PM HS 7168 C:\WINDOWS\Thumbs.db ()
12/28/2006 10:06:46 PM HS 13824 C:\WINDOWS\forms\configs\Thumbs.db ()
1/2/2007 10:33:08 AM H 0 C:\WINDOWS\LastGood\INF\oem106.inf ()
1/2/2007 10:33:08 AM H 0 C:\WINDOWS\LastGood\INF\oem106.PNF ()
12/7/2006 7:30:20 PM S 9057 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB923689.cat ()
11/7/2006 11:24:16 PM S 11671 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB923694.cat ()
11/18/2006 12:05:18 AM S 22261 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB925454.cat ()
1/2/2007 4:01:50 PM H 8192 C:\WINDOWS\system32\config\default.LOG ()
1/2/2007 4:02:16 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG ()
1/2/2007 4:02:02 PM H 12288 C:\WINDOWS\system32\config\SECURITY.LOG ()
1/2/2007 4:02:20 PM H 155648 C:\WINDOWS\system32\config\software.LOG ()
1/2/2007 4:02:00 PM H 1204224 C:\WINDOWS\system32\config\system.LOG ()
12/14/2006 3:00:34 AM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG ()
12/17/2006 9:08:16 PM H 1024 C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG ()
1/2/2007 4:00:10 PM HS 3383328 C:\WINDOWS\system32\drivers\fidbox.dat ()
1/2/2007 4:00:10 PM HS 46388 C:\WINDOWS\system32\drivers\fidbox.idx ()
1/2/2007 4:00:10 PM HS 34848 C:\WINDOWS\system32\drivers\fidbox2.dat ()
1/2/2007 4:00:10 PM HS 4340 C:\WINDOWS\system32\drivers\fidbox2.idx ()
12/25/2006 10:13:44 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\126144d5-2247-4c25-862c-6b4db3c2db09 ()
12/25/2006 10:13:44 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred ()
11/6/2006 1:40:40 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\28a3d400-6039-477b-baf8-abf23a75bb2a ()
11/6/2006 1:40:40 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred ()
1/2/2007 3:59:50 PM H 6 C:\WINDOWS\Tasks\SA.DAT ()
12/27/2006 2:26:18 PM HS 343541760 C:\WINDOWS\temp\bfhcnzh8.TMP ()
12/27/2006 2:13:52 PM HS 349028352 C:\WINDOWS\temp\tywe79zo.TMP ()

Checking for CPL files...
8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl (Microsoft Corporation)
9/20/2004 3:20:44 PM 16121856 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL (Realtek Semiconductor Corp.)
8/4/2004 1:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl (Microsoft Corporation)
8/4/2004 1:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl (Microsoft Corporation)
8/4/2004 1:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl (Microsoft Corporation)
7/11/1997 36864 C:\WINDOWS\SYSTEM32\FINDFAST.CPL ()
8/4/2004 1:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl (Microsoft Corporation)
8/4/2004 1:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl (Microsoft Corporation)
8/20/2004 3:53:06 PM 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl (Intel Corporation)
8/4/2004 1:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl (Microsoft Corporation)
8/4/2004 1:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl (Microsoft Corporation)
8/4/2004 1:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl (Microsoft Corporation)
12/17/2006 9:10:12 PM 69632 C:\WINDOWS\SYSTEM32\javacpl.cpl (Sun Microsystems, Inc.)
8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl (Microsoft Corporation)
8/29/2002 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl (Microsoft Corporation)
7/11/1997 61440 C:\WINDOWS\SYSTEM32\MLCFG32.CPL (Microsoft Corporation)
8/4/2004 1:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl (Microsoft Corporation)
8/29/2002 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl (Microsoft Corporation)
8/4/2004 1:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl (Microsoft Corporation)
8/4/2004 1:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
11/21/2005 1:42:00 PM 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl ()
8/4/2004 1:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl (Microsoft Corporation)
8/4/2004 1:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl (Microsoft Corporation)
9/23/2004 6:57:44 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl (Apple Computer, Inc.)
8/4/2004 1:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl (Microsoft Corporation)
8/29/2002 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl (Microsoft Corporation)
8/4/2004 1:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl (Microsoft Corporation)
8/4/2004 1:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl (Microsoft Corporation)
5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl (Microsoft Corporation)
8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl (Microsoft Corporation)
8/4/2004 1:56:58 AM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl (Microsoft Corporation)
8/4/2004 1:56:58 AM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl (Microsoft Corporation)
8/4/2004 1:56:58 AM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl (Microsoft Corporation)
8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl (Microsoft Corporation)
8/29/2002 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl (Microsoft Corporation)
8/29/2002 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl (Microsoft Corporation)
8/4/2004 1:56:58 AM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl (Microsoft Corporation)
8/4/2004 1:56:58 AM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl (Microsoft Corporation)
8/4/2004 1:56:58 AM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl (Microsoft Corporation)
8/4/2004 1:56:58 AM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl (Microsoft Corporation)
8/29/2002 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl (Microsoft Corporation)
8/4/2004 1:56:58 AM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl (Microsoft Corporation)
5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl (Microsoft Corporation)
2/17/2004 5:49:14 AM 14193152 C:\WINDOWS\SYSTEM32\DRVSTORE\Alcxwdm_cfb7d3fc0ab7f7a3133a6c25509eaf3479108975\ALSNDMGR.CPL (Realtek Semiconductor Corp.)
2/17/2004 5:49:14 AM 14193152 C:\WINDOWS\SYSTEM32\ReinstallBackups\0012\DriverFiles\ALSNDMGR.CPL (Realtek Semiconductor Corp.)
8/20/2004 3:53:06 PM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0021\DriverFiles\igfxcpl.cpl (Intel Corporation)

Checking for Downloaded Program Files...
{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - CKAVWebScan Object - CodeBase = http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
{17492023-C23A-453E-A040-C7C580BBF700} - Windows Genuine Advantage Validation Tool - CodeBase = http://download.microsoft.com/downl...-40e1-a617-af65a72a0465/LegitCheckControl.cab
{1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} - CNavigationManager Object - CodeBase = http://www3.authentium.com/cssrelease/bin/wizard.exe
{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - - CodeBase = http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
{8AD9C840-044E-11D1-B3E9-00805F499D93} - Java Plug-in 1.6.0 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - ActiveScan Installer Class - CodeBase = http://acs.pandasoftware.com/activescan/as5free/asinst.cab
{BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - - CodeBase = http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - Java Plug-in 1.6.0 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - Java Plug-in 1.6.0 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} - - CodeBase = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash5r42.cab
cpcScanner - - CodeBase = http://www.crucial.com/controls/cpcScanner.cab

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
10/10/2003 8:32:08 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()

Checking files in %ALLUSERSPROFILE%\Application Data folder...
10/10/2003 1:26:14 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini ()
11/16/2006 8:35:56 PM 13028 C:\Documents and Settings\All Users\Application Data\hpzinstall.log ()

Checking files in %USERPROFILE%\Startup folder...
10/10/2003 8:32:08 PM HS 84 C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini ()

Checking files in %USERPROFILE%\Application Data folder...
10/10/2003 1:26:14 PM HS 62 C:\Documents and Settings\Owner\Application Data\desktop.ini ()
5/8/2006 11:26:56 PM 5973 C:\Documents and Settings\Owner\Application Data\GdiplusUpgrade_MSIApproach_Wrapper.log ()

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

>>> Internet Explorer Settings <<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://us10.hpwis.com/
\\Search Bar - http://srch-us10.hpwis.com/
\\Search Page - http://srch-us10.hpwis.com/
\\Default_Page_URL - http://us10.hpwis.com/
\\Default_Search_URL - http://srch-us10.hpwis.com/
\\Local Page - %SystemRoot%\system32\blank.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://my.yahoo.com/
\\Search Page - http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
\\Default_Page_URL - http://us10.hpwis.com/
\\Default_Search_URL - http://srch-us10.hpwis.com/
\\Local Page - C:\WINDOWS\system32\blank.htm

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
\\CustomizeSearch - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
\\SearchAssistant - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Microsoft Url Search Hook = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

>>> BHO's <<<
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - Adobe PDF Reader Link Helper = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - SSVHelper Class = C:\Program Files\Java\jre1.6.0\bin\ssv.dll (Sun Microsystems, Inc.)

>>> Internet Explorer Bars, Toolbars and Extensions <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
\{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)
\{8F4902B6-6C04-4ade-8052-AA58578A21BD} - hp view = C:\WINDOWS\System32\Shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
\{21569614-B795-46B1-85F4-E737A8DC09AD} - Shell Search Band = %SystemRoot%\system32\browseui.dll (Microsoft Corporation)
\{30D02401-6A81-11D0-8274-00C04FD5AE38} - Search Band = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\{32683183-48a0-441b-a342-7c2a440a9478} - = ()
\{EFA24E61-B078-11D0-89E4-00C04FC9E26E} - Favorites Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)
\{EFA24E62-B078-11D0-89E4-00C04FC9E26E} - History Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)
\{EFA24E64-B078-11D0-89E4-00C04FC9E26E} - Explorer Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
\ShellBrowser\\{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - HP View = c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll (Hewlett-Packard Company)
\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - = ()
\WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\WebBrowser\\{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - HP View = c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll (Hewlett-Packard Company)
\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar = C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\CmdMapping]
\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - 8192 = 
\\NEXTID - 8198
\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} - 8193 = 
\\{FB5F1910-F110-11d2-BB9E-00C04F795683} - 8195 = 
\\{e2e2dd38-d088-4134-82b7-f2ba38496583} - 8196 = 
\\{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - 8197 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

>>> Approved Shell Extensions (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
\\{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = ()
\\{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = ()
\\{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = ()
\\{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINDOWS\System32\hticons.dll (Hilgraeve, Inc.)
\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Taskbar and Start Menu = ()
\\{32683183-48a0-441b-a342-7c2a440a9478} - Media Band = ()
\\{7A9D77BD-5403-11d2-8785-2E0420524153} - User Accounts = ()
\\{19CC43A1-6925-4B48-B292-830291F393A6} - HPNSView = c:\Program Files\HP\Digital Imaging\bin\hpdns_01.dll ()
\\{DEE12703-6333-4D4E-8F34-738C4DCC2E04} - RecordNow! SendToExt = c:\Program Files\RecordNow!\shlext.dll (Sonic Solutions)
\\{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} - Shell Extensions for RealOne Player = ()
\\{7F67036B-66F1-411A-AD85-759FB9C5B0DB} - SampleView = C:\WINDOWS\System32\ShellvRTF.dll (XSS)
\\{1CDB2949-8F65-4355-8456-263E7C208A5D} - Desktop Explorer = C:\WINDOWS\system32\nvshell.dll ()
\\{1E9B04FB-F9E5-4718-997B-B8DA88302A47} - Desktop Explorer Menu = C:\WINDOWS\system32\nvshell.dll ()
\\{A70C977A-BF00-412C-90B7-034C51DA2439} - NvCpl DesktopContext Class = C:\WINDOWS\system32\nvcpl.dll (NVIDIA Corporation)
\\{FFB699E0-306A-11d3-8BD1-00104B6F7516} - Play on my TV helper = C:\WINDOWS\system32\nvcpl.dll (NVIDIA Corporation)
\\{1E9B04FB-F9E5-4718-997B-B8DA88302A48} - nView Desktop Context Menu = C:\WINDOWS\system32\nvshell.dll ()
\\{85E0B171-04FA-11D1-B7DA-00A0C90348D6} - Web Anti-Virus = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll (Kaspersky Lab)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

>>> Context Menu Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers]
\IMMenuShellExt - {F8984111-38B6-11D5-8725-0050DA2761C4} = C:\PROGRA~1\INCRED~1\bin\ImShExt.dll (IncrediMail, Ltd.)
\Kaspersky Anti-Virus - {dd230880-495a-11d1-b064-008048ec2fc5} = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\ShellEx.dll (Kaspersky Lab)
\WinRAR - = ()

[HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers]
\WinRAR - = ()

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers]
\00nView - {1E9B04FB-F9E5-4718-997B-B8DA88302A48} = C:\WINDOWS\system32\nvshell.dll ()
\igfxcui - {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} = C:\WINDOWS\system32\igfxpph.dll (Intel Corporation)
\NvCplDesktopContext - {A70C977A-BF00-412C-90B7-034C51DA2439} = C:\WINDOWS\system32\nvcpl.dll (NVIDIA Corporation)

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers]
\Kaspersky Anti-Virus - {dd230880-495a-11d1-b064-008048ec2fc5} = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\ShellEx.dll (Kaspersky Lab)
\WinRAR - = ()

>>> Column Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
\{F9DB5320-233E-11D1-9F84-707F02C10627} - PDF Column Info = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll (Adobe Systems, Inc.)

>>> Registry Run Keys <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
KernelFaultCheck - ()
AVP - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe (Kaspersky Lab)
VTTimer - VTTimer.exe ()
UpdateManager - C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions)
Sunkist2k - C:\Program Files\Multimedia Card Reader\shwicon2k.exe (Alcor Micro, Corp.)
SunJavaUpdateSched - C:\Program Files\Java\jre1.6.0\bin\jusched.exe (Sun Microsystems, Inc.)
Recguard - C:\WINDOWS\SMINST\RECGUARD.EXE ()
QuickTime Task - C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)
nwiz - C:\WINDOWS\SYSTEM32\nwiz.exe ()
NvMediaCenter - RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll ()
NvCplDaemon - RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll ()
LTMSG - C:\WINDOWS\LTMSG.exe (Agere Systems)
Logitech Utility - C:\WINDOWS\Logi_MwX.Exe (Logitech Inc.)
KBD - C:\HP\KBD\KBD.EXE (Hewlett-Packard Company)
IgfxTray - C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
hpsysdrv - c:\windows\system\hpsysdrv.exe (Hewlett-Packard Company)
HPHmon05 - C:\WINDOWS\System32\hphmon05.exe (Hewlett-Packard)
HP Software Update - C:\Program Files\HP\HP Software Update\HPWuSchd2.exe (Hewlett-Packard Co.)
HP Component Manager - C:\Program Files\HP\hpcoretech\hpcmpmgr.exe (Hewlett-Packard Company)
HotKeysCmds - C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
CamMonitor - c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe ()
AutoTKit - C:\hp\bin\AUTOTKIT.EXE ()
AlcxMonitor - C:\WINDOWS\ALCXMNTR.EXE (Realtek Semiconductor Corp.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Start WingMan Profiler - Reg Data missing or invalid ()
RecordNow! - Reg Data missing or invalid ()
MoneyAgent - C:\Program Files\Microsoft Money\System\mnyexpr.exe ()
LDM - BackWeb-8876480.exe ()
IncrediMail - C:\Program Files\IncrediMail\bin\IncMail.exe (IncrediMail, Ltd.)
BackupNotify - c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe ( )

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

>>> Startup Links <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Common Startup]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Startup]
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini ()

>>> MSConfig Disabled Items <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	
hkey	HKLM
command	
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini	0
win.ini	0
bootini	0
services	0
startup	0


----------



## BigRC (Dec 18, 2006)

[All Users Startup Folder Disabled Items]

[Current User Startup Folder Disabled Items]

>>> User Agent Post Platform <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
\\SV1 -

>>> AppInit Dll's <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs]

>>> Image File Execution Options <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
\Your Image File Name Here without a path - Debugger = ntsd -d

>>> Shell Service Object Delay Load <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
\\PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll (Microsoft Corporation)
\\SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll (Microsoft Corporation)

>>> Shell Execute Hooks <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation)

>>> Shared Task Scheduler <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
\\{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\\{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)

>>> Winlogon <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
\\UserInit = C:\WINDOWS\system32\Userinit.exe
\\Shell = Explorer.exe
\\System =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
\crypt32chain - crypt32.dll = (Microsoft Corporation)
\cryptnet - cryptnet.dll = (Microsoft Corporation)
\cscdll - cscdll.dll = (Microsoft Corporation)
\igfxcui - igfxsrvc.dll = (Intel Corporation)
\klogon - C:\WINDOWS\system32\klogon.dll = (Kaspersky Lab)
\ScCertProp - wlnotify.dll = (Microsoft Corporation)
\Schedule - wlnotify.dll = (Microsoft Corporation)
\sclgntfy - sclgntfy.dll = (Microsoft Corporation)
\SensLogn - WlNotify.dll = (Microsoft Corporation)
\termsrv - wlnotify.dll = (Microsoft Corporation)
\WgaLogon - WgaLogon.dll = (Microsoft Corporation)
\wlballoon - wlnotify.dll = (Microsoft Corporation)

>>> DNS Name Servers <<<
{0689CEC2-8D77-4684-9520-B9193268E020} - ()
{2B5F7BD3-8B82-4960-B9AE-31CC67E384D8} - (Linksys NC100 Fast Ethernet Adapter)
{3B31C8C6-4132-4812-9425-5408B5538BC4} - (Realtek RTL8139/810x Family Fast Ethernet NIC)
{4790A22A-2873-44EC-BE0B-74D5AF82998E} - (1394 Net Adapter)
{DC5C716B-F7ED-478B-BF0E-9466D1D1A04D} - (Toshiba PCX1100U USB Cable Modem (NDIS 5))

>>> All Winsock2 Catalogs <<<
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries]
\000000000001\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
\000000000002\\LibraryPath - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation)
\000000000003\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
\000000000004\\LibraryPath - %SystemRoot%\System32\nwprovau.dll (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries]
\000000000001\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000002\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000003\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000004\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000005\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000006\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000007\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000008\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000009\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000010\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000011\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000012\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000013\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000014\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000015\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000016\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000017\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000018\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000019\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000020\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000021\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000022\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000023\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000024\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000025\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000026\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)

>>> Protocol Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler]
\cetihpz - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
\ipp - ()
\msdaipp - ()

>>> Protocol Filters (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter]

>>> Selected AddOn's <<<

>>>>Output for AddOn file Policies.def<<<<
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} - 1
policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} - 1073741857
policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - 32
policies\system\\dontdisplaylastusername - 0
policies\system\\legalnoticecaption - 
policies\system\\legalnoticetext - 
policies\system\\shutdownwithoutlogon - 1
policies\system\\undockwithoutlogon - 1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
policies\Explorer\\NoDriveTypeAutoRun - 91 00 00 00 
policies\System\\DisableRegistryTools - 0
policies\System\\DisableTaskMgr - 0

>>>>Output for AddOn file Security.def<<<<
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center - Include SUBKEYS
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
Security Center\\AntiVirusDisableNotify - 0
Security Center\\FirewallDisableNotify - 0
Security Center\\UpdatesDisableNotify - 0
Security Center\\AntiVirusOverride - 0
Security Center\\FirewallOverride - 0
Security Center\Monitoring\KasperskyAntiVirus\\DisableMonitoring - 1
Security Center\Monitoring\KasperskyAntiVirus\\ -

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS - Include SUBKEYS
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
BITS\\Type - 32
BITS\\Start - 3
BITS\\ErrorControl - 1
BITS\\ImagePath - %SystemRoot%\System32\svchost.exe -k netsvcs
BITS\\DisplayName - Background Intelligent Transfer Service
BITS\\DependOnService - Rpcss;
BITS\\DependOnGroup - 
BITS\\ObjectName - LocalSystem
BITS\\Description - Transfers files in the background using idle network bandwidth. If the service is stopped, features such as Windows Update, and MSN Explorer will be unable to automatically download programs and other information. If this service is disabled, any services that explicitly depend on it may fail to transfer files if they do not have a fail safe mechanism to transfer files directly through IE in case BITS has been disabled.
BITS\\FailureActions - 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 68 E3 0C 00 01 00 00 00 60 EA 00 00 01 00 00 00 60 EA 00 00 01 00 00 00 60 EA 00 00 
BITS\Parameters\\ServiceDll - C:\WINDOWS\System32\qmgr.dll
BITS\Security\\Security - 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 
BITS\Enum\\0 - Root\LEGACY_BITS\0000
BITS\Enum\\Count - 1
BITS\Enum\\NextInstance - 1


----------



## BigRC (Dec 18, 2006)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess - Include SUBKEYS
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
SharedAccess\\Type - 32
SharedAccess\\Start - 2
SharedAccess\\ErrorControl - 1
SharedAccess\\ImagePath - %SystemRoot%\System32\svchost.exe -k netsvcs
SharedAccess\\DisplayName - Windows Firewall/Internet Connection Sharing (ICS)
SharedAccess\\DependOnService - Netman;WinMgmt;
SharedAccess\\DependOnGroup - 
SharedAccess\\ObjectName - LocalSystem
SharedAccess\\Description - Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.
SharedAccess\Epoch\\Epoch - 8969
SharedAccess\Parameters\\ServiceDll - %SystemRoot%\System32\ipnathlp.dll
SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\%windir%\system32\sessmgr.exe - %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\%windir%\Network Diagnostic\xpnetdiag.exe - %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\139:TCP - 139:TCP:*:Enabled:@xpsp2res.dll,-22004
SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\445:TCP - 445:TCP:*:Enabled:@xpsp2res.dll,-22005
SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\137:UDP - 137:UDP:*:Enabled:@xpsp2res.dll,-22001
SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\138:UDP - 138:UDP:*:Enabled:@xpsp2res.dll,-22002
SharedAccess\Parameters\FirewallPolicy\StandardProfile\\EnableFirewall - 1
SharedAccess\Parameters\FirewallPolicy\StandardProfile\\DoNotAllowExceptions - 0
SharedAccess\Parameters\FirewallPolicy\StandardProfile\\DisableNotifications - 0
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\kdx\khost.exe - C:\WINDOWS\kdx\khost.exe:*:Disabled:Secure Delivery Plug-In
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Soldier of Fortune II - Double Helix GOLD\SoF2MP.exe - C:\Program Files\Soldier of Fortune II - Double Helix GOLD\SoF2MP.exe:*:Disabled:SoF2MP
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Red Storm Entertainment\RavenShield\system\ravenshield.exe - C:\Program Files\Red Storm Entertainment\RavenShield\system\ravenshield.exe:*:Disabled:ravenshield
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\EA GAMES\Battlefield 1942 Singleplayer Demo\BF1942.exe - C:\Program Files\EA GAMES\Battlefield 1942 Singleplayer Demo\BF1942.exe:*:Enabled:BF1942
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Duke Nukem - Manhattan Project\prism3d.exe - C:\Program Files\Duke Nukem - Manhattan Project\prism3d.exe:*:Disabled:prism3d
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\NovaLogic\Delta Force Black Hawk Down\update.exe - C:\Program Files\NovaLogic\Delta Force Black Hawk Down\update.exe:*:Disabled:update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\096JGXQN\incredimail_install[1].exe - C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\096JGXQN\incredimail_install[1].exe:*:Enabled:IncrediMail Installer
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\IncrediMail\bin\IMApp.exe - C:\Program Files\IncrediMail\bin\IMApp.exe:*:Enabled:IncrediMail
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\IncrediMail\bin\IncMail.exe - C:\Program Files\IncrediMail\bin\IncMail.exe:*:Enabled:IncrediMail
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\IncrediMail\bin\ImpCnt.exe - C:\Program Files\IncrediMail\bin\ImpCnt.exe:*:Enabled:IncrediMail
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Ubisoft\Crytek\Far Cry\Bin32\FarCry.exe - C:\Program Files\Ubisoft\Crytek\Far Cry\Bin32\FarCry.exe:*:Enabled:Far Cry
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\EA GAMES\Battlefield Vietnam\bfvietnam.exe - C:\Program Files\EA GAMES\Battlefield Vietnam\bfvietnam.exe:*isabled:bfvietnam
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\NovaLogic\Delta Force Land Warrior\DFLW.EXE - C:\Program Files\NovaLogic\Delta Force Land Warrior\DFLW.EXE:*isabledFLW
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Steam\SteamApps\rcluke\team fortress classic\hl.exe - C:\Program Files\Steam\SteamApps\rcluke\team fortress classic\hl.exe:*isabled:Half-Life Launcher
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Steam\SteamApps\rcluke\half-life\hl.exe - C:\Program Files\Steam\SteamApps\rcluke\half-life\hl.exe:*isabled:Half-Life Launcher


----------



## BigRC (Dec 18, 2006)

SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\EA GAMES\MOHAA\MOHAA.exe - C:\Program Files\EA GAMES\MOHAA\MOHAA.exe:*:Disabled:Medal of Honor Allied Assault(tm)
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\mshta.exe - C:\WINDOWS\system32\mshta.exe:*:Disabled:Microsoft (R) HTML Application host
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\dpvsetup.exe - C:\WINDOWS\system32\dpvsetup.exe:*:Disabled:Microsoft DirectPlay Voice Test
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\Network Diagnostic\xpnetdiag.exe - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\sessmgr.exe - C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\rundll32.exe - C:\WINDOWS\system32\rundll32.exe:*:Disabled:Run a DLL as an App
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\interMute\SpamSubtract\SpamSub.exe - C:\Program Files\interMute\SpamSubtract\SpamSub.exe:*:Disabled:SpamSubtract
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\NovaLogic\Delta Force Task Force Dagger\Update.exe - C:\Program Files\NovaLogic\Delta Force Task Force Dagger\Update.exe:*:Disabled:Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\NovaLogic\Delta Force Land Warrior\Update.exe - C:\Program Files\NovaLogic\Delta Force Land Warrior\Update.exe:*:Disabled:Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\NovaLogic\Delta Force Land Warrior Demo\Update.exe - C:\Program Files\NovaLogic\Delta Force Land Warrior Demo\Update.exe:*:Disabled:Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\NovaLogic\Comanche 4\Update.exe - C:\Program Files\NovaLogic\Comanche 4\Update.exe:*:Disabled:Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\EA GAMES\Battlefield 1942\BF1942.exe - C:\Program Files\EA GAMES\Battlefield 1942\BF1942.exe:*:Enabled:BF1942
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\HP\HP Software Update\HPWUCli.exe - C:\Program Files\HP\HP Software Update\HPWUCli.exe:*:Enabled:HP Software Update Client
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Internet Explorer\iexplore.exe - C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer
SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\1900:UDP - 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\2869:TCP - 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\139:TCP - 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\445:TCP - 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\137:UDP - 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\138:UDP - 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
SharedAccess\Security\\Security - 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 
SharedAccess\Setup\\ServiceUpgrade - 1
SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\\{E73C3CF8-D927-4ED8-B532-20857E47DFAF} - 1
SharedAccess\Enum\\0 - Root\LEGACY_SHAREDACCESS\0000
SharedAccess\Enum\\Count - 1
SharedAccess\Enum\\NextInstance - 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv - Include SUBKEYS
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
wuauserv\\Type - 32
wuauserv\\Start - 2
wuauserv\\ErrorControl - 1
wuauserv\\ImagePath - %systemroot%\system32\svchost.exe -k netsvcs
wuauserv\\DisplayName - Automatic Updates
wuauserv\\ObjectName - LocalSystem
wuauserv\\Description - Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site.
wuauserv\Parameters\\ServiceDll - C:\WINDOWS\system32\wuauserv.dll
wuauserv\Security\\Security - 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 
wuauserv\Enum\\0 - Root\LEGACY_WUAUSERV\0000
wuauserv\Enum\\Count - 1
wuauserv\Enum\\NextInstance - 1

»
»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Logfile of HijackThis v1.99.1
Scan saved at 4:15:45 PM, on 1/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\LTMSG.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\My Documents\Misc. Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

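The firewall policy dump and the HijackThis O4 lines posted above can be checked mechanically rather than by eye. The Python below is an added example, not code from this thread, from HijackThis or from Killbox. It embeds constructed sample lines in the shape of the posted logs (paths taken from the thread, with the forum-smiley damage to `:Disabled:` written out in full) and reports three things a reviewer looks for: enabled firewall exceptions for a program sitting in a temporary folder (the IncrediMail installer under Temporary Internet Files), ports opened to any remote address rather than the local subnet, and Run entries whose program path is not fully qualified, so that which file actually starts at logon depends on the search path. The helper names (`parse_firewall_dump`, `audit_firewall`, `audit_o4`, `executable_of`) are this example's own.

```python
"""Audit helpers for two log formats posted in this thread: the Windows XP SP2
firewall policy registry dump and HijackThis O4 (Run key) lines.
Added example; not code from the thread, from HijackThis or from Killbox."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample lines in the shape of the posted dump. The paths are the
# ones that appear in the thread, with ':Disabled:' written out in full.
FIREWALL_SAMPLE = r"""
SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\138:UDP - 138:UDP:*:Enabled:@xpsp2res.dll,-22002
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Soldier of Fortune II - Double Helix GOLD\SoF2MP.exe - C:\Program Files\Soldier of Fortune II - Double Helix GOLD\SoF2MP.exe:*:Disabled:SoF2MP
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\096JGXQN\incredimail_install[1].exe - C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\096JGXQN\incredimail_install[1].exe:*:Enabled:IncrediMail Installer
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\rundll32.exe - C:\WINDOWS\system32\rundll32.exe:*:Disabled:Run a DLL as an App
SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\139:TCP - 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"""

# Constructed HijackThis O4 lines, also taken from the posted log.
O4_SAMPLE = r"""
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
"""

# Dump lines are 'key - value' where the value repeats the key and appends
# scope:state:name. The backreference keeps a ' - ' inside a path (SoF2MP) safe.
_FW_RE = re.compile(
    r"FirewallPolicy\\(?P<profile>\w+)\\(?P<section>\w+)\\List\\\\"
    r"(?P<key>.+) - (?P=key):(?P<scope>[^:]+):(?P<state>Enabled|Disabled):(?P<name>.*)$"
)
_O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Drive letter, %ENVVAR% or UNC root; anything else is resolved at logon time.
_QUALIFIED_RE = re.compile(r"^(?:[A-Za-z]:\\|%\w+%\\|\\\\)")
_TRANSIENT_DIRS = ("\\temporary internet files\\", "\\temp\\")
_GENERIC_HOSTS = ("rundll32.exe", "mshta.exe")


@dataclass
class FirewallEntry:
    profile: str   # DomainProfile or StandardProfile
    section: str   # AuthorizedApplications or GloballyOpenPorts
    key: str       # program path, or port:protocol
    scope: str     # '*' (any address) or 'LocalSubNet'
    enabled: bool
    name: str


def parse_firewall_line(line: str) -> Optional[FirewallEntry]:
    m = _FW_RE.search(line.strip())
    if not m:
        return None
    return FirewallEntry(m["profile"], m["section"], m["key"], m["scope"],
                         m["state"] == "Enabled", m["name"])


def parse_firewall_dump(text: str) -> List[FirewallEntry]:
    entries = [parse_firewall_line(ln) for ln in text.splitlines() if ln.strip()]
    return [e for e in entries if e is not None]


def audit_firewall(entries: List[FirewallEntry]) -> List[str]:
    """Report only enabled exceptions; a disabled entry opens nothing."""
    findings = []
    for e in entries:
        if not e.enabled:
            continue
        low = e.key.lower()
        if e.section == "AuthorizedApplications":
            if any(d in low for d in _TRANSIENT_DIRS):
                findings.append(f"{e.profile}: exception for a program in a temporary folder: {e.key}")
            if low.rsplit("\\", 1)[-1] in _GENERIC_HOSTS:
                findings.append(f"{e.profile}: exception for a generic host program: {e.key}")
        elif e.section == "GloballyOpenPorts" and e.scope == "*":
            findings.append(f"{e.profile}: port {e.key} open to any remote address")
    return findings


def executable_of(cmd: str) -> str:
    """Program part of a Run value: a quoted path, or tokens up to the first .exe."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    parts = cmd.split(" ")
    for i, tok in enumerate(parts):
        if tok.lower().endswith(".exe"):
            return " ".join(parts[: i + 1])
    return parts[0]


def audit_o4(lines: List[str]) -> List[Tuple[str, str]]:
    """(entry name, program) for Run values whose program path is not fully qualified."""
    unresolved = []
    for ln in lines:
        m = _O4_RE.match(ln.strip())
        if not m:
            continue
        exe = executable_of(m["cmd"])
        if not _QUALIFIED_RE.match(exe):
            unresolved.append((m["name"], exe))
    return unresolved


if __name__ == "__main__":
    for f in audit_firewall(parse_firewall_dump(FIREWALL_SAMPLE)):
        print("firewall:", f)
    for name, exe in audit_o4(O4_SAMPLE.splitlines()):
        print(f"O4 [{name}] starts {exe!r} by search path; confirm which file that is")
```

On the sample the firewall audit yields two findings (the domain-profile 138:UDP entry scoped to `*`, and the enabled IncrediMail installer under Temporary Internet Files) and the O4 audit lists VTTimer, NvMediaCenter, LDM and AlcxMonitor as entries whose program is named without a full path; unqualified entries are not evidence of anything by themselves, only the ones to locate on disk before deciding, which is what the AlcxMonitor fix in the next reply amounts to.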

----------



## Cookiegal (Aug 27, 2003)

There could be a conflict between Panda and Kaspersky.

Open Task Manager (Ctrl-Alt-Del) and end task on this process:

*ALCXMNTR.EXE*

Rescan with HijackThis and fix these entries:

*O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k*

*O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE*

Boot to safe mode and run Killbox on these files:
*C:\WINDOWS\temp\bfhcnzh8.TMP*
*C:\WINDOWS\temp\tywe79zo.TMP*

How are things running now?


----------



## BigRC (Dec 18, 2006)

What is Killbox and how do I run it on the files? I fixed the other two with Hijackthis. Thanks, Rex


----------



## Cookiegal (Aug 27, 2003)

Sorry, I thought we had already used Killbox. Here are the instructions:

*Click Here* and download Killbox and save it to your desktop but don't run it yet.

Then boot to safe mode:

 *How to restart to safe mode*

Double-click on Killbox.exe to run it. 

Put a tick by *Standard File Kill*. 
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

*C:\WINDOWS\temp\bfhcnzh8.TMP*
*C:\WINDOWS\temp\tywe79zo.TMP*

Click on the button that has the red circle with the X in the middle after you enter each file. 
It will ask for confirmation to delete the file. 
Click Yes. 
Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
Killbox may tell you that one or more files do not exist. 
If that happens, just continue on with all the files. Be sure you don't miss any.
Next in Killbox go to *Tools > Delete Temp Files*
In the window that pops up, put a check by *ALL* the options there *except* these three:
XP Prefetch
Recent
History

Now click the *Delete Selected Temp Files* button.
Exit the Killbox.


----------



## BigRC (Dec 18, 2006)

Hi Cookiegal: All is done and the computer is working fine. The only problem I've had for the last few sessions is that I can't log onto my Ameritrade account. I hit the logon button and nothing happens. I can log onto my other accounts OK. Any ideas, or should I call Ameritrade?
Thanks for all your help! Rex


----------



## Cookiegal (Aug 27, 2003)

Try deleting all of your cookies and see if that helps. One may have become corrupt.


----------



## BigRC (Dec 18, 2006)

Hi Cookiegal: All I needed to do was renew my desktop shortcut to get Ameritrade working again. I reinstalled my Telechart program and scanned it with no problem. All seems to be working fine. Thanks again for all your help. Rex


----------



## Cookiegal (Aug 27, 2003)

That's great. 

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* > *All Programs* > *Accessories* > *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.

*Delete your temporary files:*

In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Go to Start - Run and type *%temp%* in the Run box. The Temp folder will open. Click *Edit - Select All* then hit *Delete* to delete the entire contents of the Temp folder.

Finally go to Control Panel - Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK (this option does not exist in IE7). Click Apply then OK.

*Empty the recycle bin*.


----------



## BigRC (Dec 18, 2006)

I did as you suggested and all is well. Thanks again. Rex


----------



## Cookiegal (Aug 27, 2003)

It's my pleasure.


----------

