Winsock32 + Others [Archive] - Safer-Networking Forums

greer

2007-01-24, 05:58

It has been a few months since I originally got my problems which I believe came through an unprotected email. I tried to fight the trojans on my own, and eventually I went to more professional help first at Nerdhelp.com then I was refered to AumHa Forums. Neither of which completely solved my problem, so before long it was back to full force again. Just tonight I found a forum on here about Winsock32, which I have noticed has been a constant problem since day one. Unfortunately I was not able to use the Forum's advice on my own computer. With that being said:
Logfile of HijackThis v1.99.1
Scan saved at 9:57:57 PM, on 1/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\services.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\greer\Desktop\America Online 9.0\waol.exe
C:\Documents and Settings\greer\Desktop\America Online 9.0\shellmon.exe
C:\DOCUME~1\greer\LOCALS~1\Temp\Temporary Directory 3 for HijackThis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/
O1 - Hosts: 190.204.102.187 securityresponse.symantec.com
O1 - Hosts: 210.20.136.89 symantec.com
O1 - Hosts: 171.46.156.9 www.sophos.com
O1 - Hosts: 98.172.23.152 www.mcafee.com
O1 - Hosts: 200.239.3.112 mcafee.com
O1 - Hosts: 189.42.94.38 liveupdate.symantecliveupdate.com
O1 - Hosts: 245.209.93.49 www.viruslist.com
O1 - Hosts: 26.18.184.216 viruslist.com
O1 - Hosts: 178.99.24.205 viruslist.com
O1 - Hosts: 126.215.161.191 f-secure.com
O1 - Hosts: 191.123.112.214 www.f-secure.com
O1 - Hosts: 93.198.214.178 kaspersky.com
O1 - Hosts: 104.220.39.101 kaspersky-labs.com
O1 - Hosts: 88.165.123.234 www.avp.com
O1 - Hosts: 149.3.164.41 www.kaspersky.com
O1 - Hosts: 32.36.67.125 avp.com
O1 - Hosts: 111.186.177.71 www.networkassociates.com
O1 - Hosts: 90.28.53.158 networkassociates.com
O1 - Hosts: 19.10.185.2 www.ca.com
O1 - Hosts: 159.37.114.182 ca.com
O1 - Hosts: 205.101.39.55 mast.mcafee.com
O1 - Hosts: 132.111.156.198 my-etrust.com
O1 - Hosts: 121.62.70.46 www.my-etrust.com
O1 - Hosts: 52.247.191.27 download.mcafee.com
O1 - Hosts: 213.214.186.51 dispatch.mcafee.com
O1 - Hosts: 26.10.210.83 secure.nai.com
O1 - Hosts: 129.236.9.4 nai.com
O1 - Hosts: 158.11.198.176 www.nai.com
O1 - Hosts: 120.177.44.12 update.symantec.com
O1 - Hosts: 239.159.159.67 updates.symantec.com
O1 - Hosts: 41.143.59.113 us.mcafee.com
O1 - Hosts: 92.155.171.216 liveupdate.symantec.com
O1 - Hosts: 148.74.31.112 customer.symantec.com
O1 - Hosts: 188.191.60.191 rads.mcafee.com
O1 - Hosts: 4.220.91.137 trendmicro.com
O1 - Hosts: 242.75.114.223 www.trendmicro.com
O1 - Hosts: 200.60.99.253 www.grisoft.com
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124207719\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Documents and Settings\greer\Desktop\America Online 9.0\AOL.EXE" -b
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\greer\LOCALS~1\Temp\20804609.exe
O4 - HKCU\..\Run: [WinInit] "C:\DOCUME~1\greer\LOCALS~1\Temp\1387718.exe "
O4 - Startup: TA_Start.lnk = C:\WINDOWS\TIELT001.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mp4: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {400429E4-BED4-472E-93BF-F85AB8565DFF} - http://www.terp17.com/ax/axo.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157719802640
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/Coupons.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: asusrx20 - asusrx20.dll (file missing)
O20 - Winlogon Notify: odbccom - C:\WINDOWS\addins\odbccom.dll (file missing)
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\dmound3d.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: General Network Service - Unknown owner - c:\windows\winsocks32.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: TCP and UDP Support - Unknown owner - C:\WINDOWS\system32\tcpip.exe (file missing)
O23 - Service: winsock32 (winsock32.exe) - Unknown owner - C:\WINDOWS\winsock32.exe (file missing)

Thank you.

tashi

2007-01-24, 06:29

Hello greer,

Before one of our helpers assists you, please provide links to your topics at
Nerdhelp.com and AumHa.

Regards. :)

"BEFORE you POST" -Preliminary Steps (http://forums.spybot.info/showthread.php?t=288)

greer

2007-01-25, 01:01

AumHa
http://aumha.net/viewtopic.php?p=131342#131342
NerdHelp, AumHa helped with several of my problems I originally posted here.
http://www.nerdhelp.com/forums/showthread.php?t=8653

teacup61

2007-02-01, 03:35

Hello greer,

You left them hanging at AumHa. Please do 2 things for me. :) 1) Go back there and tell them you're getting help elsewhere so they don't keep looking for a reply and can close the thread. 2) Promise me you won't leave me hanging the same way.

I don't think #2 will be difficult to do. My instructions will be easy to follow, and each set will be as brief as possible.

Are you still having the PhotoGallery problem?

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea

greer

2007-02-03, 19:51

As far as AumHa help goes, with the exception of the last two comments, we continued via email and he closed most of the thread. And I promise to try not and leave you hanging.

"greer" - 07-02-03 11:40:59 Service Pack 2
ComboFix 07.02.03 - Running from: "C:\Documents and Settings\greer\Desktop"

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\clsid\{dedc3b5e-da9b-4068-be19-998d7c5bfce5}]

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Granting SeDebugPrivilege to Administrators ... successful

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\Owner\Application Data\Dxccwrd.dll
C:\DOCUME~1\greer\Application Data\Install.dat
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\Program Files\ECURIT~1
C:\qoobox\purity\Program Files\YMANTE~1
C:\qoobox\purity\Program Files\YSTEM~1
C:\qoobox\purity\Program Files\Common Files\ICROSO~1
C:\qoobox\purity\Program Files\Common Files\SSTEM3~1
C:\qoobox\purity\Program Files\Common Files\WNSXS~1
C:\qoobox\purity\Program Files\Common Files\YSTEM~1
C:\qoobox\purity\Program Files\Common Files\SSTEM3~1\bak
C:\qoobox\purity\Program Files\Common Files\SSTEM3~1\SSTEM3~1
C:\qoobox\purity\WINDOWS\CROSOF~1
C:\qoobox\purity\WINDOWS\SCURIT~1
C:\qoobox\purity\WINDOWS\system32\WNSXS~1

((((((((((((((((((((((((((((((( Files Created from 2007-01-03 to 2007-02-03 ))))))))))))))))))))))))))))))))))

2007-01-21 14:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\Creative
2007-01-21 11:27 <DIR> d-------- C:\DOCUME~1\Owner\Application Data\SUPERAntiSpyware.com
2007-01-19 23:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\SUPERAntiSpyware.com
2007-01-17 17:11 <DIR> d-------- C:\DOCUME~1\Owner\Application Data\Viewpoint
2007-01-12 08:54 <DIR> d-------- C:\Program Files\WinBudget
2007-01-11 17:39 <DIR> d-------- C:\DOCUME~1\greer\Application Data\Viewpoint
2007-01-05 22:42 <DIR> d-------- C:\Program Files\Acoustica Beatcraft

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-02-03 11:40 -------- d-------- C:\Program Files\getright
2007-02-01 22:11 -------- d-------- C:\Program Files\mozilla firefox
2007-01-31 16:25 -------- d-------- C:\Program Files\superantispyware
2007-01-24 21:25 -------- d-------- C:\Program Files\aim
2007-01-21 15:05 -------- d-------- C:\Program Files\aol toolbar
2007-01-15 11:11 -------- d-------- C:\Program Files\warcraft iii
2007-01-15 11:11 -------- d-------- C:\Program Files\quicktime
2007-01-15 11:11 -------- d-------- C:\Program Files\messenger
2007-01-15 11:11 -------- d-------- C:\Program Files\Common Files\adobe
2007-01-15 11:11 -------- d-------- C:\Program Files\a-squared free
2007-01-11 17:39 -------- d-------- C:\Documents and Settings\greer\Application Data\viewpoint
2007-01-05 22:41 -------- d-------- C:\Documents and Settings\greer\Application Data\avg7
2006-12-29 22:12 -------- d-------- C:\Program Files\aod
2006-12-29 22:12 -------- d-------- C:\Documents and Settings\greer\Application Data\aim
2006-12-29 18:05 -------- d-------- C:\Documents and Settings\greer\Application Data\adobe
2006-12-29 15:11 -------- d-------- C:\Program Files\power defrag
2006-12-25 15:22 43520 --a------ C:\WINDOWS\system32\cmdlineext03.dll
2006-12-25 15:09 -------- d-------- C:\Program Files\diablo ii
2006-12-14 15:32 -------- d-------- C:\Documents and Settings\greer\Application Data\mozilla
2006-12-09 11:07 -------- d-------- C:\Program Files\Common Files\aol
2006-12-09 11:07 -------- d-------- C:\Program Files\aol
2006-11-16 09:44 103984 --a------ C:\WINDOWS\system32\aoldial.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
"AOL Fast Start"="\"C:\\Documents and Settings\\greer\\Desktop\\America Online 9.0\\AOL.EXE\" -b"
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"WinInit"="\"C:\\DOCUME~1\\greer\\LOCALS~1\\Temp\\1387718.exe \" "

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Recguard"="%WINDIR%\\SMINST\\RECGUARD.EXE"
"SigmatelSysTrayApp"="sttray.exe"
"nwiz"="nwiz.exe /installquiet /keeploaded /nodetect"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1124207719\\ee\\AOLSoftware.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{6af69c4d-420a-4c95-b34f-e4635f84f53b}"="forevouched"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\asusrx20
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\odbccom

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00e6738e-44e3-11da-bdeb-00038a000015}]
Shell\AutoRun\command L:\JDSecure\Windows\JDSecure31.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{075186ab-2084-11da-99d2-806d6172696f}]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fb043cb5-1fe1-11da-90c0-806d6172696f}]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Symantec NetDetect.job

********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-02-03 11:45:43
Logfile of HijackThis v1.99.1
Scan saved at 11:50:07 AM, on 2/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\greer\Desktop\America Online 9.0\AOL.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\MsiExec.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
c:\program files\internet explorer\iexplore.exe
C:\DOCUME~1\greer\LOCALS~1\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124207719\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Documents and Settings\greer\Desktop\America Online 9.0\AOL.EXE" -b
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [WinInit] "C:\DOCUME~1\greer\LOCALS~1\Temp\1387718.exe "
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mp4: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {400429E4-BED4-472E-93BF-F85AB8565DFF} - http://www.terp17.com/ax/axo.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157719802640
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/Coupons.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: asusrx20 - asusrx20.dll (file missing)
O20 - Winlogon Notify: odbccom - C:\WINDOWS\addins\odbccom.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: General Network Service - Unknown owner - c:\windows\winsocks32.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: TCP and UDP Support - Unknown owner - C:\WINDOWS\system32\tcpip.exe (file missing)
O23 - Service: winsock32 (winsock32.exe) - Unknown owner - C:\WINDOWS\winsock32.exe (file missing)

teacup61

2007-02-03, 22:15

Hello,

Quite a bit going on there, and still more to do. :spider:

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Thanks,
tea

greer

2007-02-04, 21:19

greer

2007-02-04, 21:22

SDFix: Version 1.63

Sun 02/04/2007 - 13:09:48.29

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
General Network Service
TCP and UDP Support
winsock32.exe

Path:
c:\windows\winsocks32.exe
C:\WINDOWS\system32\tcpip.exe /winnt
"C:\WINDOWS\winsock32.exe"

General Network Service Deleted
TCP and UDP Support Deleted
winsock32.exe Deleted

Restoring Windows Registry Entries
Restoring Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\system32\ldinfo.ldr - Deleted
C:\WINDOWS\system32\mini7tone.ini - Deleted
C:\WINDOWS\tcb.pmw - Deleted

ADS Check:

C:\WINDOWS\system32
No streams found.

Final Check:

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\\Program Files\\Common Files\\AOL\\1124207719\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1124207719\\EE\\AOLServiceHost.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"="C:\\Program Files\\Warcraft III\\Warcraft III.exe:*:Enabled:Warcraft III"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"="C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe:*:Enabled:AOL TopSpeed"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\\system32\\tcpip.exe"="%windir%\\system32\\tcpip.exe:*:Enabled:TCP and UDP Support"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes :

C:\Documents and Settings\greer\Desktop\America Online 9.0\AOLphx.exe
C:\Documents and Settings\greer\Desktop\America Online 9.0\rbm.exe
C:\Documents and Settings\Owner\Desktop\America Online 9.0\AOLphx.exe
C:\Documents and Settings\Owner\Desktop\America Online 9.0\rbm.exe
C:\Program Files\America Online 9.0\AOLphx.exe
C:\Program Files\America Online 9.0\rbm.exe
C:\hiberfil.sys
C:\WINDOWS\uccspecb.sys
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE2.tmp
C:\Documents and Settings\Owner\Desktop\Extra Icons\My Documents2\~WRL1122.tmp
C:\Program Files\InterActual\InterActual Player\itiB4.tmp

Finished

Logfile of HijackThis v1.99.1
Scan saved at 1:22:44 PM, on 2/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\greer\Desktop\America Online 9.0\AOL.EXE
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\internet explorer\iexplore.exe
c:\program files\internet explorer\iexplore.exe
C:\DOCUME~1\greer\LOCALS~1\Temp\Temporary Directory 2 for HijackThis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124207719\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Documents and Settings\greer\Desktop\America Online 9.0\AOL.EXE" -b
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [WinInit] "C:\DOCUME~1\greer\LOCALS~1\Temp\1387718.exe "
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mp4: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {400429E4-BED4-472E-93BF-F85AB8565DFF} - http://www.terp17.com/ax/axo.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157719802640
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/Coupons.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: asusrx20 - asusrx20.dll (file missing)
O20 - Winlogon Notify: odbccom - C:\WINDOWS\addins\odbccom.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

teacup61

2007-02-04, 21:59

Hello,

So......how does it feel to finally be rid of winsock32?:laugh: Still some things to do though....

We need to move HijackThis! to it's own permanent folder to ensure that we don't lose its backups. To make a permanent folder, double-click the My Computer icon on the desktop.
Click Local Disk C:.
File | New | Folder
A new folder called New Folder will be created.
Rename New Folder to HJT or HijackThis. Now move HijackThis! into the new folder you just created.
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O4 - HKCU\..\Run: [WinInit] "C:\DOCUME~1\greer\LOCALS~1\Temp\1387718.exe "
O20 - Winlogon Notify: asusrx20 - asusrx20.dll (file missing)
O20 - Winlogon Notify: odbccom - C:\WINDOWS\addins\odbccom.dll (file missing)

Close all browsers and other windows except for HijackThis!, and click "Fix Checked".

Navigate to and delete the following, if present:

C:\DOCUME~1\greer\LOCALS~1\Temp\1387718.exe<---empty everything else in there you find, but NOT the folder itself!

Reboot your computer.

Run another scan with SUPERAntispyware now and let me know what it comes up with. How is it running now?

Thanks,
tea

greer

2007-02-06, 00:31

Everything appears to be the same except I'm still getting parts of that HP Imaging/ PhotoGallery stuff and when I try to use short cuts to AOL I get aol.exe is not a valid win32 application.

teacup61

2007-02-06, 03:35

Hello,

Download and Save blacklight to your desktop.
F-Secure Blacklight: https://europe.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe then accept the agreement.
click > scan then > next,
You'll see a list of all items found.
Don't choose rename yet! I want to see the log first, because legit items can also be present there...
There must be also a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)
Post the contents of the log in your next reply.

Thanks,
tea

greer

2007-02-09, 01:28

Nothing came up

02/08/07 17:11:35 [Info]: BlackLight Engine 1.0.55 initialized
02/08/07 17:11:35 [Info]: OS: 5.1 build 2600 (Service Pack 2)
02/08/07 17:11:35 [Note]: 7019 4
02/08/07 17:11:35 [Note]: 7005 0
02/08/07 17:11:38 [Note]: 7006 0
02/08/07 17:11:38 [Note]: 7011 1768
02/08/07 17:11:38 [Note]: 7026 0
02/08/07 17:11:38 [Note]: 7026 0
02/08/07 17:11:45 [Note]: FSRAW library version 1.7.1021
02/08/07 17:14:41 [Note]: 2000 1012
02/08/07 17:27:26 [Note]: 7007 0

teacup61

2007-02-09, 07:41

Hello,
I'm still getting parts of that HP Imaging/ PhotoGallery stuff This is a known problem with HP, and they can help you better with that problem in their support forums. :)

Is this the exact file in the error message?
aol.exe

greer

2007-02-09, 22:18

C:\\Program Files\American Online 9.0\aol.exe is not a valid win32 application.

teacup61

2007-02-09, 22:55

Hello,

Could be all right....could also be very bad. Let's see. :)

Use Windows Search (Start > Search > For Files or Folders), to search for the following file:
aol.exe

Please go to VirusTotal (]http://www.virustotal.com/) and submit the file for a scan and post the results in your next reply.

Thanks,
tea

greer

2007-02-14, 01:08

This looks really bad but the fact that something was actually found makes me happy.

STATUS: FINISHEDComplete scanning result of "aol.exe", received in VirusTotal at 02.14.2007, 00:58:40 (CET).

Antivirus Version Update Result
AntiVir 7.3.1.37 02.13.2007 TR/Mitglieder.35852
Authentium 4.93.8 02.14.2007 no virus found
Avast 4.7.936.0 02.14.2007 no virus found
AVG 386 02.14.2007 no virus found
BitDefender 7.2 02.14.2007 DeepScan:Generic.Mitglied.D1598399
CAT-QuickHeal 9.00 02.13.2007 no virus found
ClamAV devel-20060426 02.13.2007 no virus found
DrWeb 4.33 02.13.2007 Trojan.Swizzor
eSafe 7.0.14.0 02.12.2007 suspicious Trojan/Worm
eTrust-Vet 30.4.3394 02.13.2007 no virus found
Ewido 4.0 02.13.2007 no virus found
Fortinet 2.85.0.0 02.13.2007 W32/QLowZones.42!tr
F-Prot 4.2.1.29 02.14.2007 no virus found
F-Secure 6.70.13030.0 02.13.2007 no virus found
Ikarus T3.1.0.31 02.14.2007 Generic.Mitglied
Kaspersky 4.0.2.24 02.14.2007 no virus found
McAfee 4962 02.13.2007 QLowZones-42
Microsoft 1.2204 02.13.2007 Trojan:Win32/Kukum.A
NOD32v2 2058 02.13.2007 a variant of Win32/TrojanDownloader.Agent.AWF
Norman 5.80.02 02.13.2007 no virus found
Panda 9.0.0.4 02.14.2007 Adware/SearchExe
Prevx1 V2 02.14.2007 Malware:SysCovert
Sophos 4.14.0 02.13.2007 no virus found
Sunbelt 2.2.907.0 02.09.2007 Trojan.Zonebac
Symantec 10 02.14.2007 Trojan.Zonebac
TheHacker 6.1.6.056 02.11.2007 no virus found
UNA 1.83 02.13.2007 no virus found
VBA32 3.11.2 02.13.2007 no virus found
VirusBuster 4.3.19:9 02.13.2007 no virus found

Aditional Information
File size: 35852 bytes
MD5: 52c56b22fb253c63b709a2ada1ef7dce
SHA1: ff25d609a6e471785228340b56e2c135804989b3
packers: UPX
packers: UPX
packers: UPX
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=6f7866442943

teacup61

2007-02-17, 10:16

Hello,

Oh boy....looks like we have some work to do here. :sick: I'm so very sorry for my delayed reply. I was unavoidably offline the last few days. :sad:

I'll get back here as soon as possible to get this thing gone.

Regards,
tea

teacup61

2007-02-18, 01:41

Hello,

Please download silentRunners from here:

http://www.silentrunners.org/Silent%20Runners.vbs

Save the file to your C:\ drive

Open a command prompt (start> run> cmd.exe)

type (or copy and paste) this line & hit enter:

"c:\silent runners.vbs" -all

If you get any warnings about the script; let it run.
Once scan is done it will tell you.
Log is called "startup programs + time/date/computername.txt" is created in c:\

Please download FindAWF by noahdfear http://noahdfear.geekstogo.com/FindAWF.exe and save it to your desktop:
* Please double-click FindAWF.exe to run it.
* If a security alert shows, allow the program to run.
* When the tool has completed, a report will open in Notepad.
* Please post the results of the awf.txt in your next reply.

Please post both logs along with a fresh hijackthis log. Make sure that wordwrap is turned off in Notepad.

Thanks,
tea

greer

2007-02-22, 02:11

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output of all locations checked and all values found.

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"SUPERAntiSpyware" = "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" ["SUPERAntiSpyware.com"]
"AOL Fast Start" = ""C:\Documents and Settings\greer\Desktop\America Online 9.0\AOL.EXE" -b" [null data]
"AIM" = "C:\Program Files\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]
"swg" = "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" ["Google Inc."]
"WinUpdate" = ""C:\DOCUME~1\greer\LOCALS~1\Temp\100532875.exe" " [file not found]
"WinMedia" = "C:\DOCUME~1\greer\LOCALS~1\Temp\100532750.exe" [null data]
"WinUpgrade" = ""C:\DOCUME~1\greer\LOCALS~1\Temp\100532921.exe" " [file not found]

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
"Recguard" = "%WINDIR%\SMINST\RECGUARD.EXE" [empty string]
"SigmatelSysTrayApp" = "sttray.exe" [file not found]
"nwiz" = "nwiz.exe /installquiet /keeploaded /nodetect" ["NVIDIA Corporation"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"" [null data]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" [null data]
"AOLDialer" = "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [null data]
"HostManager" = "C:\Program Files\Common Files\AOL\1124207719\ee\AOLSoftware.exe" [null data]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default) = "Microsoft Windows Media Player"
\StubPath = "C:\WINDOWS\inf\unregmp2.exe /ShowWMP" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{31FF080D-12A3-439A-A2EF-4BA95A3148E8}\(Default) = (no title provided)
-> {HKLM...CLSID} = "bho2gr Class"
\InProcServer32\(Default) = "C:\Program Files\GetRight\xx2gr.dll" ["Headlight Software, Inc."]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar5.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{00022613-0000-0000-C000-000000000046}" = "Multimedia File Property Sheet"
-> {HKLM...CLSID} = "Multimedia File Property Sheet"
\InProcServer32\(Default) = "mmsys.cpl" [MS]
"{176d6597-26d3-11d1-b350-080036a75b03}" = "ICM Scanner Management"
-> {HKLM...CLSID} = "ICM Scanner Management"
\InProcServer32\(Default) = "icmui.dll" [MS]
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}" = "NTFS Security Page"
-> {HKLM...CLSID} = "Security Shell Extension"
\InProcServer32\(Default) = "rshx32.dll" [MS]
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}" = "OLE Docfile Property Page"
-> {HKLM...CLSID} = "OLE Docfile Property Page"
\InProcServer32\(Default) = "docprop.dll" [MS]
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}" = "Shell extensions for sharing"
-> {HKLM...CLSID} = "Shell extensions for sharing"
\InProcServer32\(Default) = "ntshrui.dll" [MS]
"{41E300E0-78B6-11ce-849B-444553540000}" = "PlusPack CPL Extension"
-> {HKLM...CLSID} = "PlusPack CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\themeui.dll" [MS]
"{42071712-76d4-11d1-8b24-00a0c9068ff3}" = "Display Adapter CPL Extension"
-> {HKLM...CLSID} = "Display Adapter CPL Extension"
\InProcServer32\(Default) = "deskadp.dll" [MS]
"{42071713-76d4-11d1-8b24-00a0c9068ff3}" = "Display Monitor CPL Extension"
-> {HKLM...CLSID} = "Display Monitor CPL Extension"
\InProcServer32\(Default) = "deskmon.dll" [MS]
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{4E40F770-369C-11d0-8922-00A024AB2DBB}" = "DS Security Page"
-> {HKLM...CLSID} = "Security Shell Extension"
\InProcServer32\(Default) = "dssec.dll" [MS]
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}" = "Compatibility Page"
-> {HKLM...CLSID} = "Compatibility Page"
\InProcServer32\(Default) = "SlayerXP.dll" [MS]
"{56117100-C0CD-101B-81E2-00AA004AE837}" = "Shell Scrap DataHandler"
-> {HKLM...CLSID} = "Shell Scrap DataHandler"
\InProcServer32\(Default) = "shscrap.dll" [MS]
"{59099400-57FF-11CE-BD94-0020AF85B590}" = "Disk Copy Extension"
-> {HKLM...CLSID} = "Disk Copy Extension"
\InProcServer32\(Default) = "diskcopy.dll" [MS]
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}" = "Shell extensions for Microsoft Windows Network objects"
-> {HKLM...CLSID} = "Shell extensions for Microsoft Windows Network objects"
\InProcServer32\(Default) = "ntlanui2.dll" [MS]
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}" = "ICM Monitor Management"
-> {HKLM...CLSID} = "ICM Monitor Management"
\InProcServer32\(Default) = "C:\WINDOWS\System32\icmui.dll" [MS]
"{675F097E-4C4D-11D0-B6C1-0800091AA605}" = "ICM Printer Management"
-> {HKLM...CLSID} = "ICM Printer Management"
\InProcServer32\(Default) = "C:\WINDOWS\system32\icmui.dll" [MS]
"{77597368-7b15-11d0-a0c2-080036af3f03}" = "Web Printer Shell Extension"
-> {HKLM...CLSID} = "Web Printer Shell Extension"
\InProcServer32\(Default) = "printui.dll" [MS]
"{7988B573-EC89-11cf-9C00-00AA00A14F56}" = "Disk Quota UI"
-> {HKLM...CLSID} = "Microsoft Disk Quota UI"
\InProcServer32\(Default) = "dskquoui.dll" [MS]
"{85BBD920-42A0-1069-A2E4-08002B30309D}" = "Briefcase"
-> {HKLM...CLSID} = "Briefcase"
\InProcServer32\(Default) = "syncui.dll" [MS]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{BD84B380-8CA2-1069-AB1D-08000948F534}" = "Fonts"
-> {HKLM...CLSID} = "Fonts"
\InProcServer32\(Default) = "fontext.dll" [MS]
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}" = "ICC Profile"
-> {HKLM...CLSID} = "ICC Profile"
\InProcServer32\(Default) = "C:\WINDOWS\system32\icmui.dll" [MS]
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}" = "Printers Security Page"
-> {HKLM...CLSID} = "Security Shell Extension"
\InProcServer32\(Default) = "rshx32.dll" [MS]
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}" = "Shell extensions for sharing"
-> {HKLM...CLSID} = "Shell extensions for sharing"
\InProcServer32\(Default) = "ntshrui.dll" [MS]
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}" = "Display TroubleShoot CPL Extension"
-> {HKLM...CLSID} = "Display TroubleShoot CPL Extension"
\InProcServer32\(Default) = "deskperf.dll" [MS]
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}" = "Crypto PKO Extension"
-> {HKLM...CLSID} = "CryptPKO Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\cryptext.dll" [MS]
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}" = "Crypto Sign Extension"
-> {HKLM...CLSID} = "CryptSig Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\cryptext.dll" [MS]
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}" = "Network Connections"
-> {HKLM...CLSID} = "Network Connections"
\InProcServer32\(Default) = "C:\WINDOWS\system32\NETSHELL.dll" [MS]
"{992CFFA0-F557-101A-88EC-00DD010CCC48}" = "Network Connections"
-> {HKLM...CLSID} = "Network Connections"
\InProcServer32\(Default) = "C:\WINDOWS\system32\NETSHELL.dll" [MS]
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}" = "Scanners & Cameras"
-> {HKLM...CLSID} = "Scanners & Cameras"
\InProcServer32\(Default) = "wiashext.dll" [MS]
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}" = "Scanners & Cameras"
-> {HKLM...CLSID} = "Scanners & Cameras"
\InProcServer32\(Default) = "wiashext.dll" [MS]
"{905667aa-acd6-11d2-8080-00805f6596d2}" = "Scanners & Cameras"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "wiashext.dll" [MS]
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}" = "Scanners & Cameras"
-> {HKLM...CLSID} = "Scanners & Cameras"
\InProcServer32\(Default) = "wiashext.dll" [MS]
"{83bbcbf3-b28a-4919-a5aa-73027445d672}" = "Scanners & Cameras"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "wiashext.dll" [MS]
"{F0152790-D56E-4445-850E-4F3117DB740C}" = "Remote Sessions CPL Extension"
-> {HKLM...CLSID} = "Remote Sessions CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\remotepg.dll" [MS]
"{1D2680C9-0E2A-469d-B787-065558BC7D43}" = "Fusion Cache"
-> {HKLM...CLSID} = "Fusion Cache"
\InProcServer32\(Default) = "C:\WINDOWS\system32\mscoree.dll" [MS]
"{60254CA5-953B-11CF-8C96-00AA00B8708C}" = "Shell extensions for Windows Script Host"
-> {HKLM...CLSID} = "Shell Extension For Windows Script Host"
\InProcServer32\(Default) = "C:\WINDOWS\system32\wshext.dll" [MS]
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}" = "Microsoft Data Link"
-> {HKLM...CLSID} = "Microsoft OLE DB Service Component Data Links"
\InProcServer32\(Default) = "C:\Program Files\Common Files\System\Ole DB\oledb32.dll" [MS]
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}" = "Tasks Folder Icon Handler"
-> {HKLM...CLSID} = "Scheduling UI icon handler"
\InProcServer32\(Default) = "C:\WINDOWS\system32\mstask.dll" [MS]
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}" = "Tasks Folder Shell Extension"
-> {HKLM...CLSID} = "Scheduling UI property sheet handler"
\InProcServer32\(Default) = "C:\WINDOWS\system32\mstask.dll" [MS]
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}" = "Scheduled Tasks"
-> {HKLM...CLSID} = "Scheduled Tasks"
\InProcServer32\(Default) = "C:\WINDOWS\system32\mstask.dll" [MS]
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}" = "Set Program Access and Defaults"
-> {HKLM...CLSID} = "Set Program Access and Defaults"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}" = "Auto Update Property Sheet Extension"
-> {HKLM...CLSID} = "Auto Update Property Sheet Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\wuaucpl.cpl" [MS]
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}" = "Search"
-> {HKLM...CLSID} = "Search"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}" = "Help and Support"
-> {HKLM...CLSID} = "Help and Support"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}" = "Help and Support"
-> {HKLM...CLSID} = "Windows Security"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}" = "Run..."
-> {HKLM...CLSID} = "Run..."
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}" = "Internet"
-> {HKLM...CLSID} = "Internet"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}" = "E-mail"
-> {HKLM...CLSID} = "E-mail"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{D20EA4E1-3957-11d2-A40B-0C5020524152}" = "Fonts"
-> {HKLM...CLSID} = "Fonts"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{D20EA4E1-3957-11d2-A40B-0C5020524153}" = "Administrative Tools"
-> {HKLM...CLSID} = "Administrative Tools"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{596AB062-B4D2-4215-9F74-E9109B0A8153}" = "Previous Versions Property Page"
-> {HKLM...CLSID} = "Previous Versions Property Page"
\InProcServer32\(Default) = "C:\WINDOWS\system32\twext.dll" [MS]
"{9DB7A13C-F208-4981-8353-73CC61AE2783}" = "Previous Versions"
-> {HKLM...CLSID} = "Previous Versions"
\InProcServer32\(Default) = "C:\WINDOWS\system32\twext.dll" [MS]
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}" = "Audio Media Properties Handler"
-> {HKLM...CLSID} = "Audio Media Properties Handler"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shmedia.dll" [MS]
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}" = "Video Media Properties Handler"
-> {HKLM...CLSID} = "Video Media Properties Handler"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shmedia.dll" [MS]
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}" = "Wav Properties Handler"
-> {HKLM...CLSID} = "Wav Properties Handler"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shmedia.dll" [MS]
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}" = "Avi Properties Handler"
-> {HKLM...CLSID} = "Avi Properties Handler"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shmedia.dll" [MS]
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}" = "Midi Properties Handler"
-> {HKLM...CLSID} = "Midi Properties Handler"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shmedia.dll" [MS]
"{c5a40261-cd64-4ccf-84cb-c394da41d590}" = "Video Thumbnail Extractor"
-> {HKLM...CLSID} = "Video Thumbnail Extractor"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shmedia.dll" [MS]
"{5E6AB780-7743-11CF-A12B-00AA004AE837}" = "Microsoft Internet Toolbar"
-> {HKLM...CLSID} = "Microsoft Internet Toolbar"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}" = "Download Status"
-> {HKLM...CLSID} = "Download Status"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}" = "Augmented Shell Folder"
-> {HKLM...CLSID} = "Augmented Shell Folder"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{6413BA2C-B461-11d1-A18A-080036B11A03}" = "Augmented Shell Folder 2"
-> {HKLM...CLSID} = "Augmented Shell Folder 2"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}" = "BandProxy"
-> {HKLM...CLSID} = "BandProxy"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}" = "Microsoft BrowserBand"
-> {HKLM...CLSID} = "Microsoft BrowserBand"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{30D02401-6A81-11d0-8274-00C04FD5AE38}" = "Search Band"
-> {HKLM...CLSID} = "Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}" = "In-pane search"
-> {HKLM...CLSID} = "In-pane search"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{07798131-AF23-11d1-9111-00A0C98BA67D}" = "Web Search"
-> {HKLM...CLSID} = "Web Search"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}" = "Registry Tree Options Utility"
-> {HKLM...CLSID} = "Registry Tree Options Utility"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}" = "&Address"
-> {HKLM...CLSID} = "&Address"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{A08C11D2-A228-11d0-825B-00AA005B4383}" = "Address EditBox"
-> {HKLM...CLSID} = "Address EditBox"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{00BB2763-6A77-11D0-A535-00C04FD7D062}" = "Microsoft AutoComplete"
-> {HKLM...CLSID} = "Microsoft AutoComplete"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{7376D660-C583-11d0-A3A5-00C04FD706EC}" = "TridentImageExtractor"
-> {HKLM...CLSID} = "TridentImageExtractor"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{6756A641-DE71-11d0-831B-00AA005B4383}" = "MRU AutoComplete List"
-> {HKLM...CLSID} = "MRU AutoComplete List"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}" = "Custom MRU AutoCompleted List"
-> {HKLM...CLSID} = "Custom MRU AutoCompleted List"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{7e653215-fa25-46bd-a339-34a2790f3cb7}" = "Accessible"
-> {HKLM...CLSID} = "Accessible"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{acf35015-526e-4230-9596-becbe19f0ac9}" = "Track Popup Bar"
-> {HKLM...CLSID} = "Track Popup Bar"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{00BB2764-6A77-11D0-A535-00C04FD7D062}" = "Microsoft History AutoComplete List"
-> {HKLM...CLSID} = "Microsoft History AutoComplete List"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{03C036F1-A186-11D0-824A-00AA005B4383}" = "Microsoft Shell Folder AutoComplete List"
-> {HKLM...CLSID} = "Microsoft Shell Folder AutoComplete List"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{00BB2765-6A77-11D0-A535-00C04FD7D062}" = "Microsoft Multiple AutoComplete List Container"
-> {HKLM...CLSID} = "Microsoft Multiple AutoComplete List Container"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}" = "Shell Band Site Menu"
-> {HKLM...CLSID} = "Shell Band Site Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}" = "Shell DeskBarApp"
-> {HKLM...CLSID} = "Shell DeskBarApp"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}" = "Shell DeskBar"
-> {HKLM...CLSID} = "Shell DeskBar"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}" = "Shell Rebar BandSite"
-> {HKLM...CLSID} = "Shell Rebar BandSite"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}" = "User Assist"
-> {HKLM...CLSID} = "User Assist"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}" = "Global Folder Settings"
-> {HKLM...CLSID} = "Global Folder Settings"

greer

2007-02-22, 02:12

\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}" = "Favorites Band"
-> {HKLM...CLSID} = "Favorites Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{0A89A860-D7B1-11CE-8350-444553540000}" = "Shell Automation Inproc Service"
-> {HKLM...CLSID} = "Shell Automation Inproc Service"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}" = "Shell DocObject Viewer"
-> {HKLM...CLSID} = "Shell DocObject Viewer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}" = "Microsoft Browser Architecture"
-> {HKLM...CLSID} = "Microsoft Browser Architecture"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}" = "InternetShortcut"
-> {HKLM...CLSID} = "Internet Shortcut"
\InProcServer32\(Default) = "shdocvw.dll" [MS]
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}" = "Microsoft Url History Service"
-> {HKLM...CLSID} = "Microsoft Url History Service"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{FF393560-C2A7-11CF-BFF4-444553540000}" = "History"
-> {HKLM...CLSID} = "History"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}" = "Temporary Internet Files"
-> {HKLM...CLSID} = "Temporary Internet Files"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}" = "Temporary Internet Files"
-> {HKLM...CLSID} = "Temporary Internet Files"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" = "Microsoft Url Search Hook"
-> {HKLM...CLSID} = "Microsoft Url Search Hook"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}" = "IE4 Suite Splash Screen"
-> {HKLM...CLSID} = "IE4 Suite Splash Screen"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}" = "CDF Extension Copy Hook"
-> {HKLM...CLSID} = "CDF Extension Copy Hook"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{131A6951-7F78-11D0-A979-00C04FD705A2}" = "ISFBand OC"
-> {HKLM...CLSID} = "ISFBand OC"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}" = "Search Assistant OC"
-> {HKLM...CLSID} = "Search Assistant OC"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}" = "The Internet"
-> {HKLM...CLSID} = "The Internet"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{871C5380-42A0-1069-A2EA-08002B30309D}" = "Internet Name Space"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}" = "Explorer Band"
-> {HKLM...CLSID} = "Explorer Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}" = "Sendmail service"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\sendmail.dll" [MS]
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}" = "Sendmail service"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\sendmail.dll" [MS]
"{88C6C381-2E85-11D0-94DE-444553540000}" = "ActiveX Cache Folder"
-> {HKLM...CLSID} = "ActiveX Cache Folder"
\InProcServer32\(Default) = "C:\WINDOWS\system32\occache.dll" [MS]
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" = "WebCheck"
-> {HKLM...CLSID} = "WebCheck"
\InProcServer32\(Default) = "C:\WINDOWS\system32\webcheck.dll" [MS]
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}" = "Subscription Mgr"
-> {HKLM...CLSID} = "Subscription Mgr"
\InProcServer32\(Default) = "C:\WINDOWS\system32\webcheck.dll" [MS]
"{F5175861-2688-11d0-9C5E-00AA00A45957}" = "Subscription Folder"
-> {HKLM...CLSID} = "Subscription Folder"
\InProcServer32\(Default) = "C:\WINDOWS\system32\webcheck.dll" [MS]
"{08165EA0-E946-11CF-9C87-00AA005127ED}" = "WebCheckWebCrawler"
-> {HKLM...CLSID} = "WebCheckWebCrawler"
\InProcServer32\(Default) = "C:\WINDOWS\system32\webcheck.dll" [MS]
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}" = "WebCheckChannelAgent"
-> {HKLM...CLSID} = "WebCheckChannelAgent"
\InProcServer32\(Default) = "C:\WINDOWS\system32\webcheck.dll" [MS]
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}" = "TrayAgent"
-> {HKLM...CLSID} = "TrayAgent"
\InProcServer32\(Default) = "C:\WINDOWS\system32\webcheck.dll" [MS]
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}" = "Code Download Agent"
-> {HKLM...CLSID} = "Code Download Agent"
\InProcServer32\(Default) = "C:\WINDOWS\system32\webcheck.dll" [MS]
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}" = "ConnectionAgent"
-> {HKLM...CLSID} = "ConnectionAgent"
\InProcServer32\(Default) = "C:\WINDOWS\system32\webcheck.dll" [MS]
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}" = "PostAgent"
-> {HKLM...CLSID} = "PostAgent"
\InProcServer32\(Default) = "C:\WINDOWS\system32\webcheck.dll" [MS]
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}" = "WebCheck SyncMgr Handler"
-> {HKLM...CLSID} = "WebCheck SyncMgr Handler"
\InProcServer32\(Default) = "C:\WINDOWS\system32\webcheck.dll" [MS]
"{352EC2B7-8B9A-11D1-B8AE-006008059382}" = "Shell Application Manager"
-> {HKLM...CLSID} = "Shell Application Manager"
\InProcServer32\(Default) = "C:\WINDOWS\system32\appwiz.cpl" [MS]
"{0B124F8F-91F0-11D1-B8B5-006008059382}" = "Installed Apps Enumerator"
-> {HKLM...CLSID} = "Installed Apps Enumerator"
\InProcServer32\(Default) = "C:\WINDOWS\system32\appwiz.cpl" [MS]
"{CFCCC7A0-A282-11D1-9082-006008059382}" = "Darwin App Publisher"
-> {HKLM...CLSID} = "Darwin App Publisher"
\InProcServer32\(Default) = "C:\WINDOWS\system32\appwiz.cpl" [MS]
"{e84fda7c-1d6a-45f6-b725-cb260c236066}" = "Shell Image Verbs"
-> {HKLM...CLSID} = "Shell Image Verbs"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shimgvw.dll" [MS]
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}" = "Shell Image Data Factory"
-> {HKLM...CLSID} = "Shell Image Data Factory"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shimgvw.dll" [MS]
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}" = "GDI+ file thumbnail extractor"
-> {HKLM...CLSID} = "GDI+ file thumbnail extractor"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shimgvw.dll" [MS]
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}" = "Summary Info Thumbnail handler (DOCFILES)"
-> {HKLM...CLSID} = "Summary Info Thumbnail handler (DOCFILES)"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shimgvw.dll" [MS]
"{EAB841A0-9550-11cf-8C16-00805F1408F3}" = "HTML Thumbnail Extractor"
-> {HKLM...CLSID} = "HTML Thumbnail Extractor"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shimgvw.dll" [MS]
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}" = "Shell Image Property Handler"
-> {HKLM...CLSID} = "Shell Image Property Handler"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shimgvw.dll" [MS]
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}" = "Web Publishing Wizard"
-> {HKLM...CLSID} = "Web Publishing Wizard"
\InProcServer32\(Default) = "C:\WINDOWS\system32\netplwiz.dll" [MS]
"{add36aa8-751a-4579-a266-d66f5202ccbb}" = "Print Ordering via the Web"
-> {HKLM...CLSID} = "Print Ordering via the Web"
\InProcServer32\(Default) = "C:\WINDOWS\system32\netplwiz.dll" [MS]
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}" = "Shell Publishing Wizard Object"
-> {HKLM...CLSID} = "Shell Publishing Wizard Object"
\InProcServer32\(Default) = "C:\WINDOWS\system32\netplwiz.dll" [MS]
"{58f1f272-9240-4f51-b6d4-fd63d1618591}" = "Get a Passport Wizard"
-> {HKLM...CLSID} = "Get a Passport Wizard"
\InProcServer32\(Default) = "C:\WINDOWS\system32\netplwiz.dll" [MS]
"{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31}" = "Compressed (zipped) Folder"
-> {HKLM...CLSID} = "CompressedFolder"
\InProcServer32\(Default) = "C:\WINDOWS\system32\zipfldr.dll" [MS]
"{BD472F60-27FA-11cf-B8B4-444553540000}" = "Compressed (zipped) Folder Right Drag Handler"
-> {HKLM...CLSID} = "Compressed (zipped) Folder Right Drag Handler"
\InProcServer32\(Default) = "C:\WINDOWS\system32\zipfldr.dll" [MS]
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}" = "Compressed (zipped) Folder SendTo Target"
-> {HKLM...CLSID} = "Compressed (zipped) Folder SendTo Target"
\InProcServer32\(Default) = "C:\WINDOWS\system32\zipfldr.dll" [MS]
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}" = "Channel File"
-> {HKLM...CLSID} = "Channel"
\InProcServer32\(Default) = "C:\WINDOWS\system32\cdfview.dll" [MS]
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}" = "Channel Shortcut"
-> {HKLM...CLSID} = "Channel Shortcut"
\InProcServer32\(Default) = "C:\WINDOWS\system32\cdfview.dll" [MS]
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}" = "Channel Handler Object"
-> {HKLM...CLSID} = "Channel Handler Object"
\InProcServer32\(Default) = "C:\WINDOWS\system32\cdfview.dll" [MS]
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}" = "Channel Menu"
-> {HKLM...CLSID} = "Channel Menu Handler Object"
\InProcServer32\(Default) = "C:\WINDOWS\system32\cdfview.dll" [MS]
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}" = "Channel Properties"
-> {HKLM...CLSID} = "Channel Shortcut Property Pages"
\InProcServer32\(Default) = "C:\WINDOWS\system32\cdfview.dll" [MS]
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}" = "Extensions Manager Folder"
-> {HKLM...CLSID} = "Extensions Manager Folder"
\InProcServer32\(Default) = "C:\WINDOWS\system32\extmgr.dll" [MS]
"{63da6ec0-2e98-11cf-8d82-444553540000}" = "FTP Folders Webview"
-> {HKLM...CLSID} = "Microsoft FTP Folder"
\InProcServer32\(Default) = "C:\WINDOWS\system32\msieftp.dll" [MS]
"{883373C3-BF89-11D1-BE35-080036B11A03}" = "Microsoft DocProp Shell Ext"
-> {HKLM...CLSID} = "Microsoft DocProp Shell Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\docprop2.dll" [MS]
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}" = "Microsoft DocProp Inplace Edit Box Control"
-> {HKLM...CLSID} = "Microsoft DocProp Inplace Edit Box Control"
\InProcServer32\(Default) = "C:\WINDOWS\system32\docprop2.dll" [MS]
"{8EE97210-FD1F-4B19-91DA-67914005F020}" = "Microsoft DocProp Inplace ML Edit Box Control"
-> {HKLM...CLSID} = "Microsoft DocProp Inplace ML Edit Box Control"
\InProcServer32\(Default) = "C:\WINDOWS\system32\docprop2.dll" [MS]
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}" = "Microsoft DocProp Inplace Droplist Combo Control"
-> {HKLM...CLSID} = "Microsoft DocProp Inplace Droplist Combo Control"
\InProcServer32\(Default) = "C:\WINDOWS\system32\docprop2.dll" [MS]
"{6A205B57-2567-4A2C-B881-F787FAB579A3}" = "Microsoft DocProp Inplace Calendar Control"
-> {HKLM...CLSID} = "Microsoft DocProp Inplace Calendar Control"
\InProcServer32\(Default) = "C:\WINDOWS\system32\docprop2.dll" [MS]
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}" = "Microsoft DocProp Inplace Time Control"
-> {HKLM...CLSID} = "Microsoft DocProp Inplace Time Control"
\InProcServer32\(Default) = "C:\WINDOWS\system32\docprop2.dll" [MS]
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}" = "Directory Query UI"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\dsquery.dll" [MS]
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}" = "Shell properties for a DS object"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\dsquery.dll" [MS]
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}" = "Directory Object Find"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\dsquery.dll" [MS]
"{F020E586-5264-11d1-A532-0000F8757D7E}" = "Directory Start/Search Find"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\dsquery.dll" [MS]
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}" = "Directory Property UI"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\dsuiext.dll" [MS]
"{62AE1F9A-126A-11D0-A14B-0800361B1103}" = "Directory Context Menu Verbs"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\dsuiext.dll" [MS]
"{ECF03A33-103D-11d2-854D-006008059367}" = "MyDocs Copy Hook"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\mydocs.dll" [MS]
"{ECF03A32-103D-11d2-854D-006008059367}" = "MyDocs Drop Target"
-> {HKLM...CLSID} = "MyDocs Drop Target"
\InProcServer32\(Default) = "C:\WINDOWS\system32\mydocs.dll" [MS]
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}" = "MyDocs Properties"
-> {HKLM...CLSID} = "MyDocs menu and properties"
\InProcServer32\(Default) = "C:\WINDOWS\system32\mydocs.dll" [MS]
"{750fdf0e-2a26-11d1-a3ea-080036587f03}" = "Offline Files Menu"
-> {HKLM...CLSID} = "Offline Files Menu"
\InProcServer32\(Default) = "C:\WINDOWS\System32\cscui.dll" [MS]
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}" = "Offline Files Folder Options"
-> {HKLM...CLSID} = "Offline Files Folder Options"
\InProcServer32\(Default) = "C:\WINDOWS\System32\cscui.dll" [MS]
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}" = "Offline Files Folder"
-> {HKLM...CLSID} = "Offline Files Folder"
\InProcServer32\(Default) = "C:\WINDOWS\System32\cscui.dll" [MS]
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}" = "Microsoft Agent Character Property Sheet Handler"
-> {HKLM...CLSID} = "Microsoft Agent Character Property Sheet Handler"
\InProcServer32\(Default) = "C:\WINDOWS\msagent\agentpsh.dll" [MS]
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}" = "DfsShell"
-> {HKLM...CLSID} = "DfsShell Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dfsshlex.dll" [MS]
"{60fd46de-f830-4894-a628-6fa81bc0190d}" = "%DESC_PublishDropTarget%"
-> {HKLM...CLSID} = "DropTarget Object for Photo Printing Wizard"
\InProcServer32\(Default) = "C:\WINDOWS\system32\photowiz.dll" [MS]
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}" = "MMC Icon Handler"
-> {HKLM...CLSID} = "ExtractIcon Class"
\InProcServer32\(Default) = "C:\WINDOWS\System32\mmcshext.dll" [MS]
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}" = ".CAB file viewer"
-> {HKLM...CLSID} = "Cabinet File"
\InProcServer32\(Default) = "cabview.dll" [MS]
"{32714800-2E5F-11d0-8B85-00AA0044F941}" = "For &People..."
-> {HKLM...CLSID} = "For &People..."
\InProcServer32\(Default) = "C:\Program Files\Outlook Express\wabfind.dll" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\audiodev.dll" [MS]
"{8DD448E6-C188-4aed-AF92-44956194EB1F}" = "Windows Media Player Play as Playlist Context Menu Handler"
-> {HKLM...CLSID} = "WMP Burn Audio CD Launcher"
\InProcServer32\(Default) = "C:\WINDOWS\system32\wmpshell.dll" [MS]
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}" = "Windows Media Player Burn Audio CD Context Menu Handler"
-> {HKLM...CLSID} = "WMP Play As Playlist Launcher"
\InProcServer32\(Default) = "C:\WINDOWS\system32\wmpshell.dll" [MS]
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}" = "Windows Media Player Add to Playlist Context Menu Handler"
-> {HKLM...CLSID} = "WMP Add To Playlist Launcher"
\InProcServer32\(Default) = "C:\WINDOWS\system32\wmpshell.dll" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}" = "Web Folders"
-> {HKLM...CLSID} = "Web Folders"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)

greer

2007-02-22, 02:13

\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "SampleView"
-> {HKLM...CLSID} = "SampleView"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{BF05BB6E-442C-428B-8025-82280B7BC26C}" = "Zen Micro Media Explorer"
-> {HKLM...CLSID} = "Zen Micro Media Explorer"
\InProcServer32\(Default) = "C:\Program Files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTJBNS2.dll" ["Creative Technology Ltd"]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}" = "Browseui preloader"
-> {HKLM...CLSID} = "Browseui preloader"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{8C7461EF-2B13-11d2-BE35-3078302C2030}" = "Component Categories cache daemon"
-> {HKLM...CLSID} = "Component Categories cache daemon"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}" = (no title provided)
-> {HKLM...CLSID} = "URL Exec Hook"
\InProcServer32\(Default) = "shell32.dll" [MS]
<<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
-> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
\InProcServer32\(Default) = "C:\PROGRA~1\WIFD1F~1\MpShHook.dll" [MS]
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]
<<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
-> {HKLM...CLSID} = "SABShellExecuteHook Class"
\InProcServer32\(Default) = "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]

HKCU\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"PostBootReminder" = "{7849596a-48ea-486e-8937-a2a3009f31a9}"
-> {HKLM...CLSID} = "PostBootReminder object"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"CDBurn" = "{fbeb8a05-beee-4442-804e-409d6c4515e9}"
-> {HKLM...CLSID} = "ShellFolder for CD Burning"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"WebCheck" = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
-> {HKLM...CLSID} = "WebCheck"
\InProcServer32\(Default) = "C:\WINDOWS\system32\webcheck.dll" [MS]
"SysTray" = "{35CEC8A3-2BE6-11D2-8773-92E220524153}"
-> {HKLM...CLSID} = "SysTray"
\InProcServer32\(Default) = "C:\WINDOWS\system32\stobject.dll" [MS]

HKCU\Software\Microsoft\Command Processor\
"AutoRun" = (value not found)

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"Shell" = (value not found)

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
"load" = (empty string)
"run" = (value not found)

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
"Shell" = (value not found)

HKLM\Software\Microsoft\Command Processor\
"AutoRun" = (empty string)

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\
"AppInit_DLLs" = (value not found)

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
"GinaDLL" = (value not found)
"Shell" = "Explorer.exe" [MS]
"Taskman" = (value not found)
"Userinit" = "C:\WINDOWS\system32\userinit.exe," [MS]
"System" = (empty string)

HKLM\System\CurrentControlSet\Control\SafeBoot\Option\
"UseAlternateShell" = (value not found)

HKLM\System\CurrentControlSet\Control\SecurityProviders\
"SecurityProviders" = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKLM\System\CurrentControlSet\Control\Session Manager\
"BootExecute" = "autocheck autochk *"

HKLM\System\CurrentControlSet\Control\WOW\
"cmdline" = "C:\WINDOWS\system32\ntvdm.exe" [MS]
"wowcmdline" = "C:\WINDOWS\system32\ntvdm.exe -a C:\WINDOWS\system32\krnl386" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> !SASWinLogon\DLLName = "C:\Program Files\SUPERAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"]
crypt32chain\DLLName = "crypt32.dll" [MS]
cryptnet\DLLName = "cryptnet.dll" [MS]
cscdll\DLLName = "cscdll.dll" [MS]
ScCertProp\DLLName = "wlnotify.dll" [MS]
Schedule\DLLName = "wlnotify.dll" [MS]
sclgntfy\DLLName = "sclgntfy.dll" [MS]
SensLogn\DLLName = "WlNotify.dll" [MS]
termsrv\DLLName = "wlnotify.dll" [MS]
wlballoon\DLLName = "wlnotify.dll" [MS]
<<!>> wzcnotif\DLLName = "wzcdlg.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
Your Image File Name Here without a path\Debugger = "ntsd -d" [MS]

HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon\

HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\

HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup\

HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown\

HKLM\Software\Classes\PROTOCOLS\Filter\
application/octet-stream\CLSID = "{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"
-> {HKLM...CLSID} = "Cor MIME Filter, CorFltr, CorFltr 1"
\InProcServer32\(Default) = "C:\WINDOWS\system32\mscoree.dll" [MS]
application/x-complus\CLSID = "{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"
-> {HKLM...CLSID} = "Cor MIME Filter, CorFltr, CorFltr 1"
\InProcServer32\(Default) = "C:\WINDOWS\system32\mscoree.dll" [MS]
application/x-msdownload\CLSID = "{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"
-> {HKLM...CLSID} = "Cor MIME Filter, CorFltr, CorFltr 1"
\InProcServer32\(Default) = "C:\WINDOWS\system32\mscoree.dll" [MS]
Class Install Handler\CLSID = "{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"
-> {HKLM...CLSID} = "AP Class Install Handler filter"
\InProcServer32\(Default) = "C:\WINDOWS\system32\urlmon.dll" [MS]
deflate\CLSID = "{8f6b0360-b80d-11d0-a9b3-006097942311}"
-> {HKLM...CLSID} = "AP lzdhtml encoding/decoding Filter"
\InProcServer32\(Default) = "C:\WINDOWS\system32\urlmon.dll" [MS]
gzip\CLSID = "{8f6b0360-b80d-11d0-a9b3-006097942311}"
-> {HKLM...CLSID} = "AP lzdhtml encoding/decoding Filter"
\InProcServer32\(Default) = "C:\WINDOWS\system32\urlmon.dll" [MS]
lzdhtml\CLSID = "{8f6b0360-b80d-11d0-a9b3-006097942311}"
-> {HKLM...CLSID} = "AP lzdhtml encoding/decoding Filter"
\InProcServer32\(Default) = "C:\WINDOWS\system32\urlmon.dll" [MS]
text/webviewhtml\CLSID = "{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"
-> {HKLM...CLSID} = "WebView MIME Filter"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{0D2E74C4-3C34-11d2-A27E-00C04FC30871}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
{24F14F01-7B1C-11d1-838f-0000F80461CF}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
{24F14F02-7B1C-11d1-838f-0000F80461CF}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
{66742402-F9B9-11D1-A202-0000F81FEDEE}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
BriefcaseMenu\(Default) = "{85BBD920-42A0-1069-A2E4-08002B30309D}"
-> {HKLM...CLSID} = "Briefcase"
\InProcServer32\(Default) = "syncui.dll" [MS]
Offline Files\(Default) = "{750fdf0e-2a26-11d1-a3ea-080036587f03}"
-> {HKLM...CLSID} = "Offline Files Menu"
\InProcServer32\(Default) = "C:\WINDOWS\System32\cscui.dll" [MS]
Open With\(Default) = "{09799AFB-AD67-11d1-ABCD-00C04FC30936}"
-> {HKLM...CLSID} = "Open With Context Menu Handler"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
Open With EncryptionMenu\(Default) = "{A470F8CF-A1E8-4f65-8335-227475AA5C46}"
-> {HKLM...CLSID} = "Encryption Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
EncryptionMenu\(Default) = "{A470F8CF-A1E8-4f65-8335-227475AA5C46}"
-> {HKLM...CLSID} = "Encryption Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
Offline Files\(Default) = "{750fdf0e-2a26-11d1-a3ea-080036587f03}"
-> {HKLM...CLSID} = "Offline Files Menu"
\InProcServer32\(Default) = "C:\WINDOWS\System32\cscui.dll" [MS]
Sharing\(Default) = "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"
-> {HKLM...CLSID} = "Shell extensions for sharing"
\InProcServer32\(Default) = "ntshrui.dll" [MS]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
BriefcaseMenu\(Default) = "{85BBD920-42A0-1069-A2E4-08002B30309D}"
-> {HKLM...CLSID} = "Briefcase"
\InProcServer32\(Default) = "syncui.dll" [MS]

HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
Send To\(Default) = "{7BA4C740-9E81-11CF-99D3-00AA004AE837}"
-> {HKLM...CLSID} = "Microsoft SendTo Service"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]

Default executables:
--------------------

HKLM\Software\Classes\.bat\(Default) = "batfile"
HKLM\Software\Classes\batfile\shell\open\command\(Default) = ""%1" %*"

HKLM\Software\Classes\.cmd\(Default) = "cmdfile"
HKLM\Software\Classes\cmdfile\shell\open\command\(Default) = ""%1" %*"

HKLM\Software\Classes\.com\(Default) = "comfile"
HKLM\Software\Classes\comfile\shell\open\command\(Default) = ""%1" %*"

HKLM\Software\Classes\.exe\(Default) = "exefile"
HKLM\Software\Classes\exefile\shell\open\command\(Default) = ""%1" %*"

HKLM\Software\Classes\.hta\(Default) = "htafile"
HKLM\Software\Classes\htafile\shell\open\command\(Default) = "C:\WINDOWS\system32\mshta.exe "%1" %*"

HKLM\Software\Classes\.pif\(Default) = "piffile"
HKLM\Software\Classes\piffile\shell\open\command\(Default) = ""%1" %*"

HKLM\Software\Classes\.scr\(Default) = "scrfile"
HKLM\Software\Classes\scrfile\shell\open\command\(Default) = ""%1" /S"

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDriveTypeAutoRun" = (REG_DWORD) hex:0x00000091
{User Configuration|Administrative Templates|Windows Components|AutoPlay Policies|
Turn off Autoplay}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowCpl\

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate\

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\

HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel\

HKCU\Software\Policies\Microsoft\Internet Explorer\Download\

HKLM\Software\Policies\Microsoft\Internet Explorer\Download\

HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\

HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\

HKCU\Software\Policies\Microsoft\Internet Explorer\Main\

HKLM\Software\Policies\Microsoft\Internet Explorer\Main\

HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\

HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\

HKCU\Software\Policies\Microsoft\Internet Explorer\PhishingFilter\

HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter\

HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\

HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions\

HKCU\Software\Policies\Microsoft\Internet Explorer\Security\

HKLM\Software\Policies\Microsoft\Internet Explorer\Security\

HKCU\Software\Policies\Microsoft\MMC\{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}\

HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\

HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\

HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\

HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\

HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\

HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\

HKCU\Software\Policies\Microsoft\Windows\Network Connections\

HKCU\Software\Policies\Microsoft\Windows\System\

HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0\

HKLM\Software\Policies\Microsoft\Windows\Task Scheduler5.0\

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

greer

2007-02-22, 02:14

"dontdisplaylastusername" = (REG_DWORD) hex:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Interactive logon: Do not display last user name}

"legalnoticetext" = (REG_SZ) (empty string)
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Interactive logon: Message text for users attempting to log on}

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"InstallVisualStyle" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
{unrecognized setting}

"InstallTheme" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale.theme
{unrecognized setting}

HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore\

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\greer\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = (value not set)

DESKTOP.INI DLL launch in local fixed drive directories:
--------------------------------------------------------

C:\Documents and Settings\Administrator\Local Settings\History\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\Documents and Settings\greer\Local Settings\History\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\Documents and Settings\greer\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\Documents and Settings\greer\Local Settings\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\Documents and Settings\greer\Local Settings\Temporary Internet Files\Content.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\Documents and Settings\greer\Local Settings\Temporary Internet Files\Content.IE5\0TQJW92B\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\Documents and Settings\greer\Local Settings\Temporary Internet Files\Content.IE5\H5AWAE1P\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\Documents and Settings\greer\Local Settings\Temporary Internet Files\Content.IE5\KX2V0XMR\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\Documents and Settings\Guest\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\Documents and Settings\jake\Local Settings\History\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\Documents and Settings\jake\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\Documents and Settings\jake\Local Settings\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\Documents and Settings\Owner\Local Settings\History\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\Documents and Settings\Owner\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\WINDOWS\assembly\DESKTOP.INI
[.ShellClassInfo]
CLSID={1D2680C9-0E2A-469d-B787-065558BC7D43}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\mscoree.dll" [MS]

C:\WINDOWS\Downloaded Program Files\DESKTOP.INI
[.ShellClassInfo]
CLSID={88C6C381-2E85-11d0-94DE-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\occache.dll" [MS]

C:\WINDOWS\Fonts\DESKTOP.INI
[.ShellClassInfo]
UICLSID={BD84B380-8CA2-1069-AB1D-08000948F534}
-> {HKLM...CLSID}\InProcServer32\(Default) = "fontext.dll" [MS]

C:\WINDOWS\system32\config\systemprofile\Local Settings\History\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\WINDOWS\Tasks\DESKTOP.INI
[.ShellClassInfo]
CLSID={d6277990-4c6a-11cf-8d87-00aa0060f5bf}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\mstask.dll" [MS]

D:\MiniNT\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]

D:\i386\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]

D:\updgoi\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]

greer

2007-02-22, 02:15

Startup items in "greer" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\greer\Start Menu\Programs\Startup

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"BigFix" -> shortcut to: "C:\Program Files\BigFix\BigFix.exe /atstartup" ["BigFix Inc."]
"GetRight - Tray Icon" -> shortcut to: "C:\Program Files\GetRight\getright.exe" ["Headlight Software, Inc."]
"HP Digital Imaging Monitor" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Co."]
"HP Image Zone Fast Start" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe -s" [null data]
"Install Pending Files" -> shortcut to: "C:\Program Files\SIFXINST\SIFXINST.EXE /ApplyPending" ["New Boundary Technologies, Inc."]

Enabled Scheduled Tasks:
------------------------

"MP Scheduled Scan" -> launches: "C:\Program Files\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDetect.exe" [file not found]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{01E04581-4EEE-11D0-BFE9-00AA005B4383}"
-> {HKLM...CLSID} = "&Address"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar5.dll" ["Google Inc."]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{01E04581-4EEE-11D0-BFE9-00AA005B4383}"
-> {HKLM...CLSID} = "&Address"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{0E5CBF21-D15F-11D0-8301-00AA005B4383}"
-> {HKLM...CLSID} = "&Links"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar5.dll" ["Google Inc."]
"{4982D40A-C53B-4615-B15B-B5B5E98D167C}"
-> {HKLM...CLSID} = "AOL Toolbar"
\InProcServer32\(Default) = "C:\Program Files\AOL Toolbar\toolbar.dll" ["IE Toolbar"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{4982D40A-C53B-4615-B15B-B5B5E98D167C}" = (no title provided)
-> {HKLM...CLSID} = "AOL Toolbar"
\InProcServer32\(Default) = "C:\Program Files\AOL Toolbar\toolbar.dll" ["IE Toolbar"]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar5.dll" ["Google Inc."]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{30D02401-6A81-11D0-8274-00C04FD5AE38}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
{EFA24E61-B078-11D0-89E4-00C04FC9E26E}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Favorites Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
{EFA24E62-B078-11D0-89E4-00C04FC9E26E}\(Default) = (no title provided)
-> {HKLM...CLSID} = "History Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
{EFA24E64-B078-11D0-89E4-00C04FC9E26E}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Explorer Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4D5C8C25-D075-11D0-B416-00C04FB90376}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Tip of the Day"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Real.com"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Shdocvw.dll" [MS]

HKLM\Software\Classes\CLSID\{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}\(Default) = "&Discuss"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "shdocvw.dll" [MS]

HKLM\Software\Classes\CLSID\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\(Default) = "File Search Explorer Band"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.5.0_09"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_09"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll" ["Sun Microsystems, Inc."]

{4982D40A-C53B-4615-B15B-B5B5E98D167C}\
"ButtonText" = "AOL Toolbar"
"MenuText" = "AOL Toolbar"
"CLSIDExtension" = "{4982D40A-C53B-4615-B15B-B5B5E98D167C}"
-> {HKLM...CLSID} = "AOL Toolbar"
\InProcServer32\(Default) = "C:\Program Files\AOL Toolbar\toolbar.dll" ["IE Toolbar"]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{A26ABCF0-1C8F-46E7-A67C-0489DC21B9CC}\

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Internet Explorer Address Prefixes:
-----------------------------------

Prefix for bare domain ("domain-name-here.com")

HKLM\Software\Microsoft\Windows\CurrentVersion\URL\Default Prefix\
(Default) = "http://"

Prefix for specific service (i.e., "www")

HKLM\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes\
"ftp" = "ftp://"
"gopher" = "gopher://"
"home" = "http://"
"mosaic" = "http://"
"www" = "http://"

Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Missing lines (compared with English-language version):
[Strings]: 1 line

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" = (no title provided)
-> {HKLM...CLSID} = "Microsoft Url Search Hook"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
"NavigationFailure" = "res://shdoclc.dll/navcancl.htm" [MS]
"DesktopItemNavigationFailure" = "res://shdoclc.dll/navcancl.htm" [MS]
"NavigationCanceled" = "res://shdoclc.dll/navcancl.htm" [MS]
"OfflineInformation" = "res://shdoclc.dll/offcancl.htm" [MS]
"Home" = hex:0x0000010E
"blank" = "res://mshtml.dll/blank.htm" [MS]
"PostNotCached" = "res://mshtml.dll/repost.htm" [MS]

HOSTS file
----------

HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\
"DataBasePath" = "C:\WINDOWS\System32\drivers\etc"

C:\WINDOWS\System32\drivers\etc\HOSTS

maps: 1 domain name to an IP address,
and this is the localhost IP address

All Running Services (Display Name, Service Name, Path {Service DLL}):
----------------------------------------------------------------------

AOL Connectivity Service, AOL ACS, ""C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe"" ["AOL LLC"]
AOL TopSpeed Monitor, AOL TopSpeedMonitor, "C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe" ["America Online, Inc"]
Application Layer Gateway Service, ALG, "C:\WINDOWS\System32\alg.exe" [MS]
Automatic Updates, wuauserv, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\wuauserv.dll" [MS]}
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
Background Intelligent Transfer Service, BITS, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\qmgr.dll" [MS]}
COM+ Event System, EventSystem, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\es.dll" [MS]}
COM+ System Application, COMSysApp, "C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}" [MS]
Computer Browser, Browser, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\browser.dll" [MS]}
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\system32\CTsvcCDA.EXE" ["Creative Technology Ltd"]
Cryptographic Services, CryptSvc, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\cryptsvc.dll" [MS]}
DCOM Server Process Launcher, DcomLaunch, "C:\WINDOWS\system32\svchost -k DcomLaunch" {"C:\WINDOWS\system32\rpcss.dll" [MS]}
DHCP Client, Dhcp, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\dhcpcsvc.dll" [MS]}
Distributed Link Tracking Client, TrkWks, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\trkwks.dll" [MS]}
DNS Client, Dnscache, "C:\WINDOWS\system32\svchost.exe -k NetworkService" {"C:\WINDOWS\System32\dnsrslvr.dll" [MS]}
Error Reporting Service, ERSvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\ersvc.dll" [MS]}
Event Log, Eventlog, "C:\WINDOWS\system32\services.exe" [MS]
Fast User Switching Compatibility, FastUserSwitchingCompatibility, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\shsvcs.dll" [MS]}
Help and Support, helpsvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll" [MS]}
HID Input Service, HidServ, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\hidserv.dll" [MS]}
IPSEC Services, PolicyAgent, "C:\WINDOWS\system32\lsass.exe" [MS]
Logical Disk Manager, dmserver, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\dmserver.dll" [MS]}
Media Center Receiver Service, ehRecvr, "C:\WINDOWS\eHome\ehRecvr.exe" [MS]
Media Center Scheduler Service, ehSched, "C:\WINDOWS\eHome\ehSched.exe" [MS]
Network Connections, Netman, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\netman.dll" [MS]}
Network Location Awareness (NLA), Nla, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\mswsock.dll" [MS]}
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Plug and Play, PlugPlay, "C:\WINDOWS\system32\services.exe" [MS]
Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\system32\HPZipm12.exe" ["HP"]
Print Spooler, Spooler, "C:\WINDOWS\system32\spoolsv.exe" [MS]
PrismXL, PrismXL, "C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS" ["New Boundary Technologies, Inc."]
Protected Storage, ProtectedStorage, "C:\WINDOWS\system32\lsass.exe" [MS]
Remote Access Connection Manager, RasMan, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\rasmans.dll" [MS]}
Remote Procedure Call (RPC), RpcSs, "C:\WINDOWS\system32\svchost -k rpcss" {"C:\WINDOWS\System32\rpcss.dll" [MS]}
Remote Registry, RemoteRegistry, "C:\WINDOWS\system32\svchost.exe -k LocalService" {"C:\WINDOWS\system32\regsvc.dll" [MS]}
Secondary Logon, seclogon, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\seclogon.dll" [MS]}
Security Accounts Manager, SamSs, "C:\WINDOWS\system32\lsass.exe" [MS]
Security Center, wscsvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\wscsvc.dll" [MS]}
Server, lanmanserver, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\srvsvc.dll" [MS]}
Shell Hardware Detection, ShellHWDetection, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\shsvcs.dll" [MS]}
SSDP Discovery Service, SSDPSRV, "C:\WINDOWS\system32\svchost.exe -k LocalService" {"C:\WINDOWS\System32\ssdpsrv.dll" [MS]}
System Event Notification, SENS, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\sens.dll" [MS]}
System Restore Service, srservice, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\srsvc.dll" [MS]}
Task Scheduler, Schedule, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\schedsvc.dll" [MS]}
TCP/IP NetBIOS Helper, LmHosts, "C:\WINDOWS\system32\svchost.exe -k LocalService" {"C:\WINDOWS\System32\lmhsvc.dll" [MS]}
Telephony, TapiSrv, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\tapisrv.dll" [MS]}
Terminal Services, TermService, "C:\WINDOWS\System32\svchost -k DComLaunch" {"C:\WINDOWS\System32\termsrv.dll" [MS]}
Themes, Themes, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\shsvcs.dll" [MS]}
Viewpoint Manager Service, Viewpoint Manager Service, ""C:\Program Files\Viewpoint\Common\ViewpointService.exe"" ["Viewpoint Corporation"]
WebClient, WebClient, "C:\WINDOWS\system32\svchost.exe -k LocalService" {"C:\WINDOWS\System32\webclnt.dll" [MS]}
Windows Audio, AudioSrv, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\audiosrv.dll" [MS]}
Windows Firewall/Internet Connection Sharing (ICS), SharedAccess, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\ipnathlp.dll" [MS]}
Windows Image Acquisition (WIA), stisvc, "C:\WINDOWS\system32\svchost.exe -k imgsvc" {"C:\WINDOWS\system32\wiaservc.dll" [MS]}
Windows Management Instrumentation, winmgmt, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\wbem\WMIsvc.dll" [MS]}
Windows Time, W32Time, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\w32time.dll" [MS]}
Wireless Zero Configuration, WZCSVC, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\wzcsvc.dll" [MS]}
Workstation, lanmanworkstation, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\wkssvc.dll" [MS]}

Keyboard Driver Filters:
------------------------

HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = "kbdclass" [MS]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
BJ Language Monitor\Driver = "cnbjmon.dll" [MS]
hpzlnt12\Driver = "hpzlnt12.dll" ["HP"]
Local Port\Driver = "localspl.dll" [MS]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
PJL Language Monitor\Driver = "pjlmon.dll" [MS]
Standard TCP/IP Port\Driver = "tcpmon.dll" [MS]
USB Monitor\Driver = "usbmon.dll" [MS]

-- (total run time: 91 seconds)
<<!>>: Suspicious data at a malware launch point.

greer

2007-02-22, 02:16

Find AWF report by noahdfear ©2006

21504 byte files found
~~~~~~~~~~~~~

21504 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~

25600 byte files found
~~~~~~~~~~~~~

25600 "C:\Program Files\BigFix\__Data\Gateway\ShellExecute.exe"

25600 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~

26450 byte files found
~~~~~~~~~~~~~

26450 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~

bak folders found
~~~~~~~~~~~

Directory of C:\PROGRA~1\AIM\BAK

08/01/2006 03:35 PM 67,112 aim.exe
1 File(s) 67,112 bytes

Directory of C:\PROGRA~1\AMERIC~1.0\BAK

07/25/2005 10:30 PM 50,776 AOL.EXE
11/06/2006 08:27 PM 24 shellmon.ph
2 File(s) 50,800 bytes

Directory of C:\PROGRA~1\DIGITA~1\BAK

11/15/2004 03:04 PM 135,168 shwiconem.exe
1 File(s) 135,168 bytes

Directory of C:\PROGRA~1\INTELA~1\BAK

07/20/2005 12:55 AM 7,090,176 IntelAudioStudio.exe
1 File(s) 7,090,176 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

10/18/2005 11:58 AM 278,528 iTunesHelper.exe
1 File(s) 278,528 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

10/24/2005 04:49 PM 155,648 qttask.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\SUPERA~1\BAK

12/10/2006 09:06 AM 1,294,336 SUPERAntiSpyware.exe
1 File(s) 1,294,336 bytes

Directory of C:\PROGRA~1\WIFD1F~1\BAK

04/03/2006 06:12 PM 777,424 MSASCui.exe
1 File(s) 777,424 bytes

Directory of C:\WINDOWS\EHOME\BAK

08/10/2004 11:04 AM 59,392 ehtray.exe
1 File(s) 59,392 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

07/09/2001 11:50 AM 155,648 NeroCheck.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

11/02/2004 08:24 PM 32,768 PDVDServ.exe
1 File(s) 32,768 bytes

Directory of C:\PROGRA~1\GRISOFT\AVGFRE~1\BAK

10/21/2006 01:49 PM 406,016 avgcc.exe
1 File(s) 406,016 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

02/16/2005 11:11 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\PURENE~1\PORTMA~1\BAK

04/05/2004 02:33 PM 99,480 PortAOL.exe
1 File(s) 99,480 bytes

Directory of C:\PROGRA~1\TRENDM~1\ANTIVI~1\BAK

02/17/2004 03:51 PM 950,337 pccguide.exe
02/17/2004 03:51 PM 634,949 PCClient.exe
02/17/2004 03:50 PM 290,816 TMOAgent.exe
3 File(s) 1,876,102 bytes

Directory of C:\DOCUME~1\GREER\DESKTOP\AMERIC~1.0\BAK

07/25/2005 10:30 PM 50,776 AOL.EXE
02/13/2007 05:13 PM 24 shellmon.ph
2 File(s) 50,800 bytes

Directory of C:\DOCUME~1\OWNER\APPLIC~1\CROSOF~1.NET\BAK

0 File(s) 0 bytes

Directory of C:\DOCUME~1\OWNER\DESKTOP\AMERIC~1.0\BAK

07/25/2005 10:30 PM 50,776 AOL.EXE
11/06/2006 08:27 PM 24 shellmon.ph
2 File(s) 50,800 bytes

Directory of C:\PROGRA~1\ADOBE\ACROBA~1.0\READER\BAK

08/18/2005 11:49 AM 307,200 AdobeUpdateManager.exe
1 File(s) 307,200 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\ACS\BAK

10/23/2006 05:50 AM 71,216 AOLDial.exe
1 File(s) 71,216 bytes

Directory of C:\PROGRA~1\CREATIVE\MEDIAS~1\DETECTOR\BAK

12/02/2004 06:23 PM 102,400 CTDetect.exe
1 File(s) 102,400 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~2.0_0\BIN\BAK

09/07/2006 03:51 PM 49,263 jusched.exe
1 File(s) 49,263 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\112420~1\EE\BAK

11/02/2005 08:01 PM 50,792 AOLSoftware.exe
1 File(s) 50,792 bytes

Directory of C:\QOOBOX\PURITY\PROGRA~1\COMMON~1\SSTEM3~1\BAK

0 File(s) 0 bytes

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

67112 Aug 1 2006 "C:\Program Files\AIM\aim.exe"
67112 Aug 1 2006 "C:\Program Files\AIM\bak\aim.exe"
0 Nov 5 2006 "C:\Program Files\America Online 9.0\AOL.EXE"
50776 Jul 25 2005 "C:\Program Files\America Online 9.0\bak\AOL.EXE"
35852 Dec 28 2006 "C:\Documents and Settings\greer\Desktop\America Online 9.0\AOL.EXE"
35852 Dec 29 2006 "C:\Documents and Settings\Owner\Desktop\America Online 9.0\AOL.EXE"
50776 Jul 25 2005 "C:\Documents and Settings\greer\Desktop\America Online 9.0\bak\AOL.EXE"
50776 Jul 25 2005 "C:\Documents and Settings\Owner\Desktop\America Online 9.0\bak\AOL.EXE"
24 Oct 17 2006 "C:\Program Files\America Online 9.0\shellmon.ph"
24 Nov 6 2006 "C:\Program Files\America Online 9.0\bak\shellmon.ph"
24 Oct 17 2006 "C:\Documents and Settings\greer\Desktop\America Online 9.0\shellmon.ph"
24 Oct 17 2006 "C:\Documents and Settings\Owner\Desktop\America Online 9.0\shellmon.ph"
6036 Feb 19 2007 "C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\shellmon.ph"
24 Feb 13 2007 "C:\Documents and Settings\greer\Desktop\America Online 9.0\bak\shellmon.ph"
24 Nov 6 2006 "C:\Documents and Settings\Owner\Desktop\America Online 9.0\bak\shellmon.ph"
135168 Nov 15 2004 "C:\Program Files\Digital Media Reader\bak\shwiconem.exe"
7090176 Jul 20 2005 "C:\Program Files\Intel Audio Studio\bak\IntelAudioStudio.exe"
278528 Oct 18 2005 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
155648 Oct 24 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
1310720 Jan 19 2007 "C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE"
1294336 Dec 10 2006 "C:\Program Files\SUPERAntiSpyware\bak\SUPERAntiSpyware.exe"
5585184 Nov 5 2006 "C:\Documents and Settings\greer\My Documents\Computer Cleaning\SUPERAntiSpyware.exe"
777424 Apr 3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
59392 Aug 10 2004 "C:\WINDOWS\ehome\bak\ehtray.exe"

end of report

greer

2007-02-22, 02:17

Logfile of HijackThis v1.99.1
Scan saved at 6:05:27 PM, on 2/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\HiJackThis\hijackthis\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124207719\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Documents and Settings\greer\Desktop\America Online 9.0\AOL.EXE" -b
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WinUpdate] "C:\DOCUME~1\greer\LOCALS~1\Temp\100532875.exe"
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\greer\LOCALS~1\Temp\100532750.exe
O4 - HKCU\..\Run: [WinUpgrade] "C:\DOCUME~1\greer\LOCALS~1\Temp\100532921.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {400429E4-BED4-472E-93BF-F85AB8565DFF} - http://www.terp17.com/ax/axo.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157719802640
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/Coupons.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

teacup61

2007-02-26, 19:57

Hello,

This is a lot to do, so please print these instructions or save them to notepad for reference. Take your time and do it all in this exact order!

Please download the following tools, but do not use them yet!

Please download the Fix_Protocol reg file from http://downloads.malwareremoval.com/Nel/FixP.zip and unzip it to your desktop.

Please download WinHelp2002's DelDomains by right-clicking on the following link, and choosing "Save Target As":
http://www.mvps.org/winhelp2002/DelDomains.inf
Save the file to the desktop.

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop. Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Now, Please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as "All Files" and name it FixFiles.bat Please save it on your desktop.

if exist "C:\Program Files\America Online 9.0\AOL.EXE" del /q "C:\Program Files\America Online 9.0\AOL.EXE"
copy /y "C:\Program Files\America Online 9.0\bak\AOL.EXE" "C:\Program Files\America Online 9.0\AOL.EXE"
if exist "C:\Documents and Settings\greer\Desktop\America Online 9.0\AOL.EXE" del /q "C:\Documents and Settings\greer\Desktop\America Online 9.0\AOL.EXE"
copy /y "C:\Documents and Settings\greer\Desktop\America Online 9.0\bak\AOL.EXE" "C:\Documents and Settings\greer\Desktop\America Online 9.0\AOL.EXE"
if exist "C:\Documents and Settings\Owner\Desktop\America Online 9.0\AOL.EXE" del /q "C:\Documents and Settings\Owner\Desktop\America Online 9.0\AOL.EXE"
copy /y "C:\Documents and Settings\Owner\Desktop\America Online 9.0\bak\AOL.EXE" "C:\Documents and Settings\Owner\Desktop\America Online 9.0\AOL.EXE"
if exist "C:\Program Files\Digital Media Reader\shwiconem.exe" del /q "C:\Program Files\Digital Media Reader\shwiconem.exe"
copy /y "C:\Program Files\Digital Media Reader\bak\shwiconem.exe" "C:\Program Files\Digital Media Reader\shwiconem.exe"
if exist "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" del /q "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe"
copy /y "C:\Program Files\Intel Audio Studio\bak\IntelAudioStudio.exe" "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe"
if exist "C:\Program Files\iTunes\iTunesHelper.exe" del /q "C:\Program Files\iTunes\iTunesHelper.exe"
copy /y "C:\Program Files\iTunes\bak\iTunesHelper.exe" "C:\Program Files\iTunes\iTunesHelper.exe"
if exist "C:\Program Files\QuickTime\qttask.exe" del /q "C:\Program Files\QuickTime\qttask.exe"
copy /y "C:\Program Files\QuickTime\bak\qttask.exe" "C:\Program Files\QuickTime\qttask.exe"
if exist "C:\Program Files\Windows Defender\MSASCui.exe" del /q "C:\Program Files\Windows Defender\MSASCui.exe"
copy /y "C:\Program Files\Windows Defender\bak\MSASCui.exe" "C:\Program Files\Windows Defender\MSASCui.exe"
if exist "C:\WINDOWS\ehome\ehtray.exe" del /q "C:\WINDOWS\ehome\ehtray.exe"
copy /y "C:\WINDOWS\ehome\bak\ehtray.exe" "C:\WINDOWS\ehome\ehtray.exe"

exit

Double click FixFiles.bat. A window will open and close. This is normal.

* Clean your Cache and Cookies in IE: Close all instances of Outlook Express and Internet Explorer
Go to Control Panel > Internet Options > General tab
Click the "Delete Cookies" button
Next to it, Click the "Delete Files" button
When prompted, place a check in: "Delete all offline content", click OK* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed): Go to Tools > Options.
Click Privacy in the menu on the left side of the Options window.
Click the Clear button located to the right of each option (History, Cookies, Cache).
Click OK to close the Options window
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.* Clean other Temporary files + Recycle bin Go to start > run and type: cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

Navigate to your Prefetch folder and empty everything in there. Not the folder itself!

Using Windows Explorer, search for and delete these files, if present :

C:\DOCUME~1\greer\LOCALS~1\Temp\100532921.exe << This file
C:\DOCUME~1\greer\LOCALS~1\Temp\100532750.exe << This file
C:\DOCUME~1\greer\LOCALS~1\Temp\100532875.exe << This file

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).

Reboot into normal mode, with NO internet connection.

Then go to the desktop, right click on DelDomains.inf, and choose Install. You may not see any noticeable changes or prompts; this is normal.

Double click Fix_Protocol_zones_ranges.reg and allow it to merge with the registry.

Reboot your machine for the changes to take effect.

Navigate to these files. Right click on them and choose properties. Please tell me the company name and version.

C:\Documents and Settings\greer\My Documents\Computer Cleaning\SUPERAntiSpyware.exe << This file
C:\Program Files\SUPERAntiSpyware\bak\SUPERAntiSpyware.exe << This file
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE << This file

In your reply, please post the results of SDFix, the info on the files, and anew HijackThis log. Let me know how your computer is running also. :)

Thanks,
tea

greer

2007-03-01, 23:03

Logfile of HijackThis v1.99.1
Scan saved at 3:00:00 PM, on 3/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\msiexec.exe
c:\program files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HiJackThis\hijackthis\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124207719\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {400429E4-BED4-472E-93BF-F85AB8565DFF} - http://www.terp17.com/ax/axo.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157719802640
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/Coupons.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

SDFix: Version 1.63

Thu 03/01/2007 - 12:00:39.06

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:

Path:

Restoring Windows Registry Entries
Restoring Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found..

ADS Check:

C:\WINDOWS\system32
No streams found.

Final Check:

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\\Program Files\\Common Files\\AOL\\1124207719\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1124207719\\EE\\AOLServiceHost.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"="C:\\Program Files\\Warcraft III\\Warcraft III.exe:*:Enabled:Warcraft III"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"="C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe:*:Enabled:AOL TopSpeed"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\\system32\\tcpip.exe"="%windir%\\system32\\tcpip.exe:*:Enabled:TCP and UDP Support"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes :

C:\Documents and Settings\greer\Desktop\America Online 9.0\AOLphx.exe
C:\Documents and Settings\greer\Desktop\America Online 9.0\rbm.exe
C:\Documents and Settings\Owner\Desktop\America Online 9.0\AOLphx.exe
C:\Documents and Settings\Owner\Desktop\America Online 9.0\rbm.exe
C:\Program Files\America Online 9.0\AOLphx.exe
C:\Program Files\America Online 9.0\rbm.exe
C:\RECYCLER\S-1-5-21-1078520640-1829378330-678838565-1009\Dc9.exe
C:\hiberfil.sys
C:\WINDOWS\uccspecb.sys
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE2.tmp
C:\Documents and Settings\Owner\Desktop\Extra Icons\My Documents2\~WRL1122.tmp
C:\Program Files\InterActual\InterActual Player\itiB4.tmp

Finished

C:\Documents and Settings\greer\My Documents\Computer Cleaning\SUPERAntiSpyware.exe << This file
C:\Program Files\SUPERAntiSpyware\bak\SUPERAntiSpyware.exe << This file
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE << This file
The Company of all of them is "SUPERAntSpyware.com" and there versions very: 3.3.0.1020, 3.4.0.1000, 3.5.0.1016

teacup61

2007-03-01, 23:25

Hello,

How is it running now? Please run FindAWF again and post the report back here. :)

greer

2007-03-02, 04:30

I just tested AOL and its working great
Everything looks amazing
thanks a ton! :laugh:

Find AWF report by noahdfear ©2006

21504 byte files found
~~~~~~~~~~~~~

21504 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~

25600 byte files found
~~~~~~~~~~~~~

25600 "C:\Program Files\BigFix\__Data\Gateway\ShellExecute.exe"

25600 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~

26450 byte files found
~~~~~~~~~~~~~

26450 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~

bak folders found
~~~~~~~~~~~

Directory of C:\PROGRA~1\AIM\BAK

08/01/2006 03:35 PM 67,112 aim.exe
1 File(s) 67,112 bytes

Directory of C:\PROGRA~1\AMERIC~1.0\BAK

07/25/2005 10:30 PM 50,776 AOL.EXE
11/06/2006 08:27 PM 24 shellmon.ph
2 File(s) 50,800 bytes

Directory of C:\PROGRA~1\DIGITA~1\BAK

11/15/2004 03:04 PM 135,168 shwiconem.exe
1 File(s) 135,168 bytes

Directory of C:\PROGRA~1\INTELA~1\BAK

07/20/2005 12:55 AM 7,090,176 IntelAudioStudio.exe
1 File(s) 7,090,176 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

10/18/2005 11:58 AM 278,528 iTunesHelper.exe
1 File(s) 278,528 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

10/24/2005 04:49 PM 155,648 qttask.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\SUPERA~1\BAK

12/10/2006 09:06 AM 1,294,336 SUPERAntiSpyware.exe
1 File(s) 1,294,336 bytes

Directory of C:\PROGRA~1\WIFD1F~1\BAK

04/03/2006 06:12 PM 777,424 MSASCui.exe
1 File(s) 777,424 bytes

Directory of C:\WINDOWS\EHOME\BAK

08/10/2004 11:04 AM 59,392 ehtray.exe
1 File(s) 59,392 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

07/09/2001 11:50 AM 155,648 NeroCheck.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

11/02/2004 08:24 PM 32,768 PDVDServ.exe
1 File(s) 32,768 bytes

Directory of C:\PROGRA~1\GRISOFT\AVGFRE~1\BAK

10/21/2006 01:49 PM 406,016 avgcc.exe
1 File(s) 406,016 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

02/16/2005 11:11 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\PURENE~1\PORTMA~1\BAK

04/05/2004 02:33 PM 99,480 PortAOL.exe
1 File(s) 99,480 bytes

Directory of C:\PROGRA~1\TRENDM~1\ANTIVI~1\BAK

02/17/2004 03:51 PM 950,337 pccguide.exe
02/17/2004 03:51 PM 634,949 PCClient.exe
02/17/2004 03:50 PM 290,816 TMOAgent.exe
3 File(s) 1,876,102 bytes

Directory of C:\DOCUME~1\GREER\DESKTOP\AMERIC~1.0\BAK

07/25/2005 10:30 PM 50,776 AOL.EXE
02/13/2007 05:13 PM 24 shellmon.ph
2 File(s) 50,800 bytes

Directory of C:\DOCUME~1\OWNER\APPLIC~1\CROSOF~1.NET\BAK

0 File(s) 0 bytes

Directory of C:\DOCUME~1\OWNER\DESKTOP\AMERIC~1.0\BAK

07/25/2005 10:30 PM 50,776 AOL.EXE
11/06/2006 08:27 PM 24 shellmon.ph
2 File(s) 50,800 bytes

Directory of C:\PROGRA~1\ADOBE\ACROBA~1.0\READER\BAK

08/18/2005 11:49 AM 307,200 AdobeUpdateManager.exe
1 File(s) 307,200 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\ACS\BAK

10/23/2006 05:50 AM 71,216 AOLDial.exe
1 File(s) 71,216 bytes

Directory of C:\PROGRA~1\CREATIVE\MEDIAS~1\DETECTOR\BAK

12/02/2004 06:23 PM 102,400 CTDetect.exe
1 File(s) 102,400 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~2.0_0\BIN\BAK

09/07/2006 03:51 PM 49,263 jusched.exe
1 File(s) 49,263 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\112420~1\EE\BAK

11/02/2005 08:01 PM 50,792 AOLSoftware.exe
1 File(s) 50,792 bytes

Directory of C:\QOOBOX\PURITY\PROGRA~1\COMMON~1\SSTEM3~1\BAK

0 File(s) 0 bytes

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

67112 Aug 1 2006 "C:\Program Files\AIM\aim.exe"
67112 Aug 1 2006 "C:\Program Files\AIM\bak\aim.exe"
50776 Jul 25 2005 "C:\Program Files\America Online 9.0\AOL.EXE"
50776 Jul 25 2005 "C:\Program Files\America Online 9.0\bak\AOL.EXE"
50776 Jul 25 2005 "C:\Documents and Settings\greer\Desktop\America Online 9.0\AOL.EXE"
50776 Jul 25 2005 "C:\Documents and Settings\Owner\Desktop\America Online 9.0\AOL.EXE"
50776 Jul 25 2005 "C:\Documents and Settings\greer\Desktop\America Online 9.0\bak\AOL.EXE"
50776 Jul 25 2005 "C:\Documents and Settings\Owner\Desktop\America Online 9.0\bak\AOL.EXE"
24 Oct 17 2006 "C:\Program Files\America Online 9.0\shellmon.ph"
24 Nov 6 2006 "C:\Program Files\America Online 9.0\bak\shellmon.ph"
24 Oct 17 2006 "C:\Documents and Settings\greer\Desktop\America Online 9.0\shellmon.ph"
24 Oct 17 2006 "C:\Documents and Settings\Owner\Desktop\America Online 9.0\shellmon.ph"
5761 Mar 1 2007 "C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\shellmon.ph"
24 Feb 13 2007 "C:\Documents and Settings\greer\Desktop\America Online 9.0\bak\shellmon.ph"
24 Nov 6 2006 "C:\Documents and Settings\Owner\Desktop\America Online 9.0\bak\shellmon.ph"
135168 Nov 15 2004 "C:\Program Files\Digital Media Reader\shwiconem.exe"
135168 Nov 15 2004 "C:\Program Files\Digital Media Reader\bak\shwiconem.exe"
7090176 Jul 20 2005 "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe"
7090176 Jul 20 2005 "C:\Program Files\Intel Audio Studio\bak\IntelAudioStudio.exe"
278528 Oct 18 2005 "C:\Program Files\iTunes\iTunesHelper.exe"
278528 Oct 18 2005 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
155648 Oct 24 2005 "C:\Program Files\QuickTime\qttask.exe"
155648 Oct 24 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
1310720 Jan 19 2007 "C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE"
1294336 Dec 10 2006 "C:\Program Files\SUPERAntiSpyware\bak\SUPERAntiSpyware.exe"
5585184 Nov 5 2006 "C:\Documents and Settings\greer\My Documents\Computer Cleaning\SUPERAntiSpyware.exe"
777424 Apr 3 2006 "C:\Program Files\Windows Defender\MSASCui.exe"
777424 Apr 3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
59392 Aug 10 2004 "C:\WINDOWS\ehome\ehtray.exe"
59392 Aug 10 2004 "C:\WINDOWS\ehome\bak\ehtray.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
32768 Nov 2 2004 "C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe"
35852 Dec 29 2006 "C:\Program Files\Grisoft\AVG Free\avgcc.exe"
406016 Oct 21 2006 "C:\Program Files\Grisoft\AVG Free\bak\avgcc.exe"
49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
99480 Apr 5 2004 "C:\Program Files\Pure Networks\Port Magic\bak\PortAOL.exe"
950337 Feb 17 2004 "C:\Program Files\Trend Micro\Antivirus\bak\pccguide.exe"
634949 Feb 17 2004 "C:\Program Files\Trend Micro\Antivirus\bak\PCClient.exe"
290816 Feb 17 2004 "C:\Program Files\Trend Micro\Antivirus\bak\TMOAgent.exe"
50776 Jul 25 2005 "C:\Program Files\America Online 9.0\AOL.EXE"
50776 Jul 25 2005 "C:\Program Files\America Online 9.0\bak\AOL.EXE"
50776 Jul 25 2005 "C:\Documents and Settings\greer\Desktop\America Online 9.0\AOL.EXE"
50776 Jul 25 2005 "C:\Documents and Settings\Owner\Desktop\America Online 9.0\AOL.EXE"
50776 Jul 25 2005 "C:\Documents and Settings\greer\Desktop\America Online 9.0\bak\AOL.EXE"
50776 Jul 25 2005 "C:\Documents and Settings\Owner\Desktop\America Online 9.0\bak\AOL.EXE"
24 Oct 17 2006 "C:\Program Files\America Online 9.0\shellmon.ph"
24 Nov 6 2006 "C:\Program Files\America Online 9.0\bak\shellmon.ph"
24 Oct 17 2006 "C:\Documents and Settings\greer\Desktop\America Online 9.0\shellmon.ph"
24 Oct 17 2006 "C:\Documents and Settings\Owner\Desktop\America Online 9.0\shellmon.ph"
5761 Mar 1 2007 "C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\shellmon.ph"
24 Feb 13 2007 "C:\Documents and Settings\greer\Desktop\America Online 9.0\bak\shellmon.ph"
24 Nov 6 2006 "C:\Documents and Settings\Owner\Desktop\America Online 9.0\bak\shellmon.ph"
50776 Jul 25 2005 "C:\Program Files\America Online 9.0\AOL.EXE"
50776 Jul 25 2005 "C:\Program Files\America Online 9.0\bak\AOL.EXE"
50776 Jul 25 2005 "C:\Documents and Settings\greer\Desktop\America Online 9.0\AOL.EXE"
50776 Jul 25 2005 "C:\Documents and Settings\Owner\Desktop\America Online 9.0\AOL.EXE"
50776 Jul 25 2005 "C:\Documents and Settings\greer\Desktop\America Online 9.0\bak\AOL.EXE"
50776 Jul 25 2005 "C:\Documents and Settings\Owner\Desktop\America Online 9.0\bak\AOL.EXE"
24 Oct 17 2006 "C:\Program Files\America Online 9.0\shellmon.ph"
24 Nov 6 2006 "C:\Program Files\America Online 9.0\bak\shellmon.ph"
24 Oct 17 2006 "C:\Documents and Settings\greer\Desktop\America Online 9.0\shellmon.ph"
24 Oct 17 2006 "C:\Documents and Settings\Owner\Desktop\America Online 9.0\shellmon.ph"
5761 Mar 1 2007 "C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\shellmon.ph"
24 Feb 13 2007 "C:\Documents and Settings\greer\Desktop\America Online 9.0\bak\shellmon.ph"
24 Nov 6 2006 "C:\Documents and Settings\Owner\Desktop\America Online 9.0\bak\shellmon.ph"
35852 Dec 29 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
307200 Aug 18 2005 "C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe"
35852 Dec 29 2006 "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
71216 Oct 23 2006 "C:\Program Files\Common Files\AOL\ACS\bak\AOLDial.exe"
0 Nov 5 2006 "C:\Program Files\Creative\MediaSource\Detector\CTDETECT.EXE"
102400 Dec 2 2004 "C:\Program Files\Creative\MediaSource\Detector\bak\CTDetect.exe"
35852 Dec 29 2006 "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
49263 Sep 7 2006 "C:\Program Files\Java\jre1.5.0_09\bin\bak\jusched.exe"
50736 Sep 25 2006 "C:\Program Files\Common Files\AOL\1124207719\EE\AOLSoftware.exe1167358254"
50792 Nov 2 2005 "C:\Program Files\Common Files\AOL\1124207719\EE\bak\AOLSoftware.exe"

end of report

teacup61

2007-03-03, 20:06

Hello,

That's great to know! :bigthumb: BUT....the last log found others, so we need to do the same type thing again. BTW, big thanks go to Kimberly for helping us with this. :wub:

Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as "All Files" and name it FixFiles.bat Please save it on your desktop.

if exist "C:\WINDOWS\system32\NeroCheck.exe" del /q "C:\WINDOWS\system32\NeroCheck.exe"
copy /y "C:\WINDOWS\system32\bak\NeroCheck.exe" "C:\WINDOWS\system32\NeroCheck.exe"
if exist "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" del /q "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
copy /y "C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe" "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
if exist "C:\Program Files\Grisoft\AVG Free\avgcc.exe" del /q "C:\Program Files\Grisoft\AVG Free\avgcc.exe"
copy /y "C:\Program Files\Grisoft\AVG Free\bak\avgcc.exe" "C:\Program Files\Grisoft\AVG Free\avgcc.exe"
if exist "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" del /q "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
copy /y "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe" "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
if exist "C:\Program Files\Pure Networks\Port Magic\PortAOL.exe" del /q "C:\Program Files\Pure Networks\Port Magic\PortAOL.exe"
copy /y "C:\Program Files\Pure Networks\Port Magic\bak\PortAOL.exe" "C:\Program Files\Pure Networks\Port Magic\PortAOL.exe"
if exist "C:\Program Files\Trend Micro\Antivirus\pccguide.exe" del /q "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"
copy /y "C:\Program Files\Trend Micro\Antivirus\bak\pccguide.exe" "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"
if exist "C:\Program Files\Trend Micro\Antivirus\PCClient.exe" del /q "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"
copy /y "C:\Program Files\Trend Micro\Antivirus\bak\PCClient.exe" "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"
if exist "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" del /q "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe"
copy /y "C:\Program Files\Trend Micro\Antivirus\bak\TMOAgent.exe" "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe"
if exist "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" del /q "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
copy /y "C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe" "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
if exist "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" del /q "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
copy /y "C:\Program Files\Common Files\AOL\ACS\bak\AOLDial.exe" "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
if exist "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" del /q "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe"
copy /y "C:\Program Files\Creative\MediaSource\Detector\bak\CTDetect.exe" "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe"
if exist "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" del /q "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
copy /y "C:\Program Files\Java\jre1.5.0_09\bin\bak\jusched.exe" "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
exit

A little different this time : Reboot into Safe Mode:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Double click FixFiles.bat. A window will open and close. This is normal.

Reboot your computer.

I'd like you to perform an online virus scan with Kaspersky Online Virus Scanner

Navigate (using Internet Explorer only, other browsers won't work) to the following site: http://www.kaspersky.com/virusscanner

Click the "Kaspersky Online Scanner" button (NOT "Kaspersky File Scanner").

* In the new window that opens, click the "Accept" button to accept the user agreement, install the ActiveX control, and download the program.
* When you get the Windows dialog asking if you want to install this software, click the "Install" button.
* The scanner will download the latest definition files. When the "Update progress" line changes to "Ready" and the "NEXT ->" button lights up with a green arrow, click it.
* Click on the "Scan Settings" button, and in the next window select the "extended" database, and click Ok.
* Under "Please select a target to scan:", click My Computer to start the scan.

When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop. Close the Kaspersky On-line Scanner window.

So in your reply, let me know how it's running, and please post the report from Kaspersky. :)

Thanks,
tea

greer

2007-03-04, 21:14

First off thank you and Kimberly very very much for all this help.
At first everything seemed to be working perfectly, now I see otherwise. :sad: My aol start up is all bugged and an error tells me I need to clean out my cache (which doesnt work) before I can log on. Earlier today out of nowhere a command window poped up and started placing .exe applications on my desktop. I did a clean and stopped it, atleast for now. Kaspersky had a lot to say on the topic too
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, March 04, 2007 9:33:14 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 4/03/2007
Kaspersky Anti-Virus database records: 275705
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\

Scan Statistics:
Total number of scanned objects: 82290
Number of viruses found: 7
Number of infected objects: 24 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:46:34

Infected Object Name / Virus Name / Last Action
C:\36110103225.exe Infected: Trojan-Downloader.Win32.Small.ego skipped
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\ph Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\variable Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\idb\APP10708.LST Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\idb\greerpalmer\MyDB.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\idb\greerpalmer\toolbar.lst Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\idb\SNMaster.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstderr.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstdout.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aoltsmon.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\cache.db Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\server.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7f2efb229832125c785b36689bc21caa_0668e698-72d0-49cc-9c98-8ab6afa26179 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\MSDVRMM_1751840703_6094848_24705 Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE2.tmp Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\{E908CA0D-92F8-4FE6-854E-680DDA786AED}.TmpSBE Object is locked skipped
C:\Documents and Settings\greer\Application Data\AOL\C_America Online 9.0\IDB\art.idx Object is locked skipped
C:\Documents and Settings\greer\Application Data\AOL\C_America Online 9.0\IDB\sap.dat Object is locked skipped
C:\Documents and Settings\greer\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\greer\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\greer\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\greer\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\greer\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\greer\Local Settings\History\History.IE5\MSHist012007030320070304\index.dat Object is locked skipped
C:\Documents and Settings\greer\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\greer\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\greer\My Documents\Computer Cleaning\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\greer\My Documents\Computer Cleaning\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\greer\My Documents\Computer Cleaning\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\greer\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\greer\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\greer\UserData\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\a-squared Free\Quarantine\3038f89bb7e8ddcb4bc4b4eb02f26763.a2q/WINDOWS/system32/bkd.exe/InpB/DxcBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\Program Files\a-squared Free\Quarantine\3038f89bb7e8ddcb4bc4b4eb02f26763.a2q/WINDOWS/system32/bkd.exe/InpB/DxcCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\Program Files\a-squared Free\Quarantine\3038f89bb7e8ddcb4bc4b4eb02f26763.a2q/WINDOWS/system32/bkd.exe/InpB/Dxc.exe Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped
C:\Program Files\a-squared Free\Quarantine\3038f89bb7e8ddcb4bc4b4eb02f26763.a2q/WINDOWS/system32/bkd.exe/InpB/DxcRepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped
C:\Program Files\a-squared Free\Quarantine\3038f89bb7e8ddcb4bc4b4eb02f26763.a2q/WINDOWS/system32/bkd.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped
C:\Program Files\a-squared Free\Quarantine\3038f89bb7e8ddcb4bc4b4eb02f26763.a2q/WINDOWS/system32/bkd.exe Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped
C:\Program Files\a-squared Free\Quarantine\3038f89bb7e8ddcb4bc4b4eb02f26763.a2q ZIP: infected - 6 skipped
C:\Program Files\a-squared Free\Quarantine\b5f48b5cb817fc3dc296ba040e1053a6.a2q/WINDOWS/system32/rlls.dll Infected: not-a-virus:AdWare.Win32.RK.l skipped
C:\Program Files\a-squared Free\Quarantine\b5f48b5cb817fc3dc296ba040e1053a6.a2q ZIP: infected - 1 skipped
C:\Program Files\a-squared Free\Quarantine\e96e769a88624c42201058620000fc6d.a2q/WINDOWS/hancerdoem.exe/data.rar/whCC-GIANT3.exe/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Program Files\a-squared Free\Quarantine\e96e769a88624c42201058620000fc6d.a2q/WINDOWS/hancerdoem.exe/data.rar/whCC-GIANT3.exe/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Program Files\a-squared Free\Quarantine\e96e769a88624c42201058620000fc6d.a2q/WINDOWS/hancerdoem.exe/data.rar/whCC-GIANT3.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Program Files\a-squared Free\Quarantine\e96e769a88624c42201058620000fc6d.a2q/WINDOWS/hancerdoem.exe/data.rar/whCC-GIANT3.exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Program Files\a-squared Free\Quarantine\e96e769a88624c42201058620000fc6d.a2q/WINDOWS/hancerdoem.exe/data.rar/whCC-GIANT3.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Program Files\a-squared Free\Quarantine\e96e769a88624c42201058620000fc6d.a2q/WINDOWS/hancerdoem.exe/data.rar/whCC-GIANT3.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Program Files\a-squared Free\Quarantine\e96e769a88624c42201058620000fc6d.a2q/WINDOWS/hancerdoem.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Program Files\a-squared Free\Quarantine\e96e769a88624c42201058620000fc6d.a2q/WINDOWS/hancerdoem.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Program Files\a-squared Free\Quarantine\e96e769a88624c42201058620000fc6d.a2q ZIP: infected - 8 skipped
C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Gateway_Specific.dat Object is locked skipped
C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Gateway_Specific_UK.dat Object is locked skipped
C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Gateway_Specific_Vista.dat Object is locked skipped
C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Microsoft_Security.dat Object is locked skipped
C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Microsoft_Security_UK.dat Object is locked skipped
C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Other.dat Object is locked skipped
C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Urgent.dat Object is locked skipped
C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Welcome.dat Object is locked skipped
C:\Program Files\Common Files\AOL\1124207719\EE\AOLSoftware.exe Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP781\A0084832.exe Object is locked skipped
C:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP832\A0094801.old/EXE-file Infected: not-a-virus:AdWare.Win32.BHO.by skipped
C:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP832\A0094801.old Embedded EXE: infected - 1 skipped
C:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP839\A0095019.EXE Object is locked skipped
C:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP840\A0095214.exe Object is locked skipped
C:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP844\A0095338.exe Object is locked skipped
C:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP844\A0095339.exe Object is locked skipped
C:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP844\A0095340.exe Object is locked skipped
C:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP844\A0095342.exe Object is locked skipped
C:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP844\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{D1156CB9-AB8A-4086-8E95-7521D52E74FB}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{9C188FBC-16F8-4E7C-8DE2-C82F785733D6}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP844\change.log Object is locked skipped

Scan process completed.

teacup61

2007-03-05, 07:26

Hello,

You'll want to print this out again, or save it in notepad. :)

Boot into Safe Mode and find this file and delete it:

C:\36110103225.exe

Reboot your computer.

Run SDFix again and post the report in your reply.

Did you try to reinstall AOL last go round? I want you to uninstall everything AOL and start over with a clean install of it.

Finally, please run FindAWF once more, and post its report.

Let me know of any problems you might be having now. We're hoping for the best here, but there may have been damage done by all the infections that we cannot undo.

Thanks,
tea

greer

2007-03-05, 23:53

The following scans were done after I got rid of all AOL programs, which is why having "AOL" in my report logs scare me.

SDFix: Version 1.63

Mon 03/05/2007 - 15:38:12.60

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:

Path:

Restoring Windows Registry Entries
Restoring Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found..

ADS Check:

C:\WINDOWS\system32
No streams found.

Final Check:

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\\Program Files\\Common Files\\AOL\\1124207719\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1124207719\\EE\\AOLServiceHost.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"="C:\\Program Files\\Warcraft III\\Warcraft III.exe:*:Enabled:Warcraft III"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"="C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe:*:Enabled:AOL TopSpeed"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\\system32\\tcpip.exe"="%windir%\\system32\\tcpip.exe:*:Enabled:TCP and UDP Support"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Disabled:AOLTsMon"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Disabled:Internet Explorer"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes :

C:\hiberfil.sys
C:\WINDOWS\uccspecb.sys
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE1.tmp
C:\Documents and Settings\Owner\Desktop\Extra Icons\My Documents2\~WRL1122.tmp
C:\Program Files\InterActual\InterActual Player\itiB4.tmp

Finished

Find AWF report by noahdfear ©2006

21504 byte files found
~~~~~~~~~~~~~

21504 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~

25600 byte files found
~~~~~~~~~~~~~

25600 "C:\Program Files\BigFix\__Data\Gateway\ShellExecute.exe"

25600 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~

26450 byte files found
~~~~~~~~~~~~~

26450 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~

bak folders found
~~~~~~~~~~~

Directory of C:\PROGRA~1\AIM\BAK

08/01/2006 03:35 PM 67,112 aim.exe
1 File(s) 67,112 bytes

Directory of C:\PROGRA~1\DIGITA~1\BAK

11/15/2004 03:04 PM 135,168 shwiconem.exe
1 File(s) 135,168 bytes

Directory of C:\PROGRA~1\INTELA~1\BAK

07/20/2005 12:55 AM 7,090,176 IntelAudioStudio.exe
1 File(s) 7,090,176 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

10/18/2005 11:58 AM 278,528 iTunesHelper.exe
1 File(s) 278,528 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

10/24/2005 04:49 PM 155,648 qttask.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\SUPERA~1\BAK

12/10/2006 09:06 AM 1,294,336 SUPERAntiSpyware.exe
1 File(s) 1,294,336 bytes

Directory of C:\PROGRA~1\WIFD1F~1\BAK

04/03/2006 06:12 PM 777,424 MSASCui.exe
1 File(s) 777,424 bytes

Directory of C:\WINDOWS\EHOME\BAK

08/10/2004 11:04 AM 59,392 ehtray.exe
1 File(s) 59,392 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

07/09/2001 11:50 AM 155,648 NeroCheck.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

11/02/2004 08:24 PM 32,768 PDVDServ.exe
1 File(s) 32,768 bytes

Directory of C:\PROGRA~1\GRISOFT\AVGFRE~1\BAK

10/21/2006 01:49 PM 406,016 avgcc.exe
1 File(s) 406,016 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

02/16/2005 11:11 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\TRENDM~1\ANTIVI~1\BAK

02/17/2004 03:51 PM 950,337 pccguide.exe
02/17/2004 03:51 PM 634,949 PCClient.exe
02/17/2004 03:50 PM 290,816 TMOAgent.exe
3 File(s) 1,876,102 bytes

Directory of C:\DOCUME~1\OWNER\APPLIC~1\CROSOF~1.NET\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\ADOBE\ACROBA~1.0\READER\BAK

08/18/2005 11:49 AM 307,200 AdobeUpdateManager.exe
1 File(s) 307,200 bytes

Directory of C:\PROGRA~1\CREATIVE\MEDIAS~1\DETECTOR\BAK

12/02/2004 06:23 PM 102,400 CTDetect.exe
1 File(s) 102,400 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~2.0_0\BIN\BAK

09/07/2006 03:51 PM 49,263 jusched.exe
1 File(s) 49,263 bytes

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

67112 Aug 1 2006 "C:\Program Files\AIM\bak\aim.exe"
135168 Nov 15 2004 "C:\Program Files\Digital Media Reader\shwiconem.exe"
135168 Nov 15 2004 "C:\Program Files\Digital Media Reader\bak\shwiconem.exe"
7090176 Jul 20 2005 "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe"
7090176 Jul 20 2005 "C:\Program Files\Intel Audio Studio\bak\IntelAudioStudio.exe"
278528 Oct 18 2005 "C:\Program Files\iTunes\iTunesHelper.exe"
278528 Oct 18 2005 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
155648 Oct 24 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
1310720 Jan 19 2007 "C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE"
1294336 Dec 10 2006 "C:\Program Files\SUPERAntiSpyware\bak\SUPERAntiSpyware.exe"
5585184 Nov 5 2006 "C:\Documents and Settings\greer\My Documents\Computer Cleaning\SUPERAntiSpyware.exe"
777424 Apr 3 2006 "C:\Program Files\Windows Defender\MSASCui.exe"
777424 Apr 3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
59392 Aug 10 2004 "C:\WINDOWS\ehome\ehtray.exe"
59392 Aug 10 2004 "C:\WINDOWS\ehome\bak\ehtray.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\NeroCheck.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
32768 Nov 2 2004 "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
32768 Nov 2 2004 "C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe"
411648 Mar 4 2007 "C:\Program Files\Grisoft\AVG Free\avgcc.exe"
406016 Oct 21 2006 "C:\Program Files\Grisoft\AVG Free\bak\avgcc.exe"
406016 Oct 21 2006 "C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7upd\backup\avgcc.exe"
49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
950337 Feb 17 2004 "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"
950337 Feb 17 2004 "C:\Program Files\Trend Micro\Antivirus\bak\pccguide.exe"
634949 Feb 17 2004 "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"
634949 Feb 17 2004 "C:\Program Files\Trend Micro\Antivirus\bak\PCClient.exe"
290816 Feb 17 2004 "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe"
290816 Feb 17 2004 "C:\Program Files\Trend Micro\Antivirus\bak\TMOAgent.exe"
307200 Aug 18 2005 "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
307200 Aug 18 2005 "C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe"
102400 Dec 2 2004 "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe"
102400 Dec 2 2004 "C:\Program Files\Creative\MediaSource\Detector\bak\CTDetect.exe"
49263 Sep 7 2006 "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
49263 Sep 7 2006 "C:\Program Files\Java\jre1.5.0_09\bin\bak\jusched.exe"

end of report