
Super Slow Computer, Pop-Ups, Etc...



kurt24
2007-03-30, 07:18
Well, after years of safe computing, I have finally gotten some malware. My computer runs super slow and it's almost impossible to do anything. Well, here are the logs:

Logfile of HijackThis v1.99.1
Scan saved at 11:00:49 PM, on 3/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
F:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
F:\Program Files\Common Files\Symantec Shared\ccProxy.exe
F:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
F:\WINDOWS\system32\CTsvcCDA.EXE
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\MsPMSPSv.exe
F:\WINDOWS\Mixer.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
F:\Program Files\Microsoft ActiveSync\wcescomm.exe
F:\WINDOWS\system32\clcr.exe
F:\PROGRA~1\MICROS~3\rapimgr.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Desktop\HijakThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - F:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [\\SNYDER-0S2T6B38\EPSON Stylus CX6600 Series] F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P44 "\\SNYDER-0S2T6B38\EPSON Stylus CX6600 Series" /O6 "USB001" /M "Stylus CX6600"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "F:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [WinPatrol] F:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Creative Detector] "D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O8 - Extra context menu item: &AIM Search - res://F:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///F:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///F:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///F:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///F:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - F:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - F:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - F:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - F:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - F:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - F:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

Incident Status Location

Spyware:Spyware/Virtumonde Not disinfected F:\WINDOWS\system32\dqtrxphl.dll
Spyware:Spyware/Virtumonde Not disinfected F:\WINDOWS\system32\hgggdcb.dll
Adware:Adware/CWS.AlfaSearch Not disinfected F:\WINDOWS\system32\ccc.dll
Potentially unwanted tool:Application/Restart Not disinfected C:\WINDOWS\SYSTEM\Tools\Restart.exe
Hacktool:HackTool/ExitWin.A Not disinfected C:\WINDOWS\Start Menu\Programs\StartUp\Reboot.exe
Spyware:Cookie/Bfast Not disinfected F:\Documents and Settings\Kurtis Snyder\Application Data\Mozilla\Firefox\Profiles\default.d7t\cookies.txt[.bfast.com/]
Spyware:Cookie/Doubleclick Not disinfected F:\Documents and Settings\Kurtis Snyder\Application Data\Mozilla\Firefox\Profiles\default.d7t\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Atlas DMT Not disinfected F:\Documents and Settings\Kurtis Snyder\Application Data\Mozilla\Firefox\Profiles\default.d7t\cookies.txt[.atdmt.com/]
Spyware:Cookie/RealMedia Not disinfected F:\Documents and Settings\Kurtis Snyder\Application Data\Mozilla\Firefox\Profiles\default.d7t\cookies.txt[.realmedia.com/]
Spyware:Cookie/Advertising Not disinfected F:\Documents and Settings\Kurtis Snyder\Application Data\Mozilla\Firefox\Profiles\default.d7t\cookies.txt[.servedby.advertising.com/]
Spyware:Cookie/Advertising Not disinfected F:\Documents and Settings\Kurtis Snyder\Application Data\Mozilla\Firefox\Profiles\default.d7t\cookies.txt[.advertising.com/]
Spyware:Cookie/FastClick Not disinfected F:\Documents and Settings\Kurtis Snyder\Application Data\Mozilla\Firefox\Profiles\default.d7t\cookies.txt[.fastclick.net/]
Hacktool:Exploit/ByteVerify Not disinfected F:\Documents and Settings\Kurtis Snyder\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-1ebd1e05-1fbd0208.class
Adware:Adware/CWS Not disinfected F:\Documents and Settings\Kurtis Snyder\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-7c728-74071c92.class
Hacktool:Exploit/ByteVerify Not disinfected F:\Documents and Settings\Kurtis Snyder\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv74.jar-2738e991-6fd844e4.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected F:\Documents and Settings\Kurtis Snyder\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv74.jar-2738e991-6fd844e4.zip[Matrix.class]
Spyware:Cookie/Atwola Not disinfected F:\Documents and Settings\Kurtis Snyder\Cookies\kurtis snyder@atwola[2].txt
Spyware:Cookie/Com.com Not disinfected F:\Documents and Settings\Kurtis Snyder\Cookies\kurtis snyder@com[2].txt

kurt24
2007-03-30, 07:24
Spyware:Cookie/Kazaa Networks Not disinfected F:\Documents and Settings\Kurtis Snyder\Cookies\kurtis snyder@desktop.kazaa[2].txt
Spyware:Cookie/did-it Not disinfected F:\Documents and Settings\Kurtis Snyder\Cookies\kurtis snyder@did-it[2].txt
Spyware:Cookie/Go Not disinfected F:\Documents and Settings\Kurtis Snyder\Cookies\kurtis snyder@go[1].txt
Spyware:Cookie/Mircx Not disinfected F:\Documents and Settings\Kurtis Snyder\Cookies\kurtis snyder@pop.mircx[1].txt
Spyware:Cookie/Affiliate fuel Not disinfected F:\Documents and Settings\Kurtis Snyder\Cookies\kurtis snyder@www.affiliatefuel[1].txt
Spyware:Cookie/BurstBeacon Not disinfected F:\Documents and Settings\Kurtis Snyder\Cookies\kurtis snyder@www.burstbeacon[2].txt
Adware:Adware/Gator Not disinfected F:\Documents and Settings\Kurtis Snyder\Desktop\New Folder\DivXPro511Adware.exe[Gain_Trickler.exe]
Spyware:Cookie/Hitslink Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookies.txt[counter.hitslink.com/]
Spyware:Cookie/Hitbox Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookies.txt[.hitbox.com/]
Spyware:Cookie/PointRoll Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Mediaplex Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookies.txt[.mediaplex.com/]
Spyware:Cookie/2o7 Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookies.txt[.2o7.net/]
Spyware:Cookie/2o7 Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookies.txt[.112.2o7.net/]
Spyware:Cookie/2o7 Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookies.txt[.2o7.net/]
Spyware:Cookie/Go Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookies.txt[.go.com/]
Spyware:Cookie/WebtrendsLive Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/Hitbox Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookies.txt[.ehg-dig.hitbox.com/]
Spyware:Cookie/Go Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookies.txt[.go.com/]
Spyware:Cookie/Doubleclick Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Statcounter Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookies.txt[.statcounter.com/]
Spyware:Cookie/Atlas DMT Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookies.txt[.atdmt.com/]
Spyware:Cookie/Zedo Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookies.txt[.zedo.com/]
Spyware:Cookie/adultfriendfinder Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Falkag Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Atwola Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookies.txt[.atwola.com/]
Spyware:Cookie/Serving-sys Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookies.txt[.bs.serving-sys.com/]

kurt24
2007-03-30, 07:25
Spyware:Cookie/BurstNet Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookies.txt[.burstnet.com/]
Spyware:Cookie/Com.com Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookies.txt[.com.com/]
Spyware:Cookie/Overture Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookies.txt[.overture.com/]
Spyware:Cookie/Overture Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookies.txt[.perf.overture.com/]
Spyware:Cookie/QuestionMarket Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookies.txt[.questionmarket.com/]
Spyware:Cookie/RealMedia Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookies.txt[.realmedia.com/]
Spyware:Cookie/WUpd Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookies.txt[.revenue.net/]
Spyware:Cookie/Serving-sys Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Tribalfusion Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Xiti Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookies.txt[.xiti.com/]
Spyware:Cookie/YieldManager Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Searchportal Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookies.txt[searchportal.information.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookies.txt[server.iad.liveperson.net/hc/45501897]
Spyware:Cookie/BurstBeacon Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/Tribalfusion Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt[.tribalfusion.com/]
Spyware:Cookie/Com.com Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt[.com.com/]
Spyware:Cookie/Atlas DMT Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt[.atdmt.com/]
Spyware:Cookie/Doubleclick Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt[.doubleclick.net/]
Spyware:Cookie/Overture Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt[.overture.com/]
Spyware:Cookie/Falkag Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt[.as-us.falkag.net/]
Spyware:Cookie/WebtrendsLive Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt[statse.webtrendslive.com/]
Spyware:Cookie/Advertising Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt[.advertising.com/]
Spyware:Cookie/FastClick Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt[.fastclick.net/]
Spyware:Cookie/DriveCleaner Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt[.drivecleaner.com/]
Spyware:Cookie/DriveCleaner Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt[www.drivecleaner.com/]

kurt24
2007-03-30, 07:26
Spyware:Cookie/adultfriendfinder Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt[.adultfriendfinder.com/]
Spyware:Cookie/2o7 Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Profiles\default\hfew7ryo.slt\cookies.txt[.2o7.net/]
Spyware:Cookie/PointRoll Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Profiles\default\hfew7ryo.slt\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Atwola Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Profiles\default\hfew7ryo.slt\cookies.txt[.atwola.com/]
Hacktool:Exploit/ByteVerify Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-366118ff-2b480268.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-3be23f5f-30c62f19.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jpg-304d7b5a-70b9278f.zip[Gummy.class]
Hacktool:Exploit/ByteVerify Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-6182d47b-1e1e53da.zip[Dummy.class]
Spyware:Cookie/adultfriendfinder Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Cookies\kurtis snyder@adultfriendfinder[2].txt
Spyware:Cookie/Atlas DMT Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Cookies\kurtis snyder@atdmt[2].txt
Spyware:Cookie/Ccbill Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Cookies\kurtis snyder@ccbill[2].txt
Spyware:Cookie/Cgi-bin Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Cookies\kurtis snyder@cgi-bin[1].txt
Spyware:Cookie/Cgi-bin Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Cookies\kurtis snyder@cgi-bin[4].txt
Spyware:Cookie/Sextracker Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Cookies\kurtis snyder@counter1.sextracker[2].txt
Spyware:Cookie/Sextracker Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Cookies\kurtis snyder@counter10.sextracker[2].txt
Spyware:Cookie/Sextracker Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Cookies\kurtis snyder@counter13.sextracker[1].txt
Spyware:Cookie/Sextracker Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Cookies\kurtis snyder@counter14.sextracker[1].txt
Spyware:Cookie/Sextracker Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Cookies\kurtis snyder@counter15.sextracker[2].txt
Spyware:Cookie/Sextracker Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Cookies\kurtis snyder@counter16.sextracker[2].txt
Spyware:Cookie/Sextracker Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Cookies\kurtis snyder@counter2.sextracker[2].txt
Spyware:Cookie/Sextracker Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Cookies\kurtis snyder@counter3.sextracker[2].txt

kurt24
2007-03-30, 07:27
Spyware:Cookie/Sextracker Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Cookies\kurtis snyder@counter4.sextracker[2].txt
Spyware:Cookie/Sextracker Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Cookies\kurtis snyder@counter5.sextracker[1].txt
Spyware:Cookie/Sextracker Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Cookies\kurtis snyder@counter6.sextracker[2].txt
Spyware:Cookie/Sextracker Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Cookies\kurtis snyder@counter7.sextracker[1].txt
Spyware:Cookie/Sextracker Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Cookies\kurtis snyder@counter8.sextracker[2].txt
Spyware:Cookie/Sextracker Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Cookies\kurtis snyder@counter9.sextracker[2].txt
Spyware:Cookie/cs.sexcounter Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Cookies\kurtis snyder@cs.sexcounter[2].txt
Spyware:Cookie/Doubleclick Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Cookies\kurtis snyder@doubleclick[1].txt
Spyware:Cookie/Findwhat Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Cookies\kurtis snyder@findwhat[2].txt
Spyware:Cookie/MediaTickets Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Cookies\kurtis snyder@kinghost[2].txt
Spyware:Cookie/Mediaplex Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Cookies\kurtis snyder@mediaplex[1].txt
Spyware:Cookie/PayCounter Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Cookies\kurtis snyder@paycounter[2].txt
Spyware:Cookie/SexList Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Cookies\kurtis snyder@sexlist[2].txt
Spyware:Cookie/Sextracker Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Cookies\kurtis snyder@sextracker[1].txt
Spyware:Cookie/Statcounter Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Cookies\kurtis snyder@statcounter[1].txt
Spyware:Cookie/Toplist Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Cookies\kurtis snyder@toplist[2].txt
Spyware:Cookie/Winantivirus Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Cookies\kurtis snyder@winantivirus[1].txt
Spyware:Cookie/XXXCounter Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Cookies\kurtis snyder@xxxcounter[1].txt
Spyware:Cookie/Yadro Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Cookies\kurtis snyder@yadro[1].txt
Adware:Adware/CWS.AlfaSearch Not disinfected F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Local Settings\Temp\win11EC.tmp.exe
Spyware:Spyware/BetterInet Not disinfected F:\System Volume Information\_restore{80829E73-8024-4616-9DCF-3E4F9C008DA0}\RP215\A0107213.cfg
Potentially unwanted tool:Application/P2PNetworking Not disinfected F:\System Volume Information\_restore{80829E73-8024-4616-9DCF-3E4F9C008DA0}\RP215\A0107232.DLL
Potentially unwanted tool:Application/P2PNetworking Not disinfected F:\System Volume Information\_restore{80829E73-8024-4616-9DCF-3E4F9C008DA0}\RP215\A0107233.cpl
Potentially unwanted tool:Application/P2PNetworking Not disinfected F:\System Volume Information\_restore{80829E73-8024-4616-9DCF-3E4F9C008DA0}\RP215\A0107234.exe
Adware:Adware/KeenValue Not disinfected F:\System Volume Information\_restore{80829E73-8024-4616-9DCF-3E4F9C008DA0}\RP216\A0107239.exe
Potentially unwanted tool:Application/Altnet Not disinfected F:\System Volume Information\_restore{80829E73-8024-4616-9DCF-3E4F9C008DA0}\RP216\A0107246.dll
Adware:Adware/Gator Not disinfected F:\System Volume Information\_restore{80829E73-8024-4616-9DCF-3E4F9C008DA0}\RP216\A0107273.dll
Adware:Adware/Gator Not disinfected F:\System Volume Information\_restore{80829E73-8024-4616-9DCF-3E4F9C008DA0}\RP216\A0107277.exe
Adware:Adware/Gator Not disinfected F:\System Volume Information\_restore{80829E73-8024-4616-9DCF-3E4F9C008DA0}\RP216\A0107280.exe
Spyware:Spyware/BetterInet Not disinfected F:\System Volume Information\_restore{80829E73-8024-4616-9DCF-3E4F9C008DA0}\RP217\A0108212.cfg
Spyware:Spyware/BetterInet Not disinfected F:\System Volume Information\_restore{80829E73-8024-4616-9DCF-3E4F9C008DA0}\RP217\A0108248.cfg
Spyware:Spyware/BetterInet Not disinfected F:\System Volume Information\_restore{80829E73-8024-4616-9DCF-3E4F9C008DA0}\RP217\A0108323.cfg
Spyware:Spyware/BetterInet Not disinfected F:\System Volume Information\_restore{80829E73-8024-4616-9DCF-3E4F9C008DA0}\RP217\A0109323.cfg
Adware:Adware/Trymedia Not disinfected F:\System Volume Information\_restore{80829E73-8024-4616-9DCF-3E4F9C008DA0}\RP217\A0109388.exe
Adware:Adware/Trymedia Not disinfected F:\System Volume Information\_restore{80829E73-8024-4616-9DCF-3E4F9C008DA0}\RP217\A0109392.exe
Adware:Adware/Trymedia Not disinfected F:\System Volume Information\_restore{80829E73-8024-4616-9DCF-3E4F9C008DA0}\RP217\A0109393.exe
Adware:Adware/Trymedia Not disinfected F:\System Volume Information\_restore{80829E73-8024-4616-9DCF-3E4F9C008DA0}\RP217\A0109395.exe
Adware:Adware/Trymedia Not disinfected F:\System Volume Information\_restore{80829E73-8024-4616-9DCF-3E4F9C008DA0}\RP217\A0109399.exe
Adware:Adware/Trymedia Not disinfected F:\System Volume Information\_restore{80829E73-8024-4616-9DCF-3E4F9C008DA0}\RP217\A0109400.exe
Potentially unwanted tool:Application/MyWay Not disinfected F:\System Volume Information\_restore{80829E73-8024-4616-9DCF-3E4F9C008DA0}\RP219\A0109548.EXE
Potentially unwanted tool:Application/MyWay Not disinfected F:\System Volume Information\_restore{80829E73-8024-4616-9DCF-3E4F9C008DA0}\RP219\A0109549.DLL
Potentially unwanted tool:Application/MyWay Not disinfected F:\System Volume Information\_restore{80829E73-8024-4616-9DCF-3E4F9C008DA0}\RP219\A0109550.DLL
Potentially unwanted tool:Application/Restart Not disinfected F:\WINDOWS\system32\Tools\Restart.exe
Virus:Trj/Agent.ESE Disinfected F:\WINDOWS\Temp\win17E.tmp.exe
Adware:Adware/Lop Not disinfected F:\WINDOWS\Temp\win192.tmp.exe
Virus:Trj/Agent.ESE Disinfected F:\WINDOWS\Temp\win1A2.tmp.exe

Mr_JAk3
2007-04-02, 21:30
Hello kurt24 and welcome to the Forums :)

You're infected.

Rename HijackThis.exe to Scanner.exe

Disable WinPatrol's realtime protection.
Right-click the running icon of WinPatrol in the system tray.
Choose Exit. It will automatically restart at next boot.


Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files; click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

kurt24
2007-04-02, 23:53
Thanks again for the help! I don't know what I would do without you guys! :red: Here are the new logs:


VundoFix V6.3.19

Checking Java version...

Java version is 1.4.2.4
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 2:22:44 PM 4/2/2007

Listing files found while scanning....

F:\WINDOWS\system32\ccc.dll
F:\WINDOWS\system32\fccccyy.dll
F:\WINDOWS\system32\hgggdcb.dll
F:\WINDOWS\system32\qqstv.bak1
F:\WINDOWS\system32\qqstv.bak2
F:\WINDOWS\system32\qqstv.ini
F:\WINDOWS\system32\qqstv.ini2
F:\WINDOWS\system32\qqstv.tmp
F:\WINDOWS\system32\ssqrrrs.dll
F:\WINDOWS\system32\vtsqq.dll

Beginning removal...

Attempting to delete F:\WINDOWS\system32\ccc.dll
F:\WINDOWS\system32\ccc.dll Has been deleted!

Attempting to delete F:\WINDOWS\system32\fccccyy.dll
F:\WINDOWS\system32\fccccyy.dll Has been deleted!

Attempting to delete F:\WINDOWS\system32\hgggdcb.dll
F:\WINDOWS\system32\hgggdcb.dll Has been deleted!

Attempting to delete F:\WINDOWS\system32\qqstv.bak1
F:\WINDOWS\system32\qqstv.bak1 Has been deleted!

Attempting to delete F:\WINDOWS\system32\qqstv.bak2
F:\WINDOWS\system32\qqstv.bak2 Has been deleted!

Attempting to delete F:\WINDOWS\system32\qqstv.ini
F:\WINDOWS\system32\qqstv.ini Has been deleted!

Attempting to delete F:\WINDOWS\system32\qqstv.ini2
F:\WINDOWS\system32\qqstv.ini2 Has been deleted!

Attempting to delete F:\WINDOWS\system32\qqstv.tmp
F:\WINDOWS\system32\qqstv.tmp Has been deleted!

Attempting to delete F:\WINDOWS\system32\ssqrrrs.dll
F:\WINDOWS\system32\ssqrrrs.dll Has been deleted!

Attempting to delete F:\WINDOWS\system32\vtsqq.dll
F:\WINDOWS\system32\vtsqq.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.19

Checking Java version...

Java version is 1.4.2.4
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 2:42:55 PM 4/2/2007

Listing files found while scanning....

F:\WINDOWS\system32\ccc.dll


Logfile of HijackThis v1.99.1
Scan saved at 3:50:50 PM, on 4/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
F:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
F:\Program Files\Common Files\Symantec Shared\ccProxy.exe
F:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
F:\WINDOWS\system32\CTsvcCDA.EXE
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\MsPMSPSv.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\Mixer.exe
F:\WINDOWS\system32\RunDLL32.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
F:\Program Files\Microsoft ActiveSync\wcescomm.exe
F:\PROGRA~1\MICROS~3\rapimgr.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Desktop\HijakThis\scaner.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - F:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {21CCFFC2-E8D6-028A-ACC9-0AF035F4FB7A} - F:\WINDOWS\system32\rlkkhkl.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - F:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - F:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {A2270DCF-3A89-4BC2-9F80-CFDB7B01D08B} - F:\WINDOWS\system32\vtsqq.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - F:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [\\SNYDER-0S2T6B38\EPSON Stylus CX6600 Series] F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P44 "\\SNYDER-0S2T6B38\EPSON Stylus CX6600 Series" /O6 "USB001" /M "Stylus CX6600"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "F:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [WinPatrol] F:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Creative Detector] "D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O8 - Extra context menu item: &AIM Search - res://F:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///F:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///F:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///F:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///F:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - F:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: notifyc - F:\WINDOWS\system32\ccc.dll (file missing)
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winwea32 - F:\WINDOWS\SYSTEM32\winwea32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - F:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - F:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - F:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - F:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - F:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

Mr_JAk3
2007-04-03, 21:08
Good work, we'll continue :)

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

kurt24
2007-04-04, 01:17
OK, here's the ComboFix report. Thanks!!

"Kurtis Snyder" - 07-04-03 17:08:10 Service Pack 2
ComboFix 07-04-04 - Running from: "F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Desktop\ComboFix"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


F:\install.log


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\nm


((((((((((((((((((((((((((((((( Files Created from 2007-03-03 to 2007-04-03 ))))))))))))))))))))))))))))))))))


2007-04-02 14:39 24,576 --a------ F:\WINDOWS\system32\VundoFixSVC.exe
2007-04-02 14:22 <DIR> d-------- F:\VundoFix Backups
2007-03-29 21:38 524,288 --ah----- F:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-03-27 22:47 <DIR> d-------- F:\WINDOWS\system32\ActiveScan
2007-03-26 07:31 85,504 --a------ F:\WINDOWS\system32\rjfekun.dll
2007-03-26 00:35 132,116 --a------ F:\WINDOWS\system32\gptbuvvkj.dll
2007-03-25 23:49 <DIR> d-------- F:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Spybot - Search & Destroy
2007-03-25 23:25 <DIR> d-------- F:\Program Files\BillP Studios
2007-03-25 23:25 <DIR> d-------- F:\DOCUME~1\KURTIS~1.CLE\APPLIC~1\WinPatrol
2007-03-22 22:43 <DIR> d-------- F:\Program Files\Norton Internet Security
2007-03-22 22:41 48,776 --a------ F:\WINDOWS\system32\S32EVNT1.DLL
2007-03-22 22:41 115,000 --a------ F:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-03-22 10:03 85,504 --a------ F:\WINDOWS\system32\bbqolgm.dll
2007-03-22 10:03 64,000 --a------ F:\WINDOWS\system32\rlkkhkl.dll
2007-03-22 10:03 48,640 --a------ F:\WINDOWS\system32\imwvgmj.dll
2007-03-22 10:01 21,504 --a------ F:\WINDOWS\system32\winwea32.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-03 16:26 -------- d-------- F:\Program Files\mozilla thunderbird
2007-03-29 20:59 -------- d-------- F:\Program Files\microsoft activesync
2007-03-23 09:50 -------- d-------- F:\Program Files\google
2007-03-22 22:47 -------- d-------- F:\Program Files\symantec
2007-03-17 16:42 -------- d-------- F:\DOCUME~1\KURTIS~1.CLE\APPLIC~1\symantec
2007-03-08 23:17 -------- d-------- F:\DOCUME~1\KURTIS~1.CLE\APPLIC~1\secondlife
2007-03-08 22:06 98304 --a------ F:\WINDOWS\system32\cmdlineext.dll
2007-03-07 17:17 -------- d-------- F:\DOCUME~1\KURTIS~1.CLE\APPLIC~1\roxio
2007-01-09 21:47 624784 --a------ F:\WINDOWS\system32\symneti.dll
2007-01-09 21:47 242320 --a------ F:\WINDOWS\system32\symredir.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Creative Detector"="\"D:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe\" /R"
"H/PC Connection Agent"="\"F:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"NvCplDaemon"="RUNDLL32.EXE F:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"C-Media Mixer"="Mixer.exe /startup"
"\\\\SNYDER-0S2T6B38\\EPSON Stylus CX6600 Series"="F:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATI9EA.EXE /P44 \"\\\\SNYDER-0S2T6B38\\EPSON Stylus CX6600 Series\" /O6 \"USB001\" /M \"Stylus CX6600\""
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"ccApp"="\"F:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"F:\\Program Files\\Norton Internet Security\\osCheck.exe\""
"WinPatrol"="F:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe"
"QuickTime Task"="\"D:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"F:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\F:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
"path"="F:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\Adobe Gamma Loader.lnk"
"backup"="F:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"
"location"="Common Startup"
"command"="F:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\F:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="F:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="F:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="F:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Mixer"
"hkey"="HKLM"
"command"="Mixer.exe /startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FLMOFFICE4DMOUSE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mouse32a"
"hkey"="HKLM"
"command"="F:\\Program Files\\Micro Innovations\\Optical Scroll\\mouse32a.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="googletalk"
"hkey"="HKCU"
"command"="\"F:\\Program Files\\Google\\Google Talk\\googletalk.exe\" /autostart"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wcescomm"
"hkey"="HKCU"
"command"="\"F:\\PROGRA~1\\MICROS~3\\wcescomm.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpcmpmgr"
"hkey"="HKLM"
"command"="\"F:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HPWuSchd2"
"hkey"="HKLM"
"command"="\"F:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpztsb10"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="isuspm"
"hkey"="HKLM"
"command"="F:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\isuspm.exe -startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="issch"
"hkey"="HKLM"
"command"="\"F:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"F:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"F:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvMcTray"
"hkey"="HKLM"
"command"="RUNDLL32.EXE F:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"D:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDVDServ"
"hkey"="HKLM"
"command"="F:\\Program Files\\Roxio\\Roxio DVDMax Player\\PDVDServ.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSUSBRG]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SiSUSBrg"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\SiSUSBrg.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="steam"
"hkey"="HKCU"
"command"="\"d:\\program files\\steam\\steam.exe\" -silent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="F:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SNDMon"
"hkey"="HKLM"
"command"="F:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"F:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead Quick-Drop]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Quick-Drop"
"hkey"="HKLM"
"command"="\"D:\\Program Files\\Ulead Systems\\Ulead DVD MovieFactory 4.0 Disc Creator TBYB\\Ulead Quick-Drop 1.0\\Quick-Drop.exe\" WINDOWCALL"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USIUDF_Eject_Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="USISrv"
"hkey"="HKLM"
"command"="F:\\Program Files\\Common Files\\Ulead Systems\\DVD\\USISrv.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ViewMgr"
"hkey"="HKLM"
"command"="F:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipBuster]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="VoipBuster"
"hkey"="HKCU"
"command"="\"F:\\Program Files\\VoipBuster.com\\VoipBuster\\VoipBuster.exe\" -nosplash -minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SNDSrvc"=dword:00000002
"iPodService"=dword:00000003
"SAVScan"=dword:00000003
"LiveUpdate"=dword:00000003
"LexBceS"=dword:00000002
"Automatic LiveUpdate Scheduler"=dword:00000002
"Ali0wtpssedh"=dword:00000003


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{AF0BE91A-D92D-44F5-9581-64F629762E5A}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"svchost.exe"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\notifyc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winwea32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ce0b9ad2-3d64-11d9-a1a5-806d6172696f}]
Shell\AutoRun\command G:\Setup.exe
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_COMHOST


Contents of the 'Scheduled Tasks' folder
F:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - Kurtis Snyder.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Creative Detector = "D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R???w0??w????*??w???w????O??w2???m???????????????????L???L??????????wO??w2???m???????????????????k!?sO??w2???m???????????L??????????sm???????????m???????$??????sm???????????????2???????????N??????
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Creative Detector = "D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R???w0??w????*??w???w????O??w2???m???????????????????L???L??????????wO??w2???m???????????????????k!?sO??w2???m???????????L??????????sm???????????m???????$??????sm???????????????2???????????N??????

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-03 17:12:46
F:\ComboFix-quarantined-files.txt ... 07-04-03 17:12
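The logs in this thread are being read by eye for a handful of persistence locations: a BHO loaded from a random-named DLL in system32 (rlkkhkl.dll in the HijackThis log), Winlogon Notify packages that are not stock (winwea32, and the orphaned notifyc), a value under policies\Explorer\Run, and an extra DLL (zwebauth.dll) in the LSA SecurityProviders list of the ComboFix dump. The Python below is an added example by the editor; it is not a tool from this thread and not part of HijackThis, VundoFix or ComboFix. It encodes those checks over sample lines copied from the two logs above, plus one clean Java BHO line as a control. The baseline sets for XP SP2 SecurityProviders and Winlogon Notify packages, the random-name regex and the severity labels are assumptions chosen for triage, not verdicts.

```python
# Added example (not part of the thread or of any tool in it): a small triage pass over
# HijackThis / ComboFix style log lines, encoding the checks a helper makes by eye.
import re
from dataclasses import dataclass

# Assumed baselines for a stock Windows XP SP2 box; trim or extend for your own systems.
DEFAULT_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon",
}
# Vundo-style names: 5-9 lowercase letters, no digits. Heuristic only; it will also hit a few
# legitimate short names (e.g. msvcrt.dll), so a hit means "look here", not "infected".
RANDOM_DLL = re.compile(r"^[a-z]{5,9}\.dll$")

BHO_LINE = re.compile(r"^O2 - BHO: .*? - \{[0-9A-Fa-f-]+\} - (.+)$")
NOTIFY_LINE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")
KEY_LINE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')


@dataclass
class Finding:
    severity: str   # "high" = investigate/remove, "low" = orphan clean-up
    rule: str
    line: str


def triage(lines):
    """Return a Finding for each suspicious entry among the given log lines."""
    findings = []
    current_key = ""  # last [HKEY_...] header seen in a ComboFix "Reg Loading Points" dump
    for raw in lines:
        line = raw.strip()
        if not line:
            continue

        m = BHO_LINE.match(line)
        if m:
            path = m.group(1)
            if path == "(no file)" or "(file missing)" in path:
                findings.append(Finding("low", "orphaned BHO registration", line))
            else:
                fname = path.rsplit("\\", 1)[-1].lower()
                if "\\system32\\" in path.lower() and RANDOM_DLL.match(fname):
                    findings.append(Finding("high", "BHO loaded from random-named system32 DLL", line))
            continue

        m = NOTIFY_LINE.match(line)
        if m:
            name, path = m.group(1).lower(), m.group(2)
            if "(file missing)" in path:
                findings.append(Finding("low", "orphaned Winlogon Notify key", line))
            elif name not in KNOWN_WINLOGON_NOTIFY:
                findings.append(Finding("high", "unknown Winlogon Notify package (loaded into winlogon at logon)", line))
            continue

        m = KEY_LINE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue

        m = VALUE_LINE.match(line)
        if m:
            name, value = m.group(1), m.group(2)
            if current_key.endswith(r"policies\explorer\run"):
                # Policy Run key: rarely used legitimately on a home PC, favoured by malware
                findings.append(Finding("high", "autostart under policies\\Explorer\\Run", line))
            elif name.lower() == "securityproviders":
                providers = {p.strip().lower() for p in value.split(",")}
                extra = sorted(providers - DEFAULT_SECURITY_PROVIDERS)
                if extra:
                    findings.append(Finding("high", "non-default SecurityProviders DLL: " + ", ".join(extra), line))
    return findings


def triage_text(text):
    return triage(text.splitlines())


# Constructed sample: lines copied from the logs in this thread, plus one clean Java BHO line.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {21CCFFC2-E8D6-028A-ACC9-0AF035F4FB7A} - F:\WINDOWS\system32\rlkkhkl.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O20 - Winlogon Notify: notifyc - F:\WINDOWS\system32\ccc.dll (file missing)
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winwea32 - F:\WINDOWS\SYSTEM32\winwea32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"svchost.exe"=""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll"
"""

if __name__ == "__main__":
    for f in triage_text(SAMPLE_LOG):
        print(f"[{f.severity:4}] {f.rule}: {f.line}")
```

Run against the sample it reports six findings: four high (the random-named BHO, winwea32, the policies\Explorer\Run value and zwebauth.dll) and two low (the orphaned BHO and the orphaned notifyc key), while the Java BHO and WgaLogon pass silently. The SecurityProviders check is the one worth keeping even outside this thread: a DLL added there is loaded by lsass.exe and sees every interactive logon, which is exactly why a password stealer wants to be in that list.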

Mr_JAk3
2007-04-04, 21:35
Hello :)

Ok not completely clean yet. I need one more log before we can continue.

Generate a HijackThis Startup list:

# Open HijackThis: Click on "Open the Misc Tools Section"
# Check the following boxes to the right of "Generate StartupList Log":

* List also minor sections (Full)
* List empty sections (Complete)

# Click "Generate StartupListLog"
# Click "Yes" at the prompt.
# A Notepad window will open with the contents of the HijackThis Startup list displayed
# Copy & paste that log here

:bigthumb:

kurt24
2007-04-04, 23:09
OK, I've done this! :) Thanks again!

StartupList report, 4/4/2007, 3:08:01 PM
StartupList version: 1.52.2
Started from : F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Desktop\HijakThis\scaner.exe.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
F:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
F:\Program Files\Common Files\Symantec Shared\ccProxy.exe
F:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
F:\WINDOWS\system32\CTsvcCDA.EXE
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\MsPMSPSv.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\Mixer.exe
F:\WINDOWS\system32\RunDLL32.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
D:\Program Files\QuickTime\qttask.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
F:\Program Files\Microsoft ActiveSync\wcescomm.exe
F:\PROGRA~1\MICROS~3\rapimgr.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Desktop\HijakThis\scaner.exe.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = F:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cmaudio = RunDll32 cmicnfg.cpl,CMICtrlWnd
NvCplDaemon = RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
C-Media Mixer = Mixer.exe /startup
\\SNYDER-0S2T6B38\EPSON Stylus CX6600 Series = F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P44 "\\SNYDER-0S2T6B38\EPSON Stylus CX6600 Series" /O6 "USB001" /M "Stylus CX6600"
NvMediaCenter = RunDLL32.exe NvMCTray.dll,NvTaskbarInit
ccApp = "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
osCheck = "F:\Program Files\Norton Internet Security\osCheck.exe"
WinPatrol = F:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
QuickTime Task = "D:\Program Files\QuickTime\qttask.exe" -atboottime
TkBellExe = "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

(Default) =

--------------------------------------------------

Shell & screensaver key from F:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - F:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll - {1E8A6170-7264-4D0F-BEAE-D42A53123C75}
(no name) - F:\WINDOWS\system32\rlkkhkl.dll - {21CCFFC2-E8D6-028A-ACC9-0AF035F4FB7A}
(no name) - F:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - F:\Program Files\Yahoo!\Common\yiesrvc.dll - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
(no name) - F:\Program Files\Yahoo!\Common\YIeTagBm.dll - {65D886A2-7CA7-479B-BB95-14D1EFB7946A}
(no name) - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - (no file) - {77701e16-9bfe-4b63-a5b4-7bd156758a37}
(no name) - F:\WINDOWS\system32\vtsqq.dll (file missing) - {A2270DCF-3A89-4BC2-9F80-CFDB7B01D08B}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton Internet Security - Run Full System Scan - Kurtis Snyder.job

--------------------------------------------------

Enumerating Download Program Files:

[ActiveScan Installer Class]
InProcServer32 = F:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

[Shockwave Flash Object]
InProcServer32 = F:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: F:\WINDOWS\system32\SHELL32.dll
CDBurn: F:\WINDOWS\system32\SHELL32.dll
WebCheck: F:\WINDOWS\System32\webcheck.dll
SysTray: F:\WINDOWS\System32\stobject.dll
WPDShServiceObj: F:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

svchost.exe =

--------------------------------------------------

End of report, 6,166 bytes
Report generated in 0.047 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Mr_JAk3
2007-04-05, 19:20
Hello :)

You didn't check the boxes before creating the log. Please try again.

# Check the following boxes to the right of "Generate StartupList Log":

* List also minor sections (Full)
* List empty sections (Complete)

# Click "Generate StartupListLog"

:bigthumb:

kurt24
2007-04-06, 01:53
Hmmm... I could have sworn I clicked them. :oops: Anyway, here it is again. I made sure and checked them this time! Thanks!!

StartupList report, 4/5/2007, 5:51:50 PM
StartupList version: 1.52.2
Started from : F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Desktop\HijakThis\scaner.exe.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
F:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
F:\Program Files\Common Files\Symantec Shared\ccProxy.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\Mixer.exe
F:\WINDOWS\system32\RunDLL32.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
D:\Program Files\QuickTime\qttask.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
F:\Program Files\Microsoft ActiveSync\wcescomm.exe
F:\PROGRA~1\MICROS~3\rapimgr.exe
F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
F:\WINDOWS\system32\CTsvcCDA.EXE
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\MsPMSPSv.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Outlook Express\msimn.exe
F:\Program Files\Norton Internet Security\Norton AntiVirus\NAVW32.exe
F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Desktop\HijakThis\scaner.exe.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = F:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cmaudio = RunDll32 cmicnfg.cpl,CMICtrlWnd
NvCplDaemon = RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
C-Media Mixer = Mixer.exe /startup
\\SNYDER-0S2T6B38\EPSON Stylus CX6600 Series = F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P44 "\\SNYDER-0S2T6B38\EPSON Stylus CX6600 Series" /O6 "USB001" /M "Stylus CX6600"
NvMediaCenter = RunDLL32.exe NvMCTray.dll,NvTaskbarInit
ccApp = "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
osCheck = "F:\Program Files\Norton Internet Security\osCheck.exe"
WinPatrol = F:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
QuickTime Task = "D:\Program Files\QuickTime\qttask.exe" -atboottime
TkBellExe = "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

(Default) =

--------------------------------------------------

Shell & screensaver key from F:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - F:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll - {1E8A6170-7264-4D0F-BEAE-D42A53123C75}
(no name) - F:\WINDOWS\system32\rlkkhkl.dll - {21CCFFC2-E8D6-028A-ACC9-0AF035F4FB7A}
(no name) - F:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - F:\Program Files\Yahoo!\Common\yiesrvc.dll - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
(no name) - F:\Program Files\Yahoo!\Common\YIeTagBm.dll - {65D886A2-7CA7-479B-BB95-14D1EFB7946A}
(no name) - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - (no file) - {77701e16-9bfe-4b63-a5b4-7bd156758a37}
(no name) - F:\WINDOWS\system32\vtsqq.dll (file missing) - {A2270DCF-3A89-4BC2-9F80-CFDB7B01D08B}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton Internet Security - Run Full System Scan - Kurtis Snyder.job

--------------------------------------------------

Enumerating Download Program Files:

[ActiveScan Installer Class]
InProcServer32 = F:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

[Shockwave Flash Object]
InProcServer32 = F:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: F:\DOCUME~1\KURTIS~1.CLE\LOCALS~1\Temp\symlcsv1.exe|||L

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: F:\WINDOWS\system32\SHELL32.dll
CDBurn: F:\WINDOWS\system32\SHELL32.dll
WebCheck: F:\WINDOWS\System32\webcheck.dll
SysTray: F:\WINDOWS\System32\stobject.dll
WPDShServiceObj: F:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

svchost.exe =

--------------------------------------------------

End of report, 6,674 bytes
Report generated in 0.172 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Mr_JAk3
2007-04-06, 11:04
Hi :)

For some odd reason, it ain't working...

Let's try with another tool...

Make a new folder on the C:\ drive called silentrunners.
Download "Silent Runners" from here (direct download):
http://www.silentrunners.org/Silent%20Runners.vbs
Save it to your silentrunners folder.

Click Start > Run, type cmd and hit Enter.
Type the following exactly and hit Enter after each line:
cd c:\silentrunners
"silent runners.vbs" -all

Wait until it pops up saying it's completed, then post the resulting log file here.
It will be very large. You may need several posts to include everything.

kurt24
2007-04-09, 06:23
OK, I've finally gotten some time to run this app. Here is the log file it created. Thanks!! :)

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output of all locations checked and all values found.


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
"Creative Detector" = ""D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R" ["Creative Technology Ltd"]
"H/PC Connection Agent" = ""F:\Program Files\Microsoft ActiveSync\wcescomm.exe"" [MS]

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"svchost.exe" = "(empty string)" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
"NvCplDaemon" = "RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"C-Media Mixer" = "Mixer.exe /startup" ["C-Media Electronic Inc. (www.cmedia.com.tw)"]
"\\SNYDER-0S2T6B38\EPSON Stylus CX6600 Series" = "F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P44 "\\SNYDER-0S2T6B38\EPSON Stylus CX6600 Series" /O6 "USB001" /M "Stylus CX6600"" ["SEIKO EPSON CORPORATION"]
"NvMediaCenter" = "RunDLL32.exe NvMCTray.dll,NvTaskbarInit" [MS]
"ccApp" = ""F:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"osCheck" = ""F:\Program Files\Norton Internet Security\osCheck.exe"" ["Symantec Corporation"]
"WinPatrol" = "F:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" ["BillP Studios"]
"QuickTime Task" = ""D:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"TkBellExe" = ""F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default) = "Windows Media Player"
\StubPath = "F:\WINDOWS\inf\unregmp2.exe /ShowWMP" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{1E8A6170-7264-4D0F-BEAE-D42A53123C75}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "F:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll" ["Symantec Corporation"]
{21CCFFC2-E8D6-028A-ACC9-0AF035F4FB7A}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "F:\WINDOWS\system32\rlkkhkl.dll" [null data]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "F:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\(Default) = (no title provided)
-> {HKLM...CLSID} = "UberButton Class"
\InProcServer32\(Default) = "F:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo!"]
{65D886A2-7CA7-479B-BB95-14D1EFB7946A}\(Default) = (no title provided)
-> {HKLM...CLSID} = "YahooTaggedBM Class"
\InProcServer32\(Default) = "F:\Program Files\Yahoo!\Common\YIeTagBm.dll" ["Yahoo! Inc."]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
{A2270DCF-3A89-4BC2-9F80-CFDB7B01D08B}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "F:\WINDOWS\system32\vtsqq.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{00022613-0000-0000-C000-000000000046}" = "Multimedia File Property Sheet"
-> {HKLM...CLSID} = "Multimedia File Property Sheet"
\InProcServer32\(Default) = "mmsys.cpl" [MS]
"{176d6597-26d3-11d1-b350-080036a75b03}" = "ICM Scanner Management"
-> {HKLM...CLSID} = "ICM Scanner Management"
\InProcServer32\(Default) = "icmui.dll" [MS]
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}" = "NTFS Security Page"
-> {HKLM...CLSID} = "Security Shell Extension"
\InProcServer32\(Default) = "rshx32.dll" [MS]
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}" = "OLE Docfile Property Page"
-> {HKLM...CLSID} = "OLE Docfile Property Page"
\InProcServer32\(Default) = "docprop.dll" [MS]
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}" = "Shell extensions for sharing"
-> {HKLM...CLSID} = "Shell extensions for sharing"
\InProcServer32\(Default) = "ntshrui.dll" [MS]
"{41E300E0-78B6-11ce-849B-444553540000}" = "PlusPack CPL Extension"
-> {HKLM...CLSID} = "PlusPack CPL Extension"
\InProcServer32\(Default) = "F:\WINDOWS\System32\themeui.dll" [MS]
"{42071712-76d4-11d1-8b24-00a0c9068ff3}" = "Display Adapter CPL Extension"
-> {HKLM...CLSID} = "Display Adapter CPL Extension"
\InProcServer32\(Default) = "deskadp.dll" [MS]
"{42071713-76d4-11d1-8b24-00a0c9068ff3}" = "Display Monitor CPL Extension"
-> {HKLM...CLSID} = "Display Monitor CPL Extension"
\InProcServer32\(Default) = "deskmon.dll" [MS]
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{4E40F770-369C-11d0-8922-00A024AB2DBB}" = "DS Security Page"
-> {HKLM...CLSID} = "Security Shell Extension"
\InProcServer32\(Default) = "dssec.dll" [MS]
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}" = "Compatibility Page"
-> {HKLM...CLSID} = "Compatibility Page"
\InProcServer32\(Default) = "SlayerXP.dll" [MS]
"{56117100-C0CD-101B-81E2-00AA004AE837}" = "Shell Scrap DataHandler"
-> {HKLM...CLSID} = "Shell Scrap DataHandler"
\InProcServer32\(Default) = "shscrap.dll" [MS]
"{59099400-57FF-11CE-BD94-0020AF85B590}" = "Disk Copy Extension"
-> {HKLM...CLSID} = "Disk Copy Extension"
\InProcServer32\(Default) = "diskcopy.dll" [MS]
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}" = "Shell extensions for Microsoft Windows Network objects"
-> {HKLM...CLSID} = "Shell extensions for Microsoft Windows Network objects"
\InProcServer32\(Default) = "ntlanui2.dll" [MS]
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}" = "ICM Monitor Management"
-> {HKLM...CLSID} = "ICM Monitor Management"
\InProcServer32\(Default) = "F:\WINDOWS\System32\icmui.dll" [MS]
"{675F097E-4C4D-11D0-B6C1-0800091AA605}" = "ICM Printer Management"
-> {HKLM...CLSID} = "ICM Printer Management"
\InProcServer32\(Default) = "F:\WINDOWS\system32\icmui.dll" [MS]
"{77597368-7b15-11d0-a0c2-080036af3f03}" = "Web Printer Shell Extension"
-> {HKLM...CLSID} = "Web Printer Shell Extension"
\InProcServer32\(Default) = "printui.dll" [MS]

kurt24
2007-04-09, 06:24
"{7988B573-EC89-11cf-9C00-00AA00A14F56}" = "Disk Quota UI"
-> {HKLM...CLSID} = "Microsoft Disk Quota UI"
\InProcServer32\(Default) = "dskquoui.dll" [MS]
"{85BBD920-42A0-1069-A2E4-08002B30309D}" = "Briefcase"
-> {HKLM...CLSID} = "Briefcase"
\InProcServer32\(Default) = "syncui.dll" [MS]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "F:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{BD84B380-8CA2-1069-AB1D-08000948F534}" = "Fonts"
-> {HKLM...CLSID} = "Fonts"
\InProcServer32\(Default) = "fontext.dll" [MS]
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}" = "ICC Profile"
-> {HKLM...CLSID} = "ICC Profile"
\InProcServer32\(Default) = "F:\WINDOWS\system32\icmui.dll" [MS]
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}" = "Printers Security Page"
-> {HKLM...CLSID} = "Security Shell Extension"
\InProcServer32\(Default) = "rshx32.dll" [MS]
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}" = "Shell extensions for sharing"
-> {HKLM...CLSID} = "Shell extensions for sharing"
\InProcServer32\(Default) = "ntshrui.dll" [MS]
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}" = "Display TroubleShoot CPL Extension"
-> {HKLM...CLSID} = "Display TroubleShoot CPL Extension"
\InProcServer32\(Default) = "deskperf.dll" [MS]
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}" = "Crypto PKO Extension"
-> {HKLM...CLSID} = "CryptPKO Class"
\InProcServer32\(Default) = "F:\WINDOWS\system32\cryptext.dll" [MS]
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}" = "Crypto Sign Extension"
-> {HKLM...CLSID} = "CryptSig Class"
\InProcServer32\(Default) = "F:\WINDOWS\system32\cryptext.dll" [MS]
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}" = "Network Connections"
-> {HKLM...CLSID} = "Network Connections"
\InProcServer32\(Default) = "F:\WINDOWS\system32\NETSHELL.dll" [MS]
"{992CFFA0-F557-101A-88EC-00DD010CCC48}" = "Network Connections"
-> {HKLM...CLSID} = "Network Connections"
\InProcServer32\(Default) = "F:\WINDOWS\system32\NETSHELL.dll" [MS]
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}" = "Scanners & Cameras"
-> {HKLM...CLSID} = "Scanners & Cameras"
\InProcServer32\(Default) = "wiashext.dll" [MS]
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}" = "Scanners & Cameras"
-> {HKLM...CLSID} = "Scanners & Cameras"
\InProcServer32\(Default) = "wiashext.dll" [MS]
"{905667aa-acd6-11d2-8080-00805f6596d2}" = "Scanners & Cameras"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "wiashext.dll" [MS]
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}" = "Scanners & Cameras"
-> {HKLM...CLSID} = "Scanners & Cameras"
\InProcServer32\(Default) = "wiashext.dll" [MS]
"{83bbcbf3-b28a-4919-a5aa-73027445d672}" = "Scanners & Cameras"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "wiashext.dll" [MS]
"{F0152790-D56E-4445-850E-4F3117DB740C}" = "Remote Sessions CPL Extension"
-> {HKLM...CLSID} = "Remote Sessions CPL Extension"
\InProcServer32\(Default) = "F:\WINDOWS\System32\remotepg.dll" [MS]
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}" = "Auto Update Property Sheet Extension"
-> {HKLM...CLSID} = "Auto Update Property Sheet Extension"
\InProcServer32\(Default) = "F:\WINDOWS\system32\wuaucpl.cpl" [MS]
"{60254CA5-953B-11CF-8C96-00AA00B8708C}" = "Shell extensions for Windows Script Host"
-> {HKLM...CLSID} = "Shell Extension For Windows Script Host"
\InProcServer32\(Default) = "F:\WINDOWS\System32\wshext.dll" [MS]
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}" = "Microsoft Data Link"
-> {HKLM...CLSID} = "Microsoft OLE DB Service Component Data Links"
\InProcServer32\(Default) = "F:\Program Files\Common Files\System\Ole DB\oledb32.dll" [MS]
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}" = "Tasks Folder Icon Handler"
-> {HKLM...CLSID} = "Scheduling UI icon handler"
\InProcServer32\(Default) = "F:\WINDOWS\System32\mstask.dll" [MS]
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}" = "Tasks Folder Shell Extension"
-> {HKLM...CLSID} = "Scheduling UI property sheet handler"
\InProcServer32\(Default) = "F:\WINDOWS\System32\mstask.dll" [MS]
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}" = "Scheduled Tasks"
-> {HKLM...CLSID} = "Scheduled Tasks"
\InProcServer32\(Default) = "F:\WINDOWS\System32\mstask.dll" [MS]
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}" = "Search"
-> {HKLM...CLSID} = "Search"
\InProcServer32\(Default) = "F:\WINDOWS\system32\shdocvw.dll" [MS]
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}" = "Help and Support"
-> {HKLM...CLSID} = "Help and Support"
\InProcServer32\(Default) = "F:\WINDOWS\system32\shdocvw.dll" [MS]
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}" = "Help and Support"
-> {HKLM...CLSID} = "Windows Security"
\InProcServer32\(Default) = "F:\WINDOWS\system32\shdocvw.dll" [MS]
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}" = "Run..."
-> {HKLM...CLSID} = "Run..."
\InProcServer32\(Default) = "F:\WINDOWS\system32\shdocvw.dll" [MS]
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}" = "Internet"
-> {HKLM...CLSID} = "Internet"
\InProcServer32\(Default) = "F:\WINDOWS\system32\shdocvw.dll" [MS]
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}" = "E-mail"
-> {HKLM...CLSID} = "E-mail"
\InProcServer32\(Default) = "F:\WINDOWS\system32\shdocvw.dll" [MS]
"{D20EA4E1-3957-11d2-A40B-0C5020524152}" = "Fonts"
-> {HKLM...CLSID} = "Fonts"
\InProcServer32\(Default) = "F:\WINDOWS\system32\shdocvw.dll" [MS]
"{D20EA4E1-3957-11d2-A40B-0C5020524153}" = "Administrative Tools"
-> {HKLM...CLSID} = "Administrative Tools"
\InProcServer32\(Default) = "F:\WINDOWS\system32\shdocvw.dll" [MS]
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}" = "Audio Media Properties Handler"
-> {HKLM...CLSID} = "Audio Media Properties Handler"
\InProcServer32\(Default) = "F:\WINDOWS\System32\shmedia.dll" [MS]
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}" = "Video Media Properties Handler"
-> {HKLM...CLSID} = "Video Media Properties Handler"
\InProcServer32\(Default) = "F:\WINDOWS\System32\shmedia.dll" [MS]
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}" = "Wav Properties Handler"
-> {HKLM...CLSID} = "Wav Properties Handler"
\InProcServer32\(Default) = "F:\WINDOWS\System32\shmedia.dll" [MS]
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}" = "Avi Properties Handler"
-> {HKLM...CLSID} = "Avi Properties Handler"
\InProcServer32\(Default) = "F:\WINDOWS\System32\shmedia.dll" [MS]
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}" = "Midi Properties Handler"
-> {HKLM...CLSID} = "Midi Properties Handler"
\InProcServer32\(Default) = "F:\WINDOWS\System32\shmedia.dll" [MS]
"{c5a40261-cd64-4ccf-84cb-c394da41d590}" = "Video Thumbnail Extractor"
-> {HKLM...CLSID} = "Video Thumbnail Extractor"
\InProcServer32\(Default) = "F:\WINDOWS\System32\shmedia.dll" [MS]
"{5E6AB780-7743-11CF-A12B-00AA004AE837}" = "Microsoft Internet Toolbar"
-> {HKLM...CLSID} = "Microsoft Internet Toolbar"
\InProcServer32\(Default) = "F:\WINDOWS\System32\browseui.dll" [MS]
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}" = "Download Status"
-> {HKLM...CLSID} = "Download Status"
\InProcServer32\(Default) = "F:\WINDOWS\System32\browseui.dll" [MS]
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}" = "Augmented Shell Folder"
-> {HKLM...CLSID} = "Augmented Shell Folder"
\InProcServer32\(Default) = "F:\WINDOWS\System32\browseui.dll" [MS]
"{6413BA2C-B461-11d1-A18A-080036B11A03}" = "Augmented Shell Folder 2"
-> {HKLM...CLSID} = "Augmented Shell Folder 2"
\InProcServer32\(Default) = "F:\WINDOWS\System32\browseui.dll" [MS]
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}" = "BandProxy"
-> {HKLM...CLSID} = "BandProxy"
\InProcServer32\(Default) = "F:\WINDOWS\System32\browseui.dll" [MS]
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}" = "Microsoft BrowserBand"
-> {HKLM...CLSID} = "Microsoft BrowserBand"
\InProcServer32\(Default) = "F:\WINDOWS\System32\browseui.dll" [MS]
"{30D02401-6A81-11d0-8274-00C04FD5AE38}" = "Search Band"
-> {HKLM...CLSID} = "Search Band"
\InProcServer32\(Default) = "F:\WINDOWS\System32\browseui.dll" [MS]
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}" = "In-pane search"
-> {HKLM...CLSID} = "In-pane search"
\InProcServer32\(Default) = "F:\WINDOWS\System32\browseui.dll" [MS]
"{07798131-AF23-11d1-9111-00A0C98BA67D}" = "Web Search"
-> {HKLM...CLSID} = "Web Search"
\InProcServer32\(Default) = "F:\WINDOWS\System32\browseui.dll" [MS]
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}" = "Registry Tree Options Utility"
-> {HKLM...CLSID} = "Registry Tree Options Utility"
\InProcServer32\(Default) = "F:\WINDOWS\System32\browseui.dll" [MS]
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}" = "&Address"
-> {HKLM...CLSID} = "&Address"
\InProcServer32\(Default) = "F:\WINDOWS\System32\browseui.dll" [MS]
"{A08C11D2-A228-11d0-825B-00AA005B4383}" = "Address EditBox"
-> {HKLM...CLSID} = "Address EditBox"
\InProcServer32\(Default) = "F:\WINDOWS\System32\browseui.dll" [MS]
"{00BB2763-6A77-11D0-A535-00C04FD7D062}" = "Microsoft AutoComplete"
-> {HKLM...CLSID} = "Microsoft AutoComplete"
\InProcServer32\(Default) = "F:\WINDOWS\System32\browseui.dll" [MS]
"{7376D660-C583-11d0-A3A5-00C04FD706EC}" = "TridentImageExtractor"
-> {HKLM...CLSID} = "TridentImageExtractor"
\InProcServer32\(Default) = "F:\WINDOWS\System32\browseui.dll" [MS]
"{6756A641-DE71-11d0-831B-00AA005B4383}" = "MRU AutoComplete List"
-> {HKLM...CLSID} = "MRU AutoComplete List"
\InProcServer32\(Default) = "F:\WINDOWS\System32\browseui.dll" [MS]
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}" = "Custom MRU AutoCompleted List"
-> {HKLM...CLSID} = "Custom MRU AutoCompleted List"
\InProcServer32\(Default) = "F:\WINDOWS\System32\browseui.dll" [MS]
"{7e653215-fa25-46bd-a339-34a2790f3cb7}" = "Accessible"
-> {HKLM...CLSID} = "Accessible"
\InProcServer32\(Default) = "F:\WINDOWS\System32\browseui.dll" [MS]
"{acf35015-526e-4230-9596-becbe19f0ac9}" = "Track Popup Bar"
-> {HKLM...CLSID} = "Track Popup Bar"
\InProcServer32\(Default) = "F:\WINDOWS\System32\browseui.dll" [MS]
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}" = "Address Bar Parser"
-> {HKLM...CLSID} = "Address Bar Parser"
\InProcServer32\(Default) = "F:\WINDOWS\System32\browseui.dll" [MS]
"{00BB2764-6A77-11D0-A535-00C04FD7D062}" = "Microsoft History AutoComplete List"
-> {HKLM...CLSID} = "Microsoft History AutoComplete List"
\InProcServer32\(Default) = "F:\WINDOWS\System32\browseui.dll" [MS]
"{03C036F1-A186-11D0-824A-00AA005B4383}" = "Microsoft Shell Folder AutoComplete List"
-> {HKLM...CLSID} = "Microsoft Shell Folder AutoComplete List"
\InProcServer32\(Default) = "F:\WINDOWS\System32\browseui.dll" [MS]
"{00BB2765-6A77-11D0-A535-00C04FD7D062}" = "Microsoft Multiple AutoComplete List Container"
-> {HKLM...CLSID} = "Microsoft Multiple AutoComplete List Container"
\InProcServer32\(Default) = "F:\WINDOWS\System32\browseui.dll" [MS]
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}" = "Shell Band Site Menu"
-> {HKLM...CLSID} = "Shell Band Site Menu"
\InProcServer32\(Default) = "F:\WINDOWS\System32\browseui.dll" [MS]
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}" = "Shell DeskBarApp"
-> {HKLM...CLSID} = "Shell DeskBarApp"
\InProcServer32\(Default) = "F:\WINDOWS\System32\browseui.dll" [MS]
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}" = "Shell DeskBar"
-> {HKLM...CLSID} = "Shell DeskBar"
\InProcServer32\(Default) = "F:\WINDOWS\System32\browseui.dll" [MS]
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}" = "Shell Rebar BandSite"
-> {HKLM...CLSID} = "Shell Rebar BandSite"
\InProcServer32\(Default) = "F:\WINDOWS\System32\browseui.dll" [MS]
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}" = "User Assist"
-> {HKLM...CLSID} = "User Assist"
\InProcServer32\(Default) = "F:\WINDOWS\System32\browseui.dll" [MS]
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}" = "Global Folder Settings"
-> {HKLM...CLSID} = "Global Folder Settings"
\InProcServer32\(Default) = "F:\WINDOWS\System32\browseui.dll" [MS]
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}" = "Favorites Band"
-> {HKLM...CLSID} = "Favorites Band"
\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]
"{0A89A860-D7B1-11CE-8350-444553540000}" = "Shell Automation Inproc Service"
-> {HKLM...CLSID} = "Shell Automation Inproc Service"
\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}" = "Shell DocObject Viewer"
-> {HKLM...CLSID} = "Shell DocObject Viewer"
\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}" = "Microsoft Browser Architecture"
-> {HKLM...CLSID} = "Microsoft Browser Architecture"
\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}" = "InternetShortcut"
-> {HKLM...CLSID} = "Internet Shortcut"
\InProcServer32\(Default) = "shdocvw.dll" [MS]
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}" = "Microsoft Url History Service"
-> {HKLM...CLSID} = "Microsoft Url History Service"
\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]
"{FF393560-C2A7-11CF-BFF4-444553540000}" = "History"
-> {HKLM...CLSID} = "History"
\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}" = "Temporary Internet Files"
-> {HKLM...CLSID} = "Temporary Internet Files"
\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}" = "Temporary Internet Files"
-> {HKLM...CLSID} = "Temporary Internet Files"
\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" = "Microsoft Url Search Hook"
-> {HKLM...CLSID} = "Microsoft Url Search Hook"
\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}" = "IE4 Suite Splash Screen"
-> {HKLM...CLSID} = "IE4 Suite Splash Screen"
\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}" = "CDF Extension Copy Hook"
-> {HKLM...CLSID} = "CDF Extension Copy Hook"
\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]
"{131A6951-7F78-11D0-A979-00C04FD705A2}" = "ISFBand OC"
-> {HKLM...CLSID} = "ISFBand OC"
\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}" = "Search Assistant OC"
-> {HKLM...CLSID} = "Search Assistant OC"
\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}" = "The Internet"
-> {HKLM...CLSID} = "The Internet"
\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]
"{871C5380-42A0-1069-A2EA-08002B30309D}" = "Internet Name Space"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}" = "Explorer Band"
-> {HKLM...CLSID} = "Explorer Band"
\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}" = "Sendmail service"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "F:\WINDOWS\System32\sendmail.dll" [MS]
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}" = "Sendmail service"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "F:\WINDOWS\System32\sendmail.dll" [MS]
"{88C6C381-2E85-11D0-94DE-444553540000}" = "ActiveX Cache Folder"
-> {HKLM...CLSID} = "ActiveX Cache Folder"
\InProcServer32\(Default) = "F:\WINDOWS\System32\occache.dll" [MS]
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" = "WebCheck"
-> {HKLM...CLSID} = "WebCheck"
\InProcServer32\(Default) = "F:\WINDOWS\System32\webcheck.dll" [MS]
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}" = "Subscription Mgr"
-> {HKLM...CLSID} = "Subscription Mgr"
\InProcServer32\(Default) = "F:\WINDOWS\System32\webcheck.dll" [MS]
"{F5175861-2688-11d0-9C5E-00AA00A45957}" = "Subscription Folder"
-> {HKLM...CLSID} = "Subscription Folder"
\InProcServer32\(Default) = "F:\WINDOWS\System32\webcheck.dll" [MS]
"{08165EA0-E946-11CF-9C87-00AA005127ED}" = "WebCheckWebCrawler"
-> {HKLM...CLSID} = "WebCheckWebCrawler"
\InProcServer32\(Default) = "F:\WINDOWS\System32\webcheck.dll" [MS]
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}" = "WebCheckChannelAgent"
-> {HKLM...CLSID} = "WebCheckChannelAgent"
\InProcServer32\(Default) = "F:\WINDOWS\System32\webcheck.dll" [MS]
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}" = "TrayAgent"

kurt24
2007-04-09, 06:25
-> {HKLM...CLSID} = "TrayAgent"
\InProcServer32\(Default) = "F:\WINDOWS\System32\webcheck.dll" [MS]
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}" = "Code Download Agent"
-> {HKLM...CLSID} = "Code Download Agent"
\InProcServer32\(Default) = "F:\WINDOWS\System32\webcheck.dll" [MS]
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}" = "ConnectionAgent"
-> {HKLM...CLSID} = "ConnectionAgent"
\InProcServer32\(Default) = "F:\WINDOWS\System32\webcheck.dll" [MS]
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}" = "PostAgent"
-> {HKLM...CLSID} = "PostAgent"
\InProcServer32\(Default) = "F:\WINDOWS\System32\webcheck.dll" [MS]
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}" = "WebCheck SyncMgr Handler"
-> {HKLM...CLSID} = "WebCheck SyncMgr Handler"
\InProcServer32\(Default) = "F:\WINDOWS\System32\webcheck.dll" [MS]
"{352EC2B7-8B9A-11D1-B8AE-006008059382}" = "Shell Application Manager"
-> {HKLM...CLSID} = "Shell Application Manager"
\InProcServer32\(Default) = "F:\WINDOWS\System32\appwiz.cpl" [MS]
"{0B124F8F-91F0-11D1-B8B5-006008059382}" = "Installed Apps Enumerator"
-> {HKLM...CLSID} = "Installed Apps Enumerator"
\InProcServer32\(Default) = "F:\WINDOWS\System32\appwiz.cpl" [MS]
"{CFCCC7A0-A282-11D1-9082-006008059382}" = "Darwin App Publisher"
-> {HKLM...CLSID} = "Darwin App Publisher"
\InProcServer32\(Default) = "F:\WINDOWS\System32\appwiz.cpl" [MS]
"{e84fda7c-1d6a-45f6-b725-cb260c236066}" = "Shell Image Verbs"
-> {HKLM...CLSID} = "Shell Image Verbs"
\InProcServer32\(Default) = "F:\WINDOWS\System32\shimgvw.dll" [MS]
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}" = "Shell Image Data Factory"
-> {HKLM...CLSID} = "Shell Image Data Factory"
\InProcServer32\(Default) = "F:\WINDOWS\System32\shimgvw.dll" [MS]
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}" = "GDI+ file thumbnail extractor"
-> {HKLM...CLSID} = "GDI+ file thumbnail extractor"
\InProcServer32\(Default) = "F:\WINDOWS\System32\shimgvw.dll" [MS]
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}" = "Summary Info Thumbnail handler (DOCFILES)"
-> {HKLM...CLSID} = "Summary Info Thumbnail handler (DOCFILES)"
\InProcServer32\(Default) = "F:\WINDOWS\System32\shimgvw.dll" [MS]
"{EAB841A0-9550-11cf-8C16-00805F1408F3}" = "HTML Thumbnail Extractor"
-> {HKLM...CLSID} = "HTML Thumbnail Extractor"
\InProcServer32\(Default) = "F:\WINDOWS\System32\shimgvw.dll" [MS]
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}" = "Shell Image Property Handler"
-> {HKLM...CLSID} = "Shell Image Property Handler"
\InProcServer32\(Default) = "F:\WINDOWS\System32\shimgvw.dll" [MS]
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}" = "Web Publishing Wizard"
-> {HKLM...CLSID} = "Web Publishing Wizard"
\InProcServer32\(Default) = "F:\WINDOWS\System32\netplwiz.dll" [MS]
"{add36aa8-751a-4579-a266-d66f5202ccbb}" = "Print Ordering via the Web"
-> {HKLM...CLSID} = "Print Ordering via the Web"
\InProcServer32\(Default) = "F:\WINDOWS\System32\netplwiz.dll" [MS]
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}" = "Shell Publishing Wizard Object"
-> {HKLM...CLSID} = "Shell Publishing Wizard Object"
\InProcServer32\(Default) = "F:\WINDOWS\System32\netplwiz.dll" [MS]
"{58f1f272-9240-4f51-b6d4-fd63d1618591}" = "Get a Passport Wizard"
-> {HKLM...CLSID} = "Get a Passport Wizard"
\InProcServer32\(Default) = "F:\WINDOWS\System32\netplwiz.dll" [MS]
"{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31}" = "Compressed (zipped) Folder"
-> {HKLM...CLSID} = "CompressedFolder"
\InProcServer32\(Default) = "F:\WINDOWS\System32\zipfldr.dll" [MS]
"{BD472F60-27FA-11cf-B8B4-444553540000}" = "Compressed (zipped) Folder Right Drag Handler"
-> {HKLM...CLSID} = "Compressed (zipped) Folder Right Drag Handler"
\InProcServer32\(Default) = "F:\WINDOWS\System32\zipfldr.dll" [MS]
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}" = "Compressed (zipped) Folder SendTo Target"
-> {HKLM...CLSID} = "Compressed (zipped) Folder SendTo Target"
\InProcServer32\(Default) = "F:\WINDOWS\System32\zipfldr.dll" [MS]
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}" = "Channel File"
-> {HKLM...CLSID} = "Channel"
\InProcServer32\(Default) = "F:\WINDOWS\System32\cdfview.dll" [MS]
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}" = "Channel Shortcut"
-> {HKLM...CLSID} = "Channel Shortcut"
\InProcServer32\(Default) = "F:\WINDOWS\System32\cdfview.dll" [MS]
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}" = "Channel Handler Object"
-> {HKLM...CLSID} = "Channel Handler Object"
\InProcServer32\(Default) = "F:\WINDOWS\System32\cdfview.dll" [MS]
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}" = "Channel Menu"
-> {HKLM...CLSID} = "Channel Menu Handler Object"
\InProcServer32\(Default) = "F:\WINDOWS\System32\cdfview.dll" [MS]
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}" = "Channel Properties"
-> {HKLM...CLSID} = "Channel Shortcut Property Pages"
\InProcServer32\(Default) = "F:\WINDOWS\System32\cdfview.dll" [MS]
"{63da6ec0-2e98-11cf-8d82-444553540000}" = "FTP Folders Webview"
-> {HKLM...CLSID} = "Microsoft FTP Folder"
\InProcServer32\(Default) = "F:\WINDOWS\System32\msieftp.dll" [MS]
"{883373C3-BF89-11D1-BE35-080036B11A03}" = "Microsoft DocProp Shell Ext"
-> {HKLM...CLSID} = "Microsoft DocProp Shell Ext"
\InProcServer32\(Default) = "F:\WINDOWS\System32\docprop2.dll" [MS]
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}" = "Microsoft DocProp Inplace Edit Box Control"
-> {HKLM...CLSID} = "Microsoft DocProp Inplace Edit Box Control"
\InProcServer32\(Default) = "F:\WINDOWS\System32\docprop2.dll" [MS]
"{8EE97210-FD1F-4B19-91DA-67914005F020}" = "Microsoft DocProp Inplace ML Edit Box Control"
-> {HKLM...CLSID} = "Microsoft DocProp Inplace ML Edit Box Control"
\InProcServer32\(Default) = "F:\WINDOWS\System32\docprop2.dll" [MS]
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}" = "Microsoft DocProp Inplace Droplist Combo Control"
-> {HKLM...CLSID} = "Microsoft DocProp Inplace Droplist Combo Control"
\InProcServer32\(Default) = "F:\WINDOWS\System32\docprop2.dll" [MS]
"{6A205B57-2567-4A2C-B881-F787FAB579A3}" = "Microsoft DocProp Inplace Calendar Control"
-> {HKLM...CLSID} = "Microsoft DocProp Inplace Calendar Control"
\InProcServer32\(Default) = "F:\WINDOWS\System32\docprop2.dll" [MS]
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}" = "Microsoft DocProp Inplace Time Control"
-> {HKLM...CLSID} = "Microsoft DocProp Inplace Time Control"
\InProcServer32\(Default) = "F:\WINDOWS\System32\docprop2.dll" [MS]
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}" = "Directory Query UI"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "F:\WINDOWS\System32\dsquery.dll" [MS]
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}" = "Shell properties for a DS object"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "F:\WINDOWS\System32\dsquery.dll" [MS]
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}" = "Directory Object Find"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "F:\WINDOWS\System32\dsquery.dll" [MS]
"{F020E586-5264-11d1-A532-0000F8757D7E}" = "Directory Start/Search Find"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "F:\WINDOWS\System32\dsquery.dll" [MS]
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}" = "Directory Property UI"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "F:\WINDOWS\System32\dsuiext.dll" [MS]
"{62AE1F9A-126A-11D0-A14B-0800361B1103}" = "Directory Context Menu Verbs"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "F:\WINDOWS\System32\dsuiext.dll" [MS]
"{ECF03A33-103D-11d2-854D-006008059367}" = "MyDocs Copy Hook"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "F:\WINDOWS\System32\mydocs.dll" [MS]
"{ECF03A32-103D-11d2-854D-006008059367}" = "MyDocs Drop Target"
-> {HKLM...CLSID} = "MyDocs Drop Target"
\InProcServer32\(Default) = "F:\WINDOWS\System32\mydocs.dll" [MS]
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}" = "MyDocs Properties"
-> {HKLM...CLSID} = "MyDocs menu and properties"
\InProcServer32\(Default) = "F:\WINDOWS\System32\mydocs.dll" [MS]
"{750fdf0e-2a26-11d1-a3ea-080036587f03}" = "Offline Files Menu"
-> {HKLM...CLSID} = "Offline Files Menu"
\InProcServer32\(Default) = "F:\WINDOWS\System32\cscui.dll" [MS]
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}" = "Offline Files Folder Options"
-> {HKLM...CLSID} = "Offline Files Folder Options"
\InProcServer32\(Default) = "F:\WINDOWS\System32\cscui.dll" [MS]
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}" = "Offline Files Folder"
-> {HKLM...CLSID} = "Offline Files Folder"
\InProcServer32\(Default) = "F:\WINDOWS\System32\cscui.dll" [MS]
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}" = "Microsoft Agent Character Property Sheet Handler"
-> {HKLM...CLSID} = "Microsoft Agent Character Property Sheet Handler"
\InProcServer32\(Default) = "F:\WINDOWS\msagent\AgentPsh.dll" [MS]
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}" = "DfsShell"
-> {HKLM...CLSID} = "DfsShell Class"
\InProcServer32\(Default) = "F:\WINDOWS\System32\dfsshlex.dll" [MS]
"{60fd46de-f830-4894-a628-6fa81bc0190d}" = "%DESC_PublishDropTarget%"
-> {HKLM...CLSID} = "DropTarget Object for Photo Printing Wizard"
\InProcServer32\(Default) = "F:\WINDOWS\System32\photowiz.dll" [MS]
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}" = "MMC Icon Handler"
-> {HKLM...CLSID} = "ExtractIcon Class"
\InProcServer32\(Default) = "F:\WINDOWS\System32\mmcshext.dll" [MS]
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}" = ".CAB file viewer"
-> {HKLM...CLSID} = "Cabinet File"
\InProcServer32\(Default) = "cabview.dll" [MS]
"{32714800-2E5F-11d0-8B85-00AA0044F941}" = "For &People..."
-> {HKLM...CLSID} = "For &People..."
\InProcServer32\(Default) = "F:\Program Files\Outlook Express\wabfind.dll" [MS]
"{8DD448E6-C188-4aed-AF92-44956194EB1F}" = "Windows Media Player Burn Audio CD Context Menu Handler"
-> {HKLM...CLSID} = "WMP Burn Audio CD Launcher"
\InProcServer32\(Default) = "F:\WINDOWS\system32\wmpshell.dll" [MS]
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}" = "Windows Media Player Play as Playlist Context Menu Handler"
-> {HKLM...CLSID} = "WMP Play As Playlist Launcher"
\InProcServer32\(Default) = "F:\WINDOWS\system32\wmpshell.dll" [MS]
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}" = "Windows Media Player Add to Playlist Context Menu Handler"
-> {HKLM...CLSID} = "WMP Add To Playlist Launcher"
\InProcServer32\(Default) = "F:\WINDOWS\system32\wmpshell.dll" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "F:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "F:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "F:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "F:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}" = "Web Folders"
-> {HKLM...CLSID} = "Web Folders"
\InProcServer32\(Default) = "F:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "F:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "F:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "F:\Program Files\WinRAR\rarext.dll" [null data]
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}" = "Set Program Access and Defaults"
-> {HKLM...CLSID} = "Set Program Access and Defaults"
\InProcServer32\(Default) = "F:\WINDOWS\system32\shdocvw.dll" [MS]
"{596AB062-B4D2-4215-9F74-E9109B0A8153}" = "Previous Versions Property Page"
-> {HKLM...CLSID} = "Previous Versions Property Page"
\InProcServer32\(Default) = "F:\WINDOWS\System32\twext.dll" [MS]
"{9DB7A13C-F208-4981-8353-73CC61AE2783}" = "Previous Versions"
-> {HKLM...CLSID} = "Previous Versions"
\InProcServer32\(Default) = "F:\WINDOWS\System32\twext.dll" [MS]
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}" = "Extensions Manager Folder"
-> {HKLM...CLSID} = "Extensions Manager Folder"
\InProcServer32\(Default) = "F:\WINDOWS\System32\extmgr.dll" [MS]
"{1D2680C9-0E2A-469d-B787-065558BC7D43}" = "Fusion Cache"
-> {HKLM...CLSID} = "Fusion Cache"
\InProcServer32\(Default) = "F:\WINDOWS\system32\mscoree.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"

kurt24
2007-04-09, 06:26
\InProcServer32\(Default) = "D:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{5E44E225-A408-11CF-B581-008029601108}" = "Roxio DragToDisc Shell Extension"
-> {HKLM...CLSID} = "Roxio DragToDisc Shell Extension"
\InProcServer32\(Default) = "F:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\shellex.dll" ["Roxio"]
"{A44D5ACC-3411-40DE-9AD3-214FFB2ED7AC}" = "My Media"
-> {HKLM...CLSID} = "My Media"
\InProcServer32\(Default) = "F:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\MediaSX.dll" ["Roxio, Inc."]
"{9DAECC89-B1B8-4BA8-BD7B-6827A83C3621}" = "MuVo NX-TX Media Explorer"
-> {HKLM...CLSID} = "MuVo NX-TX Media Explorer"
\InProcServer32\(Default) = "D:\Program Files\Creative\Creative MuVo NX-TX\CTMvns.dll" ["Creative Technology Ltd"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "F:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "F:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "F:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "F:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "F:\WINDOWS\system32\browseui.dll" [MS]
"{DBD8E168-244D-448C-9922-25508950D1DC}" = "Ulead UDF Driver"
-> {HKLM...CLSID} = "USIShellExt Class"
\InProcServer32\(Default) = "F:\Program Files\Common Files\Ulead Systems\DVD\USIShex.dll" [file not found]
"{acb4a560-3606-11d3-aef4-00104bd0f92d}" = "KodakShellExtension"
-> {HKLM...CLSID} = "KodakShellExtension"
\InProcServer32\(Default) = "F:\Program Files\Common Files\Kodak\ifscore\KodakShX.dll" ["Eastman Kodak Company"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "F:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{35786D3C-B075-49b9-88DD-029876E11C01}" = "Portable Devices"
-> {HKLM...CLSID} = "Portable Devices"
\InProcServer32\(Default) = "F:\WINDOWS\system32\wpdshext.dll" [MS]
"{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8}" = "Portable Devices Menu"
-> {HKLM...CLSID} = "Portable Devices Menu"
\InProcServer32\(Default) = "F:\WINDOWS\system32\wpdshext.dll" [MS]
"{49BF5420-FA7F-11cf-8011-00A0C90A8F78}" = "Mobile Device"
-> {HKLM...CLSID} = "Mobile Device"
\InProcServer32\(Default) = "F:\PROGRA~1\MICROS~3\Wcesview.dll" [MS]
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"
-> {HKLM...CLSID} = "ShellLink for Application References"
\InProcServer32\(Default) = "F:\WINDOWS\system32\dfshim.dll" [MS]
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"
-> {HKLM...CLSID} = "Shell Icon Handler for Application References"
\InProcServer32\(Default) = "F:\WINDOWS\system32\dfshim.dll" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "F:\WINDOWS\system32\Audiodev.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "F:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}" = "Browseui preloader"
-> {HKLM...CLSID} = "Browseui preloader"
\InProcServer32\(Default) = "F:\WINDOWS\System32\browseui.dll" [MS]
"{8C7461EF-2B13-11d2-BE35-3078302C2030}" = "Component Categories cache daemon"
-> {HKLM...CLSID} = "Component Categories cache daemon"
\InProcServer32\(Default) = "F:\WINDOWS\System32\browseui.dll" [MS]
<<!>> "{AF0BE91A-D92D-44F5-9581-64F629762E5A}" = (no title provided)
-> {HKLM...CLSID} = "F:\WINDOWS\system32\ccc.dll"
\InProcServer32\(Default) = "F:\WINDOWS\system32\ccc.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}" = (no title provided)
-> {HKLM...CLSID} = "URL Exec Hook"
\InProcServer32\(Default) = "shell32.dll" [MS]

HKCU\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"PostBootReminder" = "{7849596a-48ea-486e-8937-a2a3009f31a9}"
-> {HKLM...CLSID} = "PostBootReminder object"
\InProcServer32\(Default) = "F:\WINDOWS\system32\SHELL32.dll" [MS]
"CDBurn" = "{fbeb8a05-beee-4442-804e-409d6c4515e9}"
-> {HKLM...CLSID} = "ShellFolder for CD Burning"
\InProcServer32\(Default) = "F:\WINDOWS\system32\SHELL32.dll" [MS]
"WebCheck" = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
-> {HKLM...CLSID} = "WebCheck"
\InProcServer32\(Default) = "F:\WINDOWS\System32\webcheck.dll" [MS]
"SysTray" = "{35CEC8A3-2BE6-11D2-8773-92E220524153}"
-> {HKLM...CLSID} = "SysTray"
\InProcServer32\(Default) = "F:\WINDOWS\System32\stobject.dll" [MS]
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "F:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKCU\Software\Microsoft\Command Processor\
"AutoRun" = (value not found)

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"Shell" = (value not found)

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
"load" = (value not found)
"run" = (value not found)

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
"Shell" = (value not found)

HKLM\Software\Microsoft\Command Processor\
"AutoRun" = (empty string)

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\
"AppInit_DLLs" = (empty string)

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
"GinaDLL" = (value not found)
"Shell" = "Explorer.exe" [MS]
"Taskman" = (value not found)
"Userinit" = "F:\WINDOWS\system32\userinit.exe," [MS]
"System" = (empty string)

HKLM\System\CurrentControlSet\Control\SafeBoot\Option\
"UseAlternateShell" = (value not found)

HKLM\System\CurrentControlSet\Control\SecurityProviders\
<<!>> ("zwebauth.dll" [MS]) "SecurityProviders" = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll"

HKLM\System\CurrentControlSet\Control\Session Manager\
"BootExecute" = "autocheck autochk *"

HKLM\System\CurrentControlSet\Control\WOW\
"cmdline" = "F:\WINDOWS\system32\ntvdm.exe" [MS]
"wowcmdline" = "F:\WINDOWS\system32\ntvdm.exe -a F:\WINDOWS\system32\krnl386" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
crypt32chain\DLLName = "crypt32.dll" [MS]
cryptnet\DLLName = "cryptnet.dll" [MS]
cscdll\DLLName = "cscdll.dll" [MS]
<<!>> notifyc\DLLName = "F:\WINDOWS\system32\ccc.dll" [file not found]
ScCertProp\DLLName = "wlnotify.dll" [MS]
Schedule\DLLName = "wlnotify.dll" [MS]
sclgntfy\DLLName = "sclgntfy.dll" [MS]
SensLogn\DLLName = "WlNotify.dll" [MS]
termsrv\DLLName = "wlnotify.dll" [MS]
WgaLogon\DLLName = "WgaLogon.dll" [MS]
<<!>> winwea32\DLLName = "winwea32.dll" [null data]
wlballoon\DLLName = "wlnotify.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
<<!>> Logo1_.exe\Debugger = "nircmd execmd del /a/f c:\windows\Logo1_.exe" [file not found]
Your Image File Name Here without a path\Debugger = "ntsd -d" [MS]

HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon\

HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\

HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup\

HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown\

HKLM\Software\Classes\PROTOCOLS\Filter\
application/octet-stream\CLSID = "{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"
-> {HKLM...CLSID} = "Cor MIME Filter, CorFltr, CorFltr 1"
\InProcServer32\(Default) = "mscoree.dll" [MS]
application/x-complus\CLSID = "{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"
-> {HKLM...CLSID} = "Cor MIME Filter, CorFltr, CorFltr 1"
\InProcServer32\(Default) = "mscoree.dll" [MS]
application/x-msdownload\CLSID = "{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"
-> {HKLM...CLSID} = "Cor MIME Filter, CorFltr, CorFltr 1"
\InProcServer32\(Default) = "mscoree.dll" [MS]
Class Install Handler\CLSID = "{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"
-> {HKLM...CLSID} = "AP Class Install Handler filter"
\InProcServer32\(Default) = "F:\WINDOWS\system32\urlmon.dll" [MS]
deflate\CLSID = "{8f6b0360-b80d-11d0-a9b3-006097942311}"
-> {HKLM...CLSID} = "AP lzdhtml encoding/decoding Filter"
\InProcServer32\(Default) = "F:\WINDOWS\system32\urlmon.dll" [MS]
gzip\CLSID = "{8f6b0360-b80d-11d0-a9b3-006097942311}"
-> {HKLM...CLSID} = "AP lzdhtml encoding/decoding Filter"
\InProcServer32\(Default) = "F:\WINDOWS\system32\urlmon.dll" [MS]
lzdhtml\CLSID = "{8f6b0360-b80d-11d0-a9b3-006097942311}"
-> {HKLM...CLSID} = "AP lzdhtml encoding/decoding Filter"
\InProcServer32\(Default) = "F:\WINDOWS\system32\urlmon.dll" [MS]
text/webviewhtml\CLSID = "{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"
-> {HKLM...CLSID} = "WebView MIME Filter"
\InProcServer32\(Default) = "F:\WINDOWS\system32\SHELL32.dll" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{0D2E74C4-3C34-11d2-A27E-00C04FC30871}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "F:\WINDOWS\system32\SHELL32.dll" [MS]
{24F14F01-7B1C-11d1-838f-0000F80461CF}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "F:\WINDOWS\system32\SHELL32.dll" [MS]
{24F14F02-7B1C-11d1-838f-0000F80461CF}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "F:\WINDOWS\system32\SHELL32.dll" [MS]
{66742402-F9B9-11D1-A202-0000F81FEDEE}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "F:\WINDOWS\system32\SHELL32.dll" [MS]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "F:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Offline Files\(Default) = "{750fdf0e-2a26-11d1-a3ea-080036587f03}"
-> {HKLM...CLSID} = "Offline Files Menu"
\InProcServer32\(Default) = "F:\WINDOWS\System32\cscui.dll" [MS]
Open With\(Default) = "{09799AFB-AD67-11d1-ABCD-00C04FC30936}"
-> {HKLM...CLSID} = "Open With Context Menu Handler"
\InProcServer32\(Default) = "F:\WINDOWS\system32\SHELL32.dll" [MS]
Open With EncryptionMenu\(Default) = "{A470F8CF-A1E8-4f65-8335-227475AA5C46}"
-> {HKLM...CLSID} = "Encryption Context Menu"
\InProcServer32\(Default) = "F:\WINDOWS\system32\SHELL32.dll" [MS]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "F:\PROGRA~1\NORTON~3\NORTON~1\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "F:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "F:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
EncryptionMenu\(Default) = "{A470F8CF-A1E8-4f65-8335-227475AA5C46}"
-> {HKLM...CLSID} = "Encryption Context Menu"
\InProcServer32\(Default) = "F:\WINDOWS\system32\SHELL32.dll" [MS]
Offline Files\(Default) = "{750fdf0e-2a26-11d1-a3ea-080036587f03}"
-> {HKLM...CLSID} = "Offline Files Menu"
\InProcServer32\(Default) = "F:\WINDOWS\System32\cscui.dll" [MS]
Sharing\(Default) = "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"
-> {HKLM...CLSID} = "Shell extensions for sharing"
\InProcServer32\(Default) = "ntshrui.dll" [MS]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "F:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "F:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "F:\PROGRA~1\NORTON~3\NORTON~1\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "F:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "F:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
Send To\(Default) = "{7BA4C740-9E81-11CF-99D3-00AA004AE837}"
-> {HKLM...CLSID} = "Microsoft SendTo Service"
\InProcServer32\(Default) = "F:\WINDOWS\system32\SHELL32.dll" [MS]


Default executables:
--------------------

HKLM\Software\Classes\.bat\(Default) = "batfile"
HKLM\Software\Classes\batfile\shell\open\command\(Default) = ""%1" %*"

HKLM\Software\Classes\.cmd\(Default) = "cmdfile"
HKLM\Software\Classes\cmdfile\shell\open\command\(Default) = ""%1" %*"

HKLM\Software\Classes\.com\(Default) = "comfile"
HKLM\Software\Classes\comfile\shell\open\command\(Default) = ""%1" %*"

HKLM\Software\Classes\.exe\(Default) = "exefile"
HKLM\Software\Classes\exefile\shell\open\command\(Default) = ""%1" %*"

HKLM\Software\Classes\.hta\(Default) = "htafile"
HKLM\Software\Classes\htafile\shell\open\command\(Default) = "F:\WINDOWS\System32\mshta.exe "%1" %*"

HKLM\Software\Classes\.pif\(Default) = "piffile"
HKLM\Software\Classes\piffile\shell\open\command\(Default) = ""%1" %*"

HKLM\Software\Classes\.scr\(Default) = "scrfile"
HKLM\Software\Classes\scrfile\shell\open\command\(Default) = ""%1" /S"


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDriveTypeAutoRun" = (REG_DWORD) hex:0x00000091
{Turn off Autoplay}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowCpl\

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate\

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\

HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel\

HKCU\Software\Policies\Microsoft\Internet Explorer\Download\

HKLM\Software\Policies\Microsoft\Internet Explorer\Download\

HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\

HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\

HKCU\Software\Policies\Microsoft\Internet Explorer\Main\

HKLM\Software\Policies\Microsoft\Internet Explorer\Main\

HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\

HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\

HKCU\Software\Policies\Microsoft\Internet Explorer\PhishingFilter\

HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter\

HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\

HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions\

HKCU\Software\Policies\Microsoft\Internet Explorer\Security\

HKLM\Software\Policies\Microsoft\Internet Explorer\Security\

HKCU\Software\Policies\Microsoft\MMC\{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}\

HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\

HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\

HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\

HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\

HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\

HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\

HKCU\Software\Policies\Microsoft\Windows\Network Connections\

HKCU\Software\Policies\Microsoft\Windows\System\

HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0\

HKLM\Software\Policies\Microsoft\Windows\Task Scheduler5.0\

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

kurt24
2007-04-09, 06:27
"dontdisplaylastusername" = (REG_DWORD) hex:0x00000000
{Interactive logon: Do not display last user name}

"legalnoticetext" = (REG_SZ) (empty string)
{Interactive logon: Message text for users attempting to log on}

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}

HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore\


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "F:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Desktop Background.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = (value not set)


DESKTOP.INI DLL launch in local fixed drive directories:
--------------------------------------------------------

C:\WINDOWS\FONTS\DESKTOP.INI
[.ShellClassInfo]
UICLSID={BD84B380-8CA2-1069-AB1D-08000948F534}
-> {HKLM...CLSID}\InProcServer32\(Default) = "fontext.dll" [MS]

C:\WINDOWS\Downloaded Program Files\DESKTOP.INI
[.ShellClassInfo]
CLSID={88C6C381-2E85-11d0-94DE-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\occache.dll" [MS]
C:\WINDOWS\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

C:\WINDOWS\Temporary Internet Files\Content.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

C:\WINDOWS\Temporary Internet Files\Content.IE5\4BUXOTGX\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

C:\WINDOWS\Temporary Internet Files\Content.IE5\KRITC30T\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

C:\WINDOWS\Temporary Internet Files\Content.IE5\UDW7IV2N\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

C:\WINDOWS\Temporary Internet Files\Content.IE5\01E3GHU7\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

C:\WINDOWS\History\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

C:\WINDOWS\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

D: (no DLL launch points found)

E: (no DLL launch points found)

F:\Documents and Settings\Administrator\Local Settings\History\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\Administrator\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\Default User\Local Settings\History\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\Default User\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\Default User.WINDOWS\Local Settings\History\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\Default User.WINDOWS\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\Default User.WINDOWS\Local Settings\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\Kurtis Snyder\Local Settings\History\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\Kurtis Snyder\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\Kurtis Snyder\Local Settings\Temp\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\Kurtis Snyder\Local Settings\Temp\Temporary Internet Files\Content.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\Kurtis Snyder\Local Settings\Temp\Temporary Internet Files\Content.IE5\6SFKHOI4\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\Kurtis Snyder\Local Settings\Temp\Temporary Internet Files\Content.IE5\K72F4V87\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\Kurtis Snyder\Local Settings\Temp\Temporary Internet Files\Content.IE5\TJNFNHOJ\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\Kurtis Snyder\Local Settings\Temp\Temporary Internet Files\Content.IE5\UV4B8TUP\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\Kurtis Snyder\Local Settings\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Local Settings\History\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Local Settings\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Local Settings\Temporary Internet Files\Content.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Local Settings\Temporary Internet Files\Content.IE5\07JZEO5T\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Local Settings\Temporary Internet Files\Content.IE5\4RPVQ67T\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Local Settings\Temporary Internet Files\Content.IE5\6DJK50NM\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Local Settings\Temporary Internet Files\Content.IE5\6RARQ1YF\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Local Settings\Temporary Internet Files\Content.IE5\995BS5Y6\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Local Settings\Temporary Internet Files\Content.IE5\BQ8VBXSX\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Local Settings\Temporary Internet Files\Content.IE5\G5CDEZ05\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Local Settings\Temporary Internet Files\Content.IE5\HNZF1XOE\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Local Settings\Temporary Internet Files\Content.IE5\JB5FF9OW\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Local Settings\Temporary Internet Files\Content.IE5\LQSTKPIE\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Local Settings\Temporary Internet Files\Content.IE5\SM2OT8J5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Local Settings\Temporary Internet Files\Content.IE5\UXTMBUP8\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\LocalService\Local Settings\History\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\LocalService\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

kurt24
2007-04-09, 06:28
F:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temp\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4TSL27GJ\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\8VET29I1\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\EN6TQJOX\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\Y7WF63UN\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\History\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\WINDOWS\assembly\DESKTOP.INI
[.ShellClassInfo]
CLSID={1D2680C9-0E2A-469d-B787-065558BC7D43}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\system32\mscoree.dll" [MS]

F:\WINDOWS\Downloaded Program Files\DESKTOP.INI
[.ShellClassInfo]
CLSID={88C6C381-2E85-11d0-94DE-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\occache.dll" [MS]

F:\WINDOWS\Fonts\DESKTOP.INI
[.ShellClassInfo]
UICLSID={BD84B380-8CA2-1069-AB1D-08000948F534}
-> {HKLM...CLSID}\InProcServer32\(Default) = "fontext.dll" [MS]

F:\WINDOWS\system32\config\systemprofile\Local Settings\History\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

F:\WINDOWS\Tasks\DESKTOP.INI
[.ShellClassInfo]
CLSID={d6277990-4c6a-11cf-8d87-00aa0060f5bf}
-> {HKLM...CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\mstask.dll" [MS]


Startup items in "Kurtis Snyder" & "All Users" startup folders:
---------------------------------------------------------------

F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Start Menu\Programs\Startup

F:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup


Enabled Scheduled Tasks:
------------------------

"Norton Internet Security - Run Full System Scan - Kurtis Snyder" -> launches: "F:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe /TASK:"F:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{01E04581-4EEE-11D0-BFE9-00AA005B4383}"
-> {HKLM...CLSID} = "&Address"
\InProcServer32\(Default) = "F:\WINDOWS\System32\browseui.dll" [MS]
"{0E5CBF21-D15F-11D0-8301-00AA005B4383}"
-> {HKLM...CLSID} = "&Links"
\InProcServer32\(Default) = "F:\WINDOWS\system32\SHELL32.dll" [MS]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{90222687-F593-4738-B738-FBEE9C7B26DF}" = "NCO Toolbar"
-> {HKLM...CLSID} = "Show Norton Toolbar"
\InProcServer32\(Default) = "F:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll" ["Symantec Corporation"]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Yahoo! Messenger"
\InProcServer32\(Default) = "F:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll" ["Yahoo! Inc."]
{EFA24E61-B078-11D0-89E4-00C04FC9E26E}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Favorites Band"
\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]
{EFA24E62-B078-11D0-89E4-00C04FC9E26E}\(Default) = (no title provided)
-> {HKLM...CLSID} = "History Band"
\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Yahoo! Messenger"
\InProcServer32\(Default) = "F:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll" ["Yahoo! Inc."]
{4D5C8C25-D075-11D0-B416-00C04FB90376}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Tip of the Day"
\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

HKLM\Software\Classes\CLSID\{30D02401-6A81-11D0-8274-00C04FD5AE38}\(Default) = "Search Band"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "F:\WINDOWS\System32\browseui.dll" [MS]

HKLM\Software\Classes\CLSID\{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}\(Default) = "&Discuss"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "shdocvw.dll" [MS]

HKLM\Software\Classes\CLSID\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\(Default) = "File Search Explorer Band"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "F:\WINDOWS\system32\SHELL32.dll" [MS]

HKLM\Software\Classes\CLSID\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}\(Default) = "Explorer Band"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in"
\InProcServer32\(Default) = "F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
\InProcServer32\(Default) = "F:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\
"ButtonText" = "Create Mobile Favorite"
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {HKLM...CLSID} = "Create Mobile Favorite"
\InProcServer32\(Default) = "F:\PROGRA~1\MICROS~3\INetRepl.dll" [MS]

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\
"MenuText" = "Create Mobile Favorite..."
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {HKLM...CLSID} = "Create Mobile Favorite"
\InProcServer32\(Default) = "F:\PROGRA~1\MICROS~3\INetRepl.dll" [MS]

{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\
"ButtonText" = "Yahoo! Services"
"CLSIDExtension" = "{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}"
-> {HKLM...CLSID} = "UberButton Class"
\InProcServer32\(Default) = "F:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo!"]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "F:\Program Files\Messenger\msmsgs.exe" [MS]


Internet Explorer Address Prefixes:
-----------------------------------

Prefix for bare domain ("domain-name-here.com")

HKLM\Software\Microsoft\Windows\CurrentVersion\URL\Default Prefix\
(Default) = "http://"

Prefix for specific service (i.e., "www")

HKLM\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes\
"ftp" = "ftp://"
"gopher" = "gopher://"
"home" = "http://"
"mosaic" = "http://"
"www" = "http://"


Miscellaneous IE Hijack Points
------------------------------

F:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings" -- no anomalies found)

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" = (no title provided)
-> {HKLM...CLSID} = "Microsoft Url Search Hook"
\InProcServer32\(Default) = "F:\WINDOWS\System32\shdocvw.dll" [MS]

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
"NavigationFailure" = "res://shdoclc.dll/navcancl.htm" [MS]
"DesktopItemNavigationFailure" = "res://shdoclc.dll/navcancl.htm" [MS]
"NavigationCanceled" = "res://shdoclc.dll/navcancl.htm" [MS]
"OfflineInformation" = "res://shdoclc.dll/offcancl.htm" [MS]
"Home" = hex:0x0000010E
"blank" = "res://mshtml.dll/blank.htm" [MS]
"PostNotCached" = "res://mshtml.dll/repost.htm" [MS]


HOSTS file
----------

HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\
"DataBasePath" = "F:\WINDOWS\System32\drivers\etc"

F:\WINDOWS\System32\drivers\etc\HOSTS

maps: 1 domain name to an IP address,
and this is the localhost IP address


All Running Services (Display Name, Service Name, Path {Service DLL}):
----------------------------------------------------------------------

Application Layer Gateway Service, ALG, "F:\WINDOWS\System32\alg.exe" [MS]
Automatic LiveUpdate Scheduler, Automatic LiveUpdate Scheduler, ""F:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"" ["Symantec Corporation"]
Automatic Updates, wuauserv, "F:\WINDOWS\system32\svchost.exe -k netsvcs" {"F:\WINDOWS\system32\wuauserv.dll" [MS]}
COM+ Event System, EventSystem, "F:\WINDOWS\System32\svchost.exe -k netsvcs" {"F:\WINDOWS\System32\es.dll" [MS]}
Computer Browser, Browser, "F:\WINDOWS\System32\svchost.exe -k netsvcs" {"F:\WINDOWS\System32\browser.dll" [MS]}
Creative Service for CDROM Access, Creative Service for CDROM Access, "F:\WINDOWS\system32\CTsvcCDA.EXE" ["Creative Technology Ltd"]
Cryptographic Services, CryptSvc, "F:\WINDOWS\system32\svchost.exe -k netsvcs" {"F:\WINDOWS\System32\cryptsvc.dll" [MS]}
DCOM Server Process Launcher, DcomLaunch, "F:\WINDOWS\system32\svchost -k DcomLaunch" {"F:\WINDOWS\system32\rpcss.dll" [MS]}
DHCP Client, Dhcp, "F:\WINDOWS\System32\svchost.exe -k netsvcs" {"F:\WINDOWS\System32\dhcpcsvc.dll" [MS]}
Distributed Link Tracking Client, TrkWks, "F:\WINDOWS\system32\svchost.exe -k netsvcs" {"F:\WINDOWS\system32\trkwks.dll" [MS]}
DNS Client, Dnscache, "F:\WINDOWS\System32\svchost.exe -k NetworkService" {"F:\WINDOWS\System32\dnsrslvr.dll" [MS]}
Error Reporting Service, ERSvc, "F:\WINDOWS\System32\svchost.exe -k netsvcs" {"F:\WINDOWS\System32\ersvc.dll" [MS]}
Event Log, Eventlog, "F:\WINDOWS\system32\services.exe" [MS]
Fast User Switching Compatibility, FastUserSwitchingCompatibility, "F:\WINDOWS\System32\svchost.exe -k netsvcs" {"F:\WINDOWS\System32\shsvcs.dll" [MS]}
Help and Support, helpsvc, "F:\WINDOWS\System32\svchost.exe -k netsvcs" {"F:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll" [MS]}
HTTP SSL, HTTPFilter, "F:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"F:\WINDOWS\System32\w3ssl.dll" [MS]}
IPSEC Services, PolicyAgent, "F:\WINDOWS\System32\lsass.exe" [MS]
Network Connections, Netman, "F:\WINDOWS\System32\svchost.exe -k netsvcs" {"F:\WINDOWS\System32\netman.dll" [MS]}
Network Location Awareness (NLA), Nla, "F:\WINDOWS\System32\svchost.exe -k netsvcs" {"F:\WINDOWS\System32\mswsock.dll" [MS]}
NVIDIA Display Driver Service, NVSvc, "F:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Plug and Play, PlugPlay, "F:\WINDOWS\system32\services.exe" [MS]
Protected Storage, ProtectedStorage, "F:\WINDOWS\system32\lsass.exe" [MS]
Remote Access Connection Manager, RasMan, "F:\WINDOWS\System32\svchost.exe -k netsvcs" {"F:\WINDOWS\System32\rasmans.dll" [MS]}
Remote Procedure Call (RPC), RpcSs, "F:\WINDOWS\system32\svchost -k rpcss" {"F:\WINDOWS\System32\rpcss.dll" [MS]}
Secondary Logon, seclogon, "F:\WINDOWS\System32\svchost.exe -k netsvcs" {"F:\WINDOWS\System32\seclogon.dll" [MS]}
Security Accounts Manager, SamSs, "F:\WINDOWS\system32\lsass.exe" [MS]
Server, lanmanserver, "F:\WINDOWS\System32\svchost.exe -k netsvcs" {"F:\WINDOWS\System32\srvsvc.dll" [MS]}
Shell Hardware Detection, ShellHWDetection, "F:\WINDOWS\System32\svchost.exe -k netsvcs" {"F:\WINDOWS\System32\shsvcs.dll" [MS]}
SSDP Discovery Service, SSDPSRV, "F:\WINDOWS\System32\svchost.exe -k LocalService" {"F:\WINDOWS\System32\ssdpsrv.dll" [MS]}
Symantec AppCore Service, SymAppCore, ""F:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe"" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, ""F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
Symantec Lic NetConnect service, CLTNetCnService, ""F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon" ["Symantec Corporation"]
Symantec Network Proxy, ccProxy, ""F:\Program Files\Common Files\Symantec Shared\ccProxy.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
System Event Notification, SENS, "F:\WINDOWS\system32\svchost.exe -k netsvcs" {"F:\WINDOWS\system32\sens.dll" [MS]}
System Restore Service, srservice, "F:\WINDOWS\System32\svchost.exe -k netsvcs" {"F:\WINDOWS\System32\srsvc.dll" [MS]}
Task Scheduler, Schedule, "F:\WINDOWS\System32\svchost.exe -k netsvcs" {"F:\WINDOWS\system32\schedsvc.dll" [MS]}
TCP/IP NetBIOS Helper, LmHosts, "F:\WINDOWS\System32\svchost.exe -k LocalService" {"F:\WINDOWS\System32\lmhsvc.dll" [MS]}
Telephony, TapiSrv, "F:\WINDOWS\System32\svchost.exe -k netsvcs" {"F:\WINDOWS\System32\tapisrv.dll" [MS]}
Terminal Services, TermService, "F:\WINDOWS\System32\svchost -k DComLaunch" {"F:\WINDOWS\System32\termsrv.dll" [MS]}
Themes, Themes, "F:\WINDOWS\System32\svchost.exe -k netsvcs" {"F:\WINDOWS\System32\shsvcs.dll" [MS]}
WebClient, WebClient, "F:\WINDOWS\System32\svchost.exe -k LocalService" {"F:\WINDOWS\System32\webclnt.dll" [MS]}
Windows Audio, AudioSrv, "F:\WINDOWS\System32\svchost.exe -k netsvcs" {"F:\WINDOWS\System32\audiosrv.dll" [MS]}
Windows Firewall/Internet Connection Sharing (ICS), SharedAccess, "F:\WINDOWS\system32\svchost.exe -k netsvcs" {"F:\WINDOWS\System32\ipnathlp.dll" [MS]}
Windows Image Acquisition (WIA), stisvc, "F:\WINDOWS\System32\svchost.exe -k imgsvc" {"F:\WINDOWS\system32\wiaservc.dll" [MS]}
Windows Management Instrumentation, winmgmt, "F:\WINDOWS\system32\svchost.exe -k netsvcs" {"F:\WINDOWS\system32\wbem\WMIsvc.dll" [MS]}
Windows Time, W32Time, "F:\WINDOWS\System32\svchost.exe -k netsvcs" {"F:\WINDOWS\System32\w32time.dll" [MS]}
Wireless Zero Configuration, WZCSVC, "F:\WINDOWS\System32\svchost.exe -k netsvcs" {"F:\WINDOWS\System32\wzcsvc.dll" [MS]}
WMDM PMSP Service, WMDM PMSP Service, "F:\WINDOWS\system32\MsPMSPSv.exe" [MS]
Workstation, lanmanworkstation, "F:\WINDOWS\System32\svchost.exe -k netsvcs" {"F:\WINDOWS\System32\wkssvc.dll" [MS]}


Keyboard Driver Filters:
------------------------

HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = "kbdclass" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
BJ Language Monitor\Driver = "cnbjmon.dll" [MS]
Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]
Local Port\Driver = "localspl.dll" [MS]
PJL Language Monitor\Driver = "pjlmon.dll" [MS]
Standard TCP/IP Port\Driver = "tcpmon.dll" [MS]
USB Monitor\Driver = "usbmon.dll" [MS]


-- (total run time: 388 seconds)
<<!>>: Suspicious data at a malware launch point.

Mr_JAk3
2007-04-10, 09:27
Hello and sorry for the long delay...

You should print these instructions or save these to a text file. Follow these instructions carefully.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.

Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then OK, and close My Computer.

==================

Backup your registry:
Start
Run
Type the following into the box and hit Ok: regedit
A window opens, click on File
Choose Export from the menu
Change the save location to C:\
Give the filename, RegBackUp
Make sure that the filetype is set to Registry files (*.reg)
Click on Save and Close the window


Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end. (Don't forget to copy and paste the word REGEDIT4):


REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"svchost.exe"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{AF0BE91A-D92D-44F5-9581-64F629762E5A}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
"Debugger"=-



Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.


Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {21CCFFC2-E8D6-028A-ACC9-0AF035F4FB7A} - F:\WINDOWS\system32\rlkkhkl.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {A2270DCF-3A89-4BC2-9F80-CFDB7B01D08B} - F:\WINDOWS\system32\vtsqq.dll (file missing)
O20 - Winlogon Notify: notifyc - F:\WINDOWS\system32\ccc.dll (file missing)
O20 - Winlogon Notify: winwea32 - F:\WINDOWS\SYSTEM32\winwea32.dll

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.

Go to the My Computer and delete the following files (if present):
F:\WINDOWS\SYSTEM32\winwea32.dll
F:\WINDOWS\system32\rlkkhkl.dll
F:\WINDOWS\system32\rjfekun.dll
F:\WINDOWS\system32\gptbuvvkj.dll
F:\WINDOWS\system32\bbqolgm.dll
F:\WINDOWS\system32\imwvgmj.dll

Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

================

When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
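
A .reg file merged through regedit can create, overwrite or delete any key the user has rights to, so it is worth previewing exactly which operations it contains before clicking "yes" at the merge prompt. The following script is an added example (not part of the post above and not a tool the helper supplied): it parses the REGEDIT4 subset the fix uses (`[KEY]` selects a key, `[-KEY]` deletes a key, `"name"=-` deletes a value, `"name"="data"` sets a string) and also performs the two layout checks the post insists on, no text before REGEDIT4 and a blank line at the end. The sample input is the same three operations as the fix; the short notes on why each location matters are the editor's, not the post's.

```python
"""Preview the operations in a REGEDIT4 fix file before merging it.

Added example, not from the forum post. Understands the .reg subset the
fix uses: [KEY] selects a key, [-KEY] deletes a key, "name"=- deletes a
value, "name"="data" sets a string value.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the same three operations as the fix in the post.
SAMPLE_REG = (
    "REGEDIT4\n"
    "\n"
    "[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run]\n"
    '"svchost.exe"=-\n'
    "\n"
    "[-HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler\\{AF0BE91A-D92D-44F5-9581-64F629762E5A}]\n"
    "\n"
    "[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options]\n"
    '"Debugger"=-\n'
    "\n"
)

# Locations the fix touches, with the editor's one-line note on why they matter.
WATCHED_KEYS = {
    "policies\\explorer\\run": "policy-driven autorun, rarely used legitimately",
    "sharedtaskscheduler": "CLSIDs that Explorer loads at every logon",
    "image file execution options": "a Debugger value here intercepts process launches",
}


@dataclass
class RegOp:
    action: str            # delete_key | delete_value | set_value
    key: str
    name: Optional[str] = None
    data: Optional[str] = None


# "name"=data  or  @=data (default value)
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def parse_reg(text: str) -> List[RegOp]:
    """Turn the file into a list of operations; raises on malformed input."""
    lines = text.replace("\r\n", "\n").split("\n")
    if lines[0].strip() != "REGEDIT4":
        raise ValueError("first line must be exactly REGEDIT4")
    ops: List[RegOp] = []
    current: Optional[str] = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            if body.startswith("-"):          # [-KEY] deletes the whole key
                ops.append(RegOp("delete_key", body[1:]))
                current = None
            else:
                current = body
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"unexpected line: {raw!r}")
        name = "@" if m.group(2) else m.group(1)
        data = m.group(3).strip()
        if data == "-":                       # "name"=- deletes the value
            ops.append(RegOp("delete_value", current, name))
        else:
            ops.append(RegOp("set_value", current, name, data))
    return ops


def lint_reg(text: str) -> List[str]:
    """Return the layout problems the post warns about (empty list = OK)."""
    text = text.replace("\r\n", "\n")
    problems = []
    if not text.startswith("REGEDIT4"):
        problems.append("blank line or other text before REGEDIT4")
    if not text.endswith("\n\n"):
        problems.append("no blank line at end of file")
    return problems


def describe(op: RegOp) -> str:
    """One human-readable line per operation, annotated for watched keys."""
    note = next((v for k, v in WATCHED_KEYS.items() if k in op.key.lower()), "")
    target = op.key if op.action == "delete_key" else f"{op.key}\\{op.name}"
    return f"{op.action:<12} {target}" + (f"   ; {note}" if note else "")


if __name__ == "__main__":
    for problem in lint_reg(SAMPLE_REG):
        print("WARNING:", problem)
    for op in parse_reg(SAMPLE_REG):
        print(describe(op))
```

Run it against any fix file you are handed before merging; three delete operations and no warnings is what the fix above should produce, and a `set_value` on a Run key or an IFEO `Debugger` value would be the thing to question.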

kurt24
2007-04-14, 15:34
OK, after a LONG work week I finally have some time to post. Everything went fine except that I could not delete "F:\WINDOWS\SYSTEM32\winwea32.dll". Every time I tried, it said access denied. I checked and the file did not have Read Only or anything like that set. Other than that, I was able to delete everything. Here are the logs. Thanks! :)

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:22:50 AM 4/14/2007

+ Scan result:



F:\System Volume Information\_restore{80829E73-8024-4616-9DCF-3E4F9C008DA0}\RP216\A0107246.dll -> Adware.Altnet : Cleaned.
F:\Documents and Settings\Kurtis Snyder\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-7c728-74071c92.class -> Adware.CWS : Cleaned.
F:\System Volume Information\_restore{80829E73-8024-4616-9DCF-3E4F9C008DA0}\RP216\A0107277.exe -> Adware.Gator : Cleaned.
F:\System Volume Information\_restore{80829E73-8024-4616-9DCF-3E4F9C008DA0}\RP216\A0107280.exe -> Adware.Gator : Cleaned.
F:\System Volume Information\_restore{80829E73-8024-4616-9DCF-3E4F9C008DA0}\RP219\A0109549.DLL -> Adware.MyWaySpeed : Cleaned.
F:\System Volume Information\_restore{80829E73-8024-4616-9DCF-3E4F9C008DA0}\RP219\A0109550.DLL -> Adware.MyWaySpeed : Cleaned.
F:\System Volume Information\_restore{80829E73-8024-4616-9DCF-3E4F9C008DA0}\RP215\A0107232.DLL -> Adware.P2PNet : Cleaned.
F:\System Volume Information\_restore{80829E73-8024-4616-9DCF-3E4F9C008DA0}\RP215\A0107233.cpl -> Adware.P2PNet : Cleaned.
F:\System Volume Information\_restore{80829E73-8024-4616-9DCF-3E4F9C008DA0}\RP215\A0107234.exe -> Adware.P2PNet : Cleaned.
F:\System Volume Information\_restore{80829E73-8024-4616-9DCF-3E4F9C008DA0}\RP217\A0109388.exe -> Adware.Trymedia : Cleaned.
F:\System Volume Information\_restore{80829E73-8024-4616-9DCF-3E4F9C008DA0}\RP217\A0109392.exe -> Adware.Trymedia : Cleaned.
F:\System Volume Information\_restore{80829E73-8024-4616-9DCF-3E4F9C008DA0}\RP217\A0109393.exe -> Adware.Trymedia : Cleaned.
F:\System Volume Information\_restore{80829E73-8024-4616-9DCF-3E4F9C008DA0}\RP217\A0109395.exe -> Adware.Trymedia : Cleaned.
F:\System Volume Information\_restore{80829E73-8024-4616-9DCF-3E4F9C008DA0}\RP217\A0109399.exe -> Adware.Trymedia : Cleaned.
F:\System Volume Information\_restore{80829E73-8024-4616-9DCF-3E4F9C008DA0}\RP217\A0109400.exe -> Adware.Trymedia : Cleaned.
F:\System Volume Information\_restore{1DB8C853-2499-4ACC-A9A6-F479E1B495EC}\RP812\A0327128.exe -> Adware.Ultimate : Cleaned.
F:\System Volume Information\_restore{1DB8C853-2499-4ACC-A9A6-F479E1B495EC}\RP813\A0328170.dll -> Adware.Virtumonde : Cleaned.
F:\System Volume Information\_restore{1DB8C853-2499-4ACC-A9A6-F479E1B495EC}\RP813\A0328173.dll -> Adware.Virtumonde : Cleaned.
F:\VundoFix Backups\fccccyy.dll.bad -> Adware.Virtumonde : Cleaned.
F:\VundoFix Backups\ssqrrrs.dll.bad -> Adware.Virtumonde : Cleaned.
F:\System Volume Information\_restore{1DB8C853-2499-4ACC-A9A6-F479E1B495EC}\RP810\A0320027.exe -> Downloader.Agent.apb : Cleaned with backup (quarantined).
F:\WINDOWS\system32\clcrb.log -> Downloader.Agent.apb : Cleaned with backup (quarantined).
F:\System Volume Information\_restore{80829E73-8024-4616-9DCF-3E4F9C008DA0}\RP216\A0107239.exe -> Downloader.Keenval.f : Cleaned with backup (quarantined).
F:\Documents and Settings\Kurtis Snyder\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv74.jar-2738e991-6fd844e4.zip/Matrix.class -> Downloader.OpenStream.c : Cleaned with backup (quarantined).
F:\System Volume Information\_restore{1DB8C853-2499-4ACC-A9A6-F479E1B495EC}\RP806\A0314849.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
F:\System Volume Information\_restore{1DB8C853-2499-4ACC-A9A6-F479E1B495EC}\RP807\A0314870.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
F:\System Volume Information\_restore{1DB8C853-2499-4ACC-A9A6-F479E1B495EC}\RP808\A0314886.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
F:\System Volume Information\_restore{1DB8C853-2499-4ACC-A9A6-F479E1B495EC}\RP808\A0314900.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
F:\System Volume Information\_restore{1DB8C853-2499-4ACC-A9A6-F479E1B495EC}\RP808\A0314966.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
F:\System Volume Information\_restore{1DB8C853-2499-4ACC-A9A6-F479E1B495EC}\RP809\A0317015.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
F:\Documents and Settings\Kurtis Snyder\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv74.jar-2738e991-6fd844e4.zip/Dummy.class -> Not-A-Virus.Exploit.ByteVerify : Cleaned with backup (quarantined).
:mozilla.5:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Profiles\default\hfew7ryo.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.19:F:\Documents and Settings\Kurtis Snyder\Application Data\Mozilla\Firefox\Profiles\default.d7t\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.20:F:\Documents and Settings\Kurtis Snyder\Application Data\Mozilla\Firefox\Profiles\default.d7t\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.95:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.96:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.97:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.98:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.99:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.12:F:\Documents and Settings\Kurtis Snyder\Application Data\Mozilla\Firefox\Profiles\default.d7t\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.55:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.8:F:\Documents and Settings\Kurtis Snyder\Application Data\Mozilla\Firefox\Profiles\default.d7t\cookies.txt -> TrackingCookie.Bfast : Cleaned.
:mozilla.25:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Com : Cleaned.
:mozilla.26:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Com : Cleaned.
:mozilla.11:F:\Documents and Settings\Kurtis Snyder\Application Data\Mozilla\Firefox\Profiles\default.d7t\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.86:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.157:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.158:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.159:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.160:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.161:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.89:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.105:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.106:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.107:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.108:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.109:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.21:F:\Documents and Settings\Kurtis Snyder\Application Data\Mozilla\Firefox\Profiles\default.d7t\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.22:F:\Documents and Settings\Kurtis Snyder\Application Data\Mozilla\Firefox\Profiles\default.d7t\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.118:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.120:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.87:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.88:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.6:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Profiles\default\hfew7ryo.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.7:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Profiles\default\hfew7ryo.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.8:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Profiles\default\hfew7ryo.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.18:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Profiles\default\hfew7ryo.slt\cookies.txt -> TrackingCookie.Real : Cleaned.
:mozilla.19:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Profiles\default\hfew7ryo.slt\cookies.txt -> TrackingCookie.Real : Cleaned.
:mozilla.14:F:\Documents and Settings\Kurtis Snyder\Application Data\Mozilla\Firefox\Profiles\default.d7t\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.15:F:\Documents and Settings\Kurtis Snyder\Application Data\Mozilla\Firefox\Profiles\default.d7t\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.16:F:\Documents and Settings\Kurtis Snyder\Application Data\Mozilla\Firefox\Profiles\default.d7t\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.33:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.34:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.35:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.36:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.37:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.38:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.39:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.40:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.41:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.42:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.43:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.44:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.45:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.46:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.47:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.10:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Profiles\default\hfew7ryo.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.11:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Profiles\default\hfew7ryo.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.12:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Profiles\default\hfew7ryo.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.139:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.140:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.141:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.142:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.143:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.144:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.145:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.146:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.147:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.148:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.149:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.150:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.151:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.152:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.153:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.154:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.155:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.156:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.100:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.101:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.102:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.103:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.104:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.14:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.90:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.162:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.163:F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Application Data\Mozilla\Firefox\Profiles\default.dnh\cookiesnew.txt -> TrackingCookie.Zedo : Cleaned.
F:\Documents and Settings\Kurtis Snyder\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-1ebd1e05-1fbd0208.class -> Trojan.ClassLoader.Dummy.c : Cleaned with backup (quarantined).


::Report end

kurt24
2007-04-14, 15:35
Logfile of HijackThis v1.99.1
Scan saved at 7:29:17 AM, on 4/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
F:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
F:\Program Files\Common Files\Symantec Shared\ccProxy.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Desktop\AntiSpyware\AVG Anti-Spyware 7.5\guard.exe
F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
F:\WINDOWS\system32\CTsvcCDA.EXE
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\MsPMSPSv.exe
F:\WINDOWS\Mixer.exe
F:\WINDOWS\system32\RunDLL32.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
D:\Program Files\QuickTime\qttask.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
F:\Program Files\Microsoft ActiveSync\wcescomm.exe
F:\PROGRA~1\MICROS~3\rapimgr.exe
F:\WINDOWS\system32\wuauclt.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Desktop\HijakThis\scaner.exe.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - F:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - F:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - F:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - F:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [\\SNYDER-0S2T6B38\EPSON Stylus CX6600 Series] F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P44 "\\SNYDER-0S2T6B38\EPSON Stylus CX6600 Series" /O6 "USB001" /M "Stylus CX6600"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "F:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [WinPatrol] F:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] F:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKCU\..\Run: [Creative Detector] "D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O8 - Extra context menu item: &AIM Search - res://F:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///F:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///F:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///F:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///F:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - F:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winwea32 - F:\WINDOWS\SYSTEM32\winwea32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - F:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - F:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Desktop\AntiSpyware\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - F:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - F:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - F:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

Mr_JAk3
2007-04-14, 22:32
Hi, looks much better :)

Ok, let's kill the persistent one...

Open HijackThis.
Open the Misc Tools section
Delete a file on Reboot
Copy the following line to the filename box and press Open: F:\WINDOWS\SYSTEM32\winwea32.dll
Answer Yes
Reboot the computer if it isn't restarted automatically

Post a fresh hijackthis log and let me know how the computer is running :bigthumb:
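
The "access denied" in the previous reply is what you expect for a Winlogon Notify DLL: winlogon.exe loads it at logon (in Safe Mode too), and Windows will not let a mapped DLL be deleted, hence the delete-on-reboot route. The fresh log will show whether the entry is gone. As an added example (not HijackThis code and not from the thread), the script below parses the O2 and O20 lines of a log, sorts each into orphan, suspicious, review or ok, and diffs two logs to list what a fix actually removed. The heuristics are the editor's: a "(file missing)" or "(no file)" entry is an orphan registry pointer; a system32 DLL whose name has no vowels is treated as random-looking; a Winlogon Notify subkey outside a small allowlist (assumed here: WgaLogon, seen in the clean log) needs review. The "before" sample is the helper's fix list plus a few clean lines; the "after" sample is constructed to match the state after the fix.

```python
"""Triage O2/O20 lines from a HijackThis log and diff two logs.

Added example, not HijackThis's own code and not from the thread. The
heuristics are the editor's: a missing file is an orphan entry, a
vowel-less DLL name looks random, a Winlogon Notify subkey outside the
allowlist needs review.
"""
import re
from typing import Dict, List, NamedTuple, Set

# Constructed samples: "before" is the helper's fix list plus clean lines,
# "after" is the state once the fix has taken effect.
BEFORE = """
O2 - BHO: (no name) - {21CCFFC2-E8D6-028A-ACC9-0AF035F4FB7A} - F:\\WINDOWS\\system32\\rlkkhkl.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {A2270DCF-3A89-4BC2-9F80-CFDB7B01D08B} - F:\\WINDOWS\\system32\\vtsqq.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\\Program Files\\Java\\jre1.5.0_06\\bin\\ssv.dll
O20 - Winlogon Notify: notifyc - F:\\WINDOWS\\system32\\ccc.dll (file missing)
O20 - Winlogon Notify: WgaLogon - F:\\WINDOWS\\SYSTEM32\\WgaLogon.dll
O20 - Winlogon Notify: winwea32 - F:\\WINDOWS\\SYSTEM32\\winwea32.dll
"""
AFTER = """
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\\Program Files\\Java\\jre1.5.0_06\\bin\\ssv.dll
O20 - Winlogon Notify: WgaLogon - F:\\WINDOWS\\SYSTEM32\\WgaLogon.dll
O20 - Winlogon Notify: winwea32 - F:\\WINDOWS\\SYSTEM32\\winwea32.dll
"""

# Assumed allowlist of Winlogon Notify subkeys for this machine.
KNOWN_NOTIFY = {"wgalogon"}


class Entry(NamedTuple):
    section: str   # "O2" or "O20"
    name: str      # BHO display name or Notify subkey name
    path: str      # file path, possibly with "(file missing)", or "(no file)"


LINE_RE = re.compile(r"^(O2|O20) - (?:BHO|Winlogon Notify): (.*?) - (.*)$")


def parse_entries(log: str) -> List[Entry]:
    """Extract O2 (BHO) and O20 (Winlogon Notify) entries from a log."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        section, name, rest = m.groups()
        if section == "O2" and " - " in rest:
            rest = rest.split(" - ", 1)[1]   # drop the CLSID, keep the path
        entries.append(Entry(section, name, rest))
    return entries


def looks_random(filename: str) -> bool:
    """Heuristic: five or more letters and not a single vowel."""
    stem = re.sub(r"\.dll$", "", filename.lower())
    stem = re.sub(r"\d+$", "", stem)        # ignore trailing digits
    return len(stem) >= 5 and not any(c in "aeiouy" for c in stem)


def triage(entry: Entry) -> str:
    """Return one of: orphan, suspicious, review, ok."""
    if "(file missing)" in entry.path or entry.path == "(no file)":
        return "orphan"                     # registry points at nothing
    if looks_random(entry.path.split("\\")[-1]):
        return "suspicious"
    if entry.section == "O20" and entry.name.lower() not in KNOWN_NOTIFY:
        return "review"                     # runs inside winlogon.exe at logon
    if entry.section == "O2" and entry.name == "(no name)":
        return "review"
    return "ok"


def triage_log(log: str) -> Dict[Entry, str]:
    return {e: triage(e) for e in parse_entries(log)}


def removed_between(before: str, after: str) -> Set[Entry]:
    """Entries present in the earlier log but gone from the later one."""
    return set(parse_entries(before)) - set(parse_entries(after))


if __name__ == "__main__":
    for entry, verdict in triage_log(BEFORE).items():
        print(f"{verdict:<10} {entry.section:<4} {entry.name:<16} {entry.path}")
    print("removed by fix:", len(removed_between(BEFORE, AFTER)))
    print("still present:", [e.name for e, v in triage_log(AFTER).items() if v != "ok"])
```

On the constructed samples the diff shows four entries gone and `winwea32` still present and still marked for review, which is exactly the situation the delete-on-reboot step addresses; once the next log no longer lists it, the same diff reports it as removed.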

kurt24
2007-04-15, 08:11
OK, I did what you said and winwea is now deleted! That's good. The computer is running much faster... back to its old self! Here is the new logfile :D

Logfile of HijackThis v1.99.1
Scan saved at 12:09:07 AM, on 4/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
F:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
F:\Program Files\Common Files\Symantec Shared\ccProxy.exe
F:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Desktop\AntiSpyware\AVG Anti-Spyware 7.5\guard.exe
F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
F:\WINDOWS\system32\CTsvcCDA.EXE
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\MsPMSPSv.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\Mixer.exe
F:\WINDOWS\system32\RunDLL32.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
D:\Program Files\QuickTime\qttask.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
F:\Program Files\Microsoft ActiveSync\wcescomm.exe
F:\PROGRA~1\MICROS~3\rapimgr.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Desktop\HijakThis\scaner.exe.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - F:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - F:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - F:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - F:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [\\SNYDER-0S2T6B38\EPSON Stylus CX6600 Series] F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P44 "\\SNYDER-0S2T6B38\EPSON Stylus CX6600 Series" /O6 "USB001" /M "Stylus CX6600"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "F:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [WinPatrol] F:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] F:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKCU\..\Run: [Creative Detector] "D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O8 - Extra context menu item: &AIM Search - res://F:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///F:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///F:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///F:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///F:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - F:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winwea32 - winwea32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - F:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - F:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\Documents and Settings\Kurtis Snyder.CLEARCOM-1\Desktop\AntiSpyware\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - F:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - F:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - F:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

Mr_JAk3
2007-04-15, 21:43
Hi again, it is looking clean now :)

Fix this leftover with Hijackthis and restart the computer:
O20 - Winlogon Notify: winwea32 - winwea32.dll (file missing)

Scan again with Hijackthis and the line should be gone now.

Now you can clean AVG's Quarantine:
Open AVG Anti-Spyware
Click Infections
Click Quarantine tab
Click Select all
Click Remove finally
Close the program
You can remove the tools we used.

Then you should update your Java to the latest version (6u1):
Start
Control Panel
Add/Remove Programs
Delete the old Java, J2SE Runtime Environment 5.0 Update 6
Download the latest version of Java Runtime Environment (JRE) 6u1 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement."
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Install it

Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then OK, and close My Computer.

=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.

Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use AVG Anti-Spyware (http://www.ewido.net/en/)
Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is a faster and more secure browser than Internet Explorer.

Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly. How to enable Automatic Updates? (http://www.bleepingcomputer.com/tutorials/tutorial35.html)

Keep your antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) and firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) up-to-date
Scan your computer regularly with your antivirus software.

Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?

Stand Up and Be Counted! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Stay clean and be safe ;)
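The O20 leftover above is the kind of entry worth catching automatically when reading a HijackThis log: a Winlogon Notify DLL that winlogon.exe would try to load at every logon but that no longer exists on disk. As an added example, not part of this thread or of HijackThis, the Python below parses HijackThis-style lines and flags O20 Winlogon Notify entries that are marked "(file missing)" or are given as a bare filename rather than a full path; the sample lines are constructed from the log format shown in this thread.

```python
import re

# Constructed sample lines in HijackThis v1.99.1 format, modelled on the log in this thread
SAMPLE_LOG = """\
O20 - Winlogon Notify: WgaLogon - F:\\WINDOWS\\SYSTEM32\\WgaLogon.dll
O20 - Winlogon Notify: winwea32 - winwea32.dll (file missing)
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - F:\\Program Files\\Common Files\\Symantec Shared\\ccProxy.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - F:\\Program Files\\Common Files\\Symantec Shared\\ccSvcHst.exe" /h ccCommon (file missing)
O4 - HKLM\\..\\Run: [ccApp] "F:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"""

# General shape of a HijackThis entry: "<section code> - <rest of line>"
LINE_RE = re.compile(r"^(O\d+|R\d+|F\d+|N\d+)\s+-\s+(.*)$")


def parse_entries(log_text):
    """Split a HijackThis log into dicts with section, body and a file-missing flag."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header lines, the process list and blank lines are skipped
        section, body = m.groups()
        missing = body.endswith("(file missing)")
        if missing:
            body = body[: -len("(file missing)")].rstrip()
        entries.append({"section": section, "body": body, "file_missing": missing})
    return entries


def winlogon_notify_leftovers(entries):
    """Return the names of O20 Winlogon Notify entries whose DLL is absent or unqualified.

    Winlogon Notify DLLs are loaded into winlogon.exe at logon, so a stale entry is a
    persistence leftover, and a bare filename means the DLL is resolved via the search path.
    """
    flagged = []
    for e in entries:
        if e["section"] != "O20" or not e["body"].startswith("Winlogon Notify:"):
            continue
        # body looks like "Winlogon Notify: <name> - <dll>"
        _, _, rest = e["body"].partition(": ")
        name, _, dll = rest.partition(" - ")
        bare_name = re.match(r"^[A-Za-z]:\\", dll) is None  # no drive-letter path
        if e["file_missing"] or bare_name:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    print(winlogon_notify_leftovers(parse_entries(SAMPLE_LOG)))  # ['winwea32']
```

Service (O23) lines that end in "(file missing)" are deliberately not flagged here; the Symantec ones in this log carry a quoted path plus arguments, which deserves a manual look rather than automatic removal.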

kurt24
2007-04-19, 16:29
Well, my baby is back to her old self thanks to you Mr_JAk3! Thank you so much for taking your own time to help me rid my computer of that sh**. Thank you, thank you, thank you!! :bigthumb:

Mr_JAk3
2007-04-19, 20:42
That's great news and you're very welcome :D:

As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.

Glad we could help :2thumb: