Zombie PC


Bear07
2007-06-04, 23:42
I think there's malware on my PC that's sending out spam, because I keep getting "mail delivery failed" messages regarding emails that I'm not sending. I'm also getting other strange spam mail that appears to be coming from my own email accounts.

Here is the HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 4:11:47 PM, on 6/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\WINDOWS\anvshell.exe
C:\Program Files\RAMpage\RAMpage.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ClipMate7\clipmate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\hijackthis\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [RAMpage] "C:\Program Files\RAMpage\RAMpage.exe" U=1 M=28 T=4 LW P="C:\Program Files\RAMpage\RAMpageConfig.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ClipMate7] C:\Program Files\ClipMate7\clipmate.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagead/preview/en/preview.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3F0EECCE-E138-11D1-8712-0060083D83F5} (LPViewer Class) - http://www.iseemedia.com/activex/LPControl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126413452031
O16 - DPF: {77DD44BF-551D-4E3C-82CD-D637D5018D3C} - http://www.surveys.com/promptcast/Installs/SURVEYS.COM%20PROMPTCAST%20SETUP.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://prweb.webex.com/client/v_mywebex-t20/event/ieatgpc.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {ED4E6F97-FA1A-4634-B550-AABFEB8DA009} (TulipPlayer Class) - http://www.exstream.to/tulip/cab/3,0,5,19/TulipPlayer2.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: ASUS Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


When I did the online scan, Trend Micro found and deleted Java Byteverify and Alexa. eTrust Antivirus Web Scanner found nothing.

Thank you,

Bear

Mr_JAk3
2007-06-05, 20:36
Hello and welcome to the Forums :)

Let's do some research... nothing bad in the HijackThis log.


Please run a GMER Rootkit scan:

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning! Please do not select the "Show all" checkbox during the scan.

Bear07
2007-06-05, 23:19
Here are the results of the GMER Rootkit scan:

GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-06-05 16:04:34
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT 860C6109 ZwCreateThread
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [ F0, 61, 1E, F1, 80, C4, 1E, ... ]
? srescan.sys The system cannot find the file specified.
? C:\WINDOWS\System32\DRIVERS\update.sys
.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [ F0, 61, 1E, F1, 80, C4, 1E, ... ]

---- User code sections - GMER 1.0.12 ----

.text C:\WINDOWS\system32\services.exe[676] kernel32.dll!ReadFile 7C80180E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[676] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[676] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[676] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[676] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[676] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[676] kernel32.dll!WriteFile 7C810D87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[676] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[676] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[676] kernel32.dll!WinExec 7C86136D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[676] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[676] WS2_32.dll!select 71AB2DC0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[676] WS2_32.dll!socket 71AB3B91 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[676] WS2_32.dll!bind 71AB3E00 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[676] WS2_32.dll!send 71AB428A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[676] WS2_32.dll!recv 71AB615A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[676] WININET.dll!InternetReadFile 42C2ABBC 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[676] WININET.dll!InternetOpenA 42C2C869 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[676] WININET.dll!InternetOpenUrlA 42C306DD 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[688] kernel32.dll!ReadFile 7C80180E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[688] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[688] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[688] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[688] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[688] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[688] kernel32.dll!WriteFile 7C810D87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[688] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[688] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[688] kernel32.dll!WinExec 7C86136D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[688] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[688] WS2_32.dll!select 71AB2DC0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[688] WS2_32.dll!socket 71AB3B91 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[688] WS2_32.dll!bind 71AB3E00 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[688] WS2_32.dll!send 71AB428A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[688] WS2_32.dll!recv 71AB615A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[688] WININET.dll!InternetReadFile 42C2ABBC 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[688] WININET.dll!InternetOpenA 42C2C869 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[688] WININET.dll!InternetOpenUrlA 42C306DD 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[836] kernel32.dll!ReadFile 7C80180E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[836] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[836] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[836] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[836] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[836] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[836] kernel32.dll!WriteFile 7C810D87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[836] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[836] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[836] kernel32.dll!WinExec 7C86136D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[836] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[836] WS2_32.dll!select 71AB2DC0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[836] WS2_32.dll!socket 71AB3B91 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[836] WS2_32.dll!bind 71AB3E00 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll

Bear07
2007-06-05, 23:21
Continuing results from GMER Rootkit scan:

.text C:\WINDOWS\system32\svchost.exe[836] WS2_32.dll!send 71AB428A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[836] WS2_32.dll!recv 71AB615A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[836] WININET.dll!InternetReadFile 42C2ABBC 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[836] WININET.dll!InternetOpenA 42C2C869 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[836] WININET.dll!InternetOpenUrlA 42C306DD 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!ReadFile 7C80180E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!WriteFile 7C810D87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!WinExec 7C86136D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[920] WS2_32.dll!select 71AB2DC0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[920] WS2_32.dll!socket 71AB3B91 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[920] WS2_32.dll!bind 71AB3E00 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[920] WS2_32.dll!send 71AB428A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[920] WS2_32.dll!recv 71AB615A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[920] WININET.dll!InternetReadFile 42C2ABBC 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[920] WININET.dll!InternetOpenA 42C2C869 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[920] WININET.dll!InternetOpenUrlA 42C306DD 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!ReadFile 7C80180E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!WriteFile 7C810D87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!WinExec 7C86136D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1056] WS2_32.dll!select 71AB2DC0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1056] WS2_32.dll!socket 71AB3B91 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1056] WS2_32.dll!bind 71AB3E00 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1056] WS2_32.dll!send 71AB428A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1056] WS2_32.dll!recv 71AB615A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1056] WININET.dll!InternetReadFile 42C2ABBC 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1056] WININET.dll!InternetOpenA 42C2C869 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1056] WININET.dll!InternetOpenUrlA 42C306DD 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!ReadFile 7C80180E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!WriteFile 7C810D87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!WinExec 7C86136D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1100] WS2_32.dll!select 71AB2DC0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1100] WS2_32.dll!socket 71AB3B91 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1100] WS2_32.dll!bind 71AB3E00 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1100] WS2_32.dll!send 71AB428A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1100] WS2_32.dll!recv 71AB615A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1100] WININET.dll!InternetReadFile 42C2ABBC 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1100] WININET.dll!InternetOpenA 42C2C869 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1100] WININET.dll!InternetOpenUrlA 42C306DD 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!ReadFile 7C80180E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!WriteFile 7C810D87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!WinExec 7C86136D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1124] WS2_32.dll!select 71AB2DC0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1124] WS2_32.dll!socket 71AB3B91 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1124] WS2_32.dll!bind 71AB3E00 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1124] WS2_32.dll!send 71AB428A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1124] WS2_32.dll!recv 71AB615A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1124] WININET.dll!InternetReadFile 42C2ABBC 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1124] WININET.dll!InternetOpenA 42C2C869 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1124] WININET.dll!InternetOpenUrlA 42C306DD 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!ReadFile 7C80180E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!WriteFile 7C810D87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!WinExec 7C86136D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1224] WS2_32.dll!select 71AB2DC0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1224] WS2_32.dll!socket 71AB3B91 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1224] WS2_32.dll!bind 71AB3E00 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1224] WS2_32.dll!send 71AB428A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1224] WS2_32.dll!recv 71AB615A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1224] WININET.dll!InternetReadFile 42C2ABBC 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1224] WININET.dll!InternetOpenA 42C2C869 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1224] WININET.dll!InternetOpenUrlA 42C306DD 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1420] kernel32.dll!ReadFile 7C80180E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll

Bear07
2007-06-05, 23:23
Continuing results from GMER Rootkit scan:

.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1420] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1420] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1420] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1420] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1420] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1420] kernel32.dll!WriteFile 7C810D87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1420] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1420] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1420] kernel32.dll!WinExec 7C86136D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1420] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1420] WS2_32.dll!select 71AB2DC0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1420] WS2_32.dll!socket 71AB3B91 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1420] WS2_32.dll!bind 71AB3E00 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1420] WS2_32.dll!send 71AB428A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1420] WS2_32.dll!recv 71AB615A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1420] WININET.dll!InternetReadFile 42C2ABBC 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1420] WININET.dll!InternetOpenA 42C2C869 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1420] WININET.dll!InternetOpenUrlA 42C306DD 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1848] kernel32.dll!ReadFile 7C80180E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1848] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1848] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1848] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1848] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1848] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1848] kernel32.dll!WriteFile 7C810D87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1848] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1848] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1848] kernel32.dll!WinExec 7C86136D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1848] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1848] WININET.dll!InternetReadFile 42C2ABBC 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1848] WININET.dll!InternetOpenA 42C2C869 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1848] WININET.dll!InternetOpenUrlA 42C306DD 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1848] WS2_32.dll!select 71AB2DC0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1848] WS2_32.dll!socket 71AB3B91 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1848] WS2_32.dll!bind 71AB3E00 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1848] WS2_32.dll!send 71AB428A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1848] WS2_32.dll!recv 71AB615A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2080] kernel32.dll!ReadFile 7C80180E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2080] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2080] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2080] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2080] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2080] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2080] kernel32.dll!WriteFile 7C810D87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2080] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2080] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2080] kernel32.dll!WinExec 7C86136D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2080] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2080] WS2_32.dll!select 71AB2DC0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2080] WS2_32.dll!socket 71AB3B91 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2080] WS2_32.dll!bind 71AB3E00 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2080] WS2_32.dll!send 71AB428A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2080] WS2_32.dll!recv 71AB615A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2080] WININET.dll!InternetReadFile 42C2ABBC 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2080] WININET.dll!InternetOpenA 42C2C869 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2080] WININET.dll!InternetOpenUrlA 42C306DD 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2504] kernel32.dll!ReadFile 7C80180E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2504] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2504] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2504] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2504] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2504] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2504] kernel32.dll!WriteFile 7C810D87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2504] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2504] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2504] kernel32.dll!WinExec 7C86136D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2504] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2504] WS2_32.dll!select 71AB2DC0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2504] WS2_32.dll!socket 71AB3B91 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2504] WS2_32.dll!bind 71AB3E00 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2504] WS2_32.dll!send 71AB428A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2504] WS2_32.dll!recv 71AB615A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2504] WININET.dll!InternetReadFile 42C2ABBC 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2504] WININET.dll!InternetOpenA 42C2C869 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2504] WININET.dll!InternetOpenUrlA 42C306DD 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F11F78A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F11F78A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F11F78A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F11F78A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F11F78A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F11F78A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F11F78A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F11F78A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F11F78A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F11F78A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F11F78A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F11F78A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F11F78A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F11F78A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F11F78A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F11F78A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F11F78A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F11F78A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F11F78A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F11F78A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [F11F78A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [F11F78A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [F11F78A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F11F78A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [F11F78A0] vsdatant.sys

---- Files - GMER 1.0.12 ----

File C:\EPIC\
File C:\epson\
File C:\epson10464\
File C:\FreeFromHoverAdGernerator\
File C:\GODADDY\
File C:\Hewlett-Packard\
File C:\HP\
File C:\Internet Marketing Center\
File C:\KEITH\
File C:\Pictures\

---- EOF - GMER 1.0.12 ----

Mr_JAk3
2007-06-06, 20:50
Hmm ok...

those emails that you're receiving may just be spam.

Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under Select a target to scan: Select My Computer

This program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

Bear07
2007-06-07, 02:42
Here are the results from the Kaspersky scan:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, June 06, 2007 7:36:24 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 6/06/2007
Kaspersky Anti-Virus database records: 341017
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 128501
Number of viruses found: 10
Number of infected objects: 81 / 0
Number of suspicious objects: 0
Duration of the scan process: 03:11:13

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\00bfe20763eace130ac012a687d1ceeb_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\019d57a528e34e8eb77304a7e3295bfc_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\024ceed2268dbcd60d59560010950c45_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\026367cbc1c04f38a043b27908883edc_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\077b71d4033ceafc908a3e5f1b517cf5_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0795aa8e4b5a7a2676eb5a097a9c9a73_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0889754a8e5ec9298837dc2b744f2538_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\094c287d7dc5cab53a0caabb0d299a1d_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0ec5198c5788c9e2f0f5c66716ce271c_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\12a0369c00bf804c8034139eba1ca6f9_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\18f54700fc559aa8f41642eac1290f11_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\19aa6946a42a4f0a20c4aac7f2b881f5_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\19b52e4be6c0fd066de49d67aca3d223_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1ab46c95911a4f3bbc62c780a614a38b_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1abaaadf3732708d59534f098fb005a4_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1f8043a9fbcc1960b6250f37ed3d7a24_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\20225ebb86a88737def4c99819dc9a80_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2054eefc25b385a9bea92837e625da0a_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2056c85330b45c9f14a8f05b43b4798f_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\25b53345ae251bff2db8aacd85fa7f87_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\29093b5ea3ddc0b22c51eb6cd85c3a76_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\29a0c4045a590d609a72faf57d26d511_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2a3625aecfe9f1ae6cb811230b3243d6_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2e1ef5583d5ef81a1b6b23ac14f0562b_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2f8c6d433942be9531ded5cd037ae5c2_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\314fd92dcdc43ebed3d0f0a388b979a7_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3206a5c7255d27d9b076da6de414300e_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\343e2fa7e4d7da12e0d87a2e051bb432_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\35845ad3609f16d425f5ffaf44414207_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\37edebef58223de2d0c3a5d535505999_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\38743915c704c18b405bb61c12e07f00_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\38e05e31758b1910f97c9d87ef74fd2c_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\390df13bcd06d16433fcc20f0f877e84_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3bc789238f0f2c447138ab69d6a63840_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3d1dc15c6ea837ad16aa13804123eb29_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3fabfca06d7d4641a5bc12f0db5ab099_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4191ba7d28d451232afc0e08a638b649_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\42edaac0b23562baae4c209b6e6b4e5e_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\47146a064c1f5fa89eeb96b49c6c6e9e_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4750deb12dff978d2201b33cca9299f1_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\48abb6ea40ba7b72da2f4063f47d88be_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\49a61815ea0b5325e206b34293269ae9_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4a3669eb8a2faad58fc2b1d67bc0cd77_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4cf9519f39c885cce1830a3532725f07_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4d560896007048f3c6fd8b4095f4ebba_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4ece9238ab42fd141bbc93a8aa219eed_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\500d70b43916af3e60c86599fac69ce1_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\513943e3137635dc3fe19094efff6b14_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\530f6e59fee4d870846dbf9b1870df8a_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5356a02e262604ee3a30a366bd544cc9_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\55cbb4161a6eac34eca2b47ca3ac61d5_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5639b7bc5eba763b85cd0fd7de496a13_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\563b1d192446150791d8c965468a942c_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\57ba7073eb72cd9832b151098f70856b_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5a29f04eede5633d7635cbf1d762f078_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5b48ae590daebc432835cac9d49c89f7_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5c5809fb46d6115911f5dda30edbe177_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5cb699b1f5f84577109c2ef3d669b97d_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5cc93b79b56f8b37648cee2d3653aef6_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5d013971d4639ccd4b53dfe63de53c40_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5d1bb0a98e97682b63e2fd3126d48d97_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5d7aa7865950f3ae849e7d57749808b0_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\601c25188c79231b5de5521e5c1ea40c_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\60bca84f4db6f692ad95353a9d1e884f_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\61080f28d4b88c147a0832fd47bf0dce_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\628ab0a7dd4f510446d7cf4019017f9a_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\63cb52a3b1fe2380808872ddb49aaf09_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6587e29a0a418e98647e8f852e73d915_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6654836fb73dc437d153383f70877220_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\665ebacb8bfc90e1d7c7b289cdc44dca_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\686d36f72609537ad7c95f0bba408e46_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6a2184ca3da6345f2f6a5da99e884f20_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6b35f1bc9e704d06e6225d3d78841043_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6b84a4f64c0205acee620b79944c38e1_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6c4e79d1565acec3d8606180fec8e825_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6dfb8fc176d61567722369c9f7cd62f5_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6e87a9ddd193f33271277f1ff9cd1fe1_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6f77be84e32dddb4c50902df997e18a6_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\70379aea12474f013356b6cd9b0bef7c_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\73a597126501f566f62125d2f099d631_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\73c539cf92fa948fa7b22bf777de454d_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\73f96f552b2a87ab76470650e35953eb_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7a518c7433d3d8d2d329b61586e16958_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7b241770916e4cadc0a4a7fa6e011bf8_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7c43764e96552134e47cd95355d2e511_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7d2e6a2e86d0233cd00759c00fec2682_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7d31602dd5f8117dab83cb1f6c2e9f9c_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7de79f54a84a05fef13651f9e28b6d27_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7f1f6d0af764a413411abdb1588bc4e1_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7fc7a2cc3bed504593378d911929b20a_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\80c43cda4ec36411fc6091911fef27df_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\859aeece058261eba619c4c9d9f68edc_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\863e450e10b60a645bc5baa9b1854c58_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\87281d21d1c40686f49cfa54b5038f26_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\880e1f77f955b2270224c40b6a28e48c_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8821999353d1c68b0bb69e1810ba20d0_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8da6fcba46af2d5850137f1727e6ec3f_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8e72b4891d8dc0727bd31cd35d9b40a7_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8f9b9fcf79ec3b922b59961bec71b99a_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\9259181cbb18b6a147fa9f337f8e7228_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped

Bear07
2007-06-07, 02:46
Continuing Kaspersky results:

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\941ef9ec8d1ce3bf8c7c019973acc7cf_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\94ae041365cfdf9f2dbbd98f53f1e250_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\9617f8c41223cd3db1768136b383a732_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\96ab6ae8f8314efd84534a1f5c22b113_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\9aaad20fe9fca07a2e0ca99d7f8dd4b7_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\9ce735565bf78a62e7622d3ff74379fa_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\9e64a91b5e06915bda262e17a3377093_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\9e7fb38af69bcbb362720947f6ee7de9_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a115bb55f9f3a44df546767b073a1877_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a11cef9b12271e3e1efbc518e770e2f7_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a15f041291df948af25f8dc27322be70_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a220d8e08b43c1be790ff146b25ed774_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a245c235bae1159028afc99cb9ca354d_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a3ae8d0a06a1b3f8525eb7d8d263e12d_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a3ffe166e93fa6140b0b595da5ce254d_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a4d581731dd71e842c8ebfa8ba7125c5_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a6a0f0db3198681a0eae70d1b73b0ffd_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a6b7cd0ff54db905290a066d9b61a118_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a6d4c71f2597913662b27452ac0b66d5_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a754aae5db6039075ac0ef11b49ba106_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a8ccb06c5d803ce0de76789eae761cf7_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a91e8c537c146cdfd6a8af03b1551b07_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a959caaf32ea9f3c3de714d23426ccb2_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\aab0cde99fe47faa0b545aded951f915_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\aaff3bda7bb3ea203aacf4ebfb365193_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ab2735a92577e2fbb6dec4dd996d910a_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ad664eac6338e5a7b66335a26cdcb8d7_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b31311d7e3b89d2901598ddfd2bcb746_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b4af671c495469c8e16b93adbb2c7a28_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b56f12225301f1db1cf1bb28abf65442_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b598dbc3dc350ffc91f49b34a4615665_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b903435bb189118728666499d4f0e20f_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b9a9008209dc37c65092359787e8aded_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\bbf518dd825b095057b8cff4aa21bbef_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c2e6782d95832a749ed8fd18f8456cfe_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c324db7d77f9efb5cd22d4f849036b22_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c3f4b604c0f6e91bce2b96f0d1c38742_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c4bdc087f9e125ded2665347fe4ba5d5_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c4f0d789989a45c425ab39fb3c8a569b_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c6e985ef57522deb46df9ff0428eefb6_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c702b4a01ef4d7bfeb5175d8295faf71_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c71195ca44d3d3d2a23a678c76d3adaa_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c7461992e132196383180f8da6902a42_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c81a4871a7da4434825354009aea78fa_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c85a45606076e1085ecccb2549fcf005_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c8f2871648a1b7bc2646481b628f718c_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\cbc7794a5ed173d7854905e35e24e1fb_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\cc532f28e875e66f211ec116bb5e0212_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ccfdf97686fcb4aab956e46dfa5a51d6_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\cf12dfec9d728c86269aa22388e8a23b_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d0bdd874c86879e1364e6d57a1d4a462_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d3c74c51664d65b9b4ee76bed4febaed_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d3d1fbd79c38c8db47fec4f0c1d0a5fa_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d994b852d03d1e9acbbe16a17eb45f68_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\daa1d4e2a4e7bab936785c14449b4f5f_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\dad29635b4dd796a6478881a9db049e4_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\dae515cf34aef357c5e0030787330b87_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\db5daa364054c0fd6d739a3667be9e0c_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\dc70940ed5a0a9382bb1cf3e5e4531ac_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e1ed72663fffa22a24667e2b638c7735_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e1f806e9d0b8a4dea29158c88126ecfc_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e72adb61e306e75716bedb873c7ae1c0_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e7c9c45803c39db3f7d52a20650a80d1_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e95752c9ec4ca303ed777165b098b945_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ec1020649880d9e18550550b5af1d929_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ec2f68cab5bc2d9fb4737c5a1494b082_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ee3b23cb11a67d6c979c3ebb7c43b9d2_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\eef1b6aeb2f141f223413d81ea989125_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f1a5f50ec4c284599ba7c9f115d5ee88_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f287e7e4e471e6b86cf11100a81fb7d5_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f4a0f79993c5aa736f195858aef3ff2b_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f52139807405a22a95b1380c4d555264_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f6de43da9655f890fc38fa3fc9923be8_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f81fafcc3e869a634de44e82d293847d_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\fa3903947f9d1098c0e2879dae165d19_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\fa9df10af101926575d61caa70b4c040_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\fd11eab7b604ae2aa33ba9adca4abd07_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\fd664cba0a65019740f6dc156d5e89cd_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ff3ac642cd86f903f9bdfcbd88926a62_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\fff90c2285427d685176350b09750f66_c3bd601f-f4a7-4eff-9579-d459301f721c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-12082006-095706.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20070606_Time-160829093_EnterceptExceptions.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20070606_Time-160829093_EnterceptRules.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_MOE1.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_MOE1.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\HTH\.housecall6.6\Quarantine\498c7bba-7ac4e5b0.bac_a01640/GetAccess.class Infected: Trojan.Java.ClassLoader.c skipped
C:\Documents and Settings\HTH\.housecall6.6\Quarantine\498c7bba-7ac4e5b0.bac_a01640/InsecureClassLoader.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\HTH\.housecall6.6\Quarantine\498c7bba-7ac4e5b0.bac_a01640/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a skipped
C:\Documents and Settings\HTH\.housecall6.6\Quarantine\498c7bba-7ac4e5b0.bac_a01640/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v skipped
C:\Documents and Settings\HTH\.housecall6.6\Quarantine\498c7bba-7ac4e5b0.bac_a01640 ZIP: infected - 4 skipped
C:\Documents and Settings\HTH\.housecall6.6\Quarantine\498c7bba-7ac4e5b0.bac_a01640 CryptFF.b: infected - 4 skipped
C:\Documents and Settings\HTH\.housecall6.6\Quarantine\classload.jar-1910af14-4e288d7e.zip.bac_a01640/GetAccess.class Infected: Trojan.Java.ClassLoader.c skipped
C:\Documents and Settings\HTH\.housecall6.6\Quarantine\classload.jar-1910af14-4e288d7e.zip.bac_a01640/InsecureClassLoader.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\HTH\.housecall6.6\Quarantine\classload.jar-1910af14-4e288d7e.zip.bac_a01640/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a skipped
C:\Documents and Settings\HTH\.housecall6.6\Quarantine\classload.jar-1910af14-4e288d7e.zip.bac_a01640/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v skipped
C:\Documents and Settings\HTH\.housecall6.6\Quarantine\classload.jar-1910af14-4e288d7e.zip.bac_a01640 ZIP: infected - 4 skipped
C:\Documents and Settings\HTH\.housecall6.6\Quarantine\classload.jar-1910af14-4e288d7e.zip.bac_a01640 CryptFF.b: infected - 4 skipped
C:\Documents and Settings\HTH\Application Data\Thornsoft Development\ClipMate7\BlobBlob.blb Object is locked skipped
C:\Documents and Settings\HTH\Application Data\Thornsoft Development\ClipMate7\BlobBlob.dat Object is locked skipped
C:\Documents and Settings\HTH\Application Data\Thornsoft Development\ClipMate7\BlobBlob.idx Object is locked skipped
C:\Documents and Settings\HTH\Application Data\Thornsoft Development\ClipMate7\BlobJPG.blb Object is locked skipped
C:\Documents and Settings\HTH\Application Data\Thornsoft Development\ClipMate7\BlobJPG.dat Object is locked skipped
C:\Documents and Settings\HTH\Application Data\Thornsoft Development\ClipMate7\BlobJPG.idx Object is locked skipped
C:\Documents and Settings\HTH\Application Data\Thornsoft Development\ClipMate7\blobpng.blb Object is locked skipped
C:\Documents and Settings\HTH\Application Data\Thornsoft Development\ClipMate7\blobpng.dat Object is locked skipped
C:\Documents and Settings\HTH\Application Data\Thornsoft Development\ClipMate7\blobpng.idx Object is locked skipped

Bear07
2007-06-07, 02:48
Continuing Kaspersky results:

C:\Documents and Settings\HTH\Application Data\Thornsoft Development\ClipMate7\BlobTXT.blb Object is locked skipped
C:\Documents and Settings\HTH\Application Data\Thornsoft Development\ClipMate7\BlobTXT.dat Object is locked skipped
C:\Documents and Settings\HTH\Application Data\Thornsoft Development\ClipMate7\BlobTXT.idx Object is locked skipped
C:\Documents and Settings\HTH\Application Data\Thornsoft Development\ClipMate7\clip.dat Object is locked skipped
C:\Documents and Settings\HTH\Application Data\Thornsoft Development\ClipMate7\clip.idx Object is locked skipped
C:\Documents and Settings\HTH\Application Data\Thornsoft Development\ClipMate7\ClipData.dat Object is locked skipped
C:\Documents and Settings\HTH\Application Data\Thornsoft Development\ClipMate7\ClipData.idx Object is locked skipped
C:\Documents and Settings\HTH\Application Data\Thornsoft Development\ClipMate7\coll.dat Object is locked skipped
C:\Documents and Settings\HTH\Application Data\Thornsoft Development\ClipMate7\coll.idx Object is locked skipped
C:\Documents and Settings\HTH\Application Data\Thornsoft Development\ClipMate7\dbisam.lck Object is locked skipped
C:\Documents and Settings\HTH\Application Data\Thornsoft Development\ClipMate7\LOG\LOG_2007-06-06.TXT Object is locked skipped
C:\Documents and Settings\HTH\Application Data\Thornsoft Development\ClipMate7\TEMP\5000.cm_dat Object is locked skipped
C:\Documents and Settings\HTH\Application Data\Thornsoft Development\ClipMate7\TEMP\5000.cm_idx Object is locked skipped
C:\Documents and Settings\HTH\Application Data\Thornsoft Development\ClipMate7\TEMP\dbisam.lck Object is locked skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/love_me_now.exe Infected: Email-Worm.Win32.Bagle.ae skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNNAMED/Message.scr Infected: Email-Worm.Win32.Bagle.fl skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNNAMED/[From "N/A" <jcvojfnl@rdsnet.ro>][D ... /[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 21:46:45 +0800]/Common.exe Infected: Email-Worm.Win32.Bagle.fl skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNNAMED/[From "N/A" <jcvojfnl@rdsnet.ro>][Date ... /[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 21:46:45 ... /mplay.exe Infected: Email-Worm.Win32.Bagle.ae skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNNAMED/[From "N/A" <jcvojfnl@rdsn ... /[F ... /[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 15:01:32 +0800]/love_me.exe Infected: Email-Worm.Win32.Bagle.ae skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNNAMED/[From "N/A" <jcvojfnl@rdsn ... /[From ... /[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 15:01: ... /Details.exe Infected: Email-Worm.Win32.Bagle.fl skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNN ... /[From "Goldie Egan" <Earnest ... ... /[From "Addr" <addr6@xinul.com>][Date Wed, 07 Mar 2007 23:15:19 +0800]/xxxporno.exe Infected: Email-Worm.Win32.Bagle.fl skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNN ... /[From "Goldie Egan" <Earnest ... /[Fr ... /[From "Addr" <addr6@xinul.com>][Date Wed, 07 Mar 2007 23:15:19 ... /mplay.exe Infected: Email-Worm.Win32.Bagle.ae skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNN ... /[From "Goldie ... /[From "Angelique ... /[From "Addr" <addr6@xinul.com>][Date Thu, 08 Mar 2007 00:44:47 +0800]/mplay.exe Infected: Email-Worm.Win32.Bagle.ae skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNN ... /[From "Goldie ... /[From "Angelique K ... /[From "Addr" <addr6@xinul.com>][Date Thu, 08 Mar 2007 00:44 ... /MoreInfo.exe Infected: Email-Worm.Win32.Bagle.fl skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNN ... /[From "Goldie ... /[From "Angelique K ... /[From "Addr" <addr6@xinul.com>][Date Thu, 08 Mar 2007 00 ... /love_me_now.exe Infected: Email-Worm.Win32.Bagle.ae skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNN ... /[From "Goldie ... /[From "Angelique K ... /[From "Addr" <addr6@xinul.com>][Date Thu, 08 Mar 2007 ... /XXX_livebabes.scr Infected: Email-Worm.Win32.Bagle.fl skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNN ... /[From "Goldie . ... /[From "BB&T" <customerservice-id9777255186162ib@bbt.com>][Date Thu, 8 Mar 2007 10:07:38 -0500]/html Infected: Trojan-Spy.HTML.Bankfraud.ra skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNN ... /[F ... /[From "BB&T" <customerservice-id9777255186162ib@bbt.com>][Date Thu, 8 Mar 2007 10:07:38 -0500]/cytochemistry.gif Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNN ... /[From "G ... /[From Google Alerts <googlealerts-noreply@google.com>][Date Sat, 10 Mar 2007 00:36:12 -0800 ( ... /UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNN ... /[From "G ... /[From Google Alerts <googlealerts-noreply@google.com>][Date Sat, 10 Mar 2007 00:36:12 -0800 (PST ... /html Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNN ... /[From "G ... /[From Google Alerts <googlealerts-noreply@google.com>][Date Sat, 10 Mar 2007 00:36:12 -0800 (PST)]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNN ... /[From "G ... /[From "PMattie ... /[From "Basil U. Goff" <clxbml@mwob.org>][Date Mon, 12 Mar 2007 17:00:07 +0300]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNN ... /[From "G ... /[Fro ... /[From "BB&T" <service-num3486624311010ib@bbt.com>][Date Mon, 12 Mar 2007 12:56:05 - ... /UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNN ... /[From "G ... /[Fro ... /[From "BB&T" <service-num3486624311010ib@bbt.com>][Date Mon, 12 Mar 2007 12:56:05 -0400]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNN ... /[From " ... /[From "GameStop Weekend Specials" <gsnews@email.ebgames.com>][Date Fri, 23 Mar 2007 01:00:00 -0600]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.ri skipped

Bear07
2007-06-07, 02:49
Continuing Kaspersky results:

C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNN ... ... /[From "Mason Adkins" <puttranspo ... /[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 04:23:34 +0800]/UNNAMED Infected: Email-Worm.Win32.Bagle.ae skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNN ... ... /[From "Mason Adkins" <puttranspo ... /[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 04:23:55 + ... /UNNAMED Infected: Email-Worm.Win32.Bagle.fl skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNN ... ... /[From "Mason Adkins" <puttranspo ... /[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 04:23:55 +0800]/UNNAMED Infected: Email-Worm.Win32.Bagle.fl skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNN ... ... /[From "Mason Adkins" <puttransportesmoltedodew@transportesmoltedo.cl>][Date Mon, 5 Mar 2007 19:45:05 +0000]/UNNAMED Infected: Email-Worm.Win32.Bagle.fl skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNN ... /[From "G .. ... /[From ... ... /[From Bvlgari Watches <dfranco@post.com>][Date Mon, 05 Mar 2007 20:59:57 +0300]/UNNAMED Infected: Email-Worm.Win32.Bagle.fl skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNN ... /[From "G .. ... /[From ... /[From "kkk MacDermid" <MacDermid@agrimesh.com>][Date Mon, 5 Mar 2007 19:03:32 +0100]/UNNAMED Infected: Email-Worm.Win32.Bagle.fl skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNN ... /[From "G .. ... /[From Google Al ... /[From "Maryland" <wkdigxer@tpnet.pl>][Date Mon, 5 Mar 2007 17:55:25 -0100]/UNNAMED Infected: Email-Worm.Win32.Bagle.fl skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNN ... /[From "G .. ... /[From Google Alerts <googlealerts-noreply@google.com>][Date Sat, 24 Mar 2007 07:43:10 -0700 (PDT)]/html Infected: Email-Worm.Win32.Bagle.fl skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNN ... /[From "G ... /[From "PMattie YRichmond" <uyxpbsbxo@glenwoodequipment.com>][Date Thu, 08 Mar 2007 21:44:32 + .. ... /html Infected: Email-Worm.Win32.Bagle.fl skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNN ... /[From "G ... /[From "PMattie YRichmond" <uyxpbsbxo@glenwoodequipment.com>][Date Thu, 08 Mar 2007 21:44:32 + ... /UNNAMED Infected: Email-Worm.Win32.Bagle.fl skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNN ... /[From "G ... /[From "PMattie YRichmond" <uyxpbsbxo@glenwoodequipment.com>][Date Thu, 08 Mar 2007 21:44:32 +0600]/UNNAMED Infected: Email-Worm.Win32.Bagle.fl skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNN ... /[From "Goldie ... ... ... / ... /[From SitePro News <spn-h2@sitepronews.com>][Date Thu, 08 Mar 2007 04:30:00 -0500]/html Infected: Email-Worm.Win32.Bagle.fl skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNN ... /[From "Goldie ... ... ... /[From "Brittni Danika" <myked58bnp@gloryroad.net>][Date Thu, 08 Mar 2007 10:57:02 +0100]/html Infected: Email-Worm.Win32.Bagle.fl skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNN ... /[From "Goldie ... ... /[From Gwendoline Sullivan <rdphp@newmancapital.com>][Date Thu, 8 Mar 2007 14:36:06 +0530]/UNNAMED Infected: Email-Worm.Win32.Bagle.fl skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNN ... /[From "Goldie ... /[From "A ... ... /[From "Area Basic" <tiqznjuwl@net.tr>][Date Thu, 8 Mar 2007 09:35:13 -0200]/UNNAMED Infected: Email-Worm.Win32.Bagle.fl skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNN ... /[From "Goldie ... /[From "A ... /[From "Apps" <qifococfha@bostonpilot.com>][Date Thu, 8 Mar 2007 08:20:05 +0800]/UNNAMED Infected: Email-Worm.Win32.Bagle.fl skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNN ... /[From "Goldie ... /[From "Angeli ... /[From "Center" <kobuttu@brimson.net>][Date Wed, 7 Mar 2007 15:33:30 +0500]/UNNAMED Infected: Email-Worm.Win32.Bagle.fl skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNN ... /[From "Goldie ... /[From "Angelique K ... /[From "Addr" <addr6@xinul.com>][Date Thu, 08 Mar 2007 00:59:44 +0800]/UNNAMED Infected: Email-Worm.Win32.Bagle.fl skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNN ... /[From "Goldie ... /[From "Angelique K ... /[From "Addr" <addr6@xinul.com>][Date Thu, 08 Mar 2007 00:44:47 +0800]/UNNAMED Infected: Email-Worm.Win32.Bagle.fl skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNN ... /[From "Goldie ... /[From "Angelique Koch" <dixtuchimportbos@tuchimport.de>][Date Wed, 7 Mar 2007 14:12:39 -0060]/UNNAMED Infected: Email-Worm.Win32.Bagle.fl skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNN ... /[From "Goldie Egan" <Earnest ... /[Fr ... /[From "Addr" <addr6@xinul.com>][Date Wed, 07 Mar 2007 23:15:19 +0800]/UNNAMED Infected: Email-Worm.Win32.Bagle.fl skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNN ... /[From "Goldie Egan" <Earnest ... /[From "madethe" <qigzxvvlnlw@cimco.net>][Date Wed, 7 Mar 2007 10:46:17 -05-30]/UNNAMED Infected: Email-Worm.Win32.Bagle.fl skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNN ... /[From "Goldie Egan" <EarnestineKearney@soyouvebeendumped.every1.net>][Date Tue, 6 Mar 2007 23:39:59 -0500 (EST)]/UNNAMED Infected: Email-Worm.Win32.Bagle.fl skipped

Bear07
2007-06-07, 02:50
Continuing Kaspersky results:

C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNNAMED/[From " ... /[From "pancho guenever ... /[From Sex can <bfranks@witty.com>][Date Wed, 07 Mar 2007 05:53:07 +0300]/UNNAMED Infected: Email-Worm.Win32.Bagle.fl skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNNAMED/[From " ... /[From "pancho guenevere" <barbab ... /[From Hockey" <fix@orpea.net>][Date 7 Mar 2007 02:16:47 +0100]/UNNAMED Infected: Email-Worm.Win32.Bagle.fl skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNNAMED/[From " ... /[From "pancho guenevere" <barbabassancho@physiqueproducts.com>][Date Wed, 7 Mar 2007 02:19:49 +0900]/UNNAMED Infected: Email-Worm.Win32.Bagle.fl skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNNAMED/[From "N/A" ... /[From "Vowels G. Squirrelling" <iceman@glass-island.com>][Date Tue, 06 Mar 2007 16:20:01 +0000]/UNNAMED Infected: Email-Worm.Win32.Bagle.fl skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNNAMED/[From "N/A" ... /[From Google Alerts <googlealerts-noreply@google.com>][Date Mon, 05 Mar 2007 23:13:29 -0800 (PST)]/html Infected: Email-Worm.Win32.Bagle.fl skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNNAMED/[From "N/A" <jcvojfnl@rdsn ... /[From ... /[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 15:01:32 +0800]/UNNAMED Infected: Email-Worm.Win32.Bagle.fl skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNNAMED/[From "N/A" <jcvojfnl@rdsn ... /[From --Mark--Hendricks-- <mph@hunteridge.com>][Date Tue, 6 Mar 2007 08:51:05 -0500]/text Infected: Email-Worm.Win32.Bagle.fl skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNNAMED/[From "N/A" <jcvojfnl@rdsnet.ro>][Date ... /[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 21:46:45 +0800]/UNNAMED Infected: Email-Worm.Win32.Bagle.fl skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNNAMED/[From "N/A" <jcvojfnl@rdsnet.ro>][Date Tue, 6 Mar 2007 13:56:06 -0200]/UNNAMED Infected: Email-Worm.Win32.Bagle.fl skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED/[From "Addr" <addr6@xinul.com>][Date Tue, 06 Mar 2007 23:13:57 +0800]/UNNAMED Infected: Email-Worm.Win32.Bagle.fl skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED/[From "Sexy by" <frrnbyimaa@t-dialin.net>][Date Tue, 6 Mar 2007 16:14:00 -0100]/UNNAMED Infected: Email-Worm.Win32.Bagle.fl skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED/[From "Edgar Mccullough" <wodistillery@freedombound.com>][Date Tue, 6 Mar 2007 05:40:08 +0200]/UNNAMED Infected: Email-Worm.Win32.Bagle.fl skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From "Hope Connell" <ChandraDick@cekakhanafi.com>][Date Mon, 5 Mar 2007 21:47:58 -0500 (EST)]/UNNAMED Infected: Email-Worm.Win32.Bagle.fl skipped
C:\Documents and Settings\HTH\Application Data\Thunderbird\Profiles\qzv4a2ng.default\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items Mail Berkeley mbox: infected - 57 skipped
C:\Documents and Settings\HTH\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\HTH\Local Settings\Application Data\Identities\{07EA8992-70AD-46A3-A05B-4070923F039A}\Microsoft\Outlook Express\Deleted Items.dbx/[From "Branch Banking and Trust" <services-0355050852541ib@bbt.com>][Date Fri, 23 Mar 2007 02:16:28 -0400 (EDT)]/UNNAMED/html Infected: Trojan-Spy.HTML.Bankfraud.ra skipped
C:\Documents and Settings\HTH\Local Settings\Application Data\Identities\{07EA8992-70AD-46A3-A05B-4070923F039A}\Microsoft\Outlook Express\Deleted Items.dbx/[From "Branch Banking and Trust" <services-0355050852541ib@bbt.com>][Date Fri, 23 Mar 2007 02:16:28 -0400 (EDT)]/UNNAMED/colon.gif Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\HTH\Local Settings\Application Data\Identities\{07EA8992-70AD-46A3-A05B-4070923F039A}\Microsoft\Outlook Express\Deleted Items.dbx/[From "Branch Banking and Trust" <services-0355050852541ib@bbt.com>][Date Fri, 23 Mar 2007 02:16:28 -0400 (EDT)]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\HTH\Local Settings\Application Data\Identities\{07EA8992-70AD-46A3-A05B-4070923F039A}\Microsoft\Outlook Express\Deleted Items.dbx Mail MS Outlook 5: infected - 3 skipped
C:\Documents and Settings\HTH\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\HTH\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\HTH\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\HTH\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{9B70E510-29A2-44BB-A7B4-4A62E63B2EED} Object is locked skipped
C:\Documents and Settings\HTH\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\HTH\Local Settings\History\History.IE5\MSHist012007060620070607\index.dat Object is locked skipped
C:\Documents and Settings\HTH\Local Settings\Temp\~DF3D9.tmp Object is locked skipped
C:\Documents and Settings\HTH\Local Settings\Temp\~DF7D9E.tmp Object is locked skipped
C:\Documents and Settings\HTH\Local Settings\Temp\~DF84ED.tmp Object is locked skipped
C:\Documents and Settings\HTH\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\HTH\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\HTH\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\HTH\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\HTH\UserData\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\ESftp\esftpv42.exe/data0019/NHInstall.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\ESftp\esftpv42.exe/data0019/v2.0.2.cab/NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\ESftp\esftpv42.exe/data0019/v2.0.2.cab/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\ESftp\esftpv42.exe/data0019/v2.0.2.cab/NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\ESftp\esftpv42.exe/data0019/v2.0.2.cab Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\ESftp\esftpv42.exe/data0019 Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\ESftp\esftpv42.exe Inno: infected - 6 skipped
C:\Program Files\ASUS\Probe\Record\200766 Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{FFA5CE3D-2147-46EA-9F22-0D54AD76096F}\RP1632\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\MOE1.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{2CF12902-96F7-4B35-9295-D6634A76DC56}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\spool\PRINTERS\FP00000.SHD Object is locked skipped
C:\WINDOWS\system32\spool\PRINTERS\FP00000.SPL Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT076d0.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT076d3.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Mr_JAk3
2007-06-07, 20:22
OK, most of the infections were in Thunderbird's messages. You might want to do some cleaning there...

Generate a HijackThis Startup list:
Open HijackThis: Click on "Open the Misc Tools Section"
Check the following boxes to the right of "Generate StartupList Log": List also minor sections (Full)
List empty sections (Complete)
Click "Generate StartupListLog"
Click "Yes" at the prompt.
A Notepad window will open with the contents of the HijackThis Startup list displayed
Copy & paste that log here.

Bear07
2007-06-07, 23:08
Here's the HijackThis Startup list:

StartupList report, 6/7/2007, 2:18:52 PM
StartupList version: 1.52.2
Started from : C:\Program Files\hijackthis\hijackthis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16441)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\anvshell.exe
C:\Program Files\RAMpage\RAMpage.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ClipMate7\clipmate.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNA.EXE
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\hijackthis\hijackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\HTH\Start Menu\Programs\Startup]
SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

CamMonitor = C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
Share-to-Web Namespace Daemon = C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
ASUS Probe = C:\Program Files\ASUS\Probe\AsusProb.exe
NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
nwiz = nwiz.exe /install
anvshell = anvshell.exe
LiveNote = livenote.exe
RAMpage = "C:\Program Files\RAMpage\RAMpage.exe" U=1 M=28 T=4 LW P="C:\Program Files\RAMpage\RAMpageConfig.exe"
ShStatEXE = "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
McAfeeUpdaterUI = "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
Network Associates Error Reporting Service = "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Windows Defender = "C:\Program Files\Windows Defender\MSASCui.exe" -hide
ZoneAlarm Client = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ClipMate7 = C:\Program Files\ClipMate7\clipmate.exe
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
WMPNSCFG = C:\Program Files\Windows Media Player\WMPNSCFG.exe
SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
EPSON Stylus Photo R260 Series = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNA.EXE /FU "C:\WINDOWS\TEMP\E_SA7.tmp" /EF "HKCU"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\AutoCADLTScript\shell\open\command

(Default) = C:\WINDOWS\NOTEPAD.EXE "%1"

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}] *
StubPath = C:\WINDOWS\system32\ieudinit.exe

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{44BBA851-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\wpie4x86.inf,PerUserStub

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp11.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -BaseSettings

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

Bear07
2007-06-07, 23:11
Continuing HijackThis Startup list:

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
SpywareGuard Download Protection - C:\Program Files\SpywareGuard\dlprotect.dll - {4A368E80-174F-4872-96B5-0B27DDD11DB2}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - c:\program files\google\googletoolbar3.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll - {AE7CD045-E861-484f-8273-0445EE161910}

--------------------------------------------------

Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job
MP Scheduled Scan.job

--------------------------------------------------

Enumerating Download Program Files:

[{00000075-9980-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.microsoft.com/codecs/i386/voxacm.CAB

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[CKAVWebScan Object]
InProcServer32 = C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
CODEBASE = http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\legitcheckcontrol.dll
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

[LPViewer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\LPControl.dll
CODEBASE = http://www.iseemedia.com/activex/LPControl.cab

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\muweb.dll
CODEBASE = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126413452031

[{77DD44BF-551D-4E3C-82CD-D637D5018D3C}]
CODEBASE = http://www.surveys.com/promptcast/Installs/SURVEYS.COM%20PROMPTCAST%20SETUP.cab

[WScanCtl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\webscan.dll
CODEBASE = http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab

[Java Plug-in 1.6.0_01]
InProcServer32 = C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37851.8805092593

[Java Plug-in 1.5.0_02]
InProcServer32 = C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab

[Java Plug-in 1.5.0_04]
InProcServer32 = C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab

[Java Plug-in 1.5.0_06]
InProcServer32 = C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

[Java Plug-in 1.5.0_09]
InProcServer32 = C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab

[Java Plug-in 1.5.0_10]
InProcServer32 = C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

[Java Plug-in 1.5.0_11]
InProcServer32 = C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

[Java Plug-in 1.6.0_01]
InProcServer32 = C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

[Java Plug-in 1.6.0_01]
InProcServer32 = C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash8.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[GpcContainer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ieatgpc.dll
CODEBASE = https://prweb.webex.com/client/v_mywebex-t20/event/ieatgpc.cab

[Yahoo! Webcam Viewer Wrapper]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yvwrctl.dll
CODEBASE = http://chat.yahoo.com/cab/yvwrctl.cab

[TulipPlayer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\TulipPlayer2.dll
CODEBASE = http://www.exstream.to/tulip/cab/3,0,5,19/TulipPlayer2.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
NameSpace #4: C:\Program Files\Bonjour\mdnsNSP.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
PPdus ASPI Shell: system32\drivers\Afc.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AMD K7 Processor Driver: System32\DRIVERS\amdk7.sys (system)
ANVIOCTL: System32\DRIVERS\anvioctl.sys (system)
ASUS Keyboard Filter Driver: System32\DRIVERS\anvosdnt.sys (system)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
aslm75: \??\C:\WINDOWS\system32\drivers\aslm75.sys (autostart)
Aspi32: System32\drivers\aspi32.sys (autostart)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Bonjour Service: "C:\Program Files\Bonjour\mDNSResponder.exe" (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Dmstf30pep: C:\WINDOWS\system32\drivers\acpiec.sys (disabled)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
EIO: \??\C:\WINDOWS\system32\drivers\EIO.sys (manual start)
EntDrv51: \??\C:\WINDOWS\system32\drivers\EntDrv51.sys (manual start)
Eplpdx02: \??\C:\WINDOWS\System32\Drivers\EPLPDX02.SYS (manual start)
EpsonBidirectionalService: C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe (autostart)
EPSON V3 Service4(01): C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
GEARAspiWDM: System32\Drivers\GEARAspiWDM.sys (manual start)
gmer: System32\DRIVERS\gmer.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" (manual start)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
iPod Service: "C:\Program Files\iPod\bin\iPodService.exe" (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Macromedia Licensing Service: "C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe" (manual start)
McAfee Framework Service: C:\Program Files\Network Associates\Common Framework\FrameworkService.exe /ServiceStart (autostart)

Bear07
2007-06-07, 23:12
Continuing HijackThis Startup list:

Network Associates McShield: "C:\Program Files\Network Associates\VirusScan\Mcshield.exe" (autostart)
Network Associates Task Manager: "C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe" (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Microsoft MPU-401 MIDI UART Driver: system32\drivers\msmpu401.sys (manual start)
NaiAvFilter1: system32\drivers\naiavf5x.sys (manual start)
NaiAvTdi1: system32\drivers\mvstdi5x.sys (system)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
Service for NVIDIA(R) nForce(TM) Audio Enumerator: system32\drivers\nvax.sys (manual start)
NVIDIA nForce MCP Networking Adapter Driver: System32\DRIVERS\NVENET.sys (manual start)
Service for NVIDIA(R) nForce(TM) Audio: system32\drivers\nvapu.sys (manual start)
ASUS Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
NVIDIA nForce AGP Bus Filter: System32\DRIVERS\nv_agp.sys (system)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Pen Class: System32\Drivers\PenClass.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft Legacy Modem Driver: System32\Drivers\RootMdm.sys (manual start)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
srescan: system32\ZoneLabs\srescan.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Intel Play QX3 Microscope: system32\drivers\STVqx3.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{A57A6EA3-0AE4-4961-A2F9-4C7549DE1740} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
TabletService: C:\WINDOWS\System32\Tablet.exe (autostart)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: System32\DRIVERS\usbohci.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
Usbscan: System32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
vsdatant: System32\vsdatant.sys (system)
TrueVector Internet Monitor: C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service (autostart)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Defender: "C:\Program Files\Windows Defender\MsMpEng.exe" (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Media Player Network Sharing Service: "C:\Program Files\Windows Media Player\WMPNetwk.exe" (autostart)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Windows Driver Foundation - User-mode Driver Framework Platform Driver: system32\DRIVERS\WudfPf.sys (manual start)
Windows Driver Foundation - User-mode Driver Framework Reflector: system32\DRIVERS\wudfrd.sys (manual start)
Windows Driver Foundation - User-mode Driver Framework: %SystemRoot%\system32\svchost.exe -k WudfServiceGroup (manual start)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\New\EPSET32.DLL|C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPSET32.DLL|C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\New\EBAPI4.DLL|C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EBAPI4.DLL|C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\New\EPUPDATE.EXE|C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE|||

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 39,262 bytes
Report generated in 0.219 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Mr_JAk3
2007-06-08, 20:59
Ok nothing bad there but just to be sure...

You should print these instructions or save these to a text file. Follow these instructions carefully.

Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Restart your computer into Safe Mode:
Restart your computer.
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe Mode.
Press Enter. The computer then begins to start in Safe Mode.
Run a scan with Dr.Web CureIt: double-click the drweb-cureit.exe file and allow it to run the express scan.
This will scan the files currently running in memory; when something is found, click Yes when it asks whether you want to cure it. This is only a short scan.
Once the short scan has finished, you should now mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.

When the scan has finished, check whether you can click the icon next to the files found (the icon looks like this: http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif).
If so, click it, then click the icon right below it and select Move incurable.
After the scan, in the menu, click File and choose Save report list.
Save the report to your desktop. The report will be called DrWeb.csv.
Close Dr.Web CureIt.
Reboot the computer in Normal Mode.
Post the Cure-it report and a fresh HijackThis log

Bear07
2007-06-09, 03:17
Results from the Cure-it report:

GoogleMon.exe;C:\KEITH\Gorilla Website Marketing\google monitor;Probably DLOADER.Trojan;Incurable.Moved.;


Fresh HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:12:28 PM, on 6/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\WINDOWS\anvshell.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\RAMpage\RAMpage.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ClipMate7\clipmate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\hijackthis\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [RAMpage] "C:\Program Files\RAMpage\RAMpage.exe" U=1 M=28 T=4 LW P="C:\Program Files\RAMpage\RAMpageConfig.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ClipMate7] C:\Program Files\ClipMate7\clipmate.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo R260 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNA.EXE /FU "C:\WINDOWS\TEMP\E_SA7.tmp" /EF "HKCU"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagead/preview/en/preview.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3F0EECCE-E138-11D1-8712-0060083D83F5} (LPViewer Class) - http://www.iseemedia.com/activex/LPControl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126413452031
O16 - DPF: {77DD44BF-551D-4E3C-82CD-D637D5018D3C} - http://www.surveys.com/promptcast/Installs/SURVEYS.COM%20PROMPTCAST%20SETUP.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://prweb.webex.com/client/v_mywebex-t20/event/ieatgpc.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {ED4E6F97-FA1A-4634-B550-AABFEB8DA009} (TulipPlayer Class) - http://www.exstream.to/tulip/cab/3,0,5,19/TulipPlayer2.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: ASUS Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Mr_JAk3
2007-06-09, 19:14
Ok good :)

How is the computer running?

Bear07
2007-06-10, 04:28
The problem persists. I’m still getting suspicious bounce backs and spam mail that appears to be from my own email accounts. In fact, I just got a bounce back while typing this. I’m also getting spam that appears to be from accounts on my own websites, but they’re accounts that don’t exist. For example, some emails say something like this:

From: Kerry <xw @ mywebsite.com>
To: Madeleine <myname @ mywebsite.com>

But the “From” address does not exist because I never created it and while the “To” email address is correct the name “Madeleine” is not. I’ve already had my host check the server for problems and they say everything looks normal, which is why I thought maybe it was malware on my pc that was causing the problem. Maybe it’s really just spam faked to look like it’s coming from my email accounts and websites. Do you know if there’s any way to tell exactly where an email is coming from?

I want to give you some more information that I’m hoping might help us figure out for sure whether or not I have malware. Please bear with me… this might be a little confusing.

I have 10 email accounts that I check regularly using Thunderbird. Nine of these accounts are on 3 domains that are owned by me and one that’s on earthlink.net. Four of these email accounts (all on my domains) have only been made available to very trusted parties. Those 4 accounts do not receive any spam and they have never received any suspicious emails or bounce backs. My 6 other email accounts, one of which is the earthlink.net email account, have at one time or another been available to spammers or vulnerable to email harvesters. These 6 email accounts are the ones getting the suspicious bounce backs and spam. But the earthlink.net email only receives bounce backs. It doesn’t have the other problem I described above. The other problematic accounts have both types of problems.

Now in my opinion, since only my vulnerable accounts are having problems that makes it seem like maybe it’s just spam that’s been faked to look like it’s coming from me and not malware that’s sending spam through my computer. If it were malware wouldn’t it send spam through all my accounts?

But I have an eleventh email account (different domain from the others but same server) that I rarely check and only check through the site’s webmail program - not through Thunderbird. This email is publicly available and although it receives a lot of spam, it does not receive bounce backs or suspicious emails. If the bounce backs etc. were just spam then wouldn’t this eleventh account receive similar spam?

I’m also still concerned about some of the infected files discovered by Kaspersky. I know most of the infections were in Thunderbird messages, but what about these:

C:\ESftp\esftpv42.exe/data0019/NHInstall.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\ESftp\esftpv42.exe/data0019/v2.0.2.cab/NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\ESftp\esftpv42.exe/data0019/v2.0.2.cab/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\ESftp\esftpv42.exe/data0019/v2.0.2.cab/NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\ESftp\esftpv42.exe/data0019/v2.0.2.cab Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\ESftp\esftpv42.exe/data0019 Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\ESftp\esftpv42.exe Inno: infected - 6 skipped


C:\Documents and Settings\HTH\.housecall6.6\Quarantine\498c7bba-7ac4e5b0.bac_a01640/GetAccess.class Infected: Trojan.Java.ClassLoader.c skipped
C:\Documents and Settings\HTH\.housecall6.6\Quarantine\498c7bba-7ac4e5b0.bac_a01640/InsecureClassLoader.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\HTH\.housecall6.6\Quarantine\498c7bba-7ac4e5b0.bac_a01640/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a skipped
C:\Documents and Settings\HTH\.housecall6.6\Quarantine\498c7bba-7ac4e5b0.bac_a01640/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v skipped
C:\Documents and Settings\HTH\.housecall6.6\Quarantine\498c7bba-7ac4e5b0.bac_a01640 ZIP: infected - 4 skipped
C:\Documents and Settings\HTH\.housecall6.6\Quarantine\498c7bba-7ac4e5b0.bac_a01640 CryptFF.b: infected - 4 skipped
C:\Documents and Settings\HTH\.housecall6.6\Quarantine\classload.jar-1910af14-4e288d7e.zip.bac_a01640/GetAccess.class Infected: Trojan.Java.ClassLoader.c skipped
C:\Documents and Settings\HTH\.housecall6.6\Quarantine\classload.jar-1910af14-4e288d7e.zip.bac_a01640/InsecureClassLoader.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\HTH\.housecall6.6\Quarantine\classload.jar-1910af14-4e288d7e.zip.bac_a01640/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a skipped
C:\Documents and Settings\HTH\.housecall6.6\Quarantine\classload.jar-1910af14-4e288d7e.zip.bac_a01640/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v skipped
C:\Documents and Settings\HTH\.housecall6.6\Quarantine\classload.jar-1910af14-4e288d7e.zip.bac_a01640 ZIP: infected - 4 skipped
C:\Documents and Settings\HTH\.housecall6.6\Quarantine\classload.jar-1910af14-4e288d7e.zip.bac_a01640 CryptFF.b: infected - 4 skipped


I also did a scan with ZoneAlarm’s System Checkup and that program claims to have detected 3 spyware infections on my computer. Unfortunately it won’t show me where the infections are. It may just be a marketing gimmick to get me to buy their software, but it still makes me nervous.

Here is one last piece of info – I have no idea if it’s related but I should probably tell you about it just in case. Three or four days ago I had a problem with web pages not completely loading. When I looked at the HTML source code I could see that the web pages would literally just stop downloading. At the same time I was also having trouble receiving my email – it was very slow. This happened off and on for 2 days. During that time I also got a strange Windows error that said, “Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience.” But for the past couple of days everything has downloaded normally so maybe it was just a temporary glitch in my computer.

I hope I didn’t write too much. I just really really want to figure out what’s going on with my computer.

Thanks!

Bear
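
The question above (can you tell where an email really came from?) is answerable from the bounce itself. A standard delivery-status bounce (multipart/report; report-type=delivery-status) carries the headers of the rejected original, and the bottom-most Received: line in those headers is where the remote server first saw the message; its IP is the injection point. If that IP is not yours (or your provider's outbound relay, if Thunderbird submits through one), the spam was forged somewhere else and is ordinary backscatter, not something relayed through the PC. The script below is an added example, not code from the thread or from any tool mentioned in it. The bounce text, the domain example.com, the hostnames and the IP addresses (RFC 5737 documentation ranges) are all constructed sample data, and own_networks is a hypothetical list you would fill in with the addresses your mail actually leaves from.

```python
"""Added example (not from the thread): classify a "mail delivery failed"
bounce as mail that really left your address or as backscatter from a
forged sender, by reading the Received: chain of the rejected original.
All sample data below is constructed; example.com is a stand-in domain.
"""
import email
import ipaddress
import re
from email import policy

# Constructed bounce. The rejected original claims to be from example.com
# (our hypothetical domain), but the remote MX recorded it arriving from
# 198.51.100.77, a documentation-range address we treat as someone else's.
SAMPLE_BOUNCE = """\
Return-Path: <>
Received: from mx.remote.example.net (mx.remote.example.net [192.0.2.10])
 by mail.example.com (Postfix) with ESMTP id 1AB2C
 for <owner@example.com>; Sun, 10 Jun 2007 03:10:02 +0000
From: Mail Delivery System <MAILER-DAEMON@remote.example.net>
To: owner@example.com
Subject: Mail delivery failed: returning message to sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more recipients.

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.remote.example.net

Final-Recipient: rfc822; nobody@remote.example.net
Action: failed
Status: 5.1.1

--b1
Content-Type: text/rfc822-headers

Received: from mx.remote.example.net (mx.remote.example.net [192.0.2.10])
 by queue.remote.example.net with ESMTP id 3EF4A;
 Sun, 10 Jun 2007 03:09:59 +0000
Received: from [198.51.100.77] (helo=example.com)
 by mx.remote.example.net with esmtp id 2CD3E;
 Sun, 10 Jun 2007 03:09:58 +0000
From: Kerry <xw@example.com>
To: Madeleine <owner@example.com>
Subject: hello
Message-ID: <1234@example.com>

--b1--
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received: value into the host the sender claimed (HELO),
    the IP the receiving server recorded, and the receiving host."""
    m = RECEIVED_RE.search(value)
    if not m:
        return {"claimed_host": None, "ip": None, "by": None}
    claimed = m.group("helo")
    helo = re.search(r"helo=(\S+)", m.group("info") or "", re.I)
    if helo:                      # Exim-style "(helo=...)" annotation
        claimed = helo.group(1)
    ip = IP_RE.search(value[: m.end()])
    return {"claimed_host": claimed, "ip": ip.group(1) if ip else None,
            "by": m.group("by")}


def received_chain(msg):
    """Received: headers in delivery order, oldest hop first."""
    return [parse_received(str(v)) for v in reversed(msg.get_all("Received", []))]


def original_headers(bounce):
    """Return the rejected original message (or its headers) from a DSN."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None


def is_dsn(msg):
    return (msg.get_content_type() == "multipart/report"
            and msg.get_param("report-type", "").lower() == "delivery-status")


def classify_bounce(raw_bounce, own_networks):
    """own_networks: CIDR strings for every address your mail really leaves
    from (your PC's public IP, or your ISP's/host's outbound relay when the
    mail client submits through one)."""
    bounce = email.message_from_string(raw_bounce, policy=policy.default)
    if not is_dsn(bounce):
        return {"verdict": "not-a-dsn"}
    orig = original_headers(bounce)
    if orig is None:
        return {"verdict": "dsn-without-original"}
    # The oldest hop carrying a recorded IP is where the message was injected.
    origin = next((h for h in received_chain(orig) if h["ip"]), None)
    if origin is None:
        return {"verdict": "no-origin-ip", "from": str(orig["From"])}
    ip = ipaddress.ip_address(origin["ip"])
    ours = any(ip in ipaddress.ip_network(n) for n in own_networks)
    return {"verdict": "sent-from-our-address" if ours else "forged-elsewhere",
            "origin_ip": origin["ip"], "claimed_host": origin["claimed_host"],
            "from": str(orig["From"])}


if __name__ == "__main__":
    # Hypothetical: our PC sends from 203.0.113.5.
    print(classify_bounce(SAMPLE_BOUNCE, ["203.0.113.5/32"]))
```

Two caveats when reading real bounces. A sender can forge any Received: lines below the one added by the first server you trust, so the hop to rely on is the one recorded by the remote MX that generated the bounce, not anything the spammer's own software wrote above its HELO. And a spambot on the PC talks SMTP directly to the recipients' MX servers, so a complementary local check is to run netstat -an on the XP box while the mail client is closed and look for outbound connections to port 25; a machine that is not sending spam should show none.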

Mr_JAk3
2007-06-10, 18:14
Hello :)

I believe that the messages are just spam. However there are a few more scans that we could do.

Make a new folder in the C:\drive called silentrunners
Download 'Silent Runners' from here: (direct download)
http://www.silentrunners.org/Silent%20Runners.vbs
Save it to your silentrunners folder.

Click start> run> type cmd and hit enter
Type the following exactly and hit enter after each line.
cd c:\silentrunners
"silent runners.vbs" -all

Wait until it pops up saying it's completed, then post the resulting logfile here.
It will be very large. You may need several posts to include everything.

Download F-Secure Blacklight (http://www.f-secure.com/blacklight/try_blacklight.html) and save it to your desktop.

Doubleclick fsbl.exe, accept the agreement, click Scan, then click Next

You'll see a list of what has been found. A log will appear on your desktop, named fsbl.xxxxxxx.log (xxxxxxx will be random numbers).

DON'T choose Rename if something was found!

Post the contents of fsbl.xxxxxxx.log here (the Blacklight log from your desktop).

Bear07
2007-06-10, 22:26
Here are the results from the Silent Runners scan:

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output of all locations checked and all values found.


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
"ClipMate7" = "C:\Program Files\ClipMate7\clipmate.exe" ["Thornsoft Development, Inc."]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"WMPNSCFG" = "C:\Program Files\Windows Media Player\WMPNSCFG.exe" [MS]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]
"EPSON Stylus Photo R260 Series" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNA.EXE /FU "C:\WINDOWS\TEMP\E_SA7.tmp" /EF "HKCU"" ["SEIKO EPSON CORPORATION"]

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
"CamMonitor" = "C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [empty string]
"Share-to-Web Namespace Daemon" = "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" ["Hewlett-Packard"]
"ASUS Probe" = "C:\Program Files\ASUS\Probe\AsusProb.exe" [null data]
"NvCplDaemon" = "RUNDLL32.EXE NvQTwk,NvCplDaemon initialize" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"anvshell" = "anvshell.exe" ["AsusTeK Computer Inc."]
"LiveNote" = "livenote.exe" [null data]
"RAMpage" = ""C:\Program Files\RAMpage\RAMpage.exe" U=1 M=28 T=4 LW P="C:\Program Files\RAMpage\RAMpageConfig.exe"" [null data]
"ShStatEXE" = ""C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE" ["Network Associates, Inc."]
"McAfeeUpdaterUI" = ""C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey" ["Network Associates, Inc."]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"Network Associates Error Reporting Service" = ""C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"" ["Network Associates, Inc."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"Windows Defender" = ""C:\Program Files\Windows Defender\MSASCui.exe" -hide" [MS]
"ZoneAlarm Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default) = "Windows Media Player"
\StubPath = "C:\WINDOWS\inf\unregmp2.exe /ShowWMP" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{4A368E80-174F-4872-96B5-0B27DDD11DB2}\(Default) = "SpywareGuard Download Protection"
-> {HKLM...CLSID} = "SpywareGuardDLBLOCK.CBrowserHelper"
\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\dlprotect.dll" [null data]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEToolbarHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{00022613-0000-0000-C000-000000000046}" = "Multimedia File Property Sheet"
-> {HKLM...CLSID} = "Multimedia File Property Sheet"
\InProcServer32\(Default) = "mmsys.cpl" [MS]
"{176d6597-26d3-11d1-b350-080036a75b03}" = "ICM Scanner Management"
-> {HKLM...CLSID} = "ICM Scanner Management"
\InProcServer32\(Default) = "icmui.dll" [MS]
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}" = "NTFS Security Page"
-> {HKLM...CLSID} = "Security Shell Extension"
\InProcServer32\(Default) = "rshx32.dll" [MS]
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}" = "OLE Docfile Property Page"
-> {HKLM...CLSID} = "OLE Docfile Property Page"
\InProcServer32\(Default) = "docprop.dll" [MS]
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}" = "Shell extensions for sharing"
-> {HKLM...CLSID} = "Shell extensions for sharing"
\InProcServer32\(Default) = "ntshrui.dll" [MS]
"{41E300E0-78B6-11ce-849B-444553540000}" = "PlusPack CPL Extension"
-> {HKLM...CLSID} = "PlusPack CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\System32\themeui.dll" [MS]
"{42071712-76d4-11d1-8b24-00a0c9068ff3}" = "Display Adapter CPL Extension"
-> {HKLM...CLSID} = "Display Adapter CPL Extension"
\InProcServer32\(Default) = "deskadp.dll" [MS]
"{42071713-76d4-11d1-8b24-00a0c9068ff3}" = "Display Monitor CPL Extension"
-> {HKLM...CLSID} = "Display Monitor CPL Extension"
\InProcServer32\(Default) = "deskmon.dll" [MS]
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{4E40F770-369C-11d0-8922-00A024AB2DBB}" = "DS Security Page"
-> {HKLM...CLSID} = "Security Shell Extension"
\InProcServer32\(Default) = "dssec.dll" [MS]
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}" = "Compatibility Page"
-> {HKLM...CLSID} = "Compatibility Page"
\InProcServer32\(Default) = "SlayerXP.dll" [MS]
"{56117100-C0CD-101B-81E2-00AA004AE837}" = "Shell Scrap DataHandler"
-> {HKLM...CLSID} = "Shell Scrap DataHandler"
\InProcServer32\(Default) = "shscrap.dll" [MS]
"{59099400-57FF-11CE-BD94-0020AF85B590}" = "Disk Copy Extension"
-> {HKLM...CLSID} = "Disk Copy Extension"
\InProcServer32\(Default) = "diskcopy.dll" [MS]
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}" = "Shell extensions for Microsoft Windows Network objects"
-> {HKLM...CLSID} = "Shell extensions for Microsoft Windows Network objects"
\InProcServer32\(Default) = "ntlanui2.dll" [MS]
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}" = "ICM Monitor Management"
-> {HKLM...CLSID} = "ICM Monitor Management"
\InProcServer32\(Default) = "C:\WINDOWS\System32\icmui.dll" [MS]
"{675F097E-4C4D-11D0-B6C1-0800091AA605}" = "ICM Printer Management"
-> {HKLM...CLSID} = "ICM Printer Management"
\InProcServer32\(Default) = "C:\WINDOWS\system32\icmui.dll" [MS]
"{77597368-7b15-11d0-a0c2-080036af3f03}" = "Web Printer Shell Extension"
-> {HKLM...CLSID} = "Web Printer Shell Extension"
\InProcServer32\(Default) = "printui.dll" [MS]
"{7988B573-EC89-11cf-9C00-00AA00A14F56}" = "Disk Quota UI"
-> {HKLM...CLSID} = "Microsoft Disk Quota UI"
\InProcServer32\(Default) = "dskquoui.dll" [MS]
"{85BBD920-42A0-1069-A2E4-08002B30309D}" = "Briefcase"
-> {HKLM...CLSID} = "Briefcase"
\InProcServer32\(Default) = "syncui.dll" [MS]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{BD84B380-8CA2-1069-AB1D-08000948F534}" = "Fonts"
-> {HKLM...CLSID} = "Fonts"
\InProcServer32\(Default) = "fontext.dll" [MS]
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}" = "ICC Profile"
-> {HKLM...CLSID} = "ICC Profile"
\InProcServer32\(Default) = "C:\WINDOWS\system32\icmui.dll" [MS]
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}" = "Printers Security Page"
-> {HKLM...CLSID} = "Security Shell Extension"
\InProcServer32\(Default) = "rshx32.dll" [MS]
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}" = "Shell extensions for sharing"
-> {HKLM...CLSID} = "Shell extensions for sharing"
\InProcServer32\(Default) = "ntshrui.dll" [MS]
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}" = "Display TroubleShoot CPL Extension"
-> {HKLM...CLSID} = "Display TroubleShoot CPL Extension"
\InProcServer32\(Default) = "deskperf.dll" [MS]
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}" = "Crypto PKO Extension"
-> {HKLM...CLSID} = "CryptPKO Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\cryptext.dll" [MS]
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}" = "Crypto Sign Extension"
-> {HKLM...CLSID} = "CryptSig Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\cryptext.dll" [MS]
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}" = "Network Connections"
-> {HKLM...CLSID} = "Network Connections"
\InProcServer32\(Default) = "C:\WINDOWS\system32\NETSHELL.dll" [MS]
"{992CFFA0-F557-101A-88EC-00DD010CCC48}" = "Network Connections"
-> {HKLM...CLSID} = "Network Connections"
\InProcServer32\(Default) = "C:\WINDOWS\system32\NETSHELL.dll" [MS]
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}" = "Scanners & Cameras"
-> {HKLM...CLSID} = "Scanners & Cameras"
\InProcServer32\(Default) = "wiashext.dll" [MS]
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}" = "Scanners & Cameras"
-> {HKLM...CLSID} = "Scanners & Cameras"
\InProcServer32\(Default) = "wiashext.dll" [MS]
"{905667aa-acd6-11d2-8080-00805f6596d2}" = "Scanners & Cameras"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "wiashext.dll" [MS]
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}" = "Scanners & Cameras"
-> {HKLM...CLSID} = "Scanners & Cameras"
\InProcServer32\(Default) = "wiashext.dll" [MS]
"{83bbcbf3-b28a-4919-a5aa-73027445d672}" = "Scanners & Cameras"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "wiashext.dll" [MS]
"{F0152790-D56E-4445-850E-4F3117DB740C}" = "Remote Sessions CPL Extension"
-> {HKLM...CLSID} = "Remote Sessions CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\System32\remotepg.dll" [MS]
"{60254CA5-953B-11CF-8C96-00AA00B8708C}" = "Shell extensions for Windows Script Host"
-> {HKLM...CLSID} = "Shell Extension For Windows Script Host"
\InProcServer32\(Default) = "C:\WINDOWS\System32\wshext.dll" [MS]
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}" = "Microsoft Data Link"
-> {HKLM...CLSID} = "Microsoft OLE DB Service Component Data Links"
\InProcServer32\(Default) = "C:\Program Files\Common Files\System\Ole DB\oledb32.dll" [MS]
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}" = "Tasks Folder Icon Handler"
-> {HKLM...CLSID} = "Scheduling UI icon handler"
\InProcServer32\(Default) = "C:\WINDOWS\System32\mstask.dll" [MS]
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}" = "Tasks Folder Shell Extension"
-> {HKLM...CLSID} = "Scheduling UI property sheet handler"
\InProcServer32\(Default) = "C:\WINDOWS\System32\mstask.dll" [MS]
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}" = "Scheduled Tasks"
-> {HKLM...CLSID} = "Scheduled Tasks"
\InProcServer32\(Default) = "C:\WINDOWS\System32\mstask.dll" [MS]
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}" = "Search"
-> {HKLM...CLSID} = "Search"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}" = "Help and Support"
-> {HKLM...CLSID} = "Help and Support"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}" = "Help and Support"
-> {HKLM...CLSID} = "Windows Security"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}" = "Run..."
-> {HKLM...CLSID} = "Run..."
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}" = "Internet"
-> {HKLM...CLSID} = "Internet"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}" = "E-mail"
-> {HKLM...CLSID} = "E-mail"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{D20EA4E1-3957-11d2-A40B-0C5020524152}" = "Fonts"
-> {HKLM...CLSID} = "Fonts"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{D20EA4E1-3957-11d2-A40B-0C5020524153}" = "Administrative Tools"
-> {HKLM...CLSID} = "Administrative Tools"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}" = "Audio Media Properties Handler"
-> {HKLM...CLSID} = "Audio Media Properties Handler"
\InProcServer32\(Default) = "C:\WINDOWS\System32\shmedia.dll" [MS]
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}" = "Video Media Properties Handler"
-> {HKLM...CLSID} = "Video Media Properties Handler"
\InProcServer32\(Default) = "C:\WINDOWS\System32\shmedia.dll" [MS]
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}" = "Wav Properties Handler"
-> {HKLM...CLSID} = "Wav Properties Handler"
\InProcServer32\(Default) = "C:\WINDOWS\System32\shmedia.dll" [MS]
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}" = "Avi Properties Handler"
-> {HKLM...CLSID} = "Avi Properties Handler"
\InProcServer32\(Default) = "C:\WINDOWS\System32\shmedia.dll" [MS]
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}" = "Midi Properties Handler"
-> {HKLM...CLSID} = "Midi Properties Handler"
\InProcServer32\(Default) = "C:\WINDOWS\System32\shmedia.dll" [MS]
"{c5a40261-cd64-4ccf-84cb-c394da41d590}" = "Video Thumbnail Extractor"
-> {HKLM...CLSID} = "Video Thumbnail Extractor"
\InProcServer32\(Default) = "C:\WINDOWS\System32\shmedia.dll" [MS]

Bear07
2007-06-10, 22:29
Continuing Silent Runners scan:

"{5E6AB780-7743-11CF-A12B-00AA004AE837}" = "Microsoft Internet Toolbar"
-> {HKLM...CLSID} = "Microsoft Internet Toolbar"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}" = "Download Status"
-> {HKLM...CLSID} = "Download Status"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}" = "Augmented Shell Folder"
-> {HKLM...CLSID} = "Augmented Shell Folder"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{6413BA2C-B461-11d1-A18A-080036B11A03}" = "Augmented Shell Folder 2"
-> {HKLM...CLSID} = "Augmented Shell Folder 2"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}" = "BandProxy"
-> {HKLM...CLSID} = "BandProxy"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}" = "Microsoft BrowserBand"
-> {HKLM...CLSID} = "Microsoft BrowserBand"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{30D02401-6A81-11d0-8274-00C04FD5AE38}" = "IE Search Band"
-> {HKLM...CLSID} = "IE Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}" = "In-pane search"
-> {HKLM...CLSID} = "In-pane search"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{07798131-AF23-11d1-9111-00A0C98BA67D}" = "Web Search"
-> {HKLM...CLSID} = "Web Search"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}" = "Registry Tree Options Utility"
-> {HKLM...CLSID} = "Registry Tree Options Utility"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}" = "&Address"
-> {HKLM...CLSID} = "&Address"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{A08C11D2-A228-11d0-825B-00AA005B4383}" = "Address EditBox"
-> {HKLM...CLSID} = "Address EditBox"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{00BB2763-6A77-11D0-A535-00C04FD7D062}" = "Microsoft AutoComplete"
-> {HKLM...CLSID} = "Microsoft AutoComplete"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{7376D660-C583-11d0-A3A5-00C04FD706EC}" = "TridentImageExtractor"
-> {HKLM...CLSID} = "TridentImageExtractor"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{6756A641-DE71-11d0-831B-00AA005B4383}" = "MRU AutoComplete List"
-> {HKLM...CLSID} = "MRU AutoComplete List"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}" = "Custom MRU AutoCompleted List"
-> {HKLM...CLSID} = "Custom MRU AutoCompleted List"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{7e653215-fa25-46bd-a339-34a2790f3cb7}" = "Accessible"
-> {HKLM...CLSID} = "Accessible"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{acf35015-526e-4230-9596-becbe19f0ac9}" = "Track Popup Bar"
-> {HKLM...CLSID} = "Track Popup Bar"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}" = "Address Bar Parser"
-> {HKLM...CLSID} = "Address Bar Parser"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{00BB2764-6A77-11D0-A535-00C04FD7D062}" = "Microsoft History AutoComplete List"
-> {HKLM...CLSID} = "Microsoft History AutoComplete List"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{03C036F1-A186-11D0-824A-00AA005B4383}" = "Microsoft Shell Folder AutoComplete List"
-> {HKLM...CLSID} = "Microsoft Shell Folder AutoComplete List"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{00BB2765-6A77-11D0-A535-00C04FD7D062}" = "Microsoft Multiple AutoComplete List Container"
-> {HKLM...CLSID} = "Microsoft Multiple AutoComplete List Container"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}" = "Shell Band Site Menu"
-> {HKLM...CLSID} = "Shell Band Site Menu"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}" = "Shell DeskBarApp"
-> {HKLM...CLSID} = "Shell DeskBarApp"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}" = "Shell DeskBar"
-> {HKLM...CLSID} = "Shell DeskBar"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}" = "Shell Rebar BandSite"
-> {HKLM...CLSID} = "Shell Rebar BandSite"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}" = "User Assist"
-> {HKLM...CLSID} = "User Assist"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}" = "Global Folder Settings"
-> {HKLM...CLSID} = "Global Folder Settings"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}" = "Favorites Band"
-> {HKLM...CLSID} = "Favorites Band"
\InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]
"{0A89A860-D7B1-11CE-8350-444553540000}" = "Shell Automation Inproc Service"
-> {HKLM...CLSID} = "Shell Automation Inproc Service"
\InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}" = "Shell DocObject Viewer"
-> {HKLM...CLSID} = "Shell DocObject Viewer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}" = "Microsoft Browser Architecture"
-> {HKLM...CLSID} = "Microsoft Browser Architecture"
\InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}" = "InternetShortcut"
-> {HKLM...CLSID} = "Internet Shortcut"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}" = "Microsoft Url History Service"
-> {HKLM...CLSID} = "Microsoft Url History Service"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{FF393560-C2A7-11CF-BFF4-444553540000}" = "History"
-> {HKLM...CLSID} = "History"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}" = "Temporary Internet Files"
-> {HKLM...CLSID} = "Temporary Internet Files"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}" = "Temporary Internet Files"
-> {HKLM...CLSID} = "Temporary Internet Files"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" = "Microsoft Url Search Hook"
-> {HKLM...CLSID} = "Microsoft Url Search Hook"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}" = "IE4 Suite Splash Screen"
-> {HKLM...CLSID} = "IE4 Suite Splash Screen"
\InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}" = "CDF Extension Copy Hook"
-> {HKLM...CLSID} = "CDF Extension Copy Hook"
\InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]
"{131A6951-7F78-11D0-A979-00C04FD705A2}" = "ISFBand OC"
-> {HKLM...CLSID} = "ISFBand OC"
\InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}" = "Search Assistant OC"
-> {HKLM...CLSID} = "Search Assistant OC"
\InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}" = "The Internet"
-> {HKLM...CLSID} = "The Internet"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{871C5380-42A0-1069-A2EA-08002B30309D}" = "Internet Name Space"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}" = "Explorer Band"
-> {HKLM...CLSID} = "Explorer Band"
\InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}" = "Sendmail service"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\sendmail.dll" [MS]
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}" = "Sendmail service"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\sendmail.dll" [MS]
"{88C6C381-2E85-11D0-94DE-444553540000}" = "ActiveX Cache Folder"
-> {HKLM...CLSID} = "ActiveX Cache Folder"
\InProcServer32\(Default) = "C:\WINDOWS\system32\occache.dll" [MS]
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" = "WebCheck"
-> {HKLM...CLSID} = "WebCheck"
\InProcServer32\(Default) = "C:\WINDOWS\system32\webcheck.dll" [MS]
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}" = "Subscription Mgr"
-> {HKLM...CLSID} = "Subscription Mgr"
\InProcServer32\(Default) = "C:\WINDOWS\system32\webcheck.dll" [MS]
"{F5175861-2688-11d0-9C5E-00AA00A45957}" = "Subscription Folder"
-> {HKLM...CLSID} = "Subscription Folder"
\InProcServer32\(Default) = "C:\WINDOWS\system32\webcheck.dll" [MS]
"{08165EA0-E946-11CF-9C87-00AA005127ED}" = "WebCheckWebCrawler"
-> {HKLM...CLSID} = "WebCheckWebCrawler"
\InProcServer32\(Default) = "C:\WINDOWS\system32\webcheck.dll" [MS]
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}" = "WebCheckChannelAgent"
-> {HKLM...CLSID} = "WebCheckChannelAgent"
\InProcServer32\(Default) = "C:\WINDOWS\System32\webcheck.dll" [MS]
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}" = "TrayAgent"
-> {HKLM...CLSID} = "TrayAgent"
\InProcServer32\(Default) = "C:\WINDOWS\System32\webcheck.dll" [MS]
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}" = "Code Download Agent"
-> {HKLM...CLSID} = "Code Download Agent"
\InProcServer32\(Default) = "C:\WINDOWS\system32\webcheck.dll" [MS]
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}" = "ConnectionAgent"
-> {HKLM...CLSID} = "ConnectionAgent"
\InProcServer32\(Default) = "C:\WINDOWS\System32\webcheck.dll" [MS]
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}" = "PostAgent"
-> {HKLM...CLSID} = "PostAgent"
\InProcServer32\(Default) = "C:\WINDOWS\System32\webcheck.dll" [MS]
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}" = "WebCheck SyncMgr Handler"
-> {HKLM...CLSID} = "WebCheck SyncMgr Handler"
\InProcServer32\(Default) = "C:\WINDOWS\system32\webcheck.dll" [MS]
"{352EC2B7-8B9A-11D1-B8AE-006008059382}" = "Shell Application Manager"
-> {HKLM...CLSID} = "Shell Application Manager"
\InProcServer32\(Default) = "C:\WINDOWS\System32\appwiz.cpl" [MS]
"{0B124F8F-91F0-11D1-B8B5-006008059382}" = "Installed Apps Enumerator"
-> {HKLM...CLSID} = "Installed Apps Enumerator"
\InProcServer32\(Default) = "C:\WINDOWS\System32\appwiz.cpl" [MS]
"{CFCCC7A0-A282-11D1-9082-006008059382}" = "Darwin App Publisher"
-> {HKLM...CLSID} = "Darwin App Publisher"
\InProcServer32\(Default) = "C:\WINDOWS\System32\appwiz.cpl" [MS]
"{e84fda7c-1d6a-45f6-b725-cb260c236066}" = "Shell Image Verbs"
-> {HKLM...CLSID} = "Shell Image Verbs"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shimgvw.dll" [MS]
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}" = "Shell Image Data Factory"
-> {HKLM...CLSID} = "Shell Image Data Factory"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shimgvw.dll" [MS]
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}" = "GDI+ file thumbnail extractor"
-> {HKLM...CLSID} = "GDI+ file thumbnail extractor"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shimgvw.dll" [MS]
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}" = "Summary Info Thumbnail handler (DOCFILES)"
-> {HKLM...CLSID} = "Summary Info Thumbnail handler (DOCFILES)"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shimgvw.dll" [MS]
"{EAB841A0-9550-11cf-8C16-00805F1408F3}" = "HTML Thumbnail Extractor"
-> {HKLM...CLSID} = "HTML Thumbnail Extractor"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shimgvw.dll" [MS]
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}" = "Shell Image Property Handler"
-> {HKLM...CLSID} = "Shell Image Property Handler"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shimgvw.dll" [MS]
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}" = "Web Publishing Wizard"
-> {HKLM...CLSID} = "Web Publishing Wizard"
\InProcServer32\(Default) = "C:\WINDOWS\System32\netplwiz.dll" [MS]
"{add36aa8-751a-4579-a266-d66f5202ccbb}" = "Print Ordering via the Web"
-> {HKLM...CLSID} = "Print Ordering via the Web"
\InProcServer32\(Default) = "C:\WINDOWS\System32\netplwiz.dll" [MS]
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}" = "Shell Publishing Wizard Object"
-> {HKLM...CLSID} = "Shell Publishing Wizard Object"
\InProcServer32\(Default) = "C:\WINDOWS\System32\netplwiz.dll" [MS]
"{58f1f272-9240-4f51-b6d4-fd63d1618591}" = "Get a Passport Wizard"
-> {HKLM...CLSID} = "Get a Passport Wizard"
\InProcServer32\(Default) = "C:\WINDOWS\System32\netplwiz.dll" [MS]
"{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31}" = "Compressed (zipped) Folder"
-> {HKLM...CLSID} = "CompressedFolder"
\InProcServer32\(Default) = "C:\WINDOWS\System32\zipfldr.dll" [MS]
"{BD472F60-27FA-11cf-B8B4-444553540000}" = "Compressed (zipped) Folder Right Drag Handler"
-> {HKLM...CLSID} = "Compressed (zipped) Folder Right Drag Handler"
\InProcServer32\(Default) = "C:\WINDOWS\System32\zipfldr.dll" [MS]
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}" = "Compressed (zipped) Folder SendTo Target"
-> {HKLM...CLSID} = "Compressed (zipped) Folder SendTo Target"
\InProcServer32\(Default) = "C:\WINDOWS\System32\zipfldr.dll" [MS]
"{63da6ec0-2e98-11cf-8d82-444553540000}" = "FTP Folders Webview"
-> {HKLM...CLSID} = "Microsoft FTP Folder"
\InProcServer32\(Default) = "C:\WINDOWS\System32\msieftp.dll" [MS]
"{883373C3-BF89-11D1-BE35-080036B11A03}" = "Microsoft DocProp Shell Ext"
-> {HKLM...CLSID} = "Microsoft DocProp Shell Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\docprop2.dll" [MS]
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}" = "Microsoft DocProp Inplace Edit Box Control"
-> {HKLM...CLSID} = "Microsoft DocProp Inplace Edit Box Control"
\InProcServer32\(Default) = "C:\WINDOWS\System32\docprop2.dll" [MS]
"{8EE97210-FD1F-4B19-91DA-67914005F020}" = "Microsoft DocProp Inplace ML Edit Box Control"
-> {HKLM...CLSID} = "Microsoft DocProp Inplace ML Edit Box Control"
\InProcServer32\(Default) = "C:\WINDOWS\System32\docprop2.dll" [MS]
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}" = "Microsoft DocProp Inplace Droplist Combo Control"
-> {HKLM...CLSID} = "Microsoft DocProp Inplace Droplist Combo Control"
\InProcServer32\(Default) = "C:\WINDOWS\System32\docprop2.dll" [MS]
"{6A205B57-2567-4A2C-B881-F787FAB579A3}" = "Microsoft DocProp Inplace Calendar Control"
-> {HKLM...CLSID} = "Microsoft DocProp Inplace Calendar Control"
\InProcServer32\(Default) = "C:\WINDOWS\System32\docprop2.dll" [MS]
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}" = "Microsoft DocProp Inplace Time Control"
-> {HKLM...CLSID} = "Microsoft DocProp Inplace Time Control"
\InProcServer32\(Default) = "C:\WINDOWS\System32\docprop2.dll" [MS]
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}" = "Directory Query UI"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\dsquery.dll" [MS]
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}" = "Shell properties for a DS object"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\dsquery.dll" [MS]
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}" = "Directory Object Find"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\dsquery.dll" [MS]
"{F020E586-5264-11d1-A532-0000F8757D7E}" = "Directory Start/Search Find"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\dsquery.dll" [MS]
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}" = "Directory Property UI"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\dsuiext.dll" [MS]

Bear07
2007-06-10, 22:30
"{62AE1F9A-126A-11D0-A14B-0800361B1103}" = "Directory Context Menu Verbs"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\dsuiext.dll" [MS]
"{ECF03A33-103D-11d2-854D-006008059367}" = "MyDocs Copy Hook"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\mydocs.dll" [MS]
"{ECF03A32-103D-11d2-854D-006008059367}" = "MyDocs Drop Target"
-> {HKLM...CLSID} = "MyDocs Drop Target"
\InProcServer32\(Default) = "C:\WINDOWS\System32\mydocs.dll" [MS]
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}" = "MyDocs Properties"
-> {HKLM...CLSID} = "MyDocs menu and properties"
\InProcServer32\(Default) = "C:\WINDOWS\System32\mydocs.dll" [MS]
"{750fdf0e-2a26-11d1-a3ea-080036587f03}" = "Offline Files Menu"
-> {HKLM...CLSID} = "Offline Files Menu"
\InProcServer32\(Default) = "C:\WINDOWS\System32\cscui.dll" [MS]
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}" = "Offline Files Folder Options"
-> {HKLM...CLSID} = "Offline Files Folder Options"
\InProcServer32\(Default) = "C:\WINDOWS\System32\cscui.dll" [MS]
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}" = "Offline Files Folder"
-> {HKLM...CLSID} = "Offline Files Folder"
\InProcServer32\(Default) = "C:\WINDOWS\System32\cscui.dll" [MS]
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}" = "Microsoft Agent Character Property Sheet Handler"
-> {HKLM...CLSID} = "Microsoft Agent Character Property Sheet Handler"
\InProcServer32\(Default) = "C:\WINDOWS\msagent\agentpsh.dll" [MS]
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}" = "DfsShell"
-> {HKLM...CLSID} = "DfsShell Class"
\InProcServer32\(Default) = "C:\WINDOWS\System32\dfsshlex.dll" [MS]
"{60fd46de-f830-4894-a628-6fa81bc0190d}" = "%DESC_PublishDropTarget%"
-> {HKLM...CLSID} = "DropTarget Object for Photo Printing Wizard"
\InProcServer32\(Default) = "C:\WINDOWS\System32\photowiz.dll" [MS]
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}" = "MMC Icon Handler"
-> {HKLM...CLSID} = "ExtractIcon Class"
\InProcServer32\(Default) = "C:\WINDOWS\System32\mmcshext.dll" [MS]
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}" = ".CAB file viewer"
-> {HKLM...CLSID} = "Cabinet File"
\InProcServer32\(Default) = "cabview.dll" [MS]
"{32714800-2E5F-11d0-8B85-00AA0044F941}" = "For &People..."
-> {HKLM...CLSID} = "For &People..."
\InProcServer32\(Default) = "C:\Program Files\Outlook Express\wabfind.dll" [MS]
"{8DD448E6-C188-4aed-AF92-44956194EB1F}" = "Windows Media Player Burn Audio CD Context Menu Handler"
-> {HKLM...CLSID} = "WMP Burn Audio CD Launcher"
\InProcServer32\(Default) = "C:\WINDOWS\system32\wmpshell.dll" [MS]
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}" = "Windows Media Player Play as Playlist Context Menu Handler"
-> {HKLM...CLSID} = "WMP Play As Playlist Launcher"
\InProcServer32\(Default) = "C:\WINDOWS\system32\wmpshell.dll" [MS]
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}" = "Windows Media Player Add to Playlist Context Menu Handler"
-> {HKLM...CLSID} = "WMP Add To Playlist Launcher"
\InProcServer32\(Default) = "C:\WINDOWS\system32\wmpshell.dll" [MS]
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}" = "Set Program Access and Defaults"
-> {HKLM...CLSID} = "Set Program Access and Defaults"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{1D2680C9-0E2A-469d-B787-065558BC7D43}" = "Fusion Cache"
-> {HKLM...CLSID} = "Fusion Cache"
\InProcServer32\(Default) = "C:\WINDOWS\system32\mscoree.dll" [MS]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}" = "Auto Update Property Sheet Extension"
-> {HKLM...CLSID} = "Auto Update Property Sheet Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\wuaucpl.cpl" [MS]
"{596AB062-B4D2-4215-9F74-E9109B0A8153}" = "Previous Versions Property Page"
-> {HKLM...CLSID} = "Previous Versions Property Page"
\InProcServer32\(Default) = "C:\WINDOWS\System32\twext.dll" [MS]
"{9DB7A13C-F208-4981-8353-73CC61AE2783}" = "Previous Versions"
-> {HKLM...CLSID} = "Previous Versions"
\InProcServer32\(Default) = "C:\WINDOWS\System32\twext.dll" [MS]
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}" = "Extensions Manager Folder"
-> {HKLM...CLSID} = "Extensions Manager Folder"
\InProcServer32\(Default) = "C:\WINDOWS\system32\extmgr.dll" [MS]
"{EE337094-9F50-4B8C-9B53-C00F52A3289B}" = "GF Shell Extension"
-> {HKLM...CLSID} = "GFIconShellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\LizardTech Shared\lt_lib_gf_iconShellEx.dll" ["LizardTech Inc."]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{2F25CF20-C569-11D1-B94C-00608CB45480}" = "TextPad"
-> {HKLM...CLSID} = "TextPad"
\InProcServer32\(Default) = "C:\Program Files\TextPad 4\System\shellext.dll" ["Helios Software Solutions"]
"{F60C63CE-52AF-4915-AAC9-F100FCDE270F}" = "ClipMate ClipBar 7.0"
-> {HKLM...CLSID} = "ClipMate ClipBar 7"
\InProcServer32\(Default) = "C:\PROGRA~1\CLIPMA~2\CLIPMA~1.DLL" ["Thornsoft Development, Inc."]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
-> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" [file not found]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
-> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" [file not found]
"{07C45BB1-4A8C-4642-A1F5-237E7215FF66}" = "IE Microsoft BrowserBand"
-> {HKLM...CLSID} = "IE Microsoft BrowserBand"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{1C1EDB47-CE22-4bbb-B608-77B48F83C823}" = "IE Fade Task"
-> {HKLM...CLSID} = "IE Fade Task"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{205D7A97-F16D-4691-86EF-F3075DCCA57D}" = "IE Menu Desk Bar"
-> {HKLM...CLSID} = "IE Menu Desk Bar"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{3028902F-6374-48b2-8DC6-9725E775B926}" = "IE AutoComplete"
-> {HKLM...CLSID} = "IE AutoComplete"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{43886CD5-6529-41c4-A707-7B3C92C05E68}" = "IE Navigation Bar"
-> {HKLM...CLSID} = "IE Navigation Bar"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{44C76ECD-F7FA-411c-9929-1B77BA77F524}" = "IE Menu Site"
-> {HKLM...CLSID} = "IE Menu Site"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{4B78D326-D922-44f9-AF2A-07805C2A3560}" = "IE Menu Band"
-> {HKLM...CLSID} = "IE Menu Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{6038EF75-ABFC-4e59-AB6F-12D397F6568D}" = "IE Microsoft History AutoComplete List"
-> {HKLM...CLSID} = "IE Microsoft History AutoComplete List"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE}" = "IE Tracking Shell Menu"
-> {HKLM...CLSID} = "IE Tracking Shell Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{6CF48EF8-44CD-45d2-8832-A16EA016311B}" = "IE IShellFolderBand"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{73CFD649-CD48-4fd8-A272-2070EA56526B}" = "IE BandProxy"
-> {HKLM...CLSID} = "IE BandProxy"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8}" = "IE MRU AutoComplete List"
-> {HKLM...CLSID} = "IE MRU AutoComplete List"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E}" = "IE RSS Feeder Folder"
-> {HKLM...CLSID} = "IE RSS Feeds Folder"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{9D958C62-3954-4b44-8FAB-C4670C1DB4C2}" = "IE Microsoft Shell Folder AutoComplete List"
-> {HKLM...CLSID} = "IE Microsoft Shell Folder AutoComplete List"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{B31C5FAE-961F-415b-BAF0-E697A5178B94}" = "IE Microsoft Multiple AutoComplete List Container"
-> {HKLM...CLSID} = "IE Microsoft Multiple AutoComplete List Container"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{BC476F4C-D9D7-4100-8D4E-E043F6DEC409}" = "Microsoft Browser Architecture"
-> {HKLM...CLSID} = "Microsoft Browser Architecture"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A}" = "IE Shell Rebar BandSite"
-> {HKLM...CLSID} = "IE Shell Rebar BandSite"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{E6EE9AAC-F76B-4947-8260-A9F136138E11}" = "IE Shell Band Site Menu"
-> {HKLM...CLSID} = "IE Shell Band Site Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{F2CF5485-4E02-4f68-819C-B92DE9277049}" = "&Links"
-> {HKLM...CLSID} = "&Links"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E}" = "IE Registry Tree Options Utility"
-> {HKLM...CLSID} = "IE Registry Tree Options Utility"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75}" = "IE User Assist"
-> {HKLM...CLSID} = "IE User Assist"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{FDE7673D-2E19-4145-8376-BBD58C4BC7BA}" = "IE Custom MRU AutoCompleted List"
-> {HKLM...CLSID} = "IE Custom MRU AutoCompleted List"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{35786D3C-B075-49b9-88DD-029876E11C01}" = "Portable Devices"
-> {HKLM...CLSID} = "Portable Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\wpdshext.dll" [MS]
"{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8}" = "Portable Devices Menu"
-> {HKLM...CLSID} = "Portable Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\wpdshext.dll" [MS]
"{9999A076-A9E2-4C99-8A2B-632FC9429223}" = "Bonjour"
-> {HKLM...CLSID} = "Bonjour"
\InProcServer32\(Default) = "C:\Program Files\Bonjour\ExplorerPlugin.dll" ["Apple Computer, Inc."]
"{81559C35-8464-49F7-BB0E-07A383BEF910}" = (no title provided)
-> {HKLM...CLSID} = "SpywareGuard.Handler"
\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]
"{D9872D13-7651-4471-9EEE-F0A00218BEBB}" = "Multiscan"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}" = "Browseui preloader"
-> {HKLM...CLSID} = "Browseui preloader"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{8C7461EF-2B13-11d2-BE35-3078302C2030}" = "Component Categories cache daemon"
-> {HKLM...CLSID} = "Component Categories cache daemon"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}" = (no title provided)
-> {HKLM...CLSID} = "URL Exec Hook"
\InProcServer32\(Default) = "shell32.dll" [MS]
<<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
-> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
\InProcServer32\(Default) = "C:\PROGRA~1\WIFD1F~1\MpShHook.dll" [MS]
<<!>> "{81559C35-8464-49F7-BB0E-07A383BEF910}" = (no title provided)
-> {HKLM...CLSID} = "SpywareGuard.Handler"
\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]

HKCU\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"PostBootReminder" = "{7849596a-48ea-486e-8937-a2a3009f31a9}"
-> {HKLM...CLSID} = "PostBootReminder object"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"CDBurn" = "{fbeb8a05-beee-4442-804e-409d6c4515e9}"
-> {HKLM...CLSID} = "ShellFolder for CD Burning"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"WebCheck" = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
-> {HKLM...CLSID} = "WebCheck"
\InProcServer32\(Default) = "C:\WINDOWS\system32\webcheck.dll" [MS]
"SysTray" = "{35CEC8A3-2BE6-11D2-8773-92E220524153}"
-> {HKLM...CLSID} = "SysTray"
\InProcServer32\(Default) = "C:\WINDOWS\System32\stobject.dll" [MS]
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKCU\Software\Microsoft\Command Processor\
"AutoRun" = (value not found)

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"Shell" = (value not found)

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
"load" = (empty string)
"run" = (value not found)

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
"Shell" = (value not found)

HKLM\Software\Microsoft\Command Processor\
"AutoRun" = (empty string)

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\
"AppInit_DLLs" = (empty string)

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
"GinaDLL" = (value not found)
"Shell" = "Explorer.exe" [MS]
"Taskman" = (value not found)
"Userinit" = "C:\WINDOWS\system32\userinit.exe," [MS]
"System" = (empty string)

Bear07
2007-06-10, 22:32
Continuing Silent Runners scan:

HKLM\System\CurrentControlSet\Control\SafeBoot\Option\
"UseAlternateShell" = (value not found)

HKLM\System\CurrentControlSet\Control\SecurityProviders\
"SecurityProviders" = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKLM\System\CurrentControlSet\Control\Session Manager\
"BootExecute" = "autocheck autochk *"

HKLM\System\CurrentControlSet\Control\WOW\
"cmdline" = "C:\WINDOWS\system32\ntvdm.exe" [MS]
"wowcmdline" = "C:\WINDOWS\system32\ntvdm.exe -a C:\WINDOWS\system32\krnl386" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
crypt32chain\DLLName = "crypt32.dll" [MS]
cryptnet\DLLName = "cryptnet.dll" [MS]
cscdll\DLLName = "cscdll.dll" [MS]
ScCertProp\DLLName = "wlnotify.dll" [MS]
Schedule\DLLName = "wlnotify.dll" [MS]
sclgntfy\DLLName = "sclgntfy.dll" [MS]
SensLogn\DLLName = "WlNotify.dll" [MS]
termsrv\DLLName = "wlnotify.dll" [MS]
WgaLogon\DLLName = "WgaLogon.dll" [MS]
wlballoon\DLLName = "wlnotify.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
Your Image File Name Here without a path\Debugger = "ntsd -d" [MS]

HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon\

HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\

HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup\

HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown\

HKLM\Software\Classes\PROTOCOLS\Filter\
application/octet-stream\CLSID = "{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"
-> {HKLM...CLSID} = "Cor MIME Filter, CorFltr, CorFltr 1"
\InProcServer32\(Default) = "C:\WINDOWS\System32\mscoree.dll" [MS]
application/x-complus\CLSID = "{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"
-> {HKLM...CLSID} = "Cor MIME Filter, CorFltr, CorFltr 1"
\InProcServer32\(Default) = "C:\WINDOWS\System32\mscoree.dll" [MS]
application/x-msdownload\CLSID = "{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"
-> {HKLM...CLSID} = "Cor MIME Filter, CorFltr, CorFltr 1"
\InProcServer32\(Default) = "C:\WINDOWS\System32\mscoree.dll" [MS]
Class Install Handler\CLSID = "{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"
-> {HKLM...CLSID} = "AP Class Install Handler filter"
\InProcServer32\(Default) = "C:\WINDOWS\system32\urlmon.dll" [MS]
deflate\CLSID = "{8f6b0360-b80d-11d0-a9b3-006097942311}"
-> {HKLM...CLSID} = "AP encoding/decoding Filters"
\InProcServer32\(Default) = "C:\WINDOWS\system32\urlmon.dll" [MS]
gzip\CLSID = "{8f6b0360-b80d-11d0-a9b3-006097942311}"
-> {HKLM...CLSID} = "AP encoding/decoding Filters"
\InProcServer32\(Default) = "C:\WINDOWS\system32\urlmon.dll" [MS]
lzdhtml\CLSID = "{8f6b0360-b80d-11d0-a9b3-006097942311}"
-> {HKLM...CLSID} = "AP encoding/decoding Filters"
\InProcServer32\(Default) = "C:\WINDOWS\system32\urlmon.dll" [MS]
text/webviewhtml\CLSID = "{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"
-> {HKLM...CLSID} = "WebView MIME Filter"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{0D2E74C4-3C34-11d2-A27E-00C04FC30871}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
{24F14F01-7B1C-11d1-838f-0000F80461CF}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
{24F14F02-7B1C-11d1-838f-0000F80461CF}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
{66742402-F9B9-11D1-A202-0000F81FEDEE}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
-> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" [file not found]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
Offline Files\(Default) = "{750fdf0e-2a26-11d1-a3ea-080036587f03}"
-> {HKLM...CLSID} = "Offline Files Menu"
\InProcServer32\(Default) = "C:\WINDOWS\System32\cscui.dll" [MS]
Open With\(Default) = "{09799AFB-AD67-11d1-ABCD-00C04FC30936}"
-> {HKLM...CLSID} = "Open With Context Menu Handler"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
Open With EncryptionMenu\(Default) = "{A470F8CF-A1E8-4f65-8335-227475AA5C46}"
-> {HKLM...CLSID} = "Encryption Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
TextPad\(Default) = "{2F25CF20-C569-11D1-B94C-00608CB45480}"
-> {HKLM...CLSID} = "TextPad"
\InProcServer32\(Default) = "C:\Program Files\TextPad 4\System\shellext.dll" ["Helios Software Solutions"]
VirusScan\(Default) = "{cda2863e-2497-4c49-9b89-06840e070a87}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Network Associates\VirusScan\shext.dll" ["Network Associates, Inc."]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
EncryptionMenu\(Default) = "{A470F8CF-A1E8-4f65-8335-227475AA5C46}"
-> {HKLM...CLSID} = "Encryption Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
Offline Files\(Default) = "{750fdf0e-2a26-11d1-a3ea-080036587f03}"
-> {HKLM...CLSID} = "Offline Files Menu"
\InProcServer32\(Default) = "C:\WINDOWS\System32\cscui.dll" [MS]
Sharing\(Default) = "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"
-> {HKLM...CLSID} = "Shell extensions for sharing"
\InProcServer32\(Default) = "ntshrui.dll" [MS]
VirusScan\(Default) = "{cda2863e-2497-4c49-9b89-06840e070a87}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Network Associates\VirusScan\shext.dll" ["Network Associates, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
VirusScan\(Default) = "{cda2863e-2497-4c49-9b89-06840e070a87}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Network Associates\VirusScan\shext.dll" ["Network Associates, Inc."]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
Send To\(Default) = "{7BA4C740-9E81-11CF-99D3-00AA004AE837}"
-> {HKLM...CLSID} = "Microsoft SendTo Service"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]


Default executables:
--------------------

HKLM\Software\Classes\.bat\(Default) = "batfile"
HKLM\Software\Classes\batfile\shell\open\command\(Default) = ""%1" %*"

HKLM\Software\Classes\.cmd\(Default) = "cmdfile"
HKLM\Software\Classes\cmdfile\shell\open\command\(Default) = ""%1" %*"

HKLM\Software\Classes\.com\(Default) = "comfile"
HKLM\Software\Classes\comfile\shell\open\command\(Default) = ""%1" %*"

HKLM\Software\Classes\.exe\(Default) = "exefile"
HKLM\Software\Classes\exefile\shell\open\command\(Default) = ""%1" %*"

HKLM\Software\Classes\.hta\(Default) = "htafile"
HKLM\Software\Classes\htafile\shell\open\command\(Default) = "C:\WINDOWS\system32\mshta.exe "%1" %*"

HKLM\Software\Classes\.pif\(Default) = "piffile"
HKLM\Software\Classes\piffile\shell\open\command\(Default) = ""%1" %*"

HKLM\Software\Classes\.scr\(Default) = "AutoCADLTScript"
<<!>> HKLM\Software\Classes\AutoCADLTScript\shell\open\command\(Default) = "C:\WINDOWS\NOTEPAD.EXE "%1"" [MS]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDriveTypeAutoRun" = (REG_DWORD) hex:0x00000091
{Turn off Autoplay}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowCpl\

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate\

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\

HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel\

HKCU\Software\Policies\Microsoft\Internet Explorer\Download\

HKLM\Software\Policies\Microsoft\Internet Explorer\Download\

HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\

HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\

HKCU\Software\Policies\Microsoft\Internet Explorer\Main\

HKLM\Software\Policies\Microsoft\Internet Explorer\Main\

HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\

HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\

HKCU\Software\Policies\Microsoft\Internet Explorer\PhishingFilter\

HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter\

HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\

HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions\

HKCU\Software\Policies\Microsoft\Internet Explorer\Security\

HKLM\Software\Policies\Microsoft\Internet Explorer\Security\

HKCU\Software\Policies\Microsoft\MMC\{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}\

HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\

HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\

HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\

HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\

HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\

HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\

HKCU\Software\Policies\Microsoft\Windows\Network Connections\

HKCU\Software\Policies\Microsoft\Windows\System\

HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0\

HKLM\Software\Policies\Microsoft\Windows\Task Scheduler5.0\

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"dontdisplaylastusername" = (REG_DWORD) hex:0x00000000
{Interactive logon: Do not display last user name}

"legalnoticetext" = (REG_SZ) (empty string)
{Interactive logon: Message text for users attempting to log on}

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}

HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore\


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\HTH\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = (value not set)


DESKTOP.INI DLL launch in local fixed drive directories:
--------------------------------------------------------

C:\Documents and Settings\Default User\Local Settings\History\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\Default User\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

Bear07
2007-06-10, 22:33
Continuing Silent Runners scan:

C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\1245FAUK\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\2RIA7U9K\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\J7D6QXZV\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\RNGXASFO\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\HTH\Cookies\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\HTH\Local Settings\Application Data\Microsoft\Feeds Cache\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\HTH\Local Settings\Application Data\Microsoft\Feeds Cache\CWQW7LIS\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\HTH\Local Settings\Application Data\Microsoft\Feeds Cache\HXSZ0HOG\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\HTH\Local Settings\Application Data\Microsoft\Feeds Cache\RROMEAS1\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\HTH\Local Settings\Application Data\Microsoft\Feeds Cache\W7BG2XRI\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\HTH\Local Settings\History\DESKTOP.INI
[.ShellClassInfo]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\HTH\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\HTH\Local Settings\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\HTH\Local Settings\Temporary Internet Files\Content.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\HTH2\Local Settings\History\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\HTH2\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\HTH2\Local Settings\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\Keith\Local Settings\History\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\Keith\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\Keith\Local Settings\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\Keith\Local Settings\Temporary Internet Files\Content.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\Keith\Local Settings\Temporary Internet Files\Content.IE5\1245FAUK\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\Keith\Local Settings\Temporary Internet Files\Content.IE5\2RIA7U9K\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\Keith\Local Settings\Temporary Internet Files\Content.IE5\J7D6QXZV\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\Keith\Local Settings\Temporary Internet Files\Content.IE5\RNGXASFO\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\LocalService\Cookies\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\LocalService\Local Settings\History\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\89K7S3GD\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KDWDK7OZ\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MN8VQHGL\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SFUREJIR\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\8363676B\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\EP4BKJGX\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\GOE4R0PD\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\SC1FM1ZL\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\PUBLIC\Fonts\DESKTOP.INI
[.ShellClassInfo]
UICLSID={BD84B380-8CA2-1069-AB1D-08000948F534}
-> {HKLM...CLSID}\InProcServer32\(Default) = "fontext.dll" [MS]

C:\WINDOWS\assembly\DESKTOP.INI
[.ShellClassInfo]
CLSID={1D2680C9-0E2A-469d-B787-065558BC7D43}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\mscoree.dll" [MS]

C:\WINDOWS\Downloaded Program Files\DESKTOP.INI
[.ShellClassInfo]
CLSID={88C6C381-2E85-11d0-94DE-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\occache.dll" [MS]

C:\WINDOWS\Fonts\DESKTOP.INI
[.ShellClassInfo]
UICLSID={BD84B380-8CA2-1069-AB1D-08000948F534}
-> {HKLM...CLSID}\InProcServer32\(Default) = "fontext.dll" [MS]

C:\WINDOWS\system32\config\systemprofile\Local Settings\History\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\1245FAUK\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

Bear07
2007-06-10, 22:34
Continuing Silent Runners scan:

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2RIA7U9K\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\J7D6QXZV\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RNGXASFO\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\WINDOWS\Tasks\DESKTOP.INI
[.ShellClassInfo]
CLSID={d6277990-4c6a-11cf-8d87-00aa0060f5bf}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\mstask.dll" [MS]

C:\WINDOWS\Temp\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\2GBJNBEV\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\N82QQLAE\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\SKCZA6YJ\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\TY2XFO2H\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]


Startup items in "HTH" & "All Users" startup folders:
-----------------------------------------------------

C:\Documents and Settings\HTH\Start Menu\Programs\Startup
"SpywareGuard" -> shortcut to: "C:\Program Files\SpywareGuard\sgmain.exe" [null data]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Acrobat Assistant" -> shortcut to: "C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe" ["Adobe Systems Inc."]
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"TabUserW" -> shortcut to: "C:\Program Files\Wacom\TabUserW.exe" ["Wacom Technology, Corp."]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task" ["Apple Computer, Inc."]
"MP Scheduled Scan" -> launches: "C:\Program Files\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\Program Files\Bonjour\mdnsNSP.dll" ["Apple Computer, Inc."]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{01E04581-4EEE-11D0-BFE9-00AA005B4383}"
-> {HKLM...CLSID} = "&Address"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{01E04581-4EEE-11D0-BFE9-00AA005B4383}"
-> {HKLM...CLSID} = "&Address"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{0E5CBF21-D15F-11D0-8301-00AA005B4383}"
-> {HKLM...CLSID} = "&Links"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]
"{F2CF5485-4E02-4F68-819C-B92DE9277049}"
-> {HKLM...CLSID} = "&Links"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{30D02401-6A81-11D0-8274-00C04FD5AE38}\(Default) = (no title provided)
-> {HKLM...CLSID} = "IE Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\(Default) = (no title provided)
-> {HKLM...CLSID} = "File Search Explorer Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
{EFA24E61-B078-11D0-89E4-00C04FC9E26E}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Favorites Band"
\InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]
{EFA24E62-B078-11D0-89E4-00C04FC9E26E}\(Default) = (no title provided)
-> {HKLM...CLSID} = "History Band"
\InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]
{EFA24E64-B078-11D0-89E4-00C04FC9E26E}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Explorer Band"
\InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]
{F60C63CE-52AF-4915-AAC9-F100FCDE270F}\(Default) = (no title provided)
-> {HKLM...CLSID} = "ClipMate ClipBar 7"
\InProcServer32\(Default) = "C:\PROGRA~1\CLIPMA~2\CLIPMA~1.DLL" ["Thornsoft Development, Inc."]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]
{4D5C8C25-D075-11D0-B416-00C04FB90376}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Tip of the Day"
\InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]

HKLM\Software\Classes\CLSID\{9999A076-A9E2-4C99-8A2B-632FC9429223}\(Default) = "Bonjour"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Bonjour\ExplorerPlugin.dll" ["Apple Computer, Inc."]

HKLM\Software\Classes\CLSID\{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}\(Default) = "&Discuss"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_01"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_01"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll" ["Sun Microsystems, Inc."]

{7F9DB11C-E358-4CA6-A83D-ACC663939424}\
"ButtonText" = "Bonjour"

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Internet Explorer Address Prefixes:
-----------------------------------

Prefix for bare domain ("domain-name-here.com")

HKLM\Software\Microsoft\Windows\CurrentVersion\URL\Default Prefix\
(Default) = "http://"

Prefix for specific service (i.e., "www")

HKLM\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes\
"ftp" = "ftp://"
"gopher" = "gopher://"
"home" = "http://"
"mosaic" = "http://"
"www" = "http://"


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" = (no title provided)
-> {HKLM...CLSID} = "Microsoft Url Search Hook"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
"NavigationFailure" = "res://ieframe.dll/navcancl.htm" [MS]
"DesktopItemNavigationFailure" = "res://ieframe.dll/navcancl.htm" [MS]
"NavigationCanceled" = "res://ieframe.dll/navcancl.htm" [MS]
"OfflineInformation" = "res://ieframe.dll/offcancl.htm" [MS]
"Home" = hex:0x0000010E
"blank" = "res://mshtml.dll/blank.htm" [MS]
"PostNotCached" = "res://ieframe.dll/repost.htm" [MS]
"NoAdd-ons" = "res://ieframe.dll/noaddon.htm" [MS]
"NoAdd-onsInfo" = "res://ieframe.dll/noaddoninfo.htm" [MS]
"SecurityRisk" = "res://ieframe.dll/securityatrisk.htm" [MS]
"Tabs" = "res://ieframe.dll/tabswelcome.htm" [MS]


HOSTS file
----------

HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\
"DataBasePath" = "C:\WINDOWS\System32\drivers\etc"

C:\WINDOWS\System32\drivers\etc\HOSTS

maps: 1 domain name to an IP address,
and this is the localhost IP address


All Running Services (Display Name, Service Name, Path {Service DLL}):
----------------------------------------------------------------------

Application Layer Gateway Service, ALG, "C:\WINDOWS\System32\alg.exe" [MS]
ASUS Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Automatic Updates, wuauserv, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\wuauserv.dll" [MS]}
COM+ Event System, EventSystem, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\es.dll" [MS]}
Computer Browser, Browser, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\browser.dll" [MS]}
Cryptographic Services, CryptSvc, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\cryptsvc.dll" [MS]}
DCOM Server Process Launcher, DcomLaunch, "C:\WINDOWS\system32\svchost -k DcomLaunch" {"C:\WINDOWS\system32\rpcss.dll" [MS]}
DHCP Client, Dhcp, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\dhcpcsvc.dll" [MS]}
Distributed Link Tracking Client, TrkWks, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\trkwks.dll" [MS]}
DNS Client, Dnscache, "C:\WINDOWS\System32\svchost.exe -k NetworkService" {"C:\WINDOWS\System32\dnsrslvr.dll" [MS]}
EPSON V3 Service4(01), EPSON_PM_RPCV4_01, "C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE" ["SEIKO EPSON CORPORATION"]
EpsonBidirectionalService, EpsonBidirectionalService, "C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe" [null data]
Error Reporting Service, ERSvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\ersvc.dll" [MS]}
Event Log, Eventlog, "C:\WINDOWS\system32\services.exe" [MS]
Fast User Switching Compatibility, FastUserSwitchingCompatibility, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\shsvcs.dll" [MS]}
Help and Support, helpsvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll" [MS]}
HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}
IPSEC Services, PolicyAgent, "C:\WINDOWS\System32\lsass.exe" [MS]
McAfee Framework Service, McAfeeFramework, "C:\Program Files\Network Associates\Common Framework\FrameworkService.exe /ServiceStart" ["Network Associates, Inc."]
Network Associates McShield, McShield, ""C:\Program Files\Network Associates\VirusScan\Mcshield.exe"" ["Network Associates, Inc."]
Network Associates Task Manager, McTaskManager, ""C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe"" ["Network Associates, Inc."]
Network Connections, Netman, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\netman.dll" [MS]}
Network Location Awareness (NLA), Nla, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\mswsock.dll" [MS]}
Plug and Play, PlugPlay, "C:\WINDOWS\system32\services.exe" [MS]
Print Spooler, Spooler, "C:\WINDOWS\system32\spoolsv.exe" [MS]
Protected Storage, ProtectedStorage, "C:\WINDOWS\system32\lsass.exe" [MS]
Remote Access Connection Manager, RasMan, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\rasmans.dll" [MS]}
Remote Procedure Call (RPC), RpcSs, "C:\WINDOWS\system32\svchost -k rpcss" {"C:\WINDOWS\system32\rpcss.dll" [MS]}
Secondary Logon, seclogon, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\seclogon.dll" [MS]}
Security Accounts Manager, SamSs, "C:\WINDOWS\system32\lsass.exe" [MS]
Security Center, wscsvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\wscsvc.dll" [MS]}
Server, lanmanserver, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\srvsvc.dll" [MS]}
Shell Hardware Detection, ShellHWDetection, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\shsvcs.dll" [MS]}
SSDP Discovery Service, SSDPSRV, "C:\WINDOWS\System32\svchost.exe -k LocalService" {"C:\WINDOWS\System32\ssdpsrv.dll" [MS]}
System Event Notification, SENS, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\sens.dll" [MS]}
System Restore Service, srservice, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\srsvc.dll" [MS]}
TabletService, TabletService, "C:\WINDOWS\System32\Tablet.exe" ["Wacom Technology, Corp."]
Task Scheduler, Schedule, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\schedsvc.dll" [MS]}
TCP/IP NetBIOS Helper, LmHosts, "C:\WINDOWS\System32\svchost.exe -k LocalService" {"C:\WINDOWS\System32\lmhsvc.dll" [MS]}
Telephony, TapiSrv, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\tapisrv.dll" [MS]}
Terminal Services, TermService, "C:\WINDOWS\System32\svchost -k DComLaunch" {"C:\WINDOWS\System32\termsrv.dll" [MS]}
Themes, Themes, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\shsvcs.dll" [MS]}
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
Universal Plug and Play Device Host, upnphost, "C:\WINDOWS\System32\svchost.exe -k LocalService" {"C:\WINDOWS\System32\upnphost.dll" [MS]}
WebClient, WebClient, "C:\WINDOWS\System32\svchost.exe -k LocalService" {"C:\WINDOWS\System32\webclnt.dll" [MS]}
Windows Audio, AudioSrv, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\audiosrv.dll" [MS]}
Windows Defender, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]
Windows Firewall/Internet Connection Sharing (ICS), SharedAccess, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\ipnathlp.dll" [MS]}
Windows Image Acquisition (WIA), stisvc, "C:\WINDOWS\System32\svchost.exe -k imgsvc" {"C:\WINDOWS\system32\wiaservc.dll" [MS]}
Windows Management Instrumentation, winmgmt, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\wbem\WMIsvc.dll" [MS]}
Windows Media Player Network Sharing Service, WMPNetworkSvc, ""C:\Program Files\Windows Media Player\WMPNetwk.exe"" [MS]
Windows Time, W32Time, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\w32time.dll" [MS]}
Wireless Zero Configuration, WZCSVC, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\wzcsvc.dll" [MS]}
Workstation, lanmanworkstation, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\wkssvc.dll" [MS]}


Keyboard Driver Filters:
------------------------

HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = "kbdclass" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."]
BJ Language Monitor\Driver = "cnbjmon.dll" [MS]
EPSON Printer Port\Driver = "Eplpmx02.DLL" ["MK Systems CO.,LTD."]
EPSON Stylus Photo R260 Series 32MonitorBA\Driver = "E_FLBBNA.DLL" ["SEIKO EPSON CORPORATION"]
EPSON V4 Monitor3SA\Driver = "EBPMON3.DLL" ["SEIKO EPSON CORPORATION"]
EPSON V5 2KMonitor\Driver = "EBPMON2.DLL" ["SEIKO EPSON CORPORATION"]
EPSON V6 2KMonitor\Driver = "EBPMON24.DLL" ["SEIKO EPSON CORPORATION"]
Local Port\Driver = "localspl.dll" [MS]
PJL Language Monitor\Driver = "pjlmon.dll" [MS]
Standard TCP/IP Port\Driver = "tcpmon.dll" [MS]
USB Monitor\Driver = "usbmon.dll" [MS]


-- (total run time: 243 seconds)
<<!>>: Suspicious data at a malware launch point.

Bear07
2007-06-10, 22:36
Here are the results from the F-Secure Blacklight scan:

06/10/07 14:53:41 [Info]: BlackLight Engine 1.0.61 initialized
06/10/07 14:53:41 [Info]: OS: 5.1 build 2600 (Service Pack 2)
06/10/07 14:53:41 [Note]: 7019 4
06/10/07 14:53:41 [Note]: 7005 0
06/10/07 14:53:55 [Note]: 7006 0
06/10/07 14:53:55 [Note]: 7011 1852
06/10/07 14:53:55 [Note]: 7026 0
06/10/07 14:53:55 [Note]: 7026 0
06/10/07 14:53:58 [Note]: FSRAW library version 1.7.1021

Mr_JAk3
2007-06-11, 19:52
Hello :)

I can't see any signs of malware. Those messages are just spam. I see that you have Thunderbird installed. Are you using its spam filter? It is pretty good and learns too if you teach it.

The unfortunate fact is that there isn't really a way to stop spam. Spam filters are the best solution. Or maybe create a new email address and try to keep it hidden.

Any other problems? :bigthumb:

Bear07
2007-06-12, 19:51
Yes I do use Thunderbird and it does a great job of catching spam.

I guess you must be right about those messages being spam, but I'm still suspicious of the bounce backs. They look very real and many of them provide no benefit to a spammer - no virus, no phishing scam, no Viagra, no nothing. For example, here is the latest apparent bounce back I've received (emails edited):


This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

somename @ somedomain.nl
SMTP error from remote mail server after RCPT TO:<somename @ somedomain.nl>:
host 194.120.181.67 [194.120.181.67]: 550 <somename @ somedomain.nl>:
Recipient address rejected: User unknown

Why would a spammer send that? They get nothing out of it. It doesn't make any sense.

Anyways, I really appreciate all your help. I think it's awesome that people like you are willing to help total strangers and be so generous with your time.

Thank you very much! :)

Mr_JAk3
2007-06-13, 17:40
Hi :)

Well, sometimes the spammers just wait for the users to reply to the messages. This is how they know that the account is real and can sell it on.

They may also see if the message bounces back -> account doesn't exist. Also, it is possible that a hidden image is included in the message and loaded automatically when the message is opened, another method to see if the email account really exists...

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.

Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use AVG Anti-Spyware (http://www.ewido.net/en/)
Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is a faster and more secure browser than Internet Explorer.

Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly. How to enable Automatic Updates? (http://www.bleepingcomputer.com/tutorials/tutorial35.html)

Keep your antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) and firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) up-to-date
Scan your computer regularly with your antivirus software.

Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?

Stand Up and Be Counted! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Stay clean and be safe ;)
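One way to settle the doubt raised in this thread about whether the "mail delivery failed" messages are real, as an added example that is not part of the thread or of any tool named in it: the script below parses a delivery-failure report shaped like the one Bear07 quoted and, when the report carries the original message, looks at that message's earliest Received: hop to decide whether the mail ever left through this user's own mail server (backscatter from a forged sender address, or a message that really was sent from here). The host names, the OUR_SENDING_HOSTS set and the IP addresses in the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 documentation ranges are assumptions; only 194.120.181.67 comes from the quoted bounce.

```python
"""Tell backscatter from a real bounce of mail that left this machine.

Added example for this thread, not code from the posts or any tool named in
them. It parses a delivery-failure report shaped like the one quoted above and,
when the report carries the original message, checks that message's earliest
Received: hop against our own sending hosts. All hosts are constructed.
"""
import re
from email import message_from_string

# Assumption: the only hosts this user's mail client ever hands mail to.
OUR_SENDING_HOSTS = {"bear07-pc", "smtp.example-isp.net"}
FAILED_ADDR_RE = re.compile(r"^\s*([^\s<>@]+@[^\s<>]+)\s*$", re.M)
SMTP_STATUS_RE = re.compile(r"host\s+(\S+)\s+\[([\d.]+)\]:\s*(\d{3})")
RECEIVED_RE = re.compile(r"from\s+([\w.\-]+).*?\bby\s+([\w.\-]+)", re.I | re.S)


def classify_bounce(raw: str, our_hosts=OUR_SENDING_HOSTS) -> dict:
    """Return recipient, SMTP code, remote host, earliest hop and a verdict:
    backscatter (forged sender), genuine_send (it really left via our host)
    or undetermined (no original message attached)."""
    msg = message_from_string(raw)
    parts = msg.get_payload() if msg.is_multipart() else [msg]
    result = {"failed_recipient": None, "smtp_code": None, "remote_host": None,
              "earliest_hop": None, "verdict": "undetermined"}
    for part in parts:
        ctype = part.get_content_type()
        if ctype == "text/plain":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            if m := FAILED_ADDR_RE.search(body):
                result["failed_recipient"] = m.group(1)
            if m := SMTP_STATUS_RE.search(body):
                result["remote_host"], result["smtp_code"] = m.group(1), m.group(3)
        elif ctype == "message/rfc822":
            original = part.get_payload()[0]
            hops = [str(v) for v in original.get_all("Received", [])]
            # Relays prepend Received: headers, so the last one is the earliest
            # hop: the host that first accepted the message from its sender.
            m = RECEIVED_RE.search(hops[-1]) if hops else None
            if not m:
                continue
            from_host, by_host = m.group(1).lower(), m.group(2).lower()
            result["earliest_hop"] = (from_host, by_host)
            # Caveat: the earliest hop is written on the sender's side and can
            # itself be forged; treat genuine_send as a cue to investigate.
            ours = from_host in our_hosts or by_host in our_hosts
            result["verdict"] = "genuine_send" if ours else "backscatter"
    return result


BOUNCE_BODY = """\
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  somename@somedomain.nl
    SMTP error from remote mail server after RCPT TO:<somename@somedomain.nl>:
    host 194.120.181.67 [194.120.181.67]: 550 <somename@somedomain.nl>:
    Recipient address rejected: User unknown
"""


def make_bounce(original_received: str) -> str:
    """Wrap the body and a Received: chain in a constructed multipart/report."""
    return ("From: MAILER-DAEMON@mx.somedomain.nl\nTo: bear07@example.com\n"
            "Subject: Mail delivery failed\nMIME-Version: 1.0\n"
            'Content-Type: multipart/report; boundary="b1"\n\n'
            "--b1\nContent-Type: text/plain\n\n" + BOUNCE_BODY +
            "--b1\nContent-Type: message/rfc822\n\n" + original_received +
            "From: bear07@example.com\nTo: somename@somedomain.nl\n\nhi\n--b1--\n")


# Original that entered the mail system from an unrelated host: forged sender.
FORGED_CHAIN = ("Received: from mx.somedomain.nl (mx.somedomain.nl [194.120.181.67])\n"
                "    by relay.somedomain.nl; Tue, 12 Jun 2007 10:00:01 +0200\n"
                "Received: from pc45.example.invalid (unknown [203.0.113.45])\n"
                "    by mx.somedomain.nl; Tue, 12 Jun 2007 09:59:58 +0200\n")
# Original that this PC handed to its own ISP server: it really was sent here.
OWN_CHAIN = ("Received: from smtp.example-isp.net (smtp.example-isp.net [198.51.100.9])\n"
             "    by mx.somedomain.nl; Tue, 12 Jun 2007 09:59:58 +0200\n"
             "Received: from bear07-pc (dsl-pool.example-isp.net [192.0.2.77])\n"
             "    by smtp.example-isp.net; Tue, 12 Jun 2007 09:59:50 +0200\n")

if __name__ == "__main__":
    for name, chain in (("forged", FORGED_CHAIN), ("own", OWN_CHAIN)):
        print(name, classify_bounce(make_bounce(chain))["verdict"])
```

A bounce that carries no copy of the original message gives "undetermined"; in that case only the mail server's own logs can show whether the message was ever submitted from this machine.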