PDA

View Full Version : Codec Problems - can only work in safe mode?



miss spooky
2006-12-18, 17:48
Afternoon,

My partner was trying to DL K-lite Codec Pk full to use instead of Windows Media Player. He chose this as the reviews for this pack were quite good... He Downloaded it, rebooted the computer and from here things went wrong.
All we get is a blue screen with the following error msg (sorry it's so long):-

***STOP:OXOOOOOOCE (OXF7ODOEO, OXOOOOOOOO, OXF7D02FE0, OXOOOOOOOO DRIVER - UNLOADED-WITHOUT-CANCELLING-PENDING-OPERATIONS***ADDRESS F70D02E0 BASE @ F70D02E0 DATESTAMP 00000000-COLR4-2K.sys

If this is the first time you've seen this stop error screen, restart your computer. If this screen appears again, follow these steps
1) Check to make sure any mew hardware /software is properly installed. If this is a new installation ask your hardware / software manufacture for any windows 2000k updates you may need.
2) If problems cantinue disable or remove any new installed hard/software. Disable BLOS Memory Options such as caching or shadowing. If you need to use safemode to remove or disable components restart your computer, press F8 to select advanced Setup options & then select Safe mode.

refer to your Getting Started Manual for more information on troubleshooting stop errors"

He rebooted a couple of times & kept getting same error message. Restarted again in safemode & uninstalled the program he downloaded.

Still unable to restart in normal mode.

Would appreciate your help.

Here's HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 3:16:43 PM, on 12/18/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Antispyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O1 - Hosts: 205.238.40.52 www.winmx.com err.winmx.com
O1 - Hosts: 205.238.40.1 cache0.winmx.com test3201.winmx.com test3205.winmx.com
O1 - Hosts: 205.238.40.2 cache1.winmx.com test3202.winmx.com test3206.winmx.com
O1 - Hosts: 82.43.224.20 cache2.winmx.com test3203.winmx.com test3207.winmx.com
O1 - Hosts: 82.204.21.111 cache3.winmx.com test3204.winmx.com test3208.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1301.winmx.com c3310.z1302.winmx.com c3310.z1303.winmx.com c3310.z1304.winmx.com c3310.z1305.winmx.com c3310.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1301.winmx.com c3311.z1302.winmx.com c3311.z1303.winmx.com c3311.z1304.winmx.com c3311.z1305.winmx.com c3311.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1301.winmx.com c3312.z1302.winmx.com c3312.z1303.winmx.com c3312.z1304.winmx.com c3312.z1305.winmx.com c3312.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3313.z1301.winmx.com c3313.z1302.winmx.com c3313.z1303.winmx.com c3313.z1304.winmx.com c3313.z1305.winmx.com c3313.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3314.z1301.winmx.com c3314.z1302.winmx.com c3314.z1303.winmx.com c3314.z1304.winmx.com c3314.z1305.winmx.com c3314.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3315.z1301.winmx.com c3315.z1302.winmx.com c3315.z1303.winmx.com c3315.z1304.winmx.com c3315.z1305.winmx.com c3315.z1306.winmx.com
O1 - Hosts: 82.43.224.20 c3316.z1301.winmx.com c3316.z1302.winmx.com c3316.z1303.winmx.com c3316.z1304.winmx.com c3316.z1305.winmx.com c3316.z1306.winmx.com
O1 - Hosts: 82.43.224.20 c3317.z1301.winmx.com c3317.z1302.winmx.com c3317.z1303.winmx.com c3317.z1304.winmx.com c3317.z1305.winmx.com c3317.z1306.winmx.com
O1 - Hosts: 82.204.21.111 c3318.z1301.winmx.com c3318.z1302.winmx.com c3318.z1303.winmx.com c3318.z1304.winmx.com c3318.z1305.winmx.com c3318.z1306.winmx.com
O1 - Hosts: 82.204.21.111 c3319.z1301.winmx.com c3319.z1302.winmx.com c3319.z1303.winmx.com c3319.z1304.winmx.com c3319.z1305.winmx.com c3319.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3520.z1301.winmx.com c3520.z1302.winmx.com c3520.z1303.winmx.com c3520.z1304.winmx.com c3520.z1305.winmx.com c3520.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3521.z1301.winmx.com c3521.z1302.winmx.com c3521.z1303.winmx.com c3521.z1304.winmx.com c3521.z1305.winmx.com c3521.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3522.z1301.winmx.com c3522.z1302.winmx.com c3522.z1303.winmx.com c3522.z1304.winmx.com c3522.z1305.winmx.com c3522.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3523.z1301.winmx.com c3523.z1302.winmx.com c3523.z1303.winmx.com c3523.z1304.winmx.com c3523.z1305.winmx.com c3523.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3524.z1301.winmx.com c3524.z1302.winmx.com c3524.z1303.winmx.com c3524.z1304.winmx.com c3524.z1305.winmx.com c3524.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3525.z1301.winmx.com c3525.z1302.winmx.com c3525.z1303.winmx.com c3525.z1304.winmx.com c3525.z1305.winmx.com c3525.z1306.winmx.com
O1 - Hosts: 82.43.224.20 c3526.z1301.winmx.com c3526.z1302.winmx.com c3526.z1303.winmx.com c3526.z1304.winmx.com c3526.z1305.winmx.com c3526.z1306.winmx.com
O1 - Hosts: 82.43.224.20 c3527.z1301.winmx.com c3527.z1302.winmx.com c3527.z1303.winmx.com c3527.z1304.winmx.com c3527.z1305.winmx.com c3527.z1306.winmx.com
O1 - Hosts: 82.204.21.111 c3528.z1301.winmx.com c3528.z1302.winmx.com c3528.z1303.winmx.com c3528.z1304.winmx.com c3528.z1305.winmx.com c3528.z1306.winmx.com
O1 - Hosts: 82.204.21.111 c3529.z1301.winmx.com c3529.z1302.winmx.com c3529.z1303.winmx.com c3529.z1304.winmx.com c3529.z1305.winmx.com c3529.z1306.winmx.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1001\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\RunOnce: [MigrateMMDrivers] rundll32.exe mmsys.cpl,mmseRunOnce
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Startup: Freecom Personal Media Suite.lnk = C:\Program Files\Freecom Personal Media Suite\FCPMS.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O15 - Trusted Zone: http://www.freewebs.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130231909123
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131100914278
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Zango/ie/bridge-c356.cab?6e214b1070662729071b008b35c64779a83d2eebb7c2333879d14edaa31bb60aa45a41eaabcd6422e439fba9ac96f9ce426ab7efb6f169ceb99c2a5c7e:844a4f713710b4d6fd84c831d43d35df
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE

teacup61
2006-12-22, 07:40
Hello miss spooky,

Welcome to Safer Networking Forums :)

Youch! :sick:

Please download, install, and update AVG Anti-Spyware (formerly Ewido) (http://www.ewido.net/en/download/)


Load AVG Anti-Spyware and then click the Update tab at the top. Under Manual Update click Start update.
After the update finishes (the status bar at the bottom will display "Update successful")
Close AVG. Do not run it yet.


I'm assuming you'll still be in safe mode at this point. Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O1 - Hosts: 205.238.40.52 www.winmx.com err.winmx.com
O1 - Hosts: 205.238.40.1 cache0.winmx.com test3201.winmx.com test3205.winmx.com
O1 - Hosts: 205.238.40.2 cache1.winmx.com test3202.winmx.com test3206.winmx.com
O1 - Hosts: 82.43.224.20 cache2.winmx.com test3203.winmx.com test3207.winmx.com
O1 - Hosts: 82.204.21.111 cache3.winmx.com test3204.winmx.com test3208.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1301.winmx.com c3310.z1302.winmx.com c3310.z1303.winmx.com c3310.z1304.winmx.com c3310.z1305.winmx.com c3310.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1301.winmx.com c3311.z1302.winmx.com c3311.z1303.winmx.com c3311.z1304.winmx.com c3311.z1305.winmx.com c3311.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1301.winmx.com c3312.z1302.winmx.com c3312.z1303.winmx.com c3312.z1304.winmx.com c3312.z1305.winmx.com c3312.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3313.z1301.winmx.com c3313.z1302.winmx.com c3313.z1303.winmx.com c3313.z1304.winmx.com c3313.z1305.winmx.com c3313.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3314.z1301.winmx.com c3314.z1302.winmx.com c3314.z1303.winmx.com c3314.z1304.winmx.com c3314.z1305.winmx.com c3314.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3315.z1301.winmx.com c3315.z1302.winmx.com c3315.z1303.winmx.com c3315.z1304.winmx.com c3315.z1305.winmx.com c3315.z1306.winmx.com
O1 - Hosts: 82.43.224.20 c3316.z1301.winmx.com c3316.z1302.winmx.com c3316.z1303.winmx.com c3316.z1304.winmx.com c3316.z1305.winmx.com c3316.z1306.winmx.com
O1 - Hosts: 82.43.224.20 c3317.z1301.winmx.com c3317.z1302.winmx.com c3317.z1303.winmx.com c3317.z1304.winmx.com c3317.z1305.winmx.com c3317.z1306.winmx.com
O1 - Hosts: 82.204.21.111 c3318.z1301.winmx.com c3318.z1302.winmx.com c3318.z1303.winmx.com c3318.z1304.winmx.com c3318.z1305.winmx.com c3318.z1306.winmx.com
O1 - Hosts: 82.204.21.111 c3319.z1301.winmx.com c3319.z1302.winmx.com c3319.z1303.winmx.com c3319.z1304.winmx.com c3319.z1305.winmx.com c3319.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3520.z1301.winmx.com c3520.z1302.winmx.com c3520.z1303.winmx.com c3520.z1304.winmx.com c3520.z1305.winmx.com c3520.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3521.z1301.winmx.com c3521.z1302.winmx.com c3521.z1303.winmx.com c3521.z1304.winmx.com c3521.z1305.winmx.com c3521.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3522.z1301.winmx.com c3522.z1302.winmx.com c3522.z1303.winmx.com c3522.z1304.winmx.com c3522.z1305.winmx.com c3522.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3523.z1301.winmx.com c3523.z1302.winmx.com c3523.z1303.winmx.com c3523.z1304.winmx.com c3523.z1305.winmx.com c3523.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3524.z1301.winmx.com c3524.z1302.winmx.com c3524.z1303.winmx.com c3524.z1304.winmx.com c3524.z1305.winmx.com c3524.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3525.z1301.winmx.com c3525.z1302.winmx.com c3525.z1303.winmx.com c3525.z1304.winmx.com c3525.z1305.winmx.com c3525.z1306.winmx.com
O1 - Hosts: 82.43.224.20 c3526.z1301.winmx.com c3526.z1302.winmx.com c3526.z1303.winmx.com c3526.z1304.winmx.com c3526.z1305.winmx.com c3526.z1306.winmx.com
O1 - Hosts: 82.43.224.20 c3527.z1301.winmx.com c3527.z1302.winmx.com c3527.z1303.winmx.com c3527.z1304.winmx.com c3527.z1305.winmx.com c3527.z1306.winmx.com
O1 - Hosts: 82.204.21.111 c3528.z1301.winmx.com c3528.z1302.winmx.com c3528.z1303.winmx.com c3528.z1304.winmx.com c3528.z1305.winmx.com c3528.z1306.winmx.com
O1 - Hosts: 82.204.21.111 c3529.z1301.winmx.com c3529.z1302.winmx.com c3529.z1303.winmx.com c3529.z1304.winmx.com c3529.z1305.winmx.com c3529.z1306.winmx.com
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Zang...84c831d43d35df

Close all browsers and other windows except for HijackThis!, and click "Fix Checked".


In Safe Mode, load AVG Anti-Spyware and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
Restart back into Normal Mode, if you can.



Download the Hoster Here
http://www.funkytoad.com/download/hoster.zip

Unzip Hoster to your desktop

Open up the Hoster program.

* Make sure that the "make hosts writable?" button in the upper right corner is enabled.
* Click back up Host files
* then click Restore orginal host files
* close program

In your reply, please post the report from AVG and a new HijackThis log. Please also let me know how your computer is running. :)

Thanks,
tea

miss spooky
2006-12-24, 00:12
Hello Teacup61,

Thank you for helping me.

Updated AVG. Checked items listed above in HJT, on fixing items I had 2 error messages. I've done a screen dump if you want to see first one as it was quite long... following message read " HiJackThis could not write the selected changes to your host file. The probable cause is that some program is denying access to it, or that your user account does not have the rights to write it". The check in question was:-
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Zang...84c831d43d35df

althought it has gone.

Ran AVG, no infections found, therfore no report.

Unable to restart in normal mode as blue screen with original stop message still appears so still in "Safe Mode Directory Service Repair". Therefore I have not run Hoster as I wasn't sure if this was just to be run in normal mode.

HJT Log 23.12.06:-

Logfile of HijackThis v1.99.1
Scan saved at 10:00:31 PM, on 12/23/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Antispyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1001\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\RunOnce: [MigrateMMDrivers] rundll32.exe mmsys.cpl,mmseRunOnce
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Startup: Freecom Personal Media Suite.lnk = C:\Program Files\Freecom Personal Media Suite\FCPMS.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O15 - Trusted Zone: http://www.freewebs.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130231909123
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131100914278
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE

Happy Christmas.:present:

teacup61
2006-12-24, 02:16
Hello,

AVG AntiVirus and AVG AntiSpyware are 2 different things. :) Please download AVG AntiSpyware per my directions above. I'll bet the farm that you get a good long report from it. ;) :spider:

Thanks for the holiday wishes. Merry Christmas to you too.http://i135.photobucket.com/albums/q150/teacup61/Gifts1.gif

miss spooky
2006-12-24, 16:46
Hi Teacup61,

Hope you've got a farm! Lol.
Here's the AVG Spyware report:-

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:41:50 AM 12/24/2006

+ Scan result:



C:\Documents and Settings\Administrator\Local Settings\Temp\ICD1.tmp\SAIX.dll -> Adware.180Solutions : Cleaned with backup (quarantined).
HKLM\SOFTWARE\180solutions -> Adware.180Solutions : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CSSecurity.HTMLSecurity -> Adware.CometCursor : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CSSecurity.HTMLSecurity.1 -> Adware.CometCursor : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CSSecurity.HTMLSecurity\CLSID -> Adware.CometCursor : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CSSecurity.HTMLSecurity\CurVer -> Adware.CometCursor : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\DMProxy.DMProxyCtl -> Adware.CometCursor : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\DMProxy.DMProxyCtl.1 -> Adware.CometCursor : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\DMProxy.DMProxyCtl\CLSID -> Adware.CometCursor : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\DMProxy.DMProxyCtl\CurVer -> Adware.CometCursor : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\DMServer.DMNotify -> Adware.CometCursor : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\DMServer.DMNotify.1 -> Adware.CometCursor : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\DMServer.DMNotify\CLSID -> Adware.CometCursor : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\DMServer.DMNotify\CurVer -> Adware.CometCursor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1757981266-920026266-1957994488-500\Software\Comet Systems -> Adware.CometCursor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1757981266-920026266-1957994488-500\Software\Comet Systems\Features -> Adware.CometCursor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1757981266-920026266-1957994488-500\Software\Comet Systems\Features\ADZAP -> Adware.CometCursor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1757981266-920026266-1957994488-500\Software\Comet Systems\Features\AUTOSEARCH -> Adware.CometCursor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1757981266-920026266-1957994488-500\Software\Comet Systems\Features\ERRORSEARCH -> Adware.CometCursor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1757981266-920026266-1957994488-500\Software\Comet Systems\Features\FUNBUTTON -> Adware.CometCursor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1757981266-920026266-1957994488-500\Software\Comet Systems\Features\HistZap -> Adware.CometCursor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1757981266-920026266-1957994488-500\Software\Comet Systems\Features\REFBUTTON -> Adware.CometCursor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1757981266-920026266-1957994488-500\Software\Comet Systems\Features\RELATEDSEARCH -> Adware.CometCursor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1757981266-920026266-1957994488-500\Software\Comet Systems\Features\SEARCHASSIST -> Adware.CometCursor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1757981266-920026266-1957994488-500\Software\Comet Systems\Features\SMILEYTOWN -> Adware.CometCursor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1757981266-920026266-1957994488-500\Software\Comet Systems\Features\SUPERCURSORS -> Adware.CometCursor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1757981266-920026266-1957994488-500\Software\Comet Systems\Features\TRAVELASSIST -> Adware.CometCursor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1757981266-920026266-1957994488-500\Software\Comet Systems\Features\TRAVELBUTTON -> Adware.CometCursor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1757981266-920026266-1957994488-500\Software\Comet Systems\Features\WEBBUTTON -> Adware.CometCursor : Cleaned with backup (quarantined).
C:\WINDOWS\iLookup -> Adware.eZula : Cleaned with backup (quarantined).
C:\temp\WebRebates_Auto_InstallSilent_Euro.exe -> Adware.WebRebates : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\temp\WinAdCtlInstPack.exe -> Adware.WinAD : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\MediaAccess.Installer -> Adware.WinAd : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\MediaAccess.Installer\CLSID -> Adware.WinAd : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\MediaAccess.Installer\CurVer -> Adware.WinAd : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\UDConn.UDConnect -> Dialer.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\UDConn.UDConnect.1 -> Dialer.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\UDConn.UDConnect\CLSID -> Dialer.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\UDConn.UDConnect\CurVer -> Dialer.Generic : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Cookies\administrator@247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@adtech[2].txt -> TrackingCookie.Adtech : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@adviva[2].txt -> TrackingCookie.Adviva : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wgliokazsdp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@media.fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-autotrader.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-deltatre.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@stat.onestat[2].txt -> TrackingCookie.Onestat : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@bs.serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.


::Report end

Tried to reboot into normal mode again but stop message still appears. Haven't run Hoster again for this reason.

Do you guys work over Xmas? Hope not, you all need a break!!

Speak soon.

teacup61
2006-12-25, 05:27
Hello,

Hope you've got a farm! Lol. I do actually! :eek: I have goats and chickens.:laugh: With that combination I just discovered the best, freshest egg nog ever! :D:

Could I see an uninstall list, please?

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

I'd also need a new HijackThis log, please ma'am. ;)

Thank you!
tea

teacup61
2006-12-25, 09:02
Hello miss spooky,

Could you do a couple of other things for me also, please?

I'd like for you to search for a file. It may be hidden, if it's there, so make sure your search includes hidden files and folders. Search for COLR4-2K.sys. If it's there, right click on it, choose properties, and tell me who the maker is, and version, if any.

Create a Startup List

Open HiJackThis
Click on the "Config..." button on the bottom right
Click on the tab "Misc Tools"
Check off the 2 boxes next to the Box that says "Generate StartupList log"
Click on the button "Generate StartupList log"
Copy and past the StartupList from the notepad into your next post

Thanks,
tea

miss spooky
2006-12-25, 11:49
Morning,

I've never tried eggnog?!?

I ran a search for COLRA-2K.sys but never found anything.:sad:

Uninstall log:-

ABBYY FineReader 5.0 Sprint Plus
Adobe Download Manager 2.0 (Remove Only)
Adobe Reader 6.0.1
AMATEURCAMgb
ArcSoft PhotoImpression 4
aspi
AVG Anti-Spyware 7.5
AVG Free Edition
BlueSoleil
BroadJump Client Foundation
CR2
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
ESSTUTOR
Freecom Personal Media Suite 1.34
GPL MPEG-1/2 DirectShow Decoder Filter
HijackThis 1.99.1
IncrediMail Xe
IncrediMail Xe
iTunes
Kaspersky On-line Scanner
Kodak EasyShare software
Lexmark X6100 Series
Macromedia Flash Player 8
Microsoft Office 2000 Premium
Microsoft VGX Q833989
Microsoft XML Parser and SDK
MSN Messenger 7.0
MSN Toolbar
My DSC
Nokia Connectivity Cable Driver
Nokia PC Suite
Notifier
QuickTime
Security Update for Windows 2000 (KB904706)
Spybot - Search & Destroy 1.4
Update Rollup 1 for Windows 2000 SP4
Windows 2000 Hotfix - KB842773
Windows 2000 Hotfix - KB890046
Windows 2000 Hotfix - KB893756
Windows 2000 Hotfix - KB894320
Windows 2000 Hotfix - KB896358
Windows 2000 Hotfix - KB896422
Windows 2000 Hotfix - KB896423
Windows 2000 Hotfix - KB896424
Windows 2000 Hotfix - KB896688
Windows 2000 Hotfix - KB899587
Windows 2000 Hotfix - KB899589
Windows 2000 Hotfix - KB900725
Windows 2000 Hotfix - KB901017
Windows 2000 Hotfix - KB901214
Windows 2000 Hotfix - KB902400
Windows 2000 Hotfix - KB905414
Windows 2000 Hotfix - KB905495
Windows 2000 Hotfix - KB905749
Windows Installer 3.1 (KB893803)
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows Media Player system update (9 Series)
Windows SR 2.0
WinMX
WinZip
ZipItFast Pro 3.01 - A Free, Fast All in One Archive Utility!

Start Up Log to follow in next post...

miss spooky
2006-12-25, 11:51
Cont.

Start up Log:-

StartupList report, 12/25/2006, 9:39:17 AM
StartupList version: 1.52.2
Started from : C:\Antispyware\HijackThis.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Antispyware\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Administrator\Start Menu\Programs\Startup]
Freecom Personal Media Suite.lnk = C:\Program Files\Freecom Personal Media Suite\FCPMS.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SystemTray = SysTray.Exe
Lexmark X6100 Series = "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
MPFTray = C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
MISAggregator =
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
msnappau = "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
PCSuiteTrayApplication = C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
DataLayer = C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
BJCFD = C:\Program Files\BroadJump\Client Foundation\CFD.exe
!AVG Anti-Spyware = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

MigrateMMDrivers = rundll32.exe mmsys.cpl,mmseRunOnce

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

(Default) =

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

IncrediMail = C:\Program Files\IncrediMail\bin\IncMail.exe /c
Yahoo! Pager = C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
updateMgr = C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5
PcSync = C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = "C:\WINDOWS\system32\shmgrate.exe" OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = "C:\WINDOWS\system32\shmgrate.exe" OCInstallUserConfigOE

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{6A5110B5-E14B-4268-A065-EF89FF33C325}] *
StubPath = regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\System32\ie4uinit.exe

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI file not found*
run=*INI file not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI file not found*
SCRNSAVE.EXE=*INI file not found*
drivers=*INI file not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe is MISSING!
- .reg open command is normal (regedit.exe %1)
- Unable to retrieve file info on regedit.exe!

Registry check failed!

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\MSN Apps\ST\01.02.3000.1001\en-xu\stmain.dll - {9394EDE7-C8B5-483E-8773-474BF36AF6E4}
(no name) - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job

--------------------------------------------------

Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\Java\classes\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Internet Explorer Classes for Java]
CODEBASE = file://C:\WINDOWS\SYSTEM\iejava.cab
OSD = C:\WINDOWS\Downloaded Program Files\Internet Explorer Classes for Java.osd

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[CKAVWebScan Object]
InProcServer32 = C:\WINDOWS\system32\Kaspersky Lab\Kaspersky On-line Scanner\kavwebscan.dll
CODEBASE = http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

[Shockwave ActiveX Control]
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\LegitCheckControl.DLL
CODEBASE = http://go.microsoft.com/fwlink/?linkid=48835

[Malicious Software Removal Tool]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\WebCleaner.dll
CODEBASE = http://download.microsoft.com/download/b/d/b/bdb4e4ee-63b2-45ff-9d84-33205bf43143/WebCleaner.cab

[MSN Photo Upload Tool]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
CODEBASE = http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130231909123

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\muweb.dll
CODEBASE = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131100914278

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38094.0963773148

[MsnMessengerSetupDownloadControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.ocx
CODEBASE = http://messenger.msn.com/download/msnmessengersetupdownloader.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash8.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash5r42.cab

[IncrediMail]
CODEBASE = http://www5.incredimail.com/contents/setup/downloader/imloader.cab

[MSN Chat Control 4.5]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MSNChat45.ocx
CODEBASE = http://chat.msn.com/controls/msnchat45.cab

Cont...

miss spooky
2006-12-25, 11:52
Start up log cont...

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\rnr20.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
Protocol #1: C:\WINDOWS\system32\msafd.dll
Protocol #2: C:\WINDOWS\system32\msafd.dll
Protocol #3: C:\WINDOWS\system32\msafd.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Application Management: %SystemRoot%\system32\services.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
atirage3: System32\DRIVERS\atimpab.sys (manual start)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
AVG Anti-Spyware Driver: \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys (system)
AVG Anti-Spyware Guard: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (autostart)
AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (autostart)
AVG7 Kernel: \SystemRoot\System32\Drivers\avg7core.sys (system)
AVG7 Resident Driver NT: \SystemRoot\System32\Drivers\avg7rsnt.sys (system)
AVG7 Wrap Driver: \SystemRoot\System32\Drivers\avg7rsw.sys (system)
AVG7 Update Service: C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (autostart)
AVG Anti-Spyware Clean Driver: System32\DRIVERS\AvgAsCln.sys (system)
AVG E-mail Scanner: C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe (autostart)
AVG Network Redirector: \SystemRoot\System32\Drivers\avgtdi.sys (autostart)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k BITSgroup (autostart)
Bluetooth Audio Service: system32\DRIVERS\blueletaudio.sys (manual start)
BlueSoleil Hid Service: C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe (autostart)
Bonifay: System32\DRIVERS\Bonifay.sys (manual start)
Bluetooth PAN Network Adapter: system32\DRIVERS\btnetdrv.sys (manual start)
Bluetooth USB For Bluetooth Service: System32\Drivers\btcusb.sys (manual start)
Bluetooth HID Enumerator: system32\DRIVERS\vbtenum.sys (manual start)
Bluetooth HID Manager Service: System32\Drivers\BTHidMgr.sys (system)
Bluetooth Network Filter: \??\C:\WINDOWS\system32\drivers\BTNetFilter.sys (manual start)
Closed Caption Decoder: system32\DRIVERS\CCDECODE.sys (manual start)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: C:\WINDOWS\System32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
Dual-Mode DSC(2770): System32\Drivers\SQcaptur.sys (manual start)
Kodak Camera Proxy: system32\DRIVERS\DcCam.sys (system)
DcFpoint: system32\DRIVERS\DcFpoint.sys (manual start)
Kodak DCFS2K Driver: system32\drivers\dcfs2k.sys (autostart)
Legacy Polling Service: system32\DRIVERS\DcLps.sys (manual start)
dcptp: system32\DRIVERS\DcPTP.sys (manual start)
DHCP Client: %SystemRoot%\System32\services.exe (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\services.exe (autostart)
Microsoft DirectMusic SW Synth (WDM): system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\services.exe (autostart)
ESS Audio Driver (WDM): system32\drivers\ess.sys (manual start)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Exportit: system32\DRIVERS\exportit.sys (system)
Fax Service: %systemroot%\system32\faxsvc.exe (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
GEARAspiWDM: System32\Drivers\GEARAspiWDM.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (autostart)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" (manual start)
IntelIde: System32\DRIVERS\intelide.sys (system)
Intel(R) 536EP V.92 Modem: System32\DRIVERS\Intels51.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
iPodService: C:\Program Files\iPod\bin\iPodService.exe (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (manual start)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Kodak Camera Connection Software: %SystemRoot%\system32\drivers\KodakCCS.exe (autostart)
LexBce Server: C:\WINDOWS\system32\LEXBCES.EXE (autostart)
TCP/IP NetBIOS Helper Service: %SystemRoot%\System32\services.exe (autostart)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Unimodem Streaming Filter Device: system32\drivers\MODEMCSA.sys (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
BDA MPE Filter: system32\DRIVERS\MPE.sys (manual start)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
NABTS/FEC VBI Codec: system32\DRIVERS\NABTSFEC.sys (manual start)
Microsoft TV/Video Connection: system32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
NetDetect: \SystemRoot\system32\drivers\netdtect.sys (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT Apm/Legacy Interface Driver: System32\DRIVERS\NtApm.sys (manual start)
Removable Storage: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Parallel class driver: System32\DRIVERS\parallel.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (system)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Policy Agent: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Protected Storage: %SystemRoot%\system32\services.exe (autostart)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
ptssvc: C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe (autostart)
PxHelp20: system32\DRIVERS\PxHelp20.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Microsoft Streaming Network Raw Channel Access: system32\drivers\RCA.sys (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry Service: %SystemRoot%\system32\regsvc.exe (autostart)
Microsoft Legacy Modem Driver: System32\Drivers\RootMdm.sys (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe -s (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\system32\MSTask.exe (autostart)
ScsiAccess: C:\WINDOWS\system32\ScsiAccess.EXE (autostart)
SecDrv: \??\C:\WINDOWS\system32\drivers\SECDRV.SYS (manual start)
RunAs Service: %SystemRoot%\system32\services.exe (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Internet Connection Sharing: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
BDA Slip De-Framer: system32\DRIVERS\SLIP.sys (manual start)
EZ Connect USB to Dual Speed Ethernet Converter: System32\DRIVERS\SMCUSB.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
Still Image Service: %systemroot%\system32\stisvc.exe (autostart)
BDA IPSink: system32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
Microsoft System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Telnet: %SystemRoot%\system32\tlntsvr.exe (manual start)
Distributed Link Tracking Client: %SystemRoot%\system32\services.exe (autostart)
Microsoft USB Universal Host Controller Driver: System32\DRIVERS\uhcd.sys (manual start)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)
Utility Manager: %SystemRoot%\System32\UtilMan.exe (manual start)
Virtual Serial port driver: system32\DRIVERS\VComm.sys (manual start)
Bluetooth VComm Manager Service: System32\Drivers\VcommMgr.sys (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
Windows Time: %SystemRoot%\System32\services.exe (manual start)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
Windows Management Instrumentation: %SystemRoot%\System32\WBEM\WinMgmt.exe (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\system32\Services.exe (manual start)
World Standard Teletext Codec: system32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k wugroup (autostart)
Wireless Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINDOWS\system32\NETSHELL.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 31,493 bytes
Report generated in 0.691 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

miss spooky
2006-12-25, 11:58
Couldn't find COLR4-2K.sys either...

HJT log:-

Logfile of HijackThis v1.99.1
Scan saved at 9:37:45 AM, on 12/25/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Antispyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1001\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunOnce: [MigrateMMDrivers] rundll32.exe mmsys.cpl,mmseRunOnce
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Startup: Freecom Personal Media Suite.lnk = C:\Program Files\Freecom Personal Media Suite\FCPMS.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O15 - Trusted Zone: http://www.freewebs.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130231909123
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131100914278
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE

Mosaic1
2006-12-28, 10:18
Hi miss spooky,

Teacup is taking some time off but will be back. In the meantime I have been asked to look in. I have been reading this thread.

There's a possibility that you had a typo. So let's dop a search for all sys files and see.


Copy the bold print to notepad. Name the file look.bat SAve it on your desktop.
Then double click on look.bat to run it. When finished, it will create and open a file named results.txt on your desktop. Please post the contents of results.txt into your next reply here.

cd \
dir /s /a *.sys >results.txt
Start notepad results.txt


I hope you're still with us. There are a couple of things we can try to get you back into Windows. One is not difficult at all, if it works. But I would really like to see what this file is first and then take it from there.


Mosaic1

miss spooky
2006-12-28, 18:06
Hi Mosaic1,

Thank you for taking over. I guessed Teacup was taking a Xmas break. :coffee:

I've done the scan & here are the results:-

Volume in drive C has no label.
Volume Serial Number is 3869-1805

Directory of C:\

10/09/2004 01:12p 0 MSDOS.SYS
04/23/1999 10:22p 222,390 IO.SYS
12/24/2006 10:51a 419,430,400 PAGEFILE.SYS
3 File(s) 419,652,790 bytes

Directory of C:\WINDOWS\SYSTEM32

05/08/2001 12:00p 9,029 ansi.sys
10/06/2005 09:33a 1,638,672 WIN32K.SYS
05/08/2001 12:00p 4,768 himem.sys
06/19/2003 08:05p 42,537 KEYBOARD.SYS
05/08/2001 12:00p 29,370 ntdos411.sys
05/08/2001 12:00p 29,274 ntdos412.sys
05/08/2001 12:00p 29,146 ntdos404.sys
05/08/2001 12:00p 29,146 ntdos804.sys
06/19/2003 08:05p 33,824 NTIO.SYS
05/08/2001 12:00p 27,097 country.sys
05/08/2001 12:00p 27,866 ntdos.sys
06/19/2003 08:05p 42,809 key01.sys
06/19/2003 08:05p 34,544 ntio404.sys
06/19/2003 08:05p 35,648 ntio411.sys
06/19/2003 08:05p 35,408 ntio412.sys
06/19/2003 08:05p 34,544 ntio804.sys
06/19/2003 08:05p 187,024 spcmdcon.sys
17 File(s) 2,270,706 bytes

Directory of C:\WINDOWS\SYSTEM32\DRIVERS

06/19/2003 08:05p 93,360 ndiswan.sys
05/10/2005 09:20a 513,424 ntfs.sys
06/19/2003 08:05p 37,552 nmnt.sys
09/06/2004 06:06a 161,072 nwrdr.sys
06/19/2003 08:05p 91,408 NWLNKIPX.SYS
06/19/2003 08:05p 65,520 nwlnknb.sys
04/21/2005 08:03a 183,248 rdbss.sys
06/19/2003 08:05p 60,208 parallel.sys
06/19/2003 08:05p 25,104 parport.sys
06/19/2003 08:05p 22,064 pciidex.sys
06/19/2003 08:05p 109,584 pcmcia.sys
06/19/2003 08:05p 60,496 psched.sys
06/19/2003 08:05p 17,680 ptilink.sys
06/19/2003 08:05p 19,920 rasirda.sys
12/02/2004 01:07p 63,280 udfs.sys
05/12/2005 10:25a 320,176 tcpip.sys
06/19/2003 08:05p 62,736 serial.sys
06/19/2003 08:05p 22,064 sonydcam.sys
04/21/2005 08:03a 127,568 AFD.SYS
05/03/2005 09:10a 238,928 SRV.SYS
06/19/2003 08:05p 16,240 tdi.sys
04/14/2005 06:59a 136,880 fltmgr.sys
06/19/2003 08:05p 50,640 videoprt.sys
06/19/2003 08:05p 173,232 UPDATE.SYS
06/19/2003 08:05p 57,264 mf.sys
06/19/2003 08:05p 29,168 modem.sys
06/19/2003 08:05p 59,312 pci.sys
06/19/2003 08:05p 21,776 mouclass.sys
06/19/2003 08:05p 40,176 usbhub.sys
12/12/2002 12:14a 5,248 mspclock.sys
06/19/2003 08:05p 20,688 usbd.sys
06/19/2003 08:05p 32,848 uhcd.sys
07/14/2005 12:24p 74,384 SCSIPORT.SYS
06/19/2003 08:05p 35,344 redbook.sys
06/19/2003 08:05p 34,704 msgpc.sys
05/08/2001 12:00p 57,904 atmarpc.sys
05/08/2001 12:00p 4,080 beep.sys
05/08/2001 12:00p 19,088 cdaudio.sys
04/08/2005 11:51a 175,632 netbt.sys
06/19/2003 08:05p 170,928 ndis.sys
05/08/2001 12:00p 272,496 cinemst2.sys
05/08/2001 12:00p 12,880 class2.sys
06/19/2003 08:05p 9,200 ndistapi.sys
06/19/2003 08:05p 11,792 partmgr.sys
05/08/2001 12:00p 10,064 dxapi.sys
04/30/2005 02:50p 11,860 vbtenum.sys
06/19/2003 08:05p 52,112 rasl2tp.sys
06/19/2003 08:05p 48,464 raspptp.sys
06/19/2003 08:05p 14,160 serenum.sys
05/08/2001 12:00p 34,416 ipfltdrv.sys
05/08/2001 12:00p 19,984 ipinip.sys
06/19/2003 08:05p 10,384 sfloppy.sys
06/19/2003 08:05p 148,400 sfmatalk.sys
05/08/2001 12:00p 4,240 mnmdd.sys
05/08/2001 12:00p 21,328 msfs.sys
07/09/2004 02:58a 15,104 mpe.sys
05/08/2001 12:00p 102,160 nbf.sys
06/19/2003 08:05p 53,552 swmidi.sys
05/08/2001 12:00p 40,432 ndproxy.sys
05/08/2001 12:00p 33,456 netbios.sys
05/08/2001 12:00p 9,680 netdtect.sys
05/08/2001 12:00p 37,040 npfs.sys
05/08/2001 12:00p 2,800 null.sys
05/08/2001 12:00p 12,560 nwlnkflt.sys
05/08/2001 12:00p 35,344 nwlnkfwd.sys
05/08/2001 12:00p 58,480 nwlnkspx.sys
06/19/2003 08:05p 47,568 sysaudio.sys
05/08/2001 12:00p 6,512 parvdm.sys
05/08/2001 12:00p 8,016 rasacd.sys
06/19/2003 08:05p 10,928 tape.sys
06/19/2003 08:05p 32,272 wanarp.sys
05/08/2001 12:00p 16,880 raspti.sys
05/08/2001 12:00p 35,024 rawwan.sys
05/08/2001 12:00p 21,712 rca.sys
05/08/2001 12:00p 6,032 rootmdm.sys
06/19/2003 08:05p 73,872 wdmaud.sys
06/19/2003 08:05p 57,296 irda.sys
06/19/2003 08:05p 10,288 irenum.sys
05/08/2001 12:00p 14,832 smclib.sys
06/19/2003 08:05p 20,208 msircomm.sys
05/08/2001 12:00p 105,840 streams.sys
08/28/2004 10:52p 28,624 SECDRV.SYS
06/19/2003 08:05p 11,984 ndisuio.sys
05/08/2001 12:00p 52,048 tosdvd.sys
05/08/2001 12:00p 22,000 tsbvcap.sys
05/08/2001 12:00p 23,888 usbcamd.sys
05/08/2001 12:00p 59,280 vdmindvd.sys
05/08/2001 12:00p 13,968 vga.sys
06/19/2003 08:05p 19,728 usbehci.sys
05/08/2001 12:00p 4,240 wmilib.sys
05/08/2001 12:00p 12,016 ws2ifsl.sys
05/08/2001 12:00p 12,368 fsvga.sys
05/08/2001 12:00p 88,816 lvcam.sys
05/08/2001 12:00p 79,120 lvcodek.sys
05/08/2001 12:00p 17,424 lvsound.sys
05/08/2001 12:00p 15,120 usbintel.sys
06/19/2003 08:05p 49,776 usbhub20.sys
06/19/2003 08:05p 138,288 usbport.sys
09/21/2003 01:32a 71,888 ksecdd.sys
04/08/2005 11:51a 432,976 mrxsmb.sys
10/27/2006 08:34a 26,912 avg7rsnt.sys
05/20/2004 08:21a 36,918 DcCam.sys
05/20/2004 08:39a 8,022 DcLps.sys
05/20/2004 08:41a 61,564 DcFpoint.sys
06/02/2004 01:17p 151,985 ExportIt.sys
01/16/2006 09:33p 4,288 avg7rsw.sys
10/04/1999 03:03p 13,904 hidusb.sys
05/08/2001 12:00p 33,616 fips.sys
06/02/2004 01:19p 38,705 DCFS2k.sys
06/19/2003 08:05p 21,872 usbprint.sys
06/19/2003 08:05p 12,592 usbscan.sys
12/12/2002 12:14a 5,504 mstee.sys
12/12/2002 12:14a 4,096 swenum.sys
07/09/2004 02:58a 11,392 bdasup.sys
11/15/2006 09:01p 36,592 pxhelp20.sys
11/10/1999 03:34p 71,632 atimpab.sys
05/20/2004 08:45a 68,950 DcPtp.sys
12/12/2002 12:14a 7,424 mskssrv.sys
07/09/2004 02:58a 14,976 streamip.sys
07/09/2004 02:58a 10,112 ndisip.sys
12/02/2004 01:07p 89,328 mup.sys
04/08/2005 11:51a 63,248 cdfs.sys
07/09/2004 02:58a 10,880 slip.sys
09/30/1999 05:26p 64,144 ess.sys
03/30/2004 09:05p 11,904 Bonifay.sys
10/27/2006 08:34a 27,904 avg7rsxp.sys
09/25/1999 10:36a 9,104 NtApm.sys
07/09/2004 02:58a 83,968 nabtsfec.sys
07/09/2004 02:58a 16,384 ccdecode.sys
09/25/1999 10:35a 2,896 audstub.sys
07/09/2004 02:58a 18,688 wstcodec.sys
07/09/2004 02:58a 56,832 msdv.sys
07/19/2005 10:44a 142,288 fastfat.sys
12/12/2002 12:14a 130,304 ks.sys
06/19/2003 08:05p 148,208 portcls.sys
01/16/2006 09:33p 4,992 avgtdi.sys
10/28/1999 03:24p 51,152 DMusic.sys
12/02/2004 01:00p 116,400 ftdisk.sys
08/11/2004 10:42p 67,344 ipnat.sys
08/16/2005 08:40a 30,160 mountmgr.sys
02/02/2005 01:21a 14,408 GEARAspiWDM.sys
06/19/2003 08:05p 21,552 USBSTOR.SYS
01/10/2003 09:30a 25,449 SQCamD.sys
01/10/2003 10:56a 30,921 SQCaptur.sys
12/16/2004 04:32p 13,304 BTNetFilter.sys
10/27/2006 08:34a 778,656 avg7core.sys
06/19/2003 08:05p 42,000 stream.sys
09/25/1999 10:36a 4,816 MSPQM.sys
05/31/2005 03:40p 20,480 blueletaudio.sys
04/28/2003 06:31p 51,169 OXSER.SYS
05/10/2002 01:31p 633,220 Intels51.sys
04/30/2005 02:50p 28,271 BTHidMgr.sys
09/25/1999 10:34a 16,144 MODEMCSA.sys
06/21/2002 09:36a 25,260 SMCUSB.sys
03/21/2004 06:28p 23,420 cdralw2k.sys
03/21/2004 06:28p 58,000 cdr4_2K.sys
03/25/2005 05:18p 82,148 VcommMgr.sys
06/19/2003 08:05p 21,008 agp440.sys
06/19/2003 08:05p 17,840 asyncmac.sys
06/19/2003 08:05p 86,672 atapi.sys
06/19/2003 08:05p 48,496 atmlane.sys
06/19/2003 08:05p 331,088 atmuni.sys
10/19/2004 01:37p 61,312 VComm.sys
06/19/2003 08:05p 27,984 cdrom.sys
06/19/2003 08:05p 34,832 classpnp.sys
06/19/2003 08:05p 30,768 DISK.SYS
06/19/2003 08:05p 14,288 diskdump.sys
06/19/2003 08:05p 7,728 diskperf.sys
06/19/2003 08:05p 56,112 DLC.SYS
06/19/2003 08:05p 369,104 dmboot.sys
06/19/2003 08:05p 137,936 dmio.sys
06/19/2003 08:05p 7,312 dmload.sys
06/19/2003 08:05p 27,440 efs.sys
09/05/2006 04:03p 3,968 AvgAsCln.sys
06/19/2003 08:05p 26,256 fdc.sys
06/19/2003 08:05p 19,312 flpydisk.sys
06/19/2003 08:05p 7,600 fs_rec.sys
06/19/2003 08:05p 24,752 hidclass.sys
06/19/2003 08:05p 23,056 hidparse.sys
06/19/2003 08:05p 46,992 i8042prt.sys
06/19/2003 08:05p 4,624 intelide.sys
06/19/2003 08:05p 64,304 ipsec.sys
06/19/2003 08:05p 19,952 irsir.sys
06/19/2003 08:05p 46,992 isapnp.sys
06/19/2003 08:05p 24,528 kbdclass.sys
06/19/2003 08:05p 148,304 kmixer.sys
02/11/2004 06:29a 48,076 Sio9502k.sys
03/23/2004 03:26a 48,556 SktBt2k.sys
07/03/2003 07:58p 63,488 wssbtr1f.sys
05/31/2005 09:42a 23,000 btcusb.sys
09/21/2004 06:18p 116,021 fw203x.sys
04/30/2005 02:48p 10,804 BtNetDrv.sys
09/21/2004 06:18p 148,830 bcbthub.sys
04/30/2005 02:50p 11,736 VHIDMini.sys
194 File(s) 12,081,621 bytes

Directory of C:\WINDOWS\SYSTEM32\dllcache

05/03/2005 09:10a 238,928 srv.sys
06/19/2003 08:05p 148,208 portcls.sys
06/19/2003 08:05p 42,000 stream.sys
05/08/2001 12:00p 33,616 fips.sys
04/21/2005 08:03a 127,568 afd.sys
04/08/2005 11:51a 63,248 cdfs.sys
07/19/2005 10:44a 142,288 fastfat.sys
10/06/2005 09:33a 1,638,672 win32k.sys
09/21/2003 01:32a 71,888 ksecdd.sys
06/19/2003 08:05p 33,824 NTIO.SYS
05/10/2005 09:20a 513,424 ntfs.sys
07/14/2005 12:24p 74,384 scsiport.sys
12/02/2004 01:07p 63,280 udfs.sys
06/19/2003 08:05p 21,872 usbprint.sys
06/19/2003 08:05p 12,592 usbscan.sys
10/04/1999 03:03p 13,904 hidusb.sys
05/08/2001 12:00p 9,029 ansi.sys
12/12/2002 12:14a 130,304 ks.sys
12/12/2002 12:14a 5,248 mspclock.sys
12/12/2002 12:14a 7,424 mskssrv.sys
12/12/2002 12:14a 4,096 swenum.sys
12/12/2002 12:14a 5,504 mstee.sys
07/09/2004 02:58a 16,384 ccdecode.sys
05/08/2001 12:00p 57,904 atmarpc.sys
07/09/2004 02:58a 56,832 msdv.sys
06/19/2003 08:05p 21,552 usbstor.sys
05/08/2001 12:00p 4,080 beep.sys
05/08/2001 12:00p 11,376 busmouse.sys
04/08/2005 11:51a 175,632 netbt.sys
05/08/2001 12:00p 27,097 country.sys
06/19/2003 08:05p 16,240 tdi.sys
08/16/2005 08:40a 30,160 mountmgr.sys
06/19/2003 08:05p 34,544 ntio404.sys
06/19/2003 08:05p 35,648 ntio411.sys
06/19/2003 08:05p 35,408 ntio412.sys
05/08/2001 12:00p 12,880 class2.sys
06/19/2003 08:05p 34,544 ntio804.sys
09/06/2004 06:06a 161,072 nwrdr.sys
04/14/2005 06:59a 136,880 fltmgr.sys
12/02/2004 01:00p 116,400 ftdisk.sys
08/11/2004 10:42p 67,344 ipnat.sys
10/24/2004 01:10p 77,680 mqac.sys
05/08/2001 12:00p 10,064 dxapi.sys
04/08/2005 11:51a 432,976 mrxsmb.sys
12/02/2004 01:07p 89,328 mup.sys
04/21/2005 08:03a 183,248 rdbss.sys
05/12/2005 10:25a 320,176 tcpip.sys
05/08/2001 12:00p 4,768 himem.sys
05/08/2001 12:00p 34,416 ipfltdrv.sys
05/08/2001 12:00p 19,984 ipinip.sys
05/08/2001 12:00p 4,240 mnmdd.sys
05/08/2001 12:00p 21,328 msfs.sys
05/08/2001 12:00p 40,432 ndproxy.sys
05/08/2001 12:00p 33,456 netbios.sys
05/08/2001 12:00p 9,680 netdtect.sys
05/08/2001 12:00p 37,040 npfs.sys
05/08/2001 12:00p 3,216 mwsetupk.sys
05/08/2001 12:00p 29,146 ntdos404.sys
05/08/2001 12:00p 29,370 ntdos411.sys
05/08/2001 12:00p 27,866 ntdos.sys
05/08/2001 12:00p 29,274 ntdos412.sys
09/24/1999 11:10a 39,200 mwwdm.sys
05/08/2001 12:00p 29,146 ntdos804.sys
05/08/2001 12:00p 102,160 nbf.sys
05/08/2001 12:00p 6,512 parvdm.sys
05/08/2001 12:00p 2,800 null.sys
05/08/2001 12:00p 12,560 nwlnkflt.sys
05/08/2001 12:00p 35,344 nwlnkfwd.sys
05/08/2001 12:00p 58,480 nwlnkspx.sys
05/08/2001 12:00p 8,016 rasacd.sys
05/08/2001 12:00p 16,880 raspti.sys
05/08/2001 12:00p 35,024 rawwan.sys
05/08/2001 12:00p 6,032 rootmdm.sys
05/08/2001 12:00p 14,832 smclib.sys
05/08/2001 12:00p 105,840 streams.sys
05/08/2001 12:00p 9,328 synth.sys
05/08/2001 12:00p 42,736 sndblst.sys
05/08/2001 12:00p 10,800 tcarc.sys
05/08/2001 12:00p 18,864 trident.sys
05/08/2001 12:00p 12,336 spud.sys
05/08/2001 12:00p 4,240 wmilib.sys
05/08/2001 12:00p 13,968 vga.sys
05/08/2001 12:00p 12,016 ws2ifsl.sys
09/25/1999 10:34a 16,144 modemcsa.sys
84 File(s) 6,504,224 bytes

Cont

miss spooky
2006-12-28, 18:07
Cont-

Directory of C:\WINDOWS\ServicePackFiles\i386

06/19/2003 08:05p 59,312 pci.sys
06/19/2003 08:05p 17,520 ppa.sys
06/19/2003 08:05p 27,440 efs.sys
06/19/2003 08:05p 56,112 dlc.sys
06/19/2003 08:05p 26,256 fdc.sys
06/19/2003 08:05p 120,240 afd.sys
06/19/2003 08:05p 85,776 ibmfent5.sys
06/19/2003 08:05p 85,776 hptxnt5.sys
06/19/2003 08:05p 85,776 e100bnt5.sys
06/19/2003 08:05p 87,888 mup.sys
06/19/2003 08:05p 57,264 mf.sys
06/19/2003 08:05p 113,744 ks.sys
06/19/2003 08:05p 16,240 tdi.sys
06/19/2003 08:05p 33,824 ntio.sys
06/19/2003 08:05p 244,944 srv.sys
06/19/2003 08:05p 534,192 ntfs.sys
06/19/2003 08:05p 37,552 nmnt.sys
06/19/2003 08:05p 75,536 mqac.sys
06/19/2003 08:05p 16,048 ppa3.sys
06/19/2003 08:05p 55,920 msdv.sys
06/19/2003 08:05p 29,264 mountmgr.sys
06/19/2003 08:05p 50,640 videoprt.sys
06/19/2003 08:05p 170,928 ndis.sys
06/19/2003 08:05p 12,688 dot4prt.sys
06/19/2003 08:05p 9,968 adicvls.sys
06/19/2003 08:05p 57,296 irda.sys
06/19/2003 08:05p 12,912 hpmc.sys
06/19/2003 08:05p 44,208 dot4.sys
06/19/2003 08:05p 137,936 dmio.sys
06/19/2003 08:05p 30,768 disk.sys
06/19/2003 08:05p 24,752 hidclass.sys
06/19/2003 08:05p 148,208 portcls.sys
05/08/2001 12:00p 33,616 fips.sys
06/19/2003 08:05p 163,120 acpi.sys
06/19/2003 08:05p 61,680 cdfs.sys
06/19/2003 08:05p 62,672 udfs.sys
06/19/2003 08:05p 6,608 dlttape.sys
06/19/2003 08:05p 32,848 uhcd.sys
06/19/2003 08:05p 10,928 tape.sys
06/19/2003 08:05p 21,776 mouclass.sys
06/19/2003 08:05p 23,056 hidparse.sys
06/19/2003 08:05p 20,688 usbd.sys
06/19/2003 08:05p 29,168 modem.sys
06/19/2003 08:05p 24,784 openhci.sys
06/19/2003 08:05p 9,392 seaddsmc.sys
06/19/2003 08:05p 9,680 ddsmc.sys
06/19/2003 08:05p 10,256 nsmmc.sys
06/19/2003 08:05p 18,928 hidbatt.sys
06/19/2003 08:05p 5,168 mstee.sys
06/19/2003 08:05p 34,704 msgpc.sys
06/19/2003 08:05p 11,856 examc.sys
06/19/2003 08:05p 168,624 netbt.sys
06/19/2003 08:05p 140,016 icam3.sys
06/19/2003 08:05p 9,968 jvcmc.sys
06/19/2003 08:05p 9,776 snyaitmc.sys
06/19/2003 08:05p 9,424 atlmc.sys
06/19/2003 08:05p 42,809 key01.sys
06/19/2003 08:05p 86,672 atapi.sys
06/19/2003 08:05p 67,120 ipnat.sys
06/19/2003 08:05p 19,952 irsir.sys
06/19/2003 08:05p 27,984 cdrom.sys
06/19/2003 08:05p 64,304 ipsec.sys
06/19/2003 08:05p 7,184 battc.sys
06/19/2003 08:05p 332,144 tcpip.sys
06/19/2003 08:05p 161,072 nwrdr.sys
05/08/2001 12:00p 27,866 ntdos.sys
06/19/2003 08:05p 10,928 4mmdat.sys
06/19/2003 08:05p 10,288 stkmc.sys
06/19/2003 08:05p 9,808 pnrmc.sys
06/19/2003 08:05p 9,200 ndistapi.sys
06/19/2003 08:05p 34,544 ntio804.sys
06/19/2003 08:05p 34,544 ntio404.sys
06/19/2003 08:05p 35,648 ntio411.sys
06/19/2003 08:05p 35,408 ntio412.sys
06/19/2003 08:05p 174,800 rdbss.sys
06/19/2003 08:05p 4,624 intelide.sys
06/19/2003 08:05p 35,760 sbp2port.sys
06/19/2003 08:05p 74,192 scsiport.sys
06/19/2003 08:05p 11,632 scsiprnt.sys
06/19/2003 08:05p 9,808 gameenum.sys
06/19/2003 08:05p 73,872 wdmaud.sys
06/19/2003 08:05p 42,000 stream.sys
06/19/2003 08:05p 10,160 spctramc.sys
06/19/2003 08:05p 22,416 viaagp.sys
06/19/2003 08:05p 173,232 update.sys
06/19/2003 08:05p 32,272 wanarp.sys
06/19/2003 08:05p 22,768 usbser.sys
06/19/2003 08:05p 40,176 usbhub.sys
06/19/2003 08:05p 8,848 qntmmc.sys
06/19/2003 08:05p 65,520 nwlnknb.sys
05/04/2001 12:05p 27,120 symc8xx.sys
06/19/2003 08:05p 17,840 asyncmac.sys
06/19/2003 08:05p 1,717,936 win32k.sys
06/19/2003 08:05p 10,768 qlstrmc.sys
06/19/2003 08:05p 109,584 pcmcia.sys
06/19/2003 08:05p 3,088 pciide.sys
06/19/2003 08:05p 62,736 serial.sys
06/19/2003 08:05p 34,832 classpnp.sys
06/19/2003 08:05p 11,120 plasmc.sys
06/19/2003 08:05p 53,552 swmidi.sys
06/19/2003 08:05p 11,792 partmgr.sys
06/19/2003 08:05p 11,632 mouhid.sys
06/19/2003 08:05p 25,104 parport.sys
06/19/2003 08:05p 37,680 ohci1394.sys
06/19/2003 08:05p 187,024 spcmdcon.sys
06/19/2003 08:05p 12,432 sonymc.sys
06/19/2003 08:05p 22,064 pciidex.sys
06/19/2003 08:05p 10,384 sfloppy.sys
06/19/2003 08:05p 60,496 psched.sys
06/19/2003 08:05p 382,128 setupdd.sys
06/19/2003 08:05p 48,496 atmlane.sys
06/19/2003 08:05p 418,640 mrxsmb.sys
06/19/2003 08:05p 148,400 sfmatalk.sys
06/19/2003 08:05p 71,888 ksecdd.sys
05/04/2001 12:05p 104,720 ibmtrp.sys
06/19/2003 08:05p 14,160 serenum.sys
06/19/2003 08:05p 21,872 usbprint.sys
06/19/2003 08:05p 60,208 parallel.sys
06/19/2003 08:05p 14,288 diskdump.sys
06/19/2003 08:05p 68,336 i81xnt5.sys
06/19/2003 08:05p 9,392 breecemc.sys
06/19/2003 08:05p 46,992 i8042prt.sys
06/19/2003 08:05p 369,104 dmboot.sys
06/19/2003 08:05p 7,312 dmload.sys
05/08/2001 12:00p 27,097 country.sys
06/19/2003 08:05p 35,344 redbook.sys
06/19/2003 08:05p 91,408 nwlnkipx.sys
06/19/2003 08:05p 21,552 usbstor.sys
06/19/2003 08:05p 22,064 sonydcam.sys
06/19/2003 08:05p 138,288 usbport.sys
06/19/2003 08:05p 12,592 usbscan.sys
06/19/2003 08:05p 47,568 sysaudio.sys
06/19/2003 08:05p 17,680 ptilink.sys
06/19/2003 08:05p 46,992 isapnp.sys
06/19/2003 08:05p 10,288 irenum.sys
06/19/2003 08:05p 11,984 ndisuio.sys
06/19/2003 08:05p 49,776 usbhub20.sys
06/19/2003 08:05p 19,728 usbehci.sys
06/19/2003 08:05p 93,360 ndiswan.sys
06/19/2003 08:05p 10,448 discmc.sys
06/19/2003 08:05p 27,376 smbbatt.sys
06/19/2003 08:05p 148,304 kmixer.sys
06/19/2003 08:05p 9,776 elmsmc.sys
06/19/2003 08:05p 115,504 ftdisk.sys
06/19/2003 08:05p 7,600 fs_rec.sys
06/19/2003 08:05p 7,728 diskperf.sys
06/19/2003 08:05p 24,528 kbdclass.sys
06/19/2003 08:05p 9,904 adicsc.sys
06/19/2003 08:05p 24,176 agpcpq.sys
06/19/2003 08:05p 21,008 agp440.sys
06/19/2003 08:05p 33,328 lp6nds35.sys
06/19/2003 08:05p 11,536 acpiec.sys
06/19/2003 08:05p 9,264 compbatt.sys
06/19/2003 08:05p 40,752 1394bus.sys
06/19/2003 08:05p 42,537 keyboard.sys
06/19/2003 08:05p 10,992 cpqarray.sys
05/04/2001 12:05p 597,776 altnd5.sys
06/19/2003 08:05p 331,088 atmuni.sys
05/04/2001 12:05p 104,656 skfpwin.sys
06/19/2003 08:05p 64,432 adpu160m.sys
06/19/2003 08:05p 19,312 flpydisk.sys
06/19/2003 08:05p 140,496 fastfat.sys
06/19/2003 08:05p 48,464 raspptp.sys
06/19/2003 08:05p 52,112 rasl2tp.sys
06/19/2003 08:05p 19,920 rasirda.sys
06/19/2003 08:05p 20,208 msircomm.sys
06/19/2003 08:05p 9,904 cmbatt.sys
167 File(s) 12,137,189 bytes

Directory of C:\WINDOWS\inf

05/08/2001 12:00p 32,528 wbfirdma.sys
1 File(s) 32,528 bytes

Directory of C:\WINDOWS\twain_32\MyDSC

01/10/2003 09:30a 25,449 SQCamD.sys
01/10/2003 10:56a 30,921 SQCaptur.sys
2 File(s) 56,370 bytes

Directory of C:\Program Files\Common Files\Kodak\kodak_dr

06/02/2004 01:19p 38,705 DCFS2k.sys
05/20/2004 08:39a 8,022 DcLps.sys
05/20/2004 08:45a 68,950 DcPtp.sys
06/02/2004 01:17p 151,985 ExportIt.sys
05/20/2004 08:41a 61,564 DcFpoint.sys
05/20/2004 08:21a 36,918 DcCam.sys
6 File(s) 366,144 bytes

Directory of C:\Program Files\Grisoft\AVG Anti-Spyware 7.5

09/05/2006 04:03p 3,968 avgascln.sys
09/28/2006 02:13p 4,096 guard.sys
2 File(s) 8,064 bytes

Directory of C:\Program Files\Nokia\Connectivity Cable Driver

02/15/2005 04:57p 9,021 nmwcdcm.sys
02/17/2005 01:48p 140,619 nmwcd.sys
02/15/2005 04:57p 6,300 nmwcdc.sys
3 File(s) 155,940 bytes

Directory of C:\Program Files\IVT Corporation\BlueSoleil\Device\Win2k

09/21/2004 06:18p 116,021 fw203x.sys
04/30/2005 02:50p 28,271 BTHidMgr.sys
04/30/2005 02:48p 10,804 BtNetDrv.sys
09/21/2004 06:18p 148,830 bcbthub.sys
04/30/2005 02:50p 11,860 VBTEnum.sys
10/19/2004 01:37p 61,312 VComm.sys
03/25/2005 05:18p 82,148 VcommMgr.sys
04/30/2005 02:50p 11,736 VHIDMini.sys
05/31/2005 03:40p 20,480 blueletaudio.sys
12/16/2004 04:32p 13,304 BTNetFilter.sys
10 File(s) 504,766 bytes

Directory of C:\Program Files\IVT Corporation\BlueSoleil\driver\USB

05/31/2005 09:42a 23,000 btcusb.sys
1 File(s) 23,000 bytes

Directory of C:\Program Files\IVT Corporation\BlueSoleil\driver\PCMCIA

05/30/2001 05:21a 31,677 Btpcmcia.sys
11/25/2002 01:23a 12,240 wppcmcia.sys
2 File(s) 43,917 bytes

Directory of C:\Program Files\IVT Corporation\BlueSoleil\driver\PCMCIA\socket

03/23/2004 10:26a 48,556 SktBt2k.sys
1 File(s) 48,556 bytes

Directory of C:\Documents and Settings\Administrator\My Documents\Misc

04/01/2003 02:39a 211,788 PL2507U.SYS
10/05/2001 01:54p 33,669 tpp300.sys
10/05/2001 01:54p 8,650 tppiosmp.sys
3 File(s) 254,107 bytes

Directory of C:\MSDOS7

04/23/1999 10:22p 9,719 ansi.sys
04/23/1999 10:22p 30,742 country.sys
04/23/1999 10:22p 17,175 display.sys
04/23/1999 10:22p 33,191 himem.sys
04/23/1999 10:22p 3,708 ifshlp.sys
04/23/1999 10:22p 34,566 keyboard.sys
04/23/1999 10:22p 31,942 keybrd2.sys
7 File(s) 161,043 bytes

Total Files Listed:
503 File(s) 454,300,965 bytes
0 Dir(s) 2,493,640,704 bytes free

Mosaic1
2006-12-28, 18:47
Hi miss spooky,

You're welcome. I see nothing there.

I'd like to see if that file is losted in the bootlog please.

If you go into your windows folder and find this file:
Ntbtlog.txt

Open it up and it will be long. Each successful boot to safe mode adds to it.

Go to the last set of entries:

For example, search for the date you last started and then copy and paste only anything listed after that.



I have to go out for most of the afternoon. But I'll be back later. We can search for a rootkit. But it doesn't seem to be running in safe mode so I am not sure how successful we'll be.

And don't give up. There's another option where we start the last known good configuration from the boot menu and see if that gets you in. But I'd like to wait a little bit on that one.

miss spooky
2006-12-28, 19:38
Evening,

Heres the log. There was only one date so I've copied everything:-

Service Pack 412 23 2006 21:49:57.500
Loaded driver \WINDOWS\System32\ntoskrnl.exe
Loaded driver \WINDOWS\System32\hal.dll
Loaded driver \WINDOWS\System32\BOOTVID.dll
Loaded driver pci.sys
Loaded driver isapnp.sys
Loaded driver intelide.sys
Loaded driver \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Loaded driver MountMgr.sys
Loaded driver ftdisk.sys
Loaded driver Diskperf.sys
Loaded driver \WINDOWS\System32\Drivers\WMILIB.SYS
Loaded driver dmload.sys
Loaded driver dmio.sys
Loaded driver PartMgr.sys
Loaded driver atapi.sys
Loaded driver disk.sys
Loaded driver \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Loaded driver fltmgr.sys
Loaded driver PxHelp20.sys
Loaded driver Fastfat.sys
Loaded driver KSecDD.sys
Loaded driver NDIS.sys
Loaded driver Mup.sys053
?Loaded driver BTHidMgr.sys
Loaded driver agp440.sys
Did not load driver Bluetooth HID Manager
Did not load driver Bluetooth VComm Manager
Did not load driver Audio Codecs
Did not load driver Legacy Audio Drivers
Did not load driver Media Control Devices
Did not load driver Legacy Video Capture Devices
Did not load driver Video Codecs
Did not load driver WAN Miniport (L2TP)
Did not load driver WAN Miniport (IP)
Did not load driver WAN Miniport (PPTP)
Did not load driver Direct Parallel
Did not load driver Bluetooth PAN Network Adapter
Did not load driver NT Apm/Legacy Interface Node
Did not load driver Standard PC
Did not load driver Bluetooth HID Manager
Did not load driver Bluetooth VComm Manager
Did not load driver Audio Codecs
Did not load driver Legacy Audio Drivers
Did not load driver Media Control Devices
Did not load driver Legacy Video Capture Devices
Did not load driver Video Codecs
Did not load driver WAN Miniport (L2TP)
Did not load driver WAN Miniport (IP)
Did not load driver WAN Miniport (PPTP)
Did not load driver Direct Parallel
Did not load driver Bluetooth PAN Network Adapter
Did not load driver NT Apm/Legacy Interface Node
Did not load driver ES1869 Control Interface (WDM)
Did not load driver ES1869 Plug and Play AudioDrive (WDM)
Did not load driver ECP Printer Port
Did not load driver Communications Port
Did not load driver Communications Port
Did not load driver Intel(R) 536EP V.92 Modem
Did not load driver ATI Technologies Inc. 3D RAGE PRO AGP 2X
Did not load driver Bluetooth HID Manager
Did not load driver Bluetooth HID Manager
Did not load driver Bluetooth VComm Manager
Loaded driver \SystemRoot\system32\DRIVERS\vbtenum.sys
Did not load driver Audio Codecs
Did not load driver Legacy Audio Drivers
Did not load driver Media Control Devices
Did not load driver Legacy Video Capture Devices
Did not load driver Video Codecs
Did not load driver WAN Miniport (L2TP)
Did not load driver WAN Miniport (IP)
Did not load driver WAN Miniport (PPTP)
Did not load driver Direct Parallel
Did not load driver Bluetooth PAN Network Adapter
Did not load driver NT Apm/Legacy Interface Node
Loaded driver \SystemRoot\System32\DRIVERS\parallel.sys
Did not load driver ATI Technologies Inc. 3D RAGE PRO AGP 2X
Did not load driver Intel(R) 536EP V.92 Modem
Loaded driver \SystemRoot\System32\Drivers\Cdr4_2K.SYS
Loaded driver \SystemRoot\System32\DRIVERS\cdrom.sys
Loaded driver \SystemRoot\System32\Drivers\Cdralw2k.SYS
Loaded driver \SystemRoot\System32\Drivers\GEARAspiWDM.sys
Loaded driver \SystemRoot\System32\DRIVERS\Bonifay.sys
Loaded driver \SystemRoot\System32\DRIVERS\uhcd.sys
Loaded driver \SystemRoot\System32\DRIVERS\swenum.sys
Loaded driver \SystemRoot\System32\DRIVERS\update.sys
Did not load driver ES1869 Control Interface (WDM)
Did not load driver ES1869 Plug and Play AudioDrive (WDM)
Loaded driver \SystemRoot\System32\DRIVERS\i8042prt.sys
Loaded driver \SystemRoot\System32\DRIVERS\kbdclass.sys
Did not load driver ECP Printer Port
Did not load driver Communications Port
Did not load driver Communications Port
Loaded driver \SystemRoot\System32\DRIVERS\fdc.sys
Loaded driver \SystemRoot\System32\DRIVERS\mouclass.sys
Loaded driver \SystemRoot\System32\DRIVERS\usbhub.sys
Loaded driver \SystemRoot\System32\DRIVERS\flpydisk.sys
Did not load driver EZ Connect USB to Dual Speed Ethernet Converter
Did not load driver ISSC Bluetooth Device
Loaded driver \SystemRoot\system32\DRIVERS\USBSTOR.SYS
Loaded driver \SystemRoot\System32\DRIVERS\hidusb.sys
Loaded driver \SystemRoot\System32\DRIVERS\usbprint.sys
Did not load driver Lexmark X6100 Series
Did not load driver Lexmark X6100 Series
Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS
Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS
Did not load driver \SystemRoot\System32\Drivers\Changer.SYS
Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS
Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS
Loaded driver \SystemRoot\system32\DRIVERS\DcCam.sys
Did not load driver \SystemRoot\system32\DRIVERS\exportit.sys
Loaded driver \SystemRoot\System32\Drivers\Beep.SYS
Loaded driver \SystemRoot\System32\Drivers\Null.SYS
Did not load driver \SystemRoot\System32\Drivers\sglfb.SYS
Did not load driver \SystemRoot\System32\Drivers\tga.SYS
Loaded driver \SystemRoot\System32\drivers\vga.sys
Did not load driver mnmdd.SYS
Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS
Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS
Did not load driver RasAcd.SYS
Did not load driver Tcpip.SYS
Did not load driver NetBT.SYS
Did not load driver Parport.SYS
Did not load driver Serial.SYS
Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS
Did not load driver \SystemRoot\System32\DRIVERS\redbook.sys
Did not load driver Avg7Core.SYS
Did not load driver Avg7RsW.SYS
Did not load driver Avg7RsNT.SYS
Did not load driver Bluetooth HID Manager
Did not load driver Bluetooth VComm Manager
Did not load driver Audio Codecs
Did not load driver Legacy Audio Drivers
Did not load driver Media Control Devices
Did not load driver Legacy Video Capture Devices
Did not load driver Video Codecs
Did not load driver WAN Miniport (L2TP)
Did not load driver WAN Miniport (IP)
Did not load driver WAN Miniport (PPTP)
Did not load driver Direct Parallel
Did not load driver Bluetooth PAN Network Adapter
Did not load driver NT Apm/Legacy Interface Node
Did not load driver ATI Technologies Inc. 3D RAGE PRO AGP 2X
Did not load driver Intel(R) 536EP V.92 Modem
Did not load driver ISSC Bluetooth Device
Did not load driver Lexmark X6100 Series
Did not load driver Lexmark X6100 Series
Did not load driver EZ Connect USB to Dual Speed Ethernet Converter
Did not load driver ES1869 Control Interface (WDM)
Did not load driver ES1869 Plug and Play AudioDrive (WDM)
Did not load driver ECP Printer Port
Did not load driver Communications Port
Did not load driver Communications Port
Did not load driver Bluetooth HID Manager
Did not load driver Bluetooth VComm Manager
Did not load driver Audio Codecs
Did not load driver Legacy Audio Drivers
Did not load driver Media Control Devices
Did not load driver Legacy Video Capture Devices
Did not load driver Video Codecs
Did not load driver WAN Miniport (L2TP)
Did not load driver WAN Miniport (IP)
Did not load driver WAN Miniport (PPTP)
Did not load driver Direct Parallel
Did not load driver Bluetooth PAN Network Adapter
Did not load driver NT Apm/Legacy Interface Node
Did not load driver ATI Technologies Inc. 3D RAGE PRO AGP 2X
Did not load driver Intel(R) 536EP V.92 Modem
Did not load driver ISSC Bluetooth Device
Did not load driver Lexmark X6100 Series
Did not load driver Lexmark X6100 Series
Did not load driver EZ Connect USB to Dual Speed Ethernet Converter
Did not load driver ES1869 Control Interface (WDM)
Did not load driver ES1869 Plug and Play AudioDrive (WDM)
Did not load driver ECP Printer Port
Did not load driver Communications Port
Did not load driver Communications Port
Did not load driver Microsoft WINMM WDM Audio Compatibility Driver
Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS

Aslo my partner has just said that he has tried to reboot from last known good reboot, but we still end up at blue screen & error msg.

I'm working tonight so won't be back now until tom afternoon / evening.

Speak soon.

Thanks.

Mosaic1
2006-12-29, 09:58
We can try booting another style. Like not loading the video or sound and seeing if that gets you into regular windows. That would be a way of narrowing down the conflict.
But what really bothers me is that you have an error mentioning a sys file and we can't find that file or any information on it on Google.


You can only start in Safe Mode. I have not been posting to the logs in a long time, but I do research.

So I am going to ask you to run a rootkit detector program. However, I am not sure it will run in safe mode. Let's try anyway.

Download gmer from this link:

http://www.majorgeeks.com/GMER_d5198.html

Unzip and double click the gmer.exe file
Select rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Press scan
When it has finished press save.

Post back the log it creates.
Repeat the process with the Autostarts tab and do the same.
__________________


Do you have an install CD? And /or do you already have Recovery Console installed?

The reason I ask is that we might be able to find that file by booting to Recovery console. Then a copy of the file to another location so we can examine it.


-------------------------

Let's try gmer fisrt and take it fom there. Let me know about the install CD please.

--------------------

Mosaic1
2006-12-29, 10:06
I also noticed that your startuplist shows regedit.exe as missing.

That is a file you need.

miss spooky
2006-12-29, 20:33
Evening,

No more nights for a while now!!

I downloaded gmer.exe but when I went to unzip it then open it the comp rebooted itself. It is doing this everytime I try to open file.

The error message clears to quick to read but I mamaged to get ***stop.....
kmode exception_not_handled

With regards to an install cd, I bought the comp from the paper a cpouple of years ago, but I never got the cd's. I could probably get hold of one if we need to. I'm not sure about recovery console.

I do have rootkitreviver installed but I haven't tried that as I'm not sure whether it's the same sort of program...

Mosaic1
2006-12-30, 08:42
Buying a computer without the install CD is not a good idea. Now you can't format and reinstall if you ever have a major problem if you don't have an install CD. And I am reluctant to try anything dramatic.

I see this computer was actually upgraded from a windows 98 system. That means we may be able to use DOS. That is, if the File system was never changed to NTFS.

Let's find out. Double click on My Computer. Right click on the C:\ drive icon and then click on Properties. You'll see File System there, Is it FAT32 or NTFS?


Go ahead and run Rootkit Revealer. Again, I'm not sure it will run. But let's see.

I'd also like to see if we can get you into normal widnows mode, but using the VGA drivers like those used in Safe mode. That will require an edit of boot.ini.

But again, No CD, No Recovery Console = Not good. If you can use Dos, I prefer that. We'll have to see what filesystem is on that disc.

I'd like to have a look in
Event Viewer for system and application errors too please. It may e easier for me to just go through those.

When Event Viewer opens Right click on Application and click
Save Log file as And give the file a name like apps. Leave the file type alone.
By default it will save as .evt

Find apps.evt and email it to me as an attachment please.

Do the same for system Right click on system and save the log file as sys.evt

I'll load these files into my event viewer and see if there's any information we are in need of.

My email is: edited out now.

Replace the AT with an @ for the email to work please.


-------------

Finally, I need to look at your boot.ini

Can you copy that and send it along too please? That will be found in C:\ too

We'll edit it to add a menu item to load windows with basevideo. And I want to see if there is an MSDOS item on your bootmenu too.

miss spooky
2006-12-30, 14:48
Hi ya,

I've just emailed you with files. Also found FAT32 file.

I've been running Rootkit Revealer for over two hours now, it ran the system
scan but seams to be stuck in cleaning up mode. Is this normal?

Also since trying to install gmer last night, my email seams to have gone
pear shaped, I can't view any received email, I just get a blank screen when
I open then, or I get information from another email?? Fonts also seem to be changing.

Speak soon.

miss spooky
2006-12-30, 16:00
Hi,

Rootkit has just finished - "No descrepancies found"

No report to save...

Cheers.

Mosaic1
2006-12-31, 04:47
Hi,

I just got here, and will only be online for a short time tonight.

Can you email me a copy of your boot.ini please?


Thanks,
Mo

Mosaic1
2006-12-31, 05:10
I am looking at your event viewer saved files. Your kmode bsod created a memory dump we can look at. BUT no promises. These are very technical. However we might get a clue as to the file or files involved.

Can you look in your Windows folder for a file named:
MEMORY.DMP

If you find it, please email it to me.

Rootkit Revealer is not always going to find something. But that doesn't mean there isn't something to find. Rootkits come in different types and so do these utilities which attempt to track them. Not all utilities are effective.


Also, please copy the bold print to notepad. Save the file as searching.bat
double click on searching.bat
When it has finished it will open a file named results.txt.
Please post the contents of results.txt into your next post.

cd \
dir /s /a regedit.* > results.txt
Start notepad results.txt

Mosaic1
2006-12-31, 05:48
For your email problem, I don't know offhand. What email program are you using? Outlook Express or Outlook? possibly nothing and you just go to your ISP site to view it?

Fonts are changing? In all programs? do you have more details?

I am continuing to look at your event viewer files. I see there are 2 chkdsk reports. One of them found problems with some gmer files.

Try a new download of gmer. We need to try and get you into regualr windows mode to run it though. I have asked for a lot of information. Please read carefully. You have quite a few issues.

Mosaic1
2006-12-31, 12:39
I just got your boot.ini file. Please read my other posts and follow those instructions too.

You have a FAT32 filesystem so wwe can boot you to the prompt and look around.

Click here to download a win98 bootdisk:
http://www.dehning.com/download/utilities/bootdisks/boot98sc.exe

I hope you have a working floppy drive. If not, let me know. Otherwise download this setup and then put a floppy in the drive

http://www.dehning.com/download/utilities/bootdisks/boot98sc.exe


Double click on the downloaded .exe and it will install onto the new floppy disc.

Then you can restart the system with that floppy in the drive and get to a prompt.

Looks like this:
C:\

Or C:\windows

I'm not sure. It's been a long time since I have had to use a 98 bootdisk.

If asked to accept CD support, say no. You'll have no mouse here. Be sure to remove the floppy from the drive before you restart the system.

Give it a test and let me know if it works. If not, we may have to have you go into your bios and adjust the boot order.

I want to warn you that you may have both software and hardware issues here. Without an install CD you are in dangerous territory.

Mosaic1
2006-12-31, 12:40
Earlier you said you couldn't read any incoming emails. Is that still the case?


At any rate, I want you to also make a copy of boot.ini and keep it in C:\

So now you'll have both C:\boot.ini

and C:\copy of boot.ini

miss spooky
2006-12-31, 14:12
Afternoon,

I ran a search files & folders and couldn't find a file for MEMORY.DMP.

Tried to reload gmer but the comp still reboots everytime I double click on gmer.exe file.

I'm just about to look at the stuff on your last post.

Here's REGIT Report:

Volume in drive C has no label.
Volume Serial Number is 3869-1805

Directory of C:\WINDOWS\HELP

05/08/2001 12:00p 22,728 regedit.chm
05/08/2001 12:00p 12,861 regedit.hlp
2 File(s) 35,589 bytes

Directory of C:\WINDOWS\SYSTEM32\dllcache

06/19/2003 08:05p 73,488 regedit.exe
1 File(s) 73,488 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

06/19/2003 08:05p 73,488 regedit.exe
1 File(s) 73,488 bytes

Total Files Listed:
4 File(s) 182,565 bytes
0 Dir(s) 2,485,075,968 bytes free

Mosaic1
2006-12-31, 14:23
Let's get a copy of regedit.exe into your windows folder.
Look in this folder for regedit.exe
C:\WINDOWS\SYSTEM32\dllcache


Right click on regedit.exe and click copy on the context menu

Open the Windows Folder. Right click on an empty space and click paste. Now you should have regedit.exe in your windows folder.

Mosaic1
2006-12-31, 14:25
In the event that you aren't seeing all files:

Go here and follow the directions to show all files:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339
-----------------

See if you can find a memory dump file now please.

miss spooky
2006-12-31, 15:12
Afternoon,

Copied boot.ini folder.
Copied regedit.exe into windows
followed instruction to show all files, boxes already unchecked & checked resp. Still unable to find folder. Do you have location?

With regards to email - the incoming emails I had received up to yesterday do not show the content they came in with... i.e we received a conf email from a recruitment agency, but when we highlight it or open it, it shows the info on a message I sent out after I received the incoming email. The emails I have received today i.e your read receipt seem to be ok... I am running Incredimail Premium (outlook).

I downloaded the 98 info & restarted the comp. It ran through the initial promt screen then showed A:\> with a flashing cursor.

No C:\ or C:\Windows

The cursor just flashed away, I didn't know what to do, so I took out disk, & pressed enter. Error message showed "failed drive" Abort, retry & ?. I aborted & tried again. same thing happened so I took out disk & rebooted in safe mnode again. Have tried to reboot into normal windows but keep getting blue screen with original error message.

Mosaic1
2006-12-31, 15:24
The floppy worked. It restarted the system and now we can do something.

Remember that file I had you create to look for sys files?
Let's try it again. Copy the bold to notepad. Save in the C: drive as look.bat

cd \
dir /s /a *.sys > C:\files.txt


Put the floppy in the drive and let it take you to the A:\> prompt.

Once there, Type C:
Press enter.

Now you will be at this prompt:

C:\>
Type look.bat
Press enter.

Once the command has run and you are back at the C:\> prompt, remove the floppy from the drive and restart the computer.

Try pressing CTRL + ALT +DEL twice to do that.

Once back in Safe mode, please find C:\files.txt

Open it and post its contents here. Let's see if we get a different result now for the list of sys files.
Maybe the memory.dmp file wasn't created. We'll deal with that later.

EDIT: But it would be a file, not a folder.

C:\windows\memory.dmp

Mosaic1
2006-12-31, 16:44
When you get back, check your email.

I edited and sent you a file named new boot.ini with directions on what to do.

If we can't get a handle on things, later, we'll do a dance and try to get into regular windows mode without loading the video drivers. Then see if we can run gmer. And if not gmer, then something else.

Let's just see how this all goes. You should see no changes yet. I am gathering ifnormation at this point. Or trying to do.

I have another very big concern. Windows File Protection should have kicked in and replaced regedit automatically for you. The fact that it didn't is a very big worry. So I want to see a registry key and another batch result for a file.

Copy the bold to notepad. Name the file FP.bat

Regedit /e /a fpcheck.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
cd \
dir /s /a sfc*>>fpcheck.txt
Start notepad fpcheck.txt


Double click on FP.bat. When finished it will produce and open a file named fpcheck.txt

Please post the contents of fpcheck.txt into your next post.

miss spooky
2006-12-31, 23:49
The boot up went ok.

Results of FILES.TXT:-


Volume in drive C has no label
Volume Serial Number is 3869-1805

Directory of C:\

MSDOS SYS 0 10-09-04 1:12p
IO SYS 222,390 04-23-99 10:22p
PAGEFILE SYS 419,430,400 12-31-06 12:42p
3 file(s) 419,652,790 bytes

Directory of C:\DOCUME~1\ADMINI~1\MYDOCU~1\MISC

PL2507U SYS 211,788 04-01-03 2:39a
TPP300 SYS 33,669 10-05-01 1:54p
TPPIOSMP SYS 8,650 10-05-01 1:54p
3 file(s) 254,107 bytes

Directory of C:\PROGRA~1\COMMON~1\KODAK\KODAK_DR

DCFS2K SYS 38,705 06-02-04 1:19p
DCLPS SYS 8,022 05-20-04 8:39a
DCPTP SYS 68,950 05-20-04 8:45a
EXPORTIT SYS 151,985 06-02-04 1:17p
DCFPOINT SYS 61,564 05-20-04 8:41a
DCCAM SYS 36,918 05-20-04 8:21a
6 file(s) 366,144 bytes

Directory of C:\PROGRA~1\GRISOFT\AVGANT~1.5

AVGASCLN SYS 3,968 09-05-06 4:03p
GUARD SYS 4,096 09-28-06 2:13p
2 file(s) 8,064 bytes

Directory of C:\PROGRA~1\IVTCOR~1\BLUESO~1\DEVICE\WIN2K

FW203X SYS 116,021 09-21-04 6:18p
BTHIDMGR SYS 28,271 04-30-05 2:50p
BTNETDRV SYS 10,804 04-30-05 2:48p
BCBTHUB SYS 148,830 09-21-04 6:18p
VBTENUM SYS 11,860 04-30-05 2:50p
VCOMM SYS 61,312 10-19-04 1:37p
VCOMMMGR SYS 82,148 03-25-05 5:18p
VHIDMINI SYS 11,736 04-30-05 2:50p
BLUELE~1 SYS 20,480 05-31-05 3:40p
BTNETF~1 SYS 13,304 12-16-04 4:32p
10 file(s) 504,766 bytes

Directory of C:\PROGRA~1\IVTCOR~1\BLUESO~1\DRIVER\PCMCIA

BTPCMCIA SYS 31,677 05-30-01 5:21a
WPPCMCIA SYS 12,240 11-25-02 1:23a
2 file(s) 43,917 bytes

Directory of C:\PROGRA~1\IVTCOR~1\BLUESO~1\DRIVER\PCMCIA\SOCKET

SKTBT2K SYS 48,556 03-23-04 10:26a
1 file(s) 48,556 bytes

Directory of C:\PROGRA~1\IVTCOR~1\BLUESO~1\DRIVER\USB

BTCUSB SYS 23,000 05-31-05 9:42a
1 file(s) 23,000 bytes

Directory of C:\PROGRA~1\NOKIA\CONNEC~1

NMWCDCM SYS 9,021 02-15-05 4:57p
NMWCD SYS 140,619 02-17-05 1:48p
NMWCDC SYS 6,300 02-15-05 4:57p
3 file(s) 155,940 bytes

Directory of C:\WINDOWS\SERVIC~1\I386

PCI SYS 59,312 06-19-03 8:05p
PPA SYS 17,520 06-19-03 8:05p
EFS SYS 27,440 06-19-03 8:05p
DLC SYS 56,112 06-19-03 8:05p
FDC SYS 26,256 06-19-03 8:05p
AFD SYS 120,240 06-19-03 8:05p
IBMFENT5 SYS 85,776 06-19-03 8:05p
HPTXNT5 SYS 85,776 06-19-03 8:05p
E100BNT5 SYS 85,776 06-19-03 8:05p
MUP SYS 87,888 06-19-03 8:05p
MF SYS 57,264 06-19-03 8:05p
KS SYS 113,744 06-19-03 8:05p
TDI SYS 16,240 06-19-03 8:05p
NTIO SYS 33,824 06-19-03 8:05p
SRV SYS 244,944 06-19-03 8:05p
NTFS SYS 534,192 06-19-03 8:05p
NMNT SYS 37,552 06-19-03 8:05p
MQAC SYS 75,536 06-19-03 8:05p
PPA3 SYS 16,048 06-19-03 8:05p
MSDV SYS 55,920 06-19-03 8:05p
MOUNTMGR SYS 29,264 06-19-03 8:05p
VIDEOPRT SYS 50,640 06-19-03 8:05p
NDIS SYS 170,928 06-19-03 8:05p
DOT4PRT SYS 12,688 06-19-03 8:05p
ADICVLS SYS 9,968 06-19-03 8:05p
IRDA SYS 57,296 06-19-03 8:05p
HPMC SYS 12,912 06-19-03 8:05p
DOT4 SYS 44,208 06-19-03 8:05p
DMIO SYS 137,936 06-19-03 8:05p
DISK SYS 30,768 06-19-03 8:05p
HIDCLASS SYS 24,752 06-19-03 8:05p
PORTCLS SYS 148,208 06-19-03 8:05p
FIPS SYS 33,616 05-08-01 12:00p
ACPI SYS 163,120 06-19-03 8:05p
CDFS SYS 61,680 06-19-03 8:05p
UDFS SYS 62,672 06-19-03 8:05p
DLTTAPE SYS 6,608 06-19-03 8:05p
UHCD SYS 32,848 06-19-03 8:05p
TAPE SYS 10,928 06-19-03 8:05p
MOUCLASS SYS 21,776 06-19-03 8:05p
HIDPARSE SYS 23,056 06-19-03 8:05p
USBD SYS 20,688 06-19-03 8:05p
MODEM SYS 29,168 06-19-03 8:05p
OPENHCI SYS 24,784 06-19-03 8:05p
SEADDSMC SYS 9,392 06-19-03 8:05p
DDSMC SYS 9,680 06-19-03 8:05p
NSMMC SYS 10,256 06-19-03 8:05p
HIDBATT SYS 18,928 06-19-03 8:05p
MSTEE SYS 5,168 06-19-03 8:05p
MSGPC SYS 34,704 06-19-03 8:05p
EXAMC SYS 11,856 06-19-03 8:05p
NETBT SYS 168,624 06-19-03 8:05p
ICAM3 SYS 140,016 06-19-03 8:05p
JVCMC SYS 9,968 06-19-03 8:05p
SNYAITMC SYS 9,776 06-19-03 8:05p
ATLMC SYS 9,424 06-19-03 8:05p
KEY01 SYS 42,809 06-19-03 8:05p
ATAPI SYS 86,672 06-19-03 8:05p
IPNAT SYS 67,120 06-19-03 8:05p
IRSIR SYS 19,952 06-19-03 8:05p
CDROM SYS 27,984 06-19-03 8:05p
IPSEC SYS 64,304 06-19-03 8:05p
BATTC SYS 7,184 06-19-03 8:05p
TCPIP SYS 332,144 06-19-03 8:05p
NWRDR SYS 161,072 06-19-03 8:05p
NTDOS SYS 27,866 05-08-01 12:00p
4MMDAT SYS 10,928 06-19-03 8:05p
STKMC SYS 10,288 06-19-03 8:05p
PNRMC SYS 9,808 06-19-03 8:05p
NDISTAPI SYS 9,200 06-19-03 8:05p
NTIO804 SYS 34,544 06-19-03 8:05p
NTIO404 SYS 34,544 06-19-03 8:05p
NTIO411 SYS 35,648 06-19-03 8:05p
NTIO412 SYS 35,408 06-19-03 8:05p
RDBSS SYS 174,800 06-19-03 8:05p
INTELIDE SYS 4,624 06-19-03 8:05p
SBP2PORT SYS 35,760 06-19-03 8:05p
SCSIPORT SYS 74,192 06-19-03 8:05p
SCSIPRNT SYS 11,632 06-19-03 8:05p
GAMEENUM SYS 9,808 06-19-03 8:05p
WDMAUD SYS 73,872 06-19-03 8:05p
STREAM SYS 42,000 06-19-03 8:05p
SPCTRAMC SYS 10,160 06-19-03 8:05p
VIAAGP SYS 22,416 06-19-03 8:05p
UPDATE SYS 173,232 06-19-03 8:05p
WANARP SYS 32,272 06-19-03 8:05p
USBSER SYS 22,768 06-19-03 8:05p
USBHUB SYS 40,176 06-19-03 8:05p
QNTMMC SYS 8,848 06-19-03 8:05p
NWLNKNB SYS 65,520 06-19-03 8:05p
SYMC8XX SYS 27,120 05-04-01 12:05p
ASYNCMAC SYS 17,840 06-19-03 8:05p
WIN32K SYS 1,717,936 06-19-03 8:05p
QLSTRMC SYS 10,768 06-19-03 8:05p
PCMCIA SYS 109,584 06-19-03 8:05p
PCIIDE SYS 3,088 06-19-03 8:05p
SERIAL SYS 62,736 06-19-03 8:05p
CLASSPNP SYS 34,832 06-19-03 8:05p
PLASMC SYS 11,120 06-19-03 8:05p
SWMIDI SYS 53,552 06-19-03 8:05p
PARTMGR SYS 11,792 06-19-03 8:05p
MOUHID SYS 11,632 06-19-03 8:05p
PARPORT SYS 25,104 06-19-03 8:05p
OHCI1394 SYS 37,680 06-19-03 8:05p
SPCMDCON SYS 187,024 06-19-03 8:05p
SONYMC SYS 12,432 06-19-03 8:05p
PCIIDEX SYS 22,064 06-19-03 8:05p
SFLOPPY SYS 10,384 06-19-03 8:05p
PSCHED SYS 60,496 06-19-03 8:05p
SETUPDD SYS 382,128 06-19-03 8:05p
ATMLANE SYS 48,496 06-19-03 8:05p
MRXSMB SYS 418,640 06-19-03 8:05p
SFMATALK SYS 148,400 06-19-03 8:05p
KSECDD SYS 71,888 06-19-03 8:05p
IBMTRP SYS 104,720 05-04-01 12:05p
SERENUM SYS 14,160 06-19-03 8:05p
USBPRINT SYS 21,872 06-19-03 8:05p
PARALLEL SYS 60,208 06-19-03 8:05p
DISKDUMP SYS 14,288 06-19-03 8:05p
I81XNT5 SYS 68,336 06-19-03 8:05p
BREECEMC SYS 9,392 06-19-03 8:05p
I8042PRT SYS 46,992 06-19-03 8:05p
DMBOOT SYS 369,104 06-19-03 8:05p
DMLOAD SYS 7,312 06-19-03 8:05p
COUNTRY SYS 27,097 05-08-01 12:00p
REDBOOK SYS 35,344 06-19-03 8:05p
NWLNKIPX SYS 91,408 06-19-03 8:05p
USBSTOR SYS 21,552 06-19-03 8:05p
SONYDCAM SYS 22,064 06-19-03 8:05p
USBPORT SYS 138,288 06-19-03 8:05p
USBSCAN SYS 12,592 06-19-03 8:05p
SYSAUDIO SYS 47,568 06-19-03 8:05p
PTILINK SYS 17,680 06-19-03 8:05p
ISAPNP SYS 46,992 06-19-03 8:05p
IRENUM SYS 10,288 06-19-03 8:05p
NDISUIO SYS 11,984 06-19-03 8:05p
USBHUB20 SYS 49,776 06-19-03 8:05p
USBEHCI SYS 19,728 06-19-03 8:05p
NDISWAN SYS 93,360 06-19-03 8:05p
DISCMC SYS 10,448 06-19-03 8:05p
SMBBATT SYS 27,376 06-19-03 8:05p
KMIXER SYS 148,304 06-19-03 8:05p
ELMSMC SYS 9,776 06-19-03 8:05p
FTDISK SYS 115,504 06-19-03 8:05p
FS_REC SYS 7,600 06-19-03 8:05p
DISKPERF SYS 7,728 06-19-03 8:05p
KBDCLASS SYS 24,528 06-19-03 8:05p
ADICSC SYS 9,904 06-19-03 8:05p
AGPCPQ SYS 24,176 06-19-03 8:05p
AGP440 SYS 21,008 06-19-03 8:05p
LP6NDS35 SYS 33,328 06-19-03 8:05p
ACPIEC SYS 11,536 06-19-03 8:05p
COMPBATT SYS 9,264 06-19-03 8:05p
1394BUS SYS 40,752 06-19-03 8:05p
KEYBOARD SYS 42,537 06-19-03 8:05p
CPQARRAY SYS 10,992 06-19-03 8:05p
ALTND5 SYS 597,776 05-04-01 12:05p
ATMUNI SYS 331,088 06-19-03 8:05p
SKFPWIN SYS 104,656 05-04-01 12:05p
ADPU160M SYS 64,432 06-19-03 8:05p
FLPYDISK SYS 19,312 06-19-03 8:05p
FASTFAT SYS 140,496 06-19-03 8:05p
RASPPTP SYS 48,464 06-19-03 8:05p
RASL2TP SYS 52,112 06-19-03 8:05p
RASIRDA SYS 19,920 06-19-03 8:05p
MSIRCOMM SYS 20,208 06-19-03 8:05p
CMBATT SYS 9,904 06-19-03 8:05p
167 file(s) 12,137,189 bytes

miss spooky
2006-12-31, 23:51
Cont:

Directory of C:\WINDOWS\SYSTEM32

ANSI SYS 9,029 05-08-01 12:00p
WIN32K SYS 1,638,672 10-06-05 9:33a
HIMEM SYS 4,768 05-08-01 12:00p
KEYBOARD SYS 42,537 06-19-03 8:05p
NTDOS411 SYS 29,370 05-08-01 12:00p
NTDOS412 SYS 29,274 05-08-01 12:00p
NTDOS404 SYS 29,146 05-08-01 12:00p
NTDOS804 SYS 29,146 05-08-01 12:00p
NTIO SYS 33,824 06-19-03 8:05p
COUNTRY SYS 27,097 05-08-01 12:00p
NTDOS SYS 27,866 05-08-01 12:00p
KEY01 SYS 42,809 06-19-03 8:05p
NTIO404 SYS 34,544 06-19-03 8:05p
NTIO411 SYS 35,648 06-19-03 8:05p
NTIO412 SYS 35,408 06-19-03 8:05p
NTIO804 SYS 34,544 06-19-03 8:05p
SPCMDCON SYS 187,024 06-19-03 8:05p
17 file(s) 2,270,706 bytes

Directory of C:\WINDOWS\SYSTEM32\DRIVERS

NDISWAN SYS 93,360 06-19-03 8:05p
NTFS SYS 513,424 05-10-05 9:20a
NMNT SYS 37,552 06-19-03 8:05p
NWRDR SYS 161,072 09-06-04 6:06a
NWLNKIPX SYS 91,408 06-19-03 8:05p
NWLNKNB SYS 65,520 06-19-03 8:05p
RDBSS SYS 183,248 04-21-05 8:03a
PARALLEL SYS 60,208 06-19-03 8:05p
PARPORT SYS 25,104 06-19-03 8:05p
PCIIDEX SYS 22,064 06-19-03 8:05p
PCMCIA SYS 109,584 06-19-03 8:05p
PSCHED SYS 60,496 06-19-03 8:05p
PTILINK SYS 17,680 06-19-03 8:05p
RASIRDA SYS 19,920 06-19-03 8:05p
UDFS SYS 63,280 12-02-04 1:07p
TCPIP SYS 320,176 05-12-05 10:25a
SERIAL SYS 62,736 06-19-03 8:05p
SONYDCAM SYS 22,064 06-19-03 8:05p
AFD SYS 127,568 04-21-05 8:03a
SRV SYS 238,928 05-03-05 9:10a
TDI SYS 16,240 06-19-03 8:05p
FLTMGR SYS 136,880 04-14-05 6:59a
VIDEOPRT SYS 50,640 06-19-03 8:05p
UPDATE SYS 173,232 06-19-03 8:05p
MF SYS 57,264 06-19-03 8:05p
MODEM SYS 29,168 06-19-03 8:05p
PCI SYS 59,312 06-19-03 8:05p
MOUCLASS SYS 21,776 06-19-03 8:05p
USBHUB SYS 40,176 06-19-03 8:05p
MSPCLOCK SYS 5,248 12-12-02 12:14a
USBD SYS 20,688 06-19-03 8:05p
UHCD SYS 32,848 06-19-03 8:05p
SCSIPORT SYS 74,384 07-14-05 12:24p
REDBOOK SYS 35,344 06-19-03 8:05p
MSGPC SYS 34,704 06-19-03 8:05p
ATMARPC SYS 57,904 05-08-01 12:00p
BEEP SYS 4,080 05-08-01 12:00p
CDAUDIO SYS 19,088 05-08-01 12:00p
NETBT SYS 175,632 04-08-05 11:51a
NDIS SYS 170,928 06-19-03 8:05p
CINEMST2 SYS 272,496 05-08-01 12:00p
CLASS2 SYS 12,880 05-08-01 12:00p
NDISTAPI SYS 9,200 06-19-03 8:05p
PARTMGR SYS 11,792 06-19-03 8:05p
DXAPI SYS 10,064 05-08-01 12:00p
VBTENUM SYS 11,860 04-30-05 2:50p
RASL2TP SYS 52,112 06-19-03 8:05p
RASPPTP SYS 48,464 06-19-03 8:05p
SERENUM SYS 14,160 06-19-03 8:05p
IPFLTDRV SYS 34,416 05-08-01 12:00p
IPINIP SYS 19,984 05-08-01 12:00p
SFLOPPY SYS 10,384 06-19-03 8:05p
SFMATALK SYS 148,400 06-19-03 8:05p
MNMDD SYS 4,240 05-08-01 12:00p
MSFS SYS 21,328 05-08-01 12:00p
MPE SYS 15,104 07-09-04 2:58a
NBF SYS 102,160 05-08-01 12:00p
SWMIDI SYS 53,552 06-19-03 8:05p
NDPROXY SYS 40,432 05-08-01 12:00p
NETBIOS SYS 33,456 05-08-01 12:00p
NETDTECT SYS 9,680 05-08-01 12:00p
NPFS SYS 37,040 05-08-01 12:00p
NULL SYS 2,800 05-08-01 12:00p
NWLNKFLT SYS 12,560 05-08-01 12:00p
NWLNKFWD SYS 35,344 05-08-01 12:00p
NWLNKSPX SYS 58,480 05-08-01 12:00p
SYSAUDIO SYS 47,568 06-19-03 8:05p
PARVDM SYS 6,512 05-08-01 12:00p
RASACD SYS 8,016 05-08-01 12:00p
TAPE SYS 10,928 06-19-03 8:05p
WANARP SYS 32,272 06-19-03 8:05p
RASPTI SYS 16,880 05-08-01 12:00p
RAWWAN SYS 35,024 05-08-01 12:00p
RCA SYS 21,712 05-08-01 12:00p
ROOTMDM SYS 6,032 05-08-01 12:00p
WDMAUD SYS 73,872 06-19-03 8:05p
IRDA SYS 57,296 06-19-03 8:05p
IRENUM SYS 10,288 06-19-03 8:05p
SMCLIB SYS 14,832 05-08-01 12:00p
MSIRCOMM SYS 20,208 06-19-03 8:05p
STREAMS SYS 105,840 05-08-01 12:00p
SECDRV SYS 28,624 08-28-04 10:52p
NDISUIO SYS 11,984 06-19-03 8:05p
TOSDVD SYS 52,048 05-08-01 12:00p
TSBVCAP SYS 22,000 05-08-01 12:00p
USBCAMD SYS 23,888 05-08-01 12:00p
VDMINDVD SYS 59,280 05-08-01 12:00p
VGA SYS 13,968 05-08-01 12:00p
USBEHCI SYS 19,728 06-19-03 8:05p
WMILIB SYS 4,240 05-08-01 12:00p
WS2IFSL SYS 12,016 05-08-01 12:00p
FSVGA SYS 12,368 05-08-01 12:00p
LVCAM SYS 88,816 05-08-01 12:00p
LVCODEK SYS 79,120 05-08-01 12:00p
LVSOUND SYS 17,424 05-08-01 12:00p
USBINTEL SYS 15,120 05-08-01 12:00p
USBHUB20 SYS 49,776 06-19-03 8:05p
USBPORT SYS 138,288 06-19-03 8:05p
KSECDD SYS 71,888 09-21-03 1:32a
MRXSMB SYS 432,976 04-08-05 11:51a
AVG7RSNT SYS 26,912 10-27-06 8:34a
DCCAM SYS 36,918 05-20-04 8:21a
DCLPS SYS 8,022 05-20-04 8:39a
DCFPOINT SYS 61,564 05-20-04 8:41a
EXPORTIT SYS 151,985 06-02-04 1:17p
AVG7RSW SYS 4,288 01-16-06 9:33p
HIDUSB SYS 13,904 10-04-99 3:03p
FIPS SYS 33,616 05-08-01 12:00p
DCFS2K SYS 38,705 06-02-04 1:19p
USBPRINT SYS 21,872 06-19-03 8:05p
USBSCAN SYS 12,592 06-19-03 8:05p
MSTEE SYS 5,504 12-12-02 12:14a
SWENUM SYS 4,096 12-12-02 12:14a
BDASUP SYS 11,392 07-09-04 2:58a
PXHELP20 SYS 36,592 11-15-06 9:01p
ATIMPAB SYS 71,632 11-10-99 3:34p
DCPTP SYS 68,950 05-20-04 8:45a
MSKSSRV SYS 7,424 12-12-02 12:14a
STREAMIP SYS 14,976 07-09-04 2:58a
NDISIP SYS 10,112 07-09-04 2:58a
MUP SYS 89,328 12-02-04 1:07p
CDFS SYS 63,248 04-08-05 11:51a
SLIP SYS 10,880 07-09-04 2:58a
ESS SYS 64,144 09-30-99 5:26p
BONIFAY SYS 11,904 03-30-04 9:05p
AVG7RSXP SYS 27,904 10-27-06 8:34a
NTAPM SYS 9,104 09-25-99 10:36a
NABTSFEC SYS 83,968 07-09-04 2:58a
CCDECODE SYS 16,384 07-09-04 2:58a
AUDSTUB SYS 2,896 09-25-99 10:35a
WSTCODEC SYS 18,688 07-09-04 2:58a
MSDV SYS 56,832 07-09-04 2:58a
FASTFAT SYS 142,288 07-19-05 10:44a
KS SYS 130,304 12-12-02 12:14a
PORTCLS SYS 148,208 06-19-03 8:05p
AVGTDI SYS 4,992 01-16-06 9:33p
DMUSIC SYS 51,152 10-28-99 3:24p
FTDISK SYS 116,400 12-02-04 1:00p
IPNAT SYS 67,344 08-11-04 10:42p
MOUNTMGR SYS 30,160 08-16-05 8:40a
GEARAS~1 SYS 14,408 02-02-05 1:21a
USBSTOR SYS 21,552 06-19-03 8:05p
SQCAMD SYS 25,449 01-10-03 9:30a
SQCAPTUR SYS 30,921 01-10-03 10:56a
BTNETF~1 SYS 13,304 12-16-04 4:32p
AVG7CORE SYS 778,656 10-27-06 8:34a
STREAM SYS 42,000 06-19-03 8:05p
MSPQM SYS 4,816 09-25-99 10:36a
BLUELE~1 SYS 20,480 05-31-05 3:40p
OXSER SYS 51,169 04-28-03 6:31p
INTELS51 SYS 633,220 05-10-02 1:31p
BTHIDMGR SYS 28,271 04-30-05 2:50p
MODEMCSA SYS 16,144 09-25-99 10:34a
SMCUSB SYS 25,260 06-21-02 9:36a
CDRALW2K SYS 23,420 03-21-04 6:28p
CDR4_2K SYS 58,000 03-21-04 6:28p
VCOMMMGR SYS 82,148 03-25-05 5:18p
AGP440 SYS 21,008 06-19-03 8:05p
ASYNCMAC SYS 17,840 06-19-03 8:05p
ATAPI SYS 86,672 06-19-03 8:05p
ATMLANE SYS 48,496 06-19-03 8:05p
ATMUNI SYS 331,088 06-19-03 8:05p
VCOMM SYS 61,312 10-19-04 1:37p
CDROM SYS 27,984 06-19-03 8:05p
CLASSPNP SYS 34,832 06-19-03 8:05p
DISK SYS 30,768 06-19-03 8:05p
DISKDUMP SYS 14,288 06-19-03 8:05p
DISKPERF SYS 7,728 06-19-03 8:05p
DLC SYS 56,112 06-19-03 8:05p
DMBOOT SYS 369,104 06-19-03 8:05p
DMIO SYS 137,936 06-19-03 8:05p
DMLOAD SYS 7,312 06-19-03 8:05p
EFS SYS 27,440 06-19-03 8:05p
AVGASCLN SYS 3,968 09-05-06 4:03p
FDC SYS 26,256 06-19-03 8:05p
FLPYDISK SYS 19,312 06-19-03 8:05p
FS_REC SYS 7,600 06-19-03 8:05p
HIDCLASS SYS 24,752 06-19-03 8:05p
HIDPARSE SYS 23,056 06-19-03 8:05p
I8042PRT SYS 46,992 06-19-03 8:05p
INTELIDE SYS 4,624 06-19-03 8:05p
IPSEC SYS 64,304 06-19-03 8:05p
IRSIR SYS 19,952 06-19-03 8:05p
ISAPNP SYS 46,992 06-19-03 8:05p
KBDCLASS SYS 24,528 06-19-03 8:05p
KMIXER SYS 148,304 06-19-03 8:05p
SIO9502K SYS 48,076 02-11-04 6:29a
SKTBT2K SYS 48,556 03-23-04 3:26a
WSSBTR1F SYS 63,488 07-03-03 7:58p
BTCUSB SYS 23,000 05-31-05 9:42a
FW203X SYS 116,021 09-21-04 6:18p
BTNETDRV SYS 10,804 04-30-05 2:48p
BCBTHUB SYS 148,830 09-21-04 6:18p
VHIDMINI SYS 11,736 04-30-05 2:50p
194 file(s) 12,081,621 bytes

Directory of C:\WINDOWS\TWAIN_32\MYDSC

SQCAMD SYS 25,449 01-10-03 9:30a
SQCAPTUR SYS 30,921 01-10-03 10:56a
2 file(s) 56,370 bytes

Total files listed:
411 file(s) 447,603,170 bytes
0 dir(s) 2,378.53 MB free

miss spooky
2006-12-31, 23:53
fpcheck report:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoRestartShell"=dword:00000001
"DefaultDomainName"="G8Y3I8"
"DefaultUserName"="Administrator"
"LegalNoticeCaption"=""
"LegalNoticeText"=""
"PowerdownAfterShutdown"="0"
"ReportBootOk"="1"
"Shell"="Explorer.exe"
"ShutdownWithoutLogon"="1"
"System"=""
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"VmApplet"="rundll32 shell32,Control_RunDLL \"sysdm.cpl\""
"SfcQuota"=dword:ffffffff
"allocatecdroms"="0"
"allocatedasd"="0"
"allocatefloppies"="0"
"cachedlogonscount"="10"
"passwordexpirywarning"=dword:0000000e
"scremoveoption"="0"
"DebugServerCommand"="no"
"Win9xUpg"=dword:00000001
"SFCDisable"=dword:00000000
"ShowLogonOptions"=dword:00000000
"AltDefaultUserName"="Administrator"
"AltDefaultDomainName"="G8Y3I8"
"AutoAdminLogon"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
@="Folder Redirection"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"=hex(2):66,64,65,70,6c,6f,79,2e,64,6c,6c,00
"NoMachinePolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"NoGPOListChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}]
"Status"=dword:00000000
"LastPolicyTime"=dword:00c2f924
"PrevSlowLink"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@="Microsoft Disk Quota"
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=hex(2):64,73,6b,71,75,6f,74,61,2e,64,6c,6c,00
"ProcessGroupPolicy"="ProcessGroupPolicy"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]
@="Scripts"
"ProcessGroupPolicy"="ProcessScriptsGroupPolicy"
"DllName"=hex(2):67,70,74,65,78,74,2e,64,6c,6c,00
"NoSlowLink"=dword:00000001
"NoGPOListChanges"=dword:00000001
"NotifyLinkTransition"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
"DllName"=hex(2):73,63,65,63,6c,69,2e,64,6c,6c,00
@="Security"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:000003c0
"Status"=dword:00000000
"LastPolicyTime"=dword:00d8ae18
"PrevSlowLink"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"=hex(2):69,65,64,6b,63,73,33,32,2e,64,6c,6c,00
@="Internet Explorer Branding"
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoMachinePolicy"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
"DllName"=hex(2):73,63,65,63,6c,69,2e,64,6c,6c,00
@="EFS recovery"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequireSuccessfulRegistry"=dword:00000001
"Status"=dword:00000000
"LastPolicyTime"=dword:00c2f93d
"PrevSlowLink"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@="Application Management"
"DllName"=hex(2):61,70,70,6d,67,6d,74,73,2e,64,6c,6c,00
"ProcessGroupPolicy"="ProcessGroupPolicyObjects"
"NoBackgroundPolicy"=dword:00000001
"RequiresSucessfulRegistry"=dword:00000000
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
@="IP Security"
"ProcessGroupPolicy"="ProcessIPSECPolicy"
"DllName"=hex(2):67,70,74,65,78,74,2e,64,6c,6c,00
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\PrevOsVersion]
"PlatformName"="Windows 98"
"VersionText"=" A "
"MajorVersion"=dword:00000004
"MinorVersion"=dword:0000000a
"BuildNumber"=dword:040a08ae
"PlatformId"=dword:00000001

Volume in drive C has no label.
Volume Serial Number is 3869-1805

Directory of C:\WINDOWS\SYSTEM32

05/08/2001 12:00p 10,000 sfc.exe
06/19/2003 08:05p 95,024 sfc.dll
04/08/2005 10:34a 973,072 sfcfiles.dll
3 File(s) 1,078,096 bytes

Directory of C:\WINDOWS\SYSTEM32\dllcache

05/08/2001 12:00p 10,000 sfc.exe
04/08/2005 10:34a 973,072 sfcfiles.dll
2 File(s) 983,072 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

06/19/2003 08:05p 95,024 sfc.dll
06/19/2003 08:05p 971,024 sfcfiles.dll
2 File(s) 1,066,048 bytes

Total Files Listed:
7 File(s) 3,127,216 bytes
0 Dir(s) 2,493,034,496 bytes free

miss spooky
2006-12-31, 23:58
Cont:

I haven't received email and still unable to find memory.dmp file.

I'm working a 12hrs shift tomorrow but will be back in the evening (GMT).

Have a happy New Year.

Mosaic1
2007-01-01, 01:06
I don't like what I see there. Not one file is even remotely named as the one you say is there in the error.

And you didn't get the new boot.ini file either because of no email...

We'll work on it more later. But I have to tell you that this could be a hardware issue too. You have an older computer with no install CD and who knows what shape it's in.

What bothers me is that file name. Next boot, please try normal windows again and try to write down the file name mentioned in the error. Maybe the name has changed or you had a typo. It's an unknown in all searches and is therefore a total mystery.

We'll be doing a clean boot tshoot next. We'll start by booting in VGA mode once we get your boot.ini edited. If no joy, we'll remove other startups and see if you can get to Regular Windows. I am not hopeful. But I'll give it a little more time. The problem is you are using this system on the internet and I don't know what's going on in the background. Please tell your Partner not to file share or surf. We need to do some damage control and limit use.

Mosaic1
2007-01-01, 01:42
Plus there is no indicaton as to why File Protection didn't kick in and replace regedit for you.

Your system may not be setup to create a memory dump.
Or it isn't writing it because of some problem, possibly memory. We'll deal with that later if need be.
Let's see if you can load windows in normal mode without your video drivers.

I am attaching a zip file containing new boot.ini

Unzip it to C:\
So now you'll have C:\new boot.ini

Be sure it is unzipped!

Then find boot.ini on C: and right click on it, click Properties and clear the read only attribute. Then rename boot.ini as oldboot.ini

Next, find new boot.ini and rename it to boot.ini

Now restart the computer. Do not press F8 or whatever to get the menu to go to Safe mode. Instead, let it go. When the menu appears, there will be 2 Windows listed. Choose the second one, the one I edited by adding /basevideo at the end.

This will try to get you to regular Windows. See if you get there or still get a BSOD. If you do get in, even though it will have the look of safe mode you'll know it isn't. You'll have sound and no warning that you are in safe mode.

If you get in, see if you can run gmer. Please pay close attention to any error messages you may get.
If you get a BSOD, restart and enter safe mode using the same method you have been using so far.

Let me know how it all goes.

Have a Happy New Year. Talk to you soon.

Mosaic1
2007-01-01, 02:19
PS Don't forget to downoad a fresh copy of gmer. Don't run the old one. Chkdsk found problems with its files. So be sure to use a new copy.

miss spooky
2007-01-01, 02:32
Hi,

I did all the above but still came to blue screen. I doubled checked error message & I had written down file name wrong. I originally said it was COLR4_2k.sys, but when I doubled checked this time, I realised that it is CDR4_2K.sys. Sos.

Back in safe mode.

Mosaic1
2007-01-01, 02:40
Great! That's a CD driver and was just what I was hoping for.

Let's do this.

Have a look at this MS article:

http://support.microsoft.com/kb/821844

Any chance this fits what happened? It sounds like it just may be it. Or close to it.

Mosaic1
2007-01-01, 02:55
Was your partner tryng to install or update the Roxio software?

See this at their help forums. That;s the exact situation you seem to be in. But the cure will not be the xo update they have linked to. You use Windows 2k, not Xp. But if he was trying to update Roxio, then you should look for the solution at Roxio. Let me know.

http://forums.support.roxio.com/index.php?showtopic=14760&st=0&p=79684&#entry79684

Also, forget the gmer. No rootkit. No Spyware. We now know the driver causing the problem and hopefully this will be resolved soon.

Mosaic1
2007-01-01, 18:46
Ok Even if he wasn't trying to install ROXIO, these files were effected by the install of the codec, most likely. This is all inter-related. I hope you are having a good holiday. Post when you get back and we'll have a look at some possible solutions if you haven't already fixed this issue.

miss spooky
2007-01-01, 20:25
Hi ya,

I'm one of the unlucky ones who are working today... Nearly finished though.

I've looked at the info above & asked p to have a look. He was downloading k-lite codec classic pack to replaced windows media player & DIVX. The stuff on the ROXIO site doesn't look familiar, most of the forum stuff is playing problems. I couldn't find anything on actually crashing the comp.

The error message on MS link was simular, but he was downloading a program not adding to one.

I think he uninstalled the program when the comp first crashed.

Happy Holidays.:beerbeerb:

Mosaic1
2007-01-02, 12:22
Just changing those codecs is what caused your problem.


I'd like you to go into My Computer and see if your CD Drive(s) are showing.

Then I'd like to see a registry export.

Copy the bold to notepad. Name as getit.bat
Double click on getit.bat

When finished, it will produce and open a file named filters.txt

Please post the contents of filters.txt into your next reply here.

regedit /a /e filters.txt HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E96 5-E325-11CE-BFC1-08002BE10318}

Start Notepad filters.txt



Then once I see it, I'll have you do a rename of two files and a registry fix.

Next step will be a reboot to regulsar Windows to see if it gets there and reinstalls the CD Drive(s) for you.

miss spooky
2007-01-02, 19:47
Hi ya,

I've set up getit.bat app, double clicked to run and a txt file came up with "Cannot find the Filters text file. Do you want to create a new file?". I clicked YES, and the files saved as filters.txt, but there is nothing in the report. I deleted the bat file & created a new one in case I didn't copy properly but same thing happened?

miss spooky
2007-01-02, 19:48
CD (D) drive is there.

Mosaic1
2007-01-03, 00:54
Let's try to rename the two files and restart into Regular Windows. See if that gets you started.

Sometimes Windows tries to start the file before the registry is finished exporting the key. Please try that batch again. And if you have no luck, say no to createing the filters.txt file and run the batch again, just one more time. If still no luck, then please go to start >Run and type regedit. Press enter. Does the registry open? I hope you haven't lost regedit.exe again.


Next, let's see if we can get you into Regular windows.

Open this folder:
C:\WINDOWS\SYSTEM32\DRIVERS

In the Drivers folder, find this file:
Cdr4_2K.sys

Rename it as oldCdr4_2K.sys

Then find this file in the Drivers folder:
Cdralw2k.sys

Rename it as
oldCdralw2k.sys

-----------
Don't do anything to the other copies of these files in any other folders!

Then restart and see if you can get into Regular Windows.

Let me know how it goes.


Have you ever had Ez CD creator or any other Roxio Software installed on this system?

miss spooky
2007-01-03, 02:09
Progress!!

We're now in regular Windows.

Checked the regedit file in search files - reg editor is still there.

Changed both driver file names & rebooted. All went ok - took a while to boot up but that was expected.

We haven't ever tried to download Ez or Roxio or anything else like that before. The only things we have are Windows Media Player 9 & DIVX which P uninstalled through add & remove programs - though if I go into start / programs it is still there.

miss spooky
2007-01-03, 02:12
Just tried to run the getit.bat but still no filter.txt. Also email is still showing incorrect info.

Mosaic1
2007-01-03, 02:17
That's good news! I think you should test your Media player to see if it plays back files correctly. And see if your CD works. Playback and if it is a CD burner, if that works too.

There are all kinds of things which can go corrupt when you install new Codecs and/ or Roxio Software and /or update Media Player.

I don't know what to tell you about the email. Can you review what's happeneing again for me please? And do you open your emails using Outlook Express?

Mosaic1
2007-01-03, 02:22
start / programs it is still there.

If you right click on that, is it just a shortcut or an actual program?

Mosaic1
2007-01-03, 02:36
I figured out why you didn't get a filters.txt

The forum software added a space in the name of the key we were trying to export. Since that didn;t exist, there was not key exported.

Let's do this again. Download the zip and extract the bat file it contains. Run that and post the contents of filters.txt please.

Mosaic1
2007-01-03, 02:53
After another review of your uninstall list, you had installed aspi. That may have contributed to your troubles. Leave it installed though. We'll have to check to be sure all your multimedia and CD functions are working and then, if not, do some repairs.

At this point, my best advice would be not to make any more of these changes.

miss spooky
2007-01-03, 12:43
Hi ya,

Windows Media Player is working ok, but my CD (D) drive has disappeared.

fil.bat report:-

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}]
"Class"="CDROM"
@="DVD/CD-ROM drives"
"EnumPropPages32"="MmSys.Cpl,MediaPropPageProvider"
"Installer32"="storprop.dll,DvdClassInstaller"
"SilentInstall"="1"
"NoInstallClass"="1"
"TroubleShooter-0"="tshoot.chm,hdw_drives.htm"
"Icon"="-51"
"UpperFilters"=hex(7):43,00,64,00,72,00,61,00,6c,00,77,00,32,00,6b,00,00,00,47,\
00,45,00,41,00,52,00,41,00,73,00,70,00,69,00,57,00,44,00,4d,00,00,00,00,00
"LowerFilters"=hex(7):50,00,78,00,48,00,65,00,6c,00,70,00,32,00,30,00,00,00,43,\
00,64,00,72,00,34,00,5f,00,32,00,4b,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\0000]
"DefaultDvdRegion"=dword:00000001
"EnumPropPages32"="storprop.dll,DvdPropPageProvider"
"InfPath"="cdrom.inf"
"InfSection"="cdrom_install"
"ProviderName"="Microsoft"
"DriverDateData"=hex:00,40,99,31,33,2e,bf,01
"DriverDate"="11-14-1999"
"DriverVersion"="5.0.2183.1"
"MatchingDeviceId"="gencdrom"
"DriverDesc"="CD-ROM Drive"

uninstall list:-

ABBYY FineReader 5.0 Sprint Plus
Adobe Download Manager 2.0 (Remove Only)
Adobe Reader 6.0.1
AMATEURCAMgb
ArcSoft PhotoImpression 4
aspi
AVG Anti-Spyware 7.5
AVG Free Edition
BlueSoleil
BroadJump Client Foundation
CR2
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
ESSTUTOR
Freecom Personal Media Suite 1.34
GPL MPEG-1/2 DirectShow Decoder Filter
HijackThis 1.99.1
IncrediMail Xe
IncrediMail Xe
iTunes
Kaspersky On-line Scanner
Kodak EasyShare software
Lexmark X6100 Series
Macromedia Flash Player 8
Microsoft Office 2000 Premium
Microsoft VGX Q833989
Microsoft XML Parser and SDK
MSN Messenger 7.0
MSN Toolbar
My DSC
Nokia Connectivity Cable Driver
Nokia PC Suite
Notifier
QuickTime
Security Update for Windows 2000 (KB904706)
Spybot - Search & Destroy 1.4
Update Rollup 1 for Windows 2000 SP4
Windows 2000 Hotfix - KB842773
Windows 2000 Hotfix - KB890046
Windows 2000 Hotfix - KB893756
Windows 2000 Hotfix - KB894320
Windows 2000 Hotfix - KB896358
Windows 2000 Hotfix - KB896422
Windows 2000 Hotfix - KB896423
Windows 2000 Hotfix - KB896424
Windows 2000 Hotfix - KB896688
Windows 2000 Hotfix - KB899587
Windows 2000 Hotfix - KB899589
Windows 2000 Hotfix - KB900725
Windows 2000 Hotfix - KB901017
Windows 2000 Hotfix - KB901214
Windows 2000 Hotfix - KB902400
Windows 2000 Hotfix - KB905414
Windows 2000 Hotfix - KB905495
Windows 2000 Hotfix - KB905749
Windows Installer 3.1 (KB893803)
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows Media Player system update (9 Series)
Windows SR 2.0
WinMX
WinZip
ZipItFast Pro 3.01 - A Free, Fast All in One Archive Utility!

miss spooky
2007-01-03, 12:50
With the email, I run Incredimail Premium which I think is an add on to Miscrosoft Outlook.

Everything was working ok until 30/12/06. For a couple of days I couldn't open up any emails I'd received previous to this date, all I got was a blank screen. Now what happens is that I open a kept email and I get the message from another email in the same window...

This can be from new emails received or ones that have been sent.

IE, If I open up a confirmation email from a recruitment agency, I get the details of an email that I sent from work yesterday. Some though are still blank.

DIVX - When I go into to start / programs the DIVX bundle is there (divx convertor, player, uninstall etc).

Mosaic1
2007-01-03, 16:34
The CD disappearing is why we needed that registry file. The UpperFilters and LowerFilters values need to be deleted.

I have attached a new zip. Extract the regfile it contains and then double click on that. Say yes to the prompt.

Restart and see if the drive's back. If not, then go into the drivers folder again and find the same two files you renamed earlier.

In the Drivers folder, find this file:
Cdr4_2K.sys

Rename it as Cdr4_2K.sysold

Then find this file in the Drivers folder:
Cdralw2k.sys

Rename it as
Cdralw2k.sysold

**They shoud have been replaced by File Protection during your last restart. Rename them and run the attached registry file again. Restart.

See where you stand and let me know please. I don't want to make any more changes until this is settled. Please test your CD drive and if it's a writer, see if that works.

Mosaic1
2007-01-03, 16:38
Are you using Outlook ,a part of Office? Or Outlook Express?

I'm wondering if your inbox is corrupt.

I see you have two uninstall entries for Incredimail.

And if you are file sharing, I would recommend you stop. I see WinMX on the uninstall list.

Many infections are spread through file sharing. It's bad enough when you have the ability to repair or totally reinstall Windows. But you have nothing. You absolutely have to get a legitimate install CD or a new system. Otherwise you'll never know when you'll lose everything. Hardware dies. And Windows does too.

miss spooky
2007-01-04, 00:43
Hi ya,

I'm having trouble with the zip file, when I extract it, it just replaces the filters.txt file I've already got with:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}]
"UpperFilters"=-
"LowerFilters"=-

As it's a normal txt file, when I double click it just opens & display this info... Is this correct?

We are using Microsoft Outlook 2000 Office.

We've never had any problems with Outlook or Incredimail until now.

Mosaic1
2007-01-04, 08:36
Sorry. I shbould have renamed the file. Rename it as filters.reg

Then double click to enter into the registry.

I don't use Outlook and so really am not upp on what it might be other than a corruption of your inbox. That would be my first guess. You might try backing up incredimail so you don't lose all mail and then reinstall it.

miss spooky
2007-01-05, 01:03
Hi ya,

We now have the CD (D) drive back, I have played a CD and all seems to be fine.

With regards to backing up the email, I'm not sure how this is done?

Cheers.

Mosaic1
2007-01-05, 06:06
Here's a page on backing up Outlook.

The issue is whether or not inbox corruption is the problem. Outlook itself has a repair inbox tool. But that might end up deleting some of you emails. See if any of this helps.

Here's a page on Incredimail:
http://email.about.com/cs/incredimailtips/qt/et111002.htm

miss spooky
2007-01-06, 23:44
Hi ya,

I've backed up, uninstalled & reinstalled Incredimail and everything there seems to be working fine. CD (D) drive was still there when I rebooted after uninstall of Incredimail.

Everything seems to be ok, but the computer is very slow, in safe mode it actually speedied up...

To be on the safe side so you want me to run any virus scans, HJT or anything?

Thank ever so much.

Mosaic1
2007-01-07, 00:00
When did this slowdown happen? Was it slow before you had the Windows lock out? Or is it only slow now?

You can post a log later if I ask for one. But please don't until I do. It is too much for my eyes to read so many long reports.

Mosaic1
2007-01-07, 00:31
Before we do anything else, one thing which can really slow you down is if you're running in PIO mode.

Go to Start > run

Paste in this:
devmgmt.msc

Press enter.

This will open Device Manager.


Click the + front of IDE ATA/Atapi controllers.
Double click on Primary IDE and then,
When the properties sheet opens, click the Advanced Settings tab.

Look at current transfer mode. IS it DMA or PIO?

If it says PIO, first be sure that under transfer mode "Use DMA if Available” is selected, then select the driver tab and uninstall the driver and reboot.


Go back in and see if it is using DMA or PIO. Let me know.

miss spooky
2007-01-07, 12:24
I've checked Device Manager, we're already in DMA.

I know what you mean about long reports..

Mosaic1
2007-01-07, 21:56
Please go back into Device Manager and look at all devices. Are there any yellow or red marks there denoting a problem with any of your devices? Let me know what you find.

Let's do this.

To run Chkdsk go to start >Run and type

cmd.exe
Press enter

Copy this command to your clipboard:
chkdsk /r /f

When the prompt appears Right click in the window and click paste on the menu.

Press enter.
You'll be told that the drive is locked and asked if you want to run the check at next boot. Choose yes.

Restart and allow it to run.

When you get back, go to Start >Run and type
Eventvwr.msc

Press enter


Double click on Application in the left pane.
Look in the right pane for an item whose source says winlogon.

Double click on that to get the report chkdsk created.

What does it say?

If you want to copy it, look at the icon which looks like two pages and click on it.

That copies it to your clipboard. Paste that in here.
----------------

Next, defrag you hard drive.


While you are in eventviewer, look for any errors you see repeating themselves in the past few days.

--------------------------

Finally, let's have a look at a silentrunners report just to see what's loading.


Download Silent Runners from here:

http://www.silentrunners.org/Silent%20Runners.vbs

Save it to your C:\ drive.
So you should have c:\silent runners.vbs.
Go to start> run>
Paste in this command and press enter:

"c:\silent runners.vbs" -all


Ok the popup you get that tells you scan has started.
If you get script warning from your antivirus, please allow script to run. It is not dangerous.

Once complete it will tell you and creates a file in c:\ called "Startup Programs [computername/date/time]"

Post contents of log here.

You may need 2 posts to get entire contents of log in.

-------------------

Slow can mean any number of things from bad RAM to problem devices, to an almost full hard drive to problems with certain applications of services running. It's hard to track down.

But in Safe mode far fewer items load. That can make a big difference in performance.


I had asked you if this just started after your recent problem or if this was going on before you were stuck in safe mode. Please let me know. I need clues and information.

miss spooky
2007-01-10, 00:55
Hi,

With regards to the computer being slow, I have noticed that it has been worse since these problems started. The system we have is not state of the art, it's a Intel Pentium 2 processor with a 7GB hard drive, not sure what the RAM is. We run an 80GB external hard drive with all music files & photos on which has freed up space on the c Drive. So it has always been a little on the slow side. But now it has been worse, also we've noticed that when it's on, it's constantly chugging away, like something is trying to down load. Both green lights are on and loading pages in IE can take sometime. Yesterday it took nearly 2 hrs for my partner to load IE and then it just froze. I find if the pages take a while to load, it's easier to close IE down & reopen again, then it seems to load quicker.

Also I've noticed since we've been doing system checkes, that the computer name has inherited the name of my bluetooth... G8Y3I8. I installed my bluetooth (Blue Soleil) back in July with no problems.

Here is the report from Event Viewer:-

Event Type: Information
Event Source: Winlogon
Event Category: None
Event ID: 1001
Date: 1/8/2007
Time: 4:15:27 PM
User: N/A
Computer: G8Y3I8
Description:
Checking file system on C:
The type of the file system is FAT32.

A disk check has been scheduled.
Windows will now check the disk.
Volume Serial Number is 3869-1805
Windows is verifying free space...
Free space verification is complete.
Windows has checked the file system and found no problem.
6285144 KB total disk space.
623840 KB in 497 hidden files.
11572 KB in 2647 folders.
3455240 KB in 24483 files.
2194488 KB are available.

4096 bytes in each allocation unit.
1571286 total allocation units on disk.
548622 allocation units available on disk.

miss spooky
2007-01-10, 00:57
Silent runners Report:-

"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows 2000
Output of all locations checked and all values found.


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
"Yahoo! Pager" = "C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet" [file not found]
"updateMgr" = "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5" [file not found]
"PcSync" = "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog" ["Time Information Services Ltd."]
"IncrediMail" = "C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c" ["IncrediMail, Ltd."]

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
"DelayShred" = ""C:\Program Files\McAfee\McAfee Shared Components\Shredder 5\SHRED32.EXE" /q C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMPOR~1\Content.IE5\W9QBWXA7\NTLWOR~1.SH! C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMPOR~1\Content.IE5\SL6FO1YN\STB0_1~1.SH! C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMPOR~1\Content.IE5\SL6FO1YN\AZA_1_~1.SH! C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMPOR~1\Content.IE5\K34NO7CV\STB_1_~1.SH! C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMPOR~1\Content.IE5\K34NO7CV\TOPC_1~1.SH! C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMPOR~1\Content.IE5\SL6FO1YN\TOPC_1~1.SH! C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMPOR~1\Content.IE5\K34NO7CV\INDEX_~1.SH! C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMPOR~1\Content.IE5\G1EFK5IJ\NTLWOR~2.SH! C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMPOR~1\Content.IE5\GTE7OHE7\AT0308~1.SH! C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMPOR~1\Content.IE5\45CBKNW7\NTLWOR~2.SH! C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMPOR~1\Content.IE5\JMG37LCH\CAHKE113.SH! C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMPOR~1\Content.IE5\I9OJUTQ5\PLAYST~1.SH! C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMPOR~1\Content.IE5\E3B37HQD\CNR_SP~1.SH! C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMPOR~1\Content.IE5\2SGDQ4PV\NTLWOR~1.SH!" [file not found]

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
"SystemTray" = "SysTray.Exe" [MS]
"Lexmark X6100 Series" = ""C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"" ["Lexmark International, Inc."]
"MPFTray" = "C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE" [file not found]
"MISAggregator" = "(empty string)" [file not found]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"msnappau" = ""C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"" [MS]
"PCSuiteTrayApplication" = "C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray" ["Nokia"]
"DataLayer" = "C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe" ["Nokia Mobile Phones Ltd."]
"BJCFD" = "C:\Program Files\BroadJump\Client Foundation\CFD.exe" ["BroadJump, Inc."]
"!AVG Anti-Spyware" = ""C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default) = "Windows Media Player"

miss spooky
2007-01-10, 01:00
\StubPath = "C:\WINDOWS\inf\unregmp2.exe /ShowWMP" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{9394EDE7-C8B5-483E-8773-474BF36AF6E4}\(Default) = (no title provided)
-> {HKLM...CLSID} = "ST"
\InProcServer32\(Default) = "C:\Program Files\MSN Apps\ST\01.02.3000.1001\en-xu\stmain.dll" [MS]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = (no title provided)
-> {HKLM...CLSID} = "MSNToolBandBHO"
\InProcServer32\(Default) = "C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{00022613-0000-0000-C000-000000000046}" = "Multimedia File Property Sheet"
-> {HKLM...CLSID} = "Multimedia File Property Sheet"
\InProcServer32\(Default) = "mmsys.cpl" [MS]
"{176d6597-26d3-11d1-b350-080036a75b03}" = "ICM Scanner Management"
-> {HKLM...CLSID} = "ICM Scanner Management"
\InProcServer32\(Default) = "icmui.dll" [MS]
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}" = "NTFS Security Page"
-> {HKLM...CLSID} = "Security Shell Extension"
\InProcServer32\(Default) = "rshx32.dll" [MS]
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}" = "OLE Docfile Property Page"
-> {HKLM...CLSID} = "OLE Docfile Property Page"
\InProcServer32\(Default) = "docprop.dll" [MS]
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}" = "Shell extensions for sharing"
-> {HKLM...CLSID} = "Shell extensions for sharing"
\InProcServer32\(Default) = "ntshrui.dll" [MS]
"{41E300E0-78B6-11ce-849B-444553540000}" = "PlusPack CPL Extension"
-> {HKLM...CLSID} = "PlusPack CPL Extension"
\InProcServer32\(Default) = "plustab.dll" [MS]
"{42071712-76d4-11d1-8b24-00a0c9068ff3}" = "Display Adapter CPL Extension"
-> {HKLM...CLSID} = "Display Adapter CPL Extension"
\InProcServer32\(Default) = "deskadp.dll" [MS]
"{42071713-76d4-11d1-8b24-00a0c9068ff3}" = "Display Monitor CPL Extension"
-> {HKLM...CLSID} = "Display Monitor CPL Extension"
\InProcServer32\(Default) = "deskmon.dll" [MS]
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{4E40F770-369C-11d0-8922-00A024AB2DBB}" = "DS Security Page"
-> {HKLM...CLSID} = "Security Shell Extension"
\InProcServer32\(Default) = "dssec.dll" [MS]
"{56117100-C0CD-101B-81E2-00AA004AE837}" = "Shell Scrap DataHandler"
-> {HKLM...CLSID} = "Shell Scrap DataHandler"
\InProcServer32\(Default) = "shscrap.dll" [MS]
"{59099400-57FF-11CE-BD94-0020AF85B590}" = "Disk Copy Extension"
-> {HKLM...CLSID} = "Disk Copy Extension"
\InProcServer32\(Default) = "diskcopy.dll" [MS]
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}" = "Shell extensions for Microsoft Windows Network objects"
-> {HKLM...CLSID} = "Shell extensions for Microsoft Windows Network objects"
\InProcServer32\(Default) = "ntlanui2.dll" [MS]
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}" = "ICM Monitor Management"
-> {HKLM...CLSID} = "ICM Monitor Management"
\InProcServer32\(Default) = "C:\WINDOWS\System32\icmui.dll" [MS]
"{675F097E-4C4D-11D0-B6C1-0800091AA605}" = "ICM Printer Management"
-> {HKLM...CLSID} = "ICM Printer Management"
\InProcServer32\(Default) = "C:\WINDOWS\system32\icmui.dll" [MS]
"{77597368-7b15-11d0-a0c2-080036af3f03}" = "Web Printer Shell Extension"
-> {HKLM...CLSID} = "Web Printer Shell Extension"
\InProcServer32\(Default) = "printui.dll" [MS]
"{7988B573-EC89-11cf-9C00-00AA00A14F56}" = "Disk Quota UI"
-> {HKLM...CLSID} = "Microsoft Disk Quota UI"
\InProcServer32\(Default) = "dskquoui.dll" [MS]
"{85BBD920-42A0-1069-A2E4-08002B30309D}" = "Briefcase"
-> {HKLM...CLSID} = "Briefcase"
\InProcServer32\(Default) = "syncui.dll" [MS]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{BD84B380-8CA2-1069-AB1D-08000948F534}" = "Fonts"
-> {HKLM...CLSID} = "Fonts"
\InProcServer32\(Default) = "fontext.dll" [MS]
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}" = "ICC Profile"
-> {HKLM...CLSID} = "ICC Profile"
\InProcServer32\(Default) = "C:\WINDOWS\system32\icmui.dll" [MS]
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}" = "Printers Security Page"
-> {HKLM...CLSID} = "Security Shell Extension"
\InProcServer32\(Default) = "rshx32.dll" [MS]
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}" = "Shell extensions for sharing"
-> {HKLM...CLSID} = "Shell extensions for sharing"
\InProcServer32\(Default) = "ntshrui.dll" [MS]
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}" = "Display TroubleShoot CPL Extension"
-> {HKLM...CLSID} = "Display TroubleShoot CPL Extension"
\InProcServer32\(Default) = "deskperf.dll" [MS]
"{60254CA5-953B-11CF-8C96-00AA00B8708C}" = "Shell extensions for Windows Script Host"
-> {HKLM...CLSID} = "Shell Extension For Windows Script Host"
\InProcServer32\(Default) = "C:\WINDOWS\System32\wshext.dll" [MS]
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}" = "Crypto PKO Extension"
-> {HKLM...CLSID} = "CryptPKO Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\cryptext.dll" [MS]
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}" = "Crypto Sign Extension"
-> {HKLM...CLSID} = "CryptSig Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\cryptext.dll" [MS]
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}" = "Network and Dial-up Connections"
-> {HKLM...CLSID} = "Network and Dial-up Connections"
\InProcServer32\(Default) = "C:\WINDOWS\system32\NETSHELL.dll" [MS]
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}" = "Tasks Folder Icon Handler"
-> {HKLM...CLSID} = "Scheduling UI icon handler"
\InProcServer32\(Default) = "C:\WINDOWS\System32\mstask.dll" [MS]
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}" = "Tasks Folder Shell Extension"
-> {HKLM...CLSID} = "Scheduling UI property sheet handler"
\InProcServer32\(Default) = "C:\WINDOWS\System32\mstask.dll" [MS]
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}" = "Scheduled Tasks"
-> {HKLM...CLSID} = "Scheduled Tasks"
\InProcServer32\(Default) = "C:\WINDOWS\System32\mstask.dll" [MS]
"{1A9BA3A0-143A-11CF-8350-444553540000}" = "Shell Favorite Folder"
-> {HKLM...CLSID} = "Shell Favorite Folder"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shell32.dll" [MS]
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}" = "My Computer"
-> {HKLM...CLSID} = "My Computer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shell32.dll" [MS]
"{86747AC0-42A0-1069-A2E6-08002B30309D}" = "Briefcase Folder"
-> {HKLM...CLSID} = "Shell Moniker"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shell32.dll" [MS]
"{0AFACED1-E828-11D1-9187-B532F1E9575D}" = "Folder Shortcut"
-> {HKLM...CLSID} = "Folder Shortcut"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shell32.dll" [MS]
"{12518493-00B2-11d2-9FA5-9E3420524153}" = "Mounted Volume"
-> {HKLM...CLSID} = "Mounted Volume"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shell32.dll" [MS]
"{21B22460-3AEA-1069-A2DC-08002B30309D}" = "File Property Page Extension"
-> {HKLM...CLSID} = "File system attributes"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shell32.dll" [MS]
"{B091E540-83E3-11CF-A713-0020AFD79762}" = "File Types Page"
-> {HKLM...CLSID} = "File Types Page"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shell32.dll" [MS]
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}" = "MIME File Types Hook"
-> {HKLM...CLSID} = "MIME File Types Hook"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shell32.dll" [MS]
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}" = "Microsoft CopyTo Service"
-> {HKLM...CLSID} = "Microsoft CopyTo Service"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shell32.dll" [MS]

miss spooky
2007-01-10, 01:01
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}" = "Microsoft MoveTo Service"
-> {HKLM...CLSID} = "Microsoft MoveTo Service"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shell32.dll" [MS]
"{13709620-C279-11CE-A49E-444553540000}" = "Shell Automation Service"
-> {HKLM...CLSID} = "Shell Automation Service"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shell32.dll" [MS]
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}" = "Shell Automation Folder View"
-> {HKLM...CLSID} = "Shell Automation Folder View"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shell32.dll" [MS]
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}" = "Start Menu"
-> {HKLM...CLSID} = "Start Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shell32.dll" [MS]
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}" = "Microsoft SendTo Service"
-> {HKLM...CLSID} = "Microsoft SendTo Service"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shell32.dll" [MS]
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}" = "Microsoft New Object Service"
-> {HKLM...CLSID} = "Microsoft New Object Service"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shell32.dll" [MS]
"{09799AFB-AD67-11d1-ABCD-00C04FC30936}" = "Open With Context Menu Handler"
-> {HKLM...CLSID} = "Open With Context Menu Handler"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shell32.dll" [MS]
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}" = "Display Control Panel HTML Extensions"
-> {HKLM...CLSID} = "Display Control Panel HTML Extensions"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shell32.dll" [MS]
"{75048700-EF1F-11D0-9888-006097DEACF9}" = "ActiveDesktop"
-> {HKLM...CLSID} = "ActiveDesktop"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shell32.dll" [MS]
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}" = "Folder Options Property Page Extension"
-> {HKLM...CLSID} = "Folder Options Property Page Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shell32.dll" [MS]
"{57651662-CE3E-11D0-8D77-00C04FC99D61}" = "CmdFileIcon"
-> {HKLM...CLSID} = "CmdFileIcon"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shell32.dll" [MS]
"{4657278A-411B-11d2-839A-00C04FD918D0}" = "Shell Drag and Drop helper"
-> {HKLM...CLSID} = "Shell Drag and Drop helper"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shell32.dll" [MS]
"{A470F8CF-A1E8-4f65-8335-227475AA5C46}" = "Add encryption item to context menus in explorer"
-> {HKLM...CLSID} = "Add encryption item to context menus in explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shell32.dll" [MS]
"{5E6AB780-7743-11CF-A12B-00AA004AE837}" = "Microsoft Internet Toolbar"
-> {HKLM...CLSID} = "Microsoft Internet Toolbar"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}" = "Download Status"
-> {HKLM...CLSID} = "Download Status"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{568804CA-CBD7-11d0-9816-00C04FD91972}" = "Menu Shell Folder"
-> {HKLM...CLSID} = "Menu Shell Folder"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{5b4dae26-b807-11d0-9815-00c04fd91972}" = "Menu Band"
-> {HKLM...CLSID} = "Menu Band"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{8278F931-2A3E-11d2-838F-00C04FD918D0}" = "Tracking Shell Menu"
-> {HKLM...CLSID} = "Tracking Shell Menu"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}" = "Menu Site"
-> {HKLM...CLSID} = "Menu Site"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}" = "Menu Desk Bar"
-> {HKLM...CLSID} = "Menu Desk Bar"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}" = "Augmented Shell Folder"
-> {HKLM...CLSID} = "Augmented Shell Folder"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{6413BA2C-B461-11d1-A18A-080036B11A03}" = "Augmented Shell Folder 2"
-> {HKLM...CLSID} = "Augmented Shell Folder 2"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}" = "BandProxy"
-> {HKLM...CLSID} = "BandProxy"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}" = "IShellFolderBand"
-> {HKLM...CLSID} = "IShellFolderBand"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}" = "Microsoft BrowserBand"
-> {HKLM...CLSID} = "Microsoft BrowserBand"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{30D02401-6A81-11d0-8274-00C04FD5AE38}" = "Search Band"
-> {HKLM...CLSID} = "Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}" = "In-pane search"
-> {HKLM...CLSID} = "In-pane search"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{07798131-AF23-11d1-9111-00A0C98BA67D}" = "Web Search"
-> {HKLM...CLSID} = "Web Search"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}" = "&Links"
-> {HKLM...CLSID} = "&Links"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}" = "Registry Tree Options Utility"
-> {HKLM...CLSID} = "Registry Tree Options Utility"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}" = "&Address"
-> {HKLM...CLSID} = "&Address"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{A08C11D2-A228-11d0-825B-00AA005B4383}" = "Address EditBox"
-> {HKLM...CLSID} = "Address EditBox"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{00BB2763-6A77-11D0-A535-00C04FD7D062}" = "Microsoft AutoComplete"
-> {HKLM...CLSID} = "Microsoft AutoComplete"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{7487cd30-f71a-11d0-9ea7-00805f714772}" = "Thumbnail Image"
-> {HKLM...CLSID} = "Thumbnail Image"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{7376D660-C583-11d0-A3A5-00C04FD706EC}" = "TridentImageExtractor"
-> {HKLM...CLSID} = "TridentImageExtractor"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{6756A641-DE71-11d0-831B-00AA005B4383}" = "MRU AutoComplete List"
-> {HKLM...CLSID} = "MRU AutoComplete List"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{00BB2764-6A77-11D0-A535-00C04FD7D062}" = "Microsoft History AutoComplete List"
-> {HKLM...CLSID} = "Microsoft History AutoComplete List"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{03C036F1-A186-11D0-824A-00AA005B4383}" = "Microsoft Shell Folder AutoComplete List"
-> {HKLM...CLSID} = "Microsoft Shell Folder AutoComplete List"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{00BB2765-6A77-11D0-A535-00C04FD7D062}" = "Microsoft Multiple AutoComplete List Container"
-> {HKLM...CLSID} = "Microsoft Multiple AutoComplete List Container"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}" = "Shell Band Site Menu"
-> {HKLM...CLSID} = "Shell Band Site Menu"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}" = "Shell DeskBarApp"
-> {HKLM...CLSID} = "Shell DeskBarApp"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}" = "Shell DeskBar"
-> {HKLM...CLSID} = "Shell DeskBar"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}" = "Shell Rebar BandSite"
-> {HKLM...CLSID} = "Shell Rebar BandSite"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}" = "User Assist"
-> {HKLM...CLSID} = "User Assist"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}" = "Global Folder Settings"
-> {HKLM...CLSID} = "Global Folder Settings"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}" = "Favorites Band"
-> {HKLM...CLSID} = "Favorites Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{0A89A860-D7B1-11CE-8350-444553540000}" = "Shell Automation Inproc Service"
-> {HKLM...CLSID} = "Shell Automation Inproc Service"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}" = "Shell DocObject Viewer"
-> {HKLM...CLSID} = "Shell DocObject Viewer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}" = "InternetShortcut"
-> {HKLM...CLSID} = "Internet Shortcut"
\InProcServer32\(Default) = "shdocvw.dll" [MS]
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}" = "Microsoft Url History Service"
-> {HKLM...CLSID} = "Microsoft Url History Service"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{FF393560-C2A7-11CF-BFF4-444553540000}" = "History"
-> {HKLM...CLSID} = "History"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}" = "Temporary Internet Files"
-> {HKLM...CLSID} = "Temporary Internet Files"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" = "Microsoft Url Search Hook"
-> {HKLM...CLSID} = "Microsoft Url Search Hook"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}" = "IE4 Suite Splash Screen"
-> {HKLM...CLSID} = "IE4 Suite Splash Screen"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}" = "CDF Extension Copy Hook"
-> {HKLM...CLSID} = "CDF Extension Copy Hook"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{131A6951-7F78-11D0-A979-00C04FD705A2}" = "ISFBand OC"
-> {HKLM...CLSID} = "ISFBand OC"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}" = "Search Assistant OC"
-> {HKLM...CLSID} = "Search Assistant OC"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}" = "The Internet"
-> {HKLM...CLSID} = "The Internet"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{871C5380-42A0-1069-A2EA-08002B30309D}" = "Internet Name Space"
-> {HKLM...CLSID} = "Internet Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}" = "Sendmail service"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\sendmail.dll" [MS]
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}" = "Sendmail service"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\sendmail.dll" [MS]
"{88C6C381-2E85-11D0-94DE-444553540000}" = "ActiveX Cache Folder"
-> {HKLM...CLSID} = "ActiveX Cache Folder"
\InProcServer32\(Default) = "C:\WINDOWS\System32\occache.dll" [MS]
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" = "WebCheck"
-> {HKLM...CLSID} = "WebCheck"
\InProcServer32\(Default) = "C:\WINDOWS\System32\webcheck.dll" [MS]
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}" = "Subscription Mgr"
-> {HKLM...CLSID} = "Subscription Mgr"
\InProcServer32\(Default) = "C:\WINDOWS\System32\webcheck.dll" [MS]
"{F5175861-2688-11d0-9C5E-00AA00A45957}" = "Subscription Folder"
-> {HKLM...CLSID} = "Subscription Folder"
\InProcServer32\(Default) = "C:\WINDOWS\System32\webcheck.dll" [MS]
"{08165EA0-E946-11CF-9C87-00AA005127ED}" = "WebCheckWebCrawler"
-> {HKLM...CLSID} = "WebCheckWebCrawler"
\InProcServer32\(Default) = "C:\WINDOWS\System32\webcheck.dll" [MS]
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}" = "WebCheckChannelAgent"
-> {HKLM...CLSID} = "WebCheckChannelAgent"
\InProcServer32\(Default) = "C:\WINDOWS\System32\webcheck.dll" [MS]
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}" = "TrayAgent"
-> {HKLM...CLSID} = "TrayAgent"
\InProcServer32\(Default) = "C:\WINDOWS\System32\webcheck.dll" [MS]
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}" = "Code Download Agent"
-> {HKLM...CLSID} = "Code Download Agent"
\InProcServer32\(Default) = "C:\WINDOWS\System32\webcheck.dll" [MS]
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}" = "ConnectionAgent"
-> {HKLM...CLSID} = "ConnectionAgent"
\InProcServer32\(Default) = "C:\WINDOWS\System32\webcheck.dll" [MS]
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}" = "PostAgent"
-> {HKLM...CLSID} = "PostAgent"
\InProcServer32\(Default) = "C:\WINDOWS\System32\webcheck.dll" [MS]
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}" = "WebCheck SyncMgr Handler"
-> {HKLM...CLSID} = "WebCheck SyncMgr Handler"
\InProcServer32\(Default) = "C:\WINDOWS\System32\webcheck.dll" [MS]
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}" = "Thumbnails"
-> {HKLM...CLSID} = "Thumbnails"
\InProcServer32\(Default) = "C:\WINDOWS\System32\thumbvw.dll" [MS]
"{EAB841A0-9550-11CF-8C16-00805F1408F3}" = "HTML Thumbnail Extractor"
-> {HKLM...CLSID} = "HTML Thumbnail Extractor"
\InProcServer32\(Default) = "C:\WINDOWS\System32\thumbvw.dll" [MS]
"{1AEB1360-5AFC-11D0-B806-00C04FD706EC}" = "Office Graphics Filters Thumbnail Extractor"
-> {HKLM...CLSID} = "Office Graphics Filters Thumbnail Extractor"
\InProcServer32\(Default) = "C:\WINDOWS\System32\thumbvw.dll" [MS]
"{9DBD2C50-62AD-11D0-B806-00C04FD706EC}" = "Summary Info Thumbnail handler (DOCFILES)"
-> {HKLM...CLSID} = "Summary Info Thumbnail handler (DOCFILES)"
\InProcServer32\(Default) = "C:\WINDOWS\System32\thumbvw.dll" [MS]
"{500202A0-731E-11D0-B829-00C04FD706EC}" = "LNK file thumbnail interface delegator"
-> {HKLM...CLSID} = "LNK file thumbnail interface delegator"
\InProcServer32\(Default) = "C:\WINDOWS\System32\thumbvw.dll" [MS]
"{352EC2B7-8B9A-11D1-B8AE-006008059382}" = "Shell Application Manager"
-> {HKLM...CLSID} = "%DESC_AppMgr%"
\InProcServer32\(Default) = "C:\WINDOWS\System32\appwiz.cpl" [MS]
"{0B124F8C-91F0-11D1-B8B5-006008059382}" = "Installed Apps Enumerator"
-> {HKLM...CLSID} = "Installed Apps Enumerator"
\InProcServer32\(Default) = "C:\WINDOWS\System32\appwiz.cpl" [MS]
"{CFCCC7A0-A282-11D1-9082-006008059382}" = "Darwin App Publisher"
-> {HKLM...CLSID} = "Darwin App Publisher"
\InProcServer32\(Default) = "C:\WINDOWS\System32\appwiz.cpl" [MS]
"{fe1290f0-cfbd-11cf-a330-00aa00c16e65}" = "Directory Namespace"
-> {HKLM...CLSID} = "Directory"
\InProcServer32\(Default) = "dsfolder.dll" [MS]
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}" = "Shell properties for a DS object"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "dsfolder.dll" [MS]
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}" = "Directory Query UI"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "dsquery.dll" [MS]
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}" = "Directory Object Find"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "dsquery.dll" [MS]
"{F020E586-5264-11d1-A532-0000F8757D7E}" = "Directory Start/Search Find"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "dsquery.dll" [MS]
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}" = "Directory Property UI"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "dsuiext.dll" [MS]
"{62AE1F9A-126A-11D0-A14B-0800361B1103}" = "Directory Context Menu Verbs"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "dsuiext.dll" [MS]
"{450D8FBA-AD25-11D0-98A8-0800361B1103}" = "MyDocs Folder"
-> {HKLM...CLSID} = "My Documents"
\InProcServer32\(Default) = "mydocs.dll" [MS]
"{ECF03A33-103D-11d2-854D-006008059367}" = "MyDocs Copy Hook"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "mydocs.dll" [MS]
"{ECF03A32-103D-11d2-854D-006008059367}" = "MyDocs Drop Target"
-> {HKLM...CLSID} = "MyDocs Drop Target"
\InProcServer32\(Default) = "mydocs.dll" [MS]
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}" = "MyDocs Properties"
-> {HKLM...CLSID} = "MyDocs menu and properties"
\InProcServer32\(Default) = "mydocs.dll" [MS]
"{750fdf0e-2a26-11d1-a3ea-080036587f03}" = "Offline Files Menu"
-> {HKLM...CLSID} = "Offline Files Menu"
\InProcServer32\(Default) = "cscui.dll" [MS]
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}" = "Offline Files Folder Options"
-> {HKLM...CLSID} = "Offline Files Folder Options"
\InProcServer32\(Default) = "cscui.dll" [MS]
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}" = "Offline Files Folder"
-> {HKLM...CLSID} = "Offline Files Folder"
\InProcServer32\(Default) = "cscui.dll" [MS]
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}" = "MMC Icon Handler"
-> {HKLM...CLSID} = "ExtractIcon Class"
\InProcServer32\(Default) = "mmcshext.dll" [MS]
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}" = ".CAB file viewer"
-> {HKLM...CLSID} = "Cabinet"
\InProcServer32\(Default) = "cabview.dll" [MS]
"{7D688A77-C613-11D0-999B-00C04FD655E1}" = "SlowFile Icon Overlay"
-> {HKLM...CLSID} = "SlowFile Icon Overlay"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{32683183-48a0-441b-a342-7c2a440a9478}" = "Media Band"
-> {HKLM...CLSID} = "Media Band"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}" = "Custom MRU AutoCompleted List"
-> {HKLM...CLSID} = "Custom MRU AutoCompleted List"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]

miss spooky
2007-01-10, 01:04
"{7e653215-fa25-46bd-a339-34a2790f3cb7}" = "Accessible"
-> {HKLM...CLSID} = "Accessible"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{acf35015-526e-4230-9596-becbe19f0ac9}" = "Track Popup Bar"
-> {HKLM...CLSID} = "Track Popup Bar"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}" = "Address Bar Parser"
-> {HKLM...CLSID} = "Address Bar Parser"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}" = "Microsoft Browser Architecture"
-> {HKLM...CLSID} = "Microsoft Browser Architecture"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}" = "Temporary Internet Files"
-> {HKLM...CLSID} = "Temporary Internet Files"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}" = "Explorer Band"
-> {HKLM...CLSID} = "Explorer Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}" = "Channel File"
-> {HKLM...CLSID} = "Channel"
\InProcServer32\(Default) = "C:\WINDOWS\System32\cdfview.dll" [MS]
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}" = "Channel Shortcut"
-> {HKLM...CLSID} = "Channel Shortcut"
\InProcServer32\(Default) = "C:\WINDOWS\System32\cdfview.dll" [MS]
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}" = "Channel Handler Object"
-> {HKLM...CLSID} = "Channel Handler Object"
\InProcServer32\(Default) = "C:\WINDOWS\System32\cdfview.dll" [MS]
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}" = "Channel Menu"
-> {HKLM...CLSID} = "Channel Menu Handler Object"
\InProcServer32\(Default) = "C:\WINDOWS\System32\cdfview.dll" [MS]
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}" = "Channel Properties"
-> {HKLM...CLSID} = "Channel Shortcut Property Pages"
\InProcServer32\(Default) = "C:\WINDOWS\System32\cdfview.dll" [MS]
"{32714800-2E5F-11d0-8B85-00AA0044F941}" = "For &People..."
-> {HKLM...CLSID} = "For &People..."
\InProcServer32\(Default) = "C:\PROGRA~1\OUTLOO~1\wabfind.dll" [MS]
"{46505a60-4be9-11d2-922c-0060978f9b72}" = "XDC8 Shell Extension"
-> {HKLM...CLSID} = "XDC8 Shell Extension"
\InProcServer32\(Default) = "XDC8LMON.DLL" ["Xerox"]
"{acb4a560-3606-11d3-aef4-00104bd0f92d}" = "KodakShellExtension"
-> {HKLM...CLSID} = "KodakShellExtension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\KODAK\IFSCore\kodakshx.dll" ["Eastman Kodak Company"]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{40950107-FEA6-4d53-A65F-B2DCBA57DD58}" = "Nokia Phone Browser"
-> {HKLM...CLSID} = "Nokia Phone Browser"
\InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll" ["Nokia"]
"{FBFE7864-D495-41f0-B7DC-4BB601CC295E}" = "Contact View"
-> {HKLM...CLSID} = "Contact View"
\InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\ContactView.dll" ["Nokia"]
"{C0C4375A-5B72-4efe-929D-3B848C3A1E91}" = "Message View"
-> {HKLM...CLSID} = "Message View"
\InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\MessageView.dll" ["Nokia"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}" = "Browseui preloader"
-> {HKLM...CLSID} = "Browseui preloader"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{8C7461EF-2B13-11d2-BE35-3078302C2030}" = "Component Categories cache daemon"
-> {HKLM...CLSID} = "Component Categories cache daemon"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]

miss spooky
2007-01-10, 01:07
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}" = (no title provided)
-> {HKLM...CLSID} = "URL Exec Hook"
\InProcServer32\(Default) = "shell32.dll" [MS]
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKCU\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"Network.ConnectionTray" = "{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
-> {HKLM...CLSID} = "Network Connections Tray"
\InProcServer32\(Default) = "C:\WINDOWS\system32\NETSHELL.dll" [MS]
"WebCheck" = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
-> {HKLM...CLSID} = "WebCheck"
\InProcServer32\(Default) = "C:\WINDOWS\System32\webcheck.dll" [MS]
"SysTray" = "{35CEC8A3-2BE6-11D2-8773-92E220524153}"
-> {HKLM...CLSID} = "SysTray"
\InProcServer32\(Default) = "stobject.dll" [MS]

HKCU\Software\Microsoft\Command Processor\
"AutoRun" = (value not found)

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"Shell" = (value not found)

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
"load" = (empty string)
"run" = (value not found)

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
"Shell" = (value not found)

HKLM\Software\Microsoft\Command Processor\
"AutoRun" = (empty string)

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\
"AppInit_DLLs" = (empty string)

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
"GinaDLL" = (value not found)
"Shell" = "Explorer.exe" [MS]
"Taskman" = (value not found)
"Userinit" = "C:\WINDOWS\system32\userinit.exe," [MS]
"System" = (empty string)

HKLM\System\CurrentControlSet\Control\SafeBoot\Option\
"UseAlternateShell" = (value not found)

HKLM\System\CurrentControlSet\Control\SecurityProviders\
"SecurityProviders" = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKLM\System\CurrentControlSet\Control\Session Manager\
"BootExecute" = "autocheck autochk *"

HKLM\System\CurrentControlSet\Control\WOW\
"cmdline" = "C:\WINDOWS\system32\ntvdm.exe" [MS]
"wowcmdline" = "C:\WINDOWS\system32\ntvdm.exe -a C:\WINDOWS\system32\krnl386" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
crypt32chain\DLLName = "crypt32.dll" [MS]
cryptnet\DLLName = "cryptnet.dll" [MS]
cscdll\DLLName = "cscdll.dll" [MS]
sclgntfy\DLLName = "sclgntfy.dll" [MS]
SensLogn\DLLName = "WlNotify.dll" [MS]
wzcnotif\DLLName = "wzcdlg.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
Your Image File Name Here without a path\Debugger = "ntsd -d" [MS]

HKCU\Software\Policies\Microsoft\Windows\System\Scripts\

HKLM\Software\Policies\Microsoft\Windows\System\Scripts\

HKLM\Software\Classes\PROTOCOLS\Filter\
Class Install Handler\CLSID = "{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"
-> {HKLM...CLSID} = "AP Class Install Handler filter"
\InProcServer32\(Default) = "C:\WINDOWS\system32\urlmon.dll" [MS]
deflate\CLSID = "{8f6b0360-b80d-11d0-a9b3-006097942311}"
-> {HKLM...CLSID} = "AP lzdhtml encoding/decoding Filter"
\InProcServer32\(Default) = "C:\WINDOWS\system32\urlmon.dll" [MS]
gzip\CLSID = "{8f6b0360-b80d-11d0-a9b3-006097942311}"
-> {HKLM...CLSID} = "AP lzdhtml encoding/decoding Filter"
\InProcServer32\(Default) = "C:\WINDOWS\system32\urlmon.dll" [MS]
lzdhtml\CLSID = "{8f6b0360-b80d-11d0-a9b3-006097942311}"
-> {HKLM...CLSID} = "AP lzdhtml encoding/decoding Filter"
\InProcServer32\(Default) = "C:\WINDOWS\system32\urlmon.dll" [MS]
text/webviewhtml\CLSID = "{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"
-> {HKLM...CLSID} = "WebView MIME Filter"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shell32.dll" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{0D2E74C4-3C34-11d2-A27E-00C04FC30871}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\shell32.dll" [MS]
{24F14F01-7B1C-11d1-838f-0000F80461CF}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\shell32.dll" [MS]
{24F14F02-7B1C-11d1-838f-0000F80461CF}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\shell32.dll" [MS]
{66742402-F9B9-11D1-A202-0000F81FEDEE}\(Default) = "Version Column Provider"
-> {HKLM...CLSID} = "Version Column Provider"
\InProcServer32\(Default) = "C:\WINDOWS\System32\docprop2.dll" [MS]
{7f9609be-af9a-11d1-83e0-00c04fb6e984}\(Default) = "Fax Tiff Data Column Provider"
-> {HKLM...CLSID} = "Fax Tiff Data Column Provider"
\InProcServer32\(Default) = "C:\WINDOWS\system32\faxshell.dll" [MS]
{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}\(Default) = (no title provided)
-> {HKLM...CLSID} = "ShAVColumnProvider class"
\InProcServer32\(Default) = "C:\WINDOWS\System32\docprop2.dll" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
BriefcaseMenu\(Default) = "{85BBD920-42A0-1069-A2E4-08002B30309D}"
-> {HKLM...CLSID} = "Briefcase"
\InProcServer32\(Default) = "syncui.dll" [MS]
Offline Files\(Default) = "{750fdf0e-2a26-11d1-a3ea-080036587f03}"
-> {HKLM...CLSID} = "Offline Files Menu"
\InProcServer32\(Default) = "cscui.dll" [MS]
Open With\(Default) = "{09799AFB-AD67-11d1-ABCD-00C04FC30936}"
-> {HKLM...CLSID} = "Open With Context Menu Handler"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shell32.dll" [MS]
Open With EncryptionMenu\(Default) = "{A470F8CF-A1E8-4f65-8335-227475AA5C46}"
-> {HKLM...CLSID} = "Add encryption item to context menus in explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shell32.dll" [MS]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
ZipItFast!\(Default) = "{00000001-0001-0001-0001-000000000019}"
-> {HKLM...CLSID} = "ZipItFast! - Add to archive..."
\InProcServer32\(Default) = "C:\zipitpro\zShellAd.dll" ["MicroSmarts Enterprise"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
Offline Files\(Default) = "{750fdf0e-2a26-11d1-a3ea-080036587f03}"
-> {HKLM...CLSID} = "Offline Files Menu"
\InProcServer32\(Default) = "cscui.dll" [MS]
Open With EncryptionMenu\(Default) = "{A470F8CF-A1E8-4f65-8335-227475AA5C46}"
-> {HKLM...CLSID} = "Add encryption item to context menus in explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shell32.dll" [MS]
Sharing\(Default) = "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"
-> {HKLM...CLSID} = "Shell extensions for sharing"
\InProcServer32\(Default) = "ntshrui.dll" [MS]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
ZipItFast!\(Default) = "{00000001-0001-0001-0001-000000000019}"
-> {HKLM...CLSID} = "ZipItFast! - Add to archive..."
\InProcServer32\(Default) = "C:\zipitpro\zShellAd.dll" ["MicroSmarts Enterprise"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
BriefcaseMenu\(Default) = "{85BBD920-42A0-1069-A2E4-08002B30309D}"
-> {HKLM...CLSID} = "Briefcase"
\InProcServer32\(Default) = "syncui.dll" [MS]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
ZipItFast!\(Default) = "{00000001-0001-0001-0001-000000000019}"
-> {HKLM...CLSID} = "ZipItFast! - Add to archive..."
\InProcServer32\(Default) = "C:\zipitpro\zShellAd.dll" ["MicroSmarts Enterprise"]

HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
Send To\(Default) = "{7BA4C740-9E81-11CF-99D3-00AA004AE837}"
-> {HKLM...CLSID} = "Microsoft SendTo Service"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shell32.dll" [MS]

miss spooky
2007-01-10, 01:09
Default executables:
--------------------

HKLM\Software\Classes\.bat\(Default) = "batfile"
HKLM\Software\Classes\batfile\shell\open\command\(Default) = ""%1" %*"

HKLM\Software\Classes\.cmd\(Default) = "cmdfile"
HKLM\Software\Classes\cmdfile\shell\open\command\(Default) = ""%1" %*"

HKLM\Software\Classes\.com\(Default) = "comfile"
HKLM\Software\Classes\comfile\shell\open\command\(Default) = ""%1" %*"

HKLM\Software\Classes\.exe\(Default) = "exefile"
HKLM\Software\Classes\exefile\shell\open\command\(Default) = ""%1" %*"

HKLM\Software\Classes\.hta\(Default) = "htafile"
HKLM\Software\Classes\htafile\shell\open\command\(Default) = "C:\WINDOWS\System32\mshta.exe "%1" %*"

HKLM\Software\Classes\.pif\(Default) = "piffile"
HKLM\Software\Classes\piffile\shell\open\command\(Default) = ""%1" %*"

HKLM\Software\Classes\.scr\(Default) = "scrfile"
HKLM\Software\Classes\scrfile\shell\open\command\(Default) = ""%1" /S"


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDriveTypeAutoRun" = (REG_DWORD) hex:0x00000095
{User Configuration|Administrative Templates|Windows Components|AutoPlay Policies|
Turn off Autoplay}

"CDRAutoRun" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowCpl\

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|System|
Disable registry editing tools}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate\

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\

HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel\

HKCU\Software\Policies\Microsoft\Internet Explorer\Download\

HKLM\Software\Policies\Microsoft\Internet Explorer\Download\

HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\

HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\

HKCU\Software\Policies\Microsoft\Internet Explorer\Main\

HKLM\Software\Policies\Microsoft\Internet Explorer\Main\

HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\

HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\

HKCU\Software\Policies\Microsoft\Internet Explorer\PhishingFilter\

HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter\

HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\

HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions\

HKCU\Software\Policies\Microsoft\Internet Explorer\Security\

HKLM\Software\Policies\Microsoft\Internet Explorer\Security\

HKCU\Software\Policies\Microsoft\MMC\{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}\

HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\

HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\

HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\

HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\

HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\

HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\

HKCU\Software\Policies\Microsoft\Windows\Network Connections\

HKCU\Software\Policies\Microsoft\Windows\System\

HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0\

HKLM\Software\Policies\Microsoft\Windows\Task Scheduler5.0\

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"dontdisplaylastusername" = (REG_DWORD) hex:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Interactive logon: Do not display last user name}

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "E:\My Documents\My Pictures\Kodak Pictures\Sea Side 2006-07-03\02-07-06_15231.jpg"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = (value not set)


Autostart via AUTORUN.INF on local fixed drives:
------------------------------------------------

C:\
AUTORUN.INF -> (file not found)

E:\
AUTORUN.INF -> (file not found)


DESKTOP.INI DLL launch in local fixed drive directories:
--------------------------------------------------------

C:\WINDOWS\FONTS\DESKTOP.INI
[.ShellClassInfo]
UICLSID={BD84B380-8CA2-1069-AB1D-08000948F534}
-> {HKLM...CLSID}\InProcServer32\(Default) = "fontext.dll" [MS]

C:\WINDOWS\TASKS\DESKTOP.INI
[.ShellClassInfo]
CLSID={d6277990-4c6a-11cf-8d87-00aa0060f5bf}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\mstask.dll" [MS]

C:\WINDOWS\Downloaded Program Files\DESKTOP.INI
[.ShellClassInfo]
CLSID={88C6C381-2E85-11d0-94DE-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\occache.dll" [MS]

C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\8HUNG567\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\WRGJY1ML\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\OTA349IB\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\WDIJKPUF\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\Documents and Settings\Default User\Local Settings\History\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\Documents and Settings\Default User\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\Documents and Settings\bester\Local Settings\History\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\Documents and Settings\bester\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\Documents and Settings\bester\Local Settings\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\Documents and Settings\bester\Local Settings\Temporary Internet Files\Content.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\Documents and Settings\bester\Local Settings\Temporary Internet Files\Content.IE5\XP83A7Y3\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\Documents and Settings\bester\Local Settings\Temporary Internet Files\Content.IE5\4XMVOH6J\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\Documents and Settings\bester\Local Settings\Temporary Internet Files\Content.IE5\89I7K9UZ\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\Documents and Settings\bester\Local Settings\Temporary Internet Files\Content.IE5\DCISZW80\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\Documents and Settings\Administrator\Local Settings\History\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\INPZKUG0\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ARXJAPQO\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2Z2LCD4N\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KN8P2BML\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\QQUM02JU\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\92BZJBP7\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MR07Q5Y3\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

E: (no DLL launch points found)

Startup items in "Administrator" & "All Users" startup folders:
---------------------------------------------------------------

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
"Freecom Personal Media Suite" -> shortcut to: "C:\Program Files\Freecom Personal Media Suite\FCPMS.exe" ["Freecom"]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Kodak EasyShare software" -> shortcut to: "C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe -h" ["Eastman Kodak Company"]
"WinZip Quick Pick" -> shortcut to: "C:\Program Files\WinZip\WZQKPICK.EXE" ["WinZip Computing LP"]
"BlueSoleil" -> shortcut to: "C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe" ["IVT Corporation"]


Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
%SystemRoot%\system32\msafd.dll [MS], 1 - 3
%SystemRoot%\system32\rsvpsp.dll [MS], 4 - 5


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{01E04581-4EEE-11D0-BFE9-00AA005B4383}"
-> {HKLM...CLSID} = "&Address"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{0E5CBF21-D15F-11D0-8301-00AA005B4383}"
-> {HKLM...CLSID} = "&Links"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{01E04581-4EEE-11D0-BFE9-00AA005B4383}"
-> {HKLM...CLSID} = "&Address"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{0E5CBF21-D15F-11D0-8301-00AA005B4383}"
-> {HKLM...CLSID} = "&Links"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{FE6BC4EF-5676-484B-88AE-883323913256}"
-> {HKLM...CLSID} = "Starware"
\InProcServer32\(Default) = "C:\PROGRA~1\COMETS~1\Platform\Bin\csietb.dll" [file not found]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"
-> {HKLM...CLSID} = "MSN"
\InProcServer32\(Default) = "C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll" [MS]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{8E718888-423F-11D2-876E-00A0C9082467}" = (no title provided)
-> {HKLM...CLSID} = "&Radio"
\InProcServer32\(Default) = "C:\WINDOWS\System32\msdxm.ocx" [MS]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = "0"
-> {HKLM...CLSID} = "MSN"
\InProcServer32\(Default) = "C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll" [MS]
Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{30D02401-6A81-11D0-8274-00C04FD5AE38}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
{32683183-48A0-441B-A342-7C2A440A9478}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Media Band"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\(Default) = (no title provided)
-> {HKLM...CLSID} = "File and Folders Search ActiveX Control"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shell32.dll" [MS]
{EFA24E61-B078-11D0-89E4-00C04FC9E26E}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Favorites Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
{EFA24E62-B078-11D0-89E4-00C04FC9E26E}\(Default) = (no title provided)
-> {HKLM...CLSID} = "History Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4D5C8C25-D075-11D0-B416-00C04FB90376}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Tip of the Day"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

HKLM\Software\Classes\CLSID\{90C61707-C8F8-43DB-A25C-C1F4B18EE41E}\(Default) = "Horizontal Bar"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\PROGRA~1\COMETS~1\Platform\Bin\csband.dll" [file not found]

HKLM\Software\Classes\CLSID\{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}\(Default) = "&Discuss"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "shdocvw.dll" [MS]

HKLM\Software\Classes\CLSID\{EDC4193F-34AD-4D07-AA87-E3FDB89E3E76}\(Default) = "Vertical Bar"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\COMETS~1\Platform\Bin\csband.dll" [file not found]

miss spooky
2007-01-10, 01:10
HKLM\Software\Classes\CLSID\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}\(Default) = "Explorer Band"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\

HKLM\Software\Microsoft\Internet Explorer\Extensions\


Internet Explorer Address Prefixes:
-----------------------------------

Prefix for bare domain ("domain-name-here.com")

HKLM\Software\Microsoft\Windows\CurrentVersion\URL\Default Prefix\
(Default) = "http://"

Prefix for specific service (i.e., "www")

HKLM\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes\
"ftp" = "ftp://"
"gopher" = "gopher://"
"home" = "http://"
"mosaic" = "http://"
"www" = "http://"

Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings" -- no anomalies found)

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" = (no title provided)
-> {HKLM...CLSID} = "Microsoft Url Search Hook"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
"NavigationFailure" = "res://shdoclc.dll/navcancl.htm" [MS]
"DesktopItemNavigationFailure" = "res://shdoclc.dll/navcancl.htm" [MS]
"NavigationCanceled" = "res://shdoclc.dll/navcancl.htm" [MS]
"OfflineInformation" = "res://shdoclc.dll/offcancl.htm" [MS]
"Home" = hex:0x0000010E
"blank" = "res://mshtml.dll/blank.htm" [MS]
"PostNotCached" = "res://mshtml.dll/repost.htm" [MS]
"mozilla" = "res://mshtml.dll/about.moz" [MS]


HOSTS file
----------

HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\
"DataBasePath" = "C:\WINDOWS\System32\drivers\etc"

C:\WINDOWS\System32\drivers\etc\HOSTS

maps: 1 domain name to an IP address,
and this is the localhost IP address

All Running Services (Display Name, Service Name, Path {Service DLL}):
----------------------------------------------------------------------

Automatic Updates, wuauserv, "C:\WINDOWS\system32\svchost.exe -k wugroup" {"C:\WINDOWS\system32\wuauserv.dll" [MS]}
AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."]
AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
Background Intelligent Transfer Service, BITS, "C:\WINDOWS\System32\svchost.exe -k BITSgroup" {"C:\WINDOWS\System32\qmgr.dll" [MS]}
BlueSoleil Hid Service, BlueSoleil Hid Service, "C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe" [null data]
COM+ Event System, EventSystem, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\es.dll" [MS]}
DHCP Client, Dhcp, "C:\WINDOWS\System32\services.exe" [MS]
Distributed Link Tracking Client, TrkWks, "C:\WINDOWS\system32\services.exe" [MS]
DNS Client, Dnscache, "C:\WINDOWS\System32\services.exe" [MS]
Event Log, Eventlog, "C:\WINDOWS\system32\services.exe" [MS]
Indexing Service, cisvc, "C:\WINDOWS\System32\cisvc.exe" [MS]
iPodService, iPodService, "C:\Program Files\iPod\bin\iPodService.exe" ["Apple Computer, Inc."]
Kodak Camera Connection Software, KodakCCS, "C:\WINDOWS\system32\drivers\KodakCCS.exe" ["Eastman Kodak Company"]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
Logical Disk Manager, dmserver, "C:\WINDOWS\System32\services.exe" [MS]
Network Connections, Netman, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\netman.dll" [MS]}
Plug and Play, PlugPlay, "C:\WINDOWS\system32\services.exe" [MS]
Print Spooler, Spooler, "C:\WINDOWS\system32\spoolsv.exe" [MS]
Protected Storage, ProtectedStorage, "C:\WINDOWS\system32\services.exe" [MS]
ptssvc, ptssvc, "C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe" ["KODAK"]
Remote Access Connection Manager, RasMan, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\rasmans.dll" [MS]}
Remote Procedure Call (RPC), RpcSs, "C:\WINDOWS\system32\svchost -k rpcss" {"C:\WINDOWS\system32\rpcss.dll" [MS]}
Removable Storage, NtmsSvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\NtmsSvc.dll" [MS]}
RunAs Service, seclogon, "C:\WINDOWS\system32\services.exe" [MS]
ScsiAccess, ScsiAccess, "C:\WINDOWS\system32\ScsiAccess.EXE" [null data]
Security Accounts Manager, SamSs, "C:\WINDOWS\system32\lsass.exe" [MS]
Still Image Service, StiSvc, "C:\WINDOWS\system32\stisvc.exe" [MS]
System Event Notification, SENS, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\sens.dll" [MS]}
Task Scheduler, Schedule, "C:\WINDOWS\system32\MSTask.exe" [MS]
TCP/IP NetBIOS Helper Service, LmHosts, "C:\WINDOWS\System32\services.exe" [MS]
Telephony, TapiSrv, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\tapisrv.dll" [MS]}
Windows Management Instrumentation, WinMgmt, "C:\WINDOWS\System32\WBEM\WinMgmt.exe" [MS]
Windows Management Instrumentation Driver Extensions, Wmi, "C:\WINDOWS\system32\Services.exe" [MS]


Keyboard Driver Filters:
------------------------

HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = "kbdclass" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
BJ Language Monitor\Driver = "cnbjmon.dll" [MS]
Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]
Local Port\Driver = "localspl.dll" [MS]
PJL Language Monitor\Driver = "pjlmon.dll" [MS]
Standard TCP/IP Port\Driver = "tcpmon.dll" [MS]
USB Monitor\Driver = "usbmon.dll" [MS]
Windows NT Fax Monitor\Driver = "msfaxmon.dll" [MS]


-- (total run time: 212 seconds)
<<!>>: Suspicious data at a malware launch point.


This is the end of the report!!

Mosaic1
2007-01-10, 20:04
Let's see if you can repair Internet Explorer. Go to Add Remove programs in control panel

Find internet Explorer on the list and click
Remove. If available, 3 options should appear. Select Repair. Let me know what happens please. If you can't repair, don't remove IE.



May I see a hijackthis log please?

I want to see your running tasks.


Then we'll do some more maintenance.


I take it you saw no problem devices in Device Manager?

miss spooky
2007-01-10, 23:24
Hmm, Can't find Internet Explorer in Add / Remove programs unless it's under a diferent name. I have something called Broadband Client Foundation and I don't know what that is (Unless it;s something to do with my service provider).

In Device Manager I did find some errors:- From 24/12/06 they are files names Windows Event Manager & SAM. Before that date they were DCOM, Service Ctrl Mgr & SAM.

Here's HJT:-

Logfile of HijackThis v1.99.1
Scan saved at 9:11:23 PM, on 1/10/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Freecom Personal Media Suite\FCPMS.exe
C:\PROGRA~1\INCRED~1\bin\IMAPP.EXE
C:\Antispyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1001\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - Startup: Freecom Personal Media Suite.lnk = C:\Program Files\Freecom Personal Media Suite\FCPMS.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
O15 - Trusted Zone: http://www.freewebs.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130231909123
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131100914278
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE

Mosaic1
2007-01-11, 00:29
You have too many startups. Many are not needed.

Plus you're running a service which is notorious for slowing a computer to a crawl.
The indexing service.
Let's set it to manual and see if that helps a bit.



Go to Start >Run
Type services.msc
Press enter.
When the services Panel loads, Find Indexing service on the list.
Double click on it.
This will bring up its properties page.
Look for Startup Type and set it to manual.
Stop the service.
Click the ok button. Close the page.


**If you use MS Office, it may get turned back on. Watch your Task Manager to see if it does.
**Look for cidaemon in task manager.

-------------------------

Now for the hijackthis fixes: (we may do more later)


These are not needed startups. Let's fix them using Hijackthis. If you want to start them do it manually. Hijackthis will create backups for these entries in its backup folder. So don't delete that in the event you change your mind about these entries.


O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5

---------------

This too. It looks like a leftover from McAfee.

O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE


And finally, let's remove this from the trusted zone:
O15 - Trusted Zone: http://www.freewebs.com


------------------------

Often you don't have Internet Explorer listed in Add Remove Programs running win2k.

We'll get back to that later.

For now, you have several scanners running in the background. So stopping the indexing servcie will help. But if you have just recently installed the AVG antispyware program, you are going to notice a bit of a slowdown. I'm guessing you're short on RAM.
Let's start with this and see how it goes.

You are just running so much Software, we'll have to see what your system will support at any one given time. Anything you don't need can be started manually. Look at it and see if you really need the other startups.


--------------------

Info on Broadband Client Foundation
http://www.bleepingcomputer.com/startups/CFD.exe-777.html



But something really important is missing. You are not running a firewall.

There will likely be more to do.

miss spooky
2007-01-12, 19:27
Hi,

Sos about the delay I was away for the day yesterday.

I stopped The Indexing Service, fixed the HJT items and looked at the Broadband Client info and followed instructions to remove that. I'm not usre how to change the other systems we have to run manually, I'm not even sure of half the stuff on here.

One thing I havenoticed is that the computer name has taken the name of my Bluetooth and I tried to download some pictures from my phone the last two days & I am unable to connect, I'm not sure if the two are related but I never had any problems with the Bluetooth before the computer ceized.

I wasn't sure if you needed another HJT log, you haven't asked so I haven't done one...

With the firewall, we had one with McAfee, but I presumed that we were still ok with AVG etc after we uninstalled McAfee. I didn't realise we didn't have one...

Speak soon.

miss spooky
2007-01-21, 11:43
Hi,

I know your not supposed to bump, but does anyone know where Mosaic1 is?

Regards

MS.

Mosaic1
2007-01-24, 01:03
Hi,

I somehow missed your response. My apologies. The bluetooth and phone problem is something I amnot familiar with. That's more of a networking issue. Again, you can alwys try an uninstall and reinstall when you have problems with vertain applications.


Three things to have.

Anti Virus
Anti Spyware
Firewall


Be sure you have all three installed and in working order.

I'll look at a new Hijackthis log to see what you still have in your startups. Then we can try pruning out more. Is the system running any faster now?

miss spooky
2007-01-25, 11:45
Hi ya,

Thanks for replying, it must be hard trying to keep track of everyone on here.

The computer does seam to be running better now.

Here's my HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 9:40:01 AM, on 1/25/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\Antispyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1001\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - Startup: Freecom Personal Media Suite.lnk = C:\Program Files\Freecom Personal Media Suite\FCPMS.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130231909123
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131100914278
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE

Mosaic1
2007-01-25, 20:26
The most important thing for you to do, is to decide what you want to run in the background all the time. A lot of programs can be manually started when you choose.


This entry is for a backup software. But it is a real hog. It will slow you down tremendously. Do you want it running in the backgrond all the time? Or would it be better to make your backups manually on a schedule. That is your decision. When did you install it?

O4 - Startup: Freecom Personal Media Suite.lnk = C:\Program Files\Freecom Personal Media Suite\FCPMS.exe


Read this:

http://www.what-process.com/process-info.aspx?p=FCPMS.exe


Do you have an external drive, and did it come with that?
http://www.cdrinfo.com/Sections/News/Details.aspx?NewsId=9966

------------------------------

You need a firewall to protect you.

Zone Alarm offers a free firewall if you need one.

http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp

--------------

Let's start with these two and see how your system responds.

Again, the first one is your decision.

Are all your other programs in good working order now?

miss spooky
2007-01-29, 19:36
Hi,

Sos, I thought I'd replied.

I have installed the firewall from the link you supplied.

The Freecom software did come with our external hard drive. This was installed about a year ago. What we have started doing is to exit all application we don't need from the system tray in the bottom right hand corner, the computer has got faster, but I do think it's going to be slow because of the processor we have. It's not very big.

I haven't done backups before - I though this was done automatically?

The other thing I've notice over the past couple of months and I'm not sure if this started at the time the computer crashed, is that I.E when in use sometimes goes off line on it's own. I'm not sure what's causing this?

Mosaic1
2007-01-29, 20:41
Did you read about Freecom software in the link I gave you and how it monopolizes your system?

It does auto backup. But you can choose not to do that and do a manual backup on a schedule instead. Again, that's your choice, but you need to read and educate yourself as to what you have installed on your system.

I have no idea why IE is going offline. That's a broad description. You may be losing your internet connection when that happens. If so, you'll need to get help at another type of forum for that.

miss spooky
2007-02-04, 11:06
Hi ya,

I did read through the links you supplied, but I have decided to leave the software in place for now. MY CPU doesn't seem to be as high as others on that link declare. Mine is now running between 1 & 20% and that is with my email application open & IE running.

I uninstalled / reinstalled the bluetooth & found that there was a driver missing, so that has been corrected and is now running ok.

And as for the other problems, they seem to have been sorted out now. I've downloaded a firewall which should stop any untorward things getting by. I've also told my partner to come on this website to check on anything before he downloads it!!

Thank you for all your help.

MS:bigthumb:

tashi
2007-02-12, 19:37
Glad we could help, as the problem appears to be resolved this topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.


Thank you Mosaic1.