Something's hiding

dinosaur58 · Jan 11, 2009

Got infected with a hijacker, deleted files with names starting with seneka using M.B.A.M. A few days, and a few reboots later getting hijacked again, and seneka files returned. Deleted them again [afraid to leave them alone or more damage], again 2nd M.B.A.M. scan [and Spybot scan] show clean, but this time attempted Kazpersky online scan [twice] and something crashed my browser part way through [both times]. Also slow boot up. Clearly something that's good at protecting itself is hinding on my system.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:29

, on 1/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atwtusb.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\TBLMOUSE.EXE
C:\Program Files\Mozilla Firefox\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: Save Flash - res://C:\Program Files\SWF-Get\Flash Saving Plugin\FlashSButton.dll/210
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\SWF-Get\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1206762645578
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 4140 bytes

peku006 · Jan 16, 2009

Hello and Welcome to Safer Networking,

My name is peku006and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

Please observe these rules while we work:

If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Please continue to respond until I give you the "All Clear"

If you follow these instructions, everything should go smoothly.

1 - download and run RSIT

Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt<- (will be maximized) and info.txt<- (will be minimized)

2 - Status Check
Please reply with

1.the logs from RSIT (log.txt ,info.txt)

Thanks peku006

dinosaur58 · Jan 16, 2009

RSIT logs

peku006 - Thanks for your help, logs follow. I did notice some unfamiliar exe files in C:windows. Left them alone awaiting advice.

Logfile of random's system information tool 1.05 (written by random/random)
Run by Administrator at 2009-01-16 07:38:18
Microsoft Windows XP Professional Service Pack 2
System drive C: has 79 GB (69%) free of 114 GB
Total RAM: 958 MB (58% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:38:A, on 1/16/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\atwtusb.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\TBLMOUSE.EXE
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\DfrgFat.exe
C:\Program Files\Mozilla Firefox\FIREFOX.EXE
C:\Documents and Settings\Administrator.COMPUTER\My Documents\Anti-Smitfraud\R-SysInfoTool.exe
C:\Documents and Settings\Administrator.COMPUTER\My Documents\Anti-Smitfraud\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk.disabled
O8 - Extra context menu item: Save Flash - res://C:\Program Files\SWF-Get\Flash Saving Plugin\FlashSButton.dll/210
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\SWF-Get\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1206762645578
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel

32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 4720 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java(tm) Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2009-01-12 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-01-12 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-01-12 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"nwiz"=nwiz.exe /install []
"atwtusb"=C:\WINDOWS\system32\atwtusb.exe [2007-03-20 315392]
"Tweak UI"=C:\WINDOWS\system32\TWEAKUI.CPL [1997-11-08 87312]
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2007-03-09 153136]
"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2005-11-11 90112]
"AVG7_CC"=C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe [2008-11-12 590848]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start

Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE [2000-10-11 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start

Menu^Programs^Startup^Microsoft Office.lnk]
C:\PROGRA~1\MICROS~2\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^DOCUME~1^ADMINI~1.COM^Start Menu^Programs^Startup^QuickShelf

2000.lnk]
C:\PROGRA~1\MICROS~4\BOOKSH~1\qshelf2k.exe [2007-10-24 110592]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup
Adobe Gamma Loader.exe.lnk.disabled - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-04-10 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2004-08-04 239616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"=C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll [2008-03-25 79408]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoLogoff"=01000000
"NoRecentDocsNetHood"=01000000
"NoSMMyDocs"=01000000
"NoSMMyPictures"=01000000
"NoNetworkConnections"=01000000
"NoUserNameInStartMenu"=01000000
"ForceClassicControlPanel"=1
"NoDrives"=0
"NoDriveAutoRun"=67108863

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*

isabled

xpsp2res.dll,-22019"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled

xpsp2res.dll,-22019"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"C:\WINDOWS\System32\mmc.exe"="C:\WINDOWS\System32\mmc.exe:*

isabled:Microsoft Management Console"
"C:\Program Files\Grisoft\AVG Free\avginet.exe"="C:\Program Files\Grisoft\AVG Free\avginet.exe:*:Enabled:avginet.exe"
"C:\Program Files\Grisoft\AVG Free\avgamsvr.exe"="C:\Program Files\Grisoft\AVG Free\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\Program Files\Grisoft\AVG Free\avgcc.exe"="C:\Program Files\Grisoft\AVG Free\avgcc.exe:*:Enabled:avgcc.exe"
"C:\Program Files\Grisoft\AVG Free\avgemc.exe"="C:\Program Files\Grisoft\AVG Free\avgemc.exe:*:Enabled:avgemc.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled

xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2009-01-16 07:38:18 ----D---- C:\rsit
2009-01-14 15:25:07 ----HD---- C:\WINDOWS\$NtUninstallKB958687$
2009-01-14 04:10:38 ----SHD---- C:\FOUND.000
2009-01-12 08:30:56 ----D---- C:\Program Files\Common Files\Adobe AIR
2009-01-12 08:26:19 ----A---- C:\WINDOWS\system32\javaws.exe
2009-01-12 08:26:19 ----A---- C:\WINDOWS\system32\javaw.exe
2009-01-12 08:26:19 ----A---- C:\WINDOWS\system32\java.exe
2009-01-12 08:26:19 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-01-11 12:35:53 ----D---- C:\WINDOWS\temp
2009-01-11 12:25:05 ----A---- C:\WINDOWS\gmer_uninstall.cmd
2009-01-11 12:25:05 ----A---- C:\WINDOWS\gmer.ini
2009-01-11 12:25:05 ----A---- C:\WINDOWS\gmer.exe
2009-01-11 12:25:05 ----A---- C:\WINDOWS\gmer.dll
2009-01-11 12:18:32 ----A---- C:\WINDOWS\zip.exe
2009-01-11 12:18:32 ----A---- C:\WINDOWS\VFIND.exe
2009-01-11 12:18:32 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-01-11 12:18:32 ----A---- C:\WINDOWS\SWSC.exe
2009-01-11 12:18:32 ----A---- C:\WINDOWS\SWREG.exe
2009-01-11 12:18:32 ----A---- C:\WINDOWS\sed.exe
2009-01-11 12:18:32 ----A---- C:\WINDOWS\NIRCMD.exe
2009-01-11 12:18:32 ----A---- C:\WINDOWS\grep.exe
2009-01-11 12:18:32 ----A---- C:\WINDOWS\fdsv.exe
2009-01-11 07:54:50 ----D---- C:\Program Files\Trend Micro
2009-01-11 07:29:14 ----D---- C:\VundoFix Backups
2009-01-03 21:17:16 ----A---- C:\WINDOWS\system32\MRT.exe
2009-01-03 21:17:07 ----HD---- C:\WINDOWS\$NtUninstallKB960714$
2009-01-03 12:28:07 ----HD---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2009-01-03 12:28:03 ----HD---- C:\WINDOWS\$NtUninstallKB955839$
2009-01-03 12:27:51 ----HD---- C:\WINDOWS\$NtUninstallKB958215$
2009-01-03 12:27:45 ----HD---- C:\WINDOWS\$NtUninstallKB954600$
2009-01-03 12:27:38 ----HD---- C:\WINDOWS\$NtUninstallKB956802$

======List of files/folders modified in the last 1 months======

2009-01-16 07:27:58 ----A---- C:\WINDOWS\win.ini
2009-01-15 21:32:46 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-01-14 09:15:52 ----A---- C:\WINDOWS\NeroDigital.ini
2009-01-13 23:27:44 ----A---- C:\WINDOWS\system.ini
2009-01-11 20:42:54 ----A---- C:\WINDOWS\ntbtlog.txt
2009-01-11 12:17:04 ----A---- C:\WINDOWS\KPCMS.INI
2009-01-11 08:04:40 ----A---- C:\VundoFix.txt
2009-01-03 21:17:14 ----A---- C:\WINDOWS\imsins.BAK
2009-01-03 12:09:00 ----A---- C:\WINDOWS\system32\183ad728-.txt

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 aiptektp;Pen Pad; C:\WINDOWS\system32\DRIVERS\aiptektp.sys [2006-06-06 22528]
R1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver; \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys []
R1 Avg7Core;AVG7 Kernel; C:\WINDOWS\System32\Drivers\avg7core.sys [2008-11-12 821856]
R1 Avg7RsW;AVG7 Wrap Driver; C:\WINDOWS\System32\Drivers\avg7rsw.sys [2008-11-12 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP; C:\WINDOWS\System32\Drivers\avg7rsxp.sys [2008-11-12 27776]
R1 AvgArCln;Avg Anti-Rootkit Clean Driver; C:\WINDOWS\System32\DRIVERS\AvgArCln.sys [2007-01-18 3968]
R1 AvgAsCln;AVG Anti-Spyware Clean Driver; C:\WINDOWS\System32\DRIVERS\AvgAsCln.sys [2006-09-06 3968]
R1 AvgClean;AVG7 Clean Driver; C:\WINDOWS\System32\Drivers\avgclean.sys [2008-11-12 10760]
R1 ElbyCDIO;ElbyCDIO Driver; C:\WINDOWS\System32\Drivers\ElbyCDIO.sys [2007-08-07 25160]
R1 VClone;VClone; C:\WINDOWS\system32\DRIVERS\VClone.sys [2007-06-16 31616]
R2 AvgTdi;AVG Network Redirector; C:\WINDOWS\System32\Drivers\avgtdi.sys [2008-11-12 4960]
R2 BCMNTIO;BCMNTIO; \??\C:\PROGRA~1\CHECKIT\DIAGNO~1\BCMNTIO.sys []
R2 MAPMEM;MAPMEM; \??\C:\PROGRA~1\CHECKIT\DIAGNO~1\MAPMEM.sys []
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2005-12-02 3841856]
R3 ElbyDelay;ElbyDelay; C:\WINDOWS\System32\Drivers\ElbyDelay.sys [2007-02-15 11984]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12160]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2007-09-17 6853088]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2006-02-17 34176]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2006-02-17 13056]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-04 17024]
S2 portD;CMS PortIO Service; C:\WINDOWS\system32\DRIVERS\portd2k.sys []
S3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2004-08-04 9600]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Avg7Alrt;AVG7 Alert Manager Server; C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe [2008-11-12 418816]
R2 Avg7UpdSvc;AVG7 Update Service; C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe [2008-11-12 49664]
R2 AVGEMS;AVG E-mail Scanner; C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe [2008-11-12 406528]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-01-12 152984]
S3 AcrSch2Svc;Acronis Scheduler2 Service; C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe [2007-04-19 411168]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard; C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe [2008-03-25 312880]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

[2007-10-24 70144]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

[2007-10-09 36864]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2007-10-11 864256]
S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2007-03-14 779824]
S3 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe

[2007-10-11 122880]
S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2007-03-12 271920]
S3 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
S4 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2007-09-17 155716]

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.05 2009-01-16 07:38:37

======Uninstall list======

-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->C:\Program Files\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
-->C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
-->C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
-->C:\WINDOWS\UNNeroVision.exe /UNINSTALL
-->C:\WINDOWS\UNRecode.exe /UNINSTALL
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acrobat.com-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.mauby

4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Ad-Aware SE Personal-->C:\PROGRA~1\LAVASOFT\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\LAVASOFT\AD-AWA~1\INSTALL.LOG
Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop Elements-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop Elements\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop

Elements\Uninst.dll"
Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A90000000001}
Adobe Shockwave Player-->C:\WINDOWS\system32\MACROMED\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\MACROMED\SHOCKW~1\Install.log
Adobe SVG Viewer-->C:\WINDOWS\IsUninst.exe -f"C:\WINDOWS\System32\Adobe\SVG Viewer\Uninst.isu"
Ahead Nero Add-on Pack-->C:\Program Files\Ahead\Nero\uninstall-addonpack.exe
Ahead Nero Burning Rom PlugIn Pack 2.0.2 by MadHacker2k4-->RunDll32

C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation

Information\{2715D1D6-2B81-4DD5-A9DC-6EFF4D5E0993}\setup.exe" -l0x7 -removeonly
Apple Software Update-->MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
AVG Anti-Rootkit Free-->C:\Program Files\GRISOFT\AVG Anti-Rootkit Free\Uninstall.exe
AVG Anti-Spyware 7.5-->C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
AVG Free Edition-->C:\Program Files\Grisoft\AVG Free\setup.exe /UNINSTALL
BIMP Lite 1.62-->"C:\Documents and Settings\Administrator.COMPUTER\Start Menu\Programs\Accessories\BIMP Lite\uninstall.exe"
Bookshelf 2000-->"C:\Program Files\Microsoft Reference\Bookshelf 2000\bsuninst.exe" /uninstall
CheckIt Diagnostics-->C:\PROGRA~1\CHECKIT\DIAGNO~1\UNWISE.EXE C:\PROGRA~1\CHECKIT\DIAGNO~1\INSTALL.LOG
Cole2k Media - Codec Pack (Advanced)-->C:\WINDOWS\system32\C2MP\Uninst.exe
Combined Community Codec Pack 2007-02-22-->"C:\Program Files\Combined Community Codec Pack\unins001.exe"
Data Lifeguard Tools-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield

Installation Information\{2C0A655C-61E7-428A-8ED2-23A3D20E7DD2}\Setup.exe"
Direct Show Ogg Vorbis Filter (remove only)-->"C:\WINDOWS\system32\OggDSuninst.exe"
DiscWizard for Windows-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield

Installation Information\{A1BC8E02-6B5B-4B4A-A75F-B27A16918C2B}\Setup.exe"
DivX Codec 3.1alpha release-->C:\WINDOWS\system32\rundll32.exe setupapi,InstallHinfSection Remove_DivX 132 C:\WINDOWS\INF\DivX.inf
ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
EZ Mask v1.5 for Adobe Photoshop & Photoshop Elements-->C:\WINDOWS\unvise32.exe c:\program files\adobe\photoshop

elements\plug-ins\ezmask1.5_uninstal.log
Flash Saving Plugin-->"C:\Program Files\SWF-Get\Flash Saving Plugin\unins000.exe"
GSpot Codec Information Appliance-->C:\Program Files\GSpot\Uninstall.exe
HijackThis 2.0.2-->"C:\Documents and Settings\Administrator.COMPUTER\My Documents\Anti-Smitfraud\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
IconArt-->C:\PROGRA~1\ACCESS~1\ICONART\UNWISE.EXE C:\PROGRA~1\ACCESS~1\ICONART\INSTALL.LOG
IsoBuster 2.3-->"C:\Program Files\Smart Projects\IsoBuster\Uninst\unins000.exe"
Java(TM) 6 Update 11-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
Kaspersky Online Scanner-->C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Magic ISO Maker v5.4 (build 0251)-->C:\PROGRA~1\MAGICISO\UNWISE.EXE C:\PROGRA~1\MAGICISO\INSTALL.LOG
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Malwarebytes' RogueRemover-->"C:\Program Files\RogueRemover FREE\unins000.exe"
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft .NET Framework 3.0 Service Pack 1-->MsiExec.exe /I{2BA00471-0328-3743-93BD-FA813353A783}
Microsoft Office 2000 Premium-->MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Movkit Batch Video Converter 2.8.8-->"C:\Program Files\Movkit\Movkit Batch Video Converter\unins000.exe"
Mozilla Firefox (2.0.0.16)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (2.0.0.6)-->C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 6 Service Pack 2 (KB954459)-->MsiExec.exe /I{1A528690-6A2D-4BC5-B143-8C4AE8D19D96}
Nero 7 Ultra Edition-->MsiExec.exe /I{43FFE159-3199-4188-A1CD-629166AD1033}
Nero Reloaded PlugIn Pack 2.0.4 by GEAR-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup

"C:\Program Files\InstallShield Installation Information\{F3D7915D-6B42-49FA-9FC8-5020479A6A57}\setup.exe" -l0x9 -removeonly
neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
NETGEAR DG632 ADSL Modem-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\00\Intel32\Ctor.dll,LaunchSetup "C:\Program

Files\InstallShield Installation Information\{CC5BCC32-7EAB-4555-B7DC-E7B9BF927C5C}\setup.exe" -l0x9
NVIDIA Drivers-->C:\WINDOWS\system32\nvudisp.exe UninstallGUI
OneTouch Version 3.0-->C:\PROGRA~1\VISION~1\UNWISE.EXE C:\PROGRA~1\VISION~1\INSTALL.LOG
PaperPort 7.02-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ScanSoft\PaperPort\Config\DeIsL1.isu" -y -c"C:\Program

Files\ScanSoft\PaperPort\UnInstl2.dll"
QuickTime-->MsiExec.exe /I{08CA9554-B5FE-4313-938F-D4A417B81175}
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio-->Alcrmv.exe -r -m
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB890046)-->"C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Security Update for Windows XP (KB893756)-->"C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896358)-->"C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896423)-->"C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896428)-->"C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899587)-->"C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899591)-->"C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Security Update for Windows XP (KB900725)-->"C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901017)-->"C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901214)-->"C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB902400)-->"C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905414)-->"C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905749)-->"C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB908519)-->"C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911562)-->"C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911927)-->"C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913580)-->"C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914388)-->"C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914389)-->"C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917344)-->"C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918118)-->"C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918439)-->"C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Security Update for Windows XP (KB919007)-->"C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920213)-->"C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920670)-->"C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920683)-->"C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920685)-->"C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922819)-->"C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923191)-->"C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923414)-->"C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923689)-->"C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB923980)-->"C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924270)-->"C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924496)-->"C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924667)-->"C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925902)-->"C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926255)-->"C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926436)-->"C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927779)-->"C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927802)-->"C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928255)-->"C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928843)-->"C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Security Update for Windows XP (KB929123)-->"C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
Security Update for Windows XP (KB930178)-->"C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931261)-->"C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931784)-->"C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
Security Update for Windows XP (KB932168)-->"C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Security Update for Windows XP (KB933729)-->"C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935839)-->"C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935840)-->"C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
Security Update for Windows XP (KB936021)-->"C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"
Security Update for Windows XP (KB937894)-->"C:\WINDOWS\$NtUninstallKB937894$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938127)-->"C:\WINDOWS\$NtUninstallKB938127$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938829)-->"C:\WINDOWS\$NtUninstallKB938829$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941202)-->"C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941568)-->"C:\WINDOWS\$NtUninstallKB941568$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941644)-->"C:\WINDOWS\$NtUninstallKB941644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941693)-->"C:\WINDOWS\$NtUninstallKB941693$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943055)-->"C:\WINDOWS\$NtUninstallKB943055$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943460)-->"C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943485)-->"C:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944338)-->"C:\WINDOWS\$NtUninstallKB944338$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944533)-->"C:\WINDOWS\$NtUninstallKB944533$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944653)-->"C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe"
Security Update for Windows XP (KB945553)-->"C:\WINDOWS\$NtUninstallKB945553$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946026)-->"C:\WINDOWS\$NtUninstallKB946026$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB947864)-->"C:\WINDOWS\$NtUninstallKB947864$\spuninst\spuninst.exe"
Security Update for Windows XP (KB948590)-->"C:\WINDOWS\$NtUninstallKB948590$\spuninst\spuninst.exe"
Security Update for Windows XP (KB948881)-->"C:\WINDOWS\$NtUninstallKB948881$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950749)-->"C:\WINDOWS\$NtUninstallKB950749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950759)-->"C:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953838)-->"C:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956390)-->"C:\WINDOWS\$NtUninstallKB956390$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958215)-->"C:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960714)-->"C:\WINDOWS\$NtUninstallKB960714$\spuninst\spuninst.exe"
SLD Codec Pack-->C:\Program Files\SLD Codec Pack\uninstall.exe
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster 4.1-->"C:\Program Files\SpywareBlaster\unins000.exe"
System Requirements Lab-->C:\Program Files\SystemRequirementsLab\Uninstall.exe
TeraCopy 1.22 Pro-->"C:\Program Files\TeraCopy\unins000.exe"
Tweak UI-->"C:\WINDOWS\system32\mshta.exe" "res://C:\WINDOWS\system32\TweakUI.exe/uninstall.hta"
UnZixWin-->C:\WINDOWS\st6unst.exe -n "C:\Program Files\UnZixWin\ST6UNST.LOG"
Update for Windows XP (KB894391)-->"C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Update for Windows XP (KB900485)-->"C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Update for Windows XP (KB908531)-->"C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Update for Windows XP (KB910437)-->"C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Update for Windows XP (KB911280)-->"C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Update for Windows XP (KB916595)-->"C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Update for Windows XP (KB920872)-->"C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Update for Windows XP (KB922582)-->"C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Update for Windows XP (KB925720)-->"C:\WINDOWS\$NtUninstallKB925720$\spuninst\spuninst.exe"
Update for Windows XP (KB927891)-->"C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
Update for Windows XP (KB930916)-->"C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
Update for Windows XP (KB938828)-->"C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"
Update for Windows XP (KB942763)-->"C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
Update for Windows XP (KB942840)-->"C:\WINDOWS\$NtUninstallKB942840$\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
USB Tablet Manager-->Rmtablet KNL
VCW VicMan's Photo Editor-->C:\Program Files\VCW VicMan's Photo Editor\uninstal.exe
VirtualCloneDrive-->"C:\Program Files\VirtualCloneDrive\vcd-uninst.exe" /D="C:\Program Files\VirtualCloneDrive"
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Support Tools-->MsiExec.exe /I{89B078C4-50B0-453E-BF53-3A7E6A0D85FA}
Windows XP Hotfix - KB873339-->C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP Hotfix - KB885835-->C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Windows XP Hotfix - KB885836-->C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP Hotfix - KB886185-->C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Windows XP Hotfix - KB888302-->C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Windows XP Hotfix - KB890859-->"C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
Windows XP Hotfix - KB891781-->C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe

======Hosts File======

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

======Security center information======

AV: AVG 7.5.552

System event log

Computer Name: COMPUTER
Event Code: 6006
Message: The Event log service was stopped.

Record Number: 16224
Source Name: EventLog
Time Written: 20081102082925.000000-420
Event Type: information
User:

Computer Name: COMPUTER
Event Code: 7036
Message: The IMAPI CD-Burning COM Service service entered the stopped state.

Record Number: 16223
Source Name: Service Control Manager
Time Written: 20081102075447.000000-420
Event Type: information
User:

Computer Name: COMPUTER
Event Code: 7036
Message: The Remote Access Connection Manager service entered the running state.

Record Number: 16222
Source Name: Service Control Manager
Time Written: 20081102075444.000000-420
Event Type: information
User:

Computer Name: COMPUTER
Event Code: 7036
Message: The Computer Browser service entered the running state.

Record Number: 16221
Source Name: Service Control Manager
Time Written: 20081102075443.000000-420
Event Type: information
User:

Computer Name: COMPUTER
Event Code: 7035
Message: The Computer Browser service was successfully sent a start control.

Record Number: 16220
Source Name: Service Control Manager
Time Written: 20081102075443.000000-420
Event Type: information
User: NT AUTHORITY\SYSTEM

Application event log

Computer Name: COMPUTER
Event Code: 100
Message: wuauclt (3660) The database engine 5.01.2600.2180 started.

Record Number: 24491
Source Name: ESENT
Time Written: 20080324034729.000000-360
Event Type: information
User:

Computer Name: COMPUTER
Event Code: 101
Message: wuauclt (3188) The database engine stopped.

Record Number: 24490
Source Name: ESENT
Time Written: 20080324034729.000000-360
Event Type: information
User:

Computer Name: COMPUTER
Event Code: 103
Message: wuaueng.dll (3188) SUS20ClientDataStore: The database engine stopped the instance (0).

Record Number: 24489
Source Name: ESENT
Time Written: 20080324034729.000000-360
Event Type: information
User:

Computer Name: COMPUTER
Event Code: 102
Message: wuaueng.dll (3188) SUS20ClientDataStore: The database engine started a new instance (0).

Record Number: 24488
Source Name: ESENT
Time Written: 20080324034728.000000-360
Event Type: information
User:

Computer Name: COMPUTER
Event Code: 100
Message: wuauclt (3188) The database engine 5.01.2600.2180 started.

Record Number: 24487
Source Name: ESENT
Time Written: 20080324034728.000000-360
Event Type: information
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\QuickTime\QTSystem;C:\Program Files\Smart

Projects\IsoBuster;C:\Program Files\Support Tools
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 35 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=2302
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip

-----------------EOF-----------------

Thanks again, D58

peku006 · Jan 16, 2009

Hi dinosaur58

I do not see anything "unfamiliar exe files in C:windows"
Let us take a deeper look.

Download OTScanIt2.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt2 on your desktop.

Close any open browsers
Open the OTScanit2 folder and double-click on OTScanit2.exe to start the program.
If your Real protection or Antivirus intervenes with OTScanIt, allow it to run.
In the Processes group click ALL
In the Services group click Safe List
In the Drivers group click Safe List
In the Registry group click ALL
In the Rootkit Search group select YES
In the Files Age drop down box click 90 days
Make sure use white list and include all unicode names boxes are checked
In the Files created and Files modified groups select whitelist/file age
in the Additional scans sections please press select Everything and make sure safe list box is checked
Now on the toolbar at the top select "Scan all users" then click the Run Scan button
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
When done, Notepad will open. Please post this log in your next reply.

Thanks peku006

dinosaur58 · Jan 16, 2009

OTScanIt log

Again thanks,
All of the Exe files in the Windows directory weren't there previously as I recall. Additionally threatexpert.com [admittedly somewhat alarmist] associates all of these both with legitimate apps and a known rootkit: Trojan.NirCmd [PC Tools]. Also if it helps a Scheduled Task [named gcetnfqd] that I did not create appeared [set to run every hour] that called on system32\wvUonLCS.dll [hidden].

OTScanIt2 logfile created on: 1/16/2009 02:47:11 PM - Run 1
OTScanIt2 by OldTimer - Version 1.0.6.2 Folder = C:\Documents and Settings\Administrator.COMPUTER\My Documents\Anti-Smitfraud\OTScanIt2
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

958.46 Mb Total Physical Memory | 643.89 Mb Available Physical Memory | 67.18% Memory free
2.26 Gb Paging File | 2.05 Gb Available in Paging File | 90.92% Paging File free
Paging file location(s): C:\pagefile.sys 0 0;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.76 Gb Total Space | 77.06 Gb Free Space | 68.95% Space Free | Partition Type: FAT32
Drive D: | 465.65 Gb Total Space | 236.45 Gb Free Space | 50.78% Space Free | Partition Type: FAT32
Drive E: | 149.01 Gb Total Space | 130.79 Gb Free Space | 87.77% Space Free | Partition Type: FAT32
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: COMPUTER
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 90 Days

[Processes - All]
alg.exe -> %SystemRoot%\System32\alg.exe -> [2004/08/04 01:00:00 | 00,044,544 | ---- | M] (Microsoft Corporation)
atwtusb.exe -> %SystemRoot%\system32\atwtusb.exe -> [2007/03/20 17:43:50 | 00,315,392 | ---- | M] ()
avgamsvr.exe -> %SystemDrive%\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe -> [2008/11/12 11:59:50 | 00,418,816 | ---- | M] (GRISOFT, s.r.o.)
avgcc.exe -> %SystemDrive%\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe -> [2008/11/12 12:08:54 | 00,590,848 | ---- | M] (GRISOFT, s.r.o.)
avgemc.exe -> %SystemDrive%\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe -> [2008/11/12 11:59:50 | 00,406,528 | ---- | M] (GRISOFT, s.r.o.)
avgupsvc.exe -> %SystemDrive%\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe -> [2008/11/12 11:52:56 | 00,049,664 | ---- | M] (GRISOFT, s.r.o.)
csrss.exe -> %SystemRoot%\system32\csrss.exe -> [2004/08/04 01:00:00 | 00,006,144 | ---- | M] (Microsoft Corporation)
explorer.exe -> %SystemRoot%\Explorer.EXE -> [2007/06/13 03:23:08 | 01,033,216 | ---- | M] (Microsoft Corporation)
lsass.exe -> %SystemRoot%\system32\lsass.exe -> [2004/08/04 01:00:00 | 00,013,312 | ---- | M] (Microsoft Corporation)
notepad.exe -> %SystemRoot%\system32\NOTEPAD.EXE -> [2004/08/04 01:00:00 | 00,069,120 | ---- | M] (Microsoft Corporation)
otscanit2.exe -> %UserProfile%\My Documents\Anti-Smitfraud\OTScanIt2\OTScanIt2.exe -> [2009/01/09 09:03:22 | 00,485,376 | ---- | M] (OldTimer

Tools)
services.exe -> %SystemRoot%\system32\services.exe -> [2004/08/04 01:00:00 | 00,108,032 | ---- | M] (Microsoft Corporation)
smss.exe -> %SystemRoot%\System32\smss.exe -> [2004/08/04 01:00:00 | 00,050,688 | ---- | M] (Microsoft Corporation)
soundman.exe -> %SystemRoot%\SOUNDMAN.EXE -> [2005/11/11 14:07:40 | 00,090,112 | ---- | M] (Realtek Semiconductor Corp.)
spoolsv.exe -> %SystemRoot%\system32\spoolsv.exe -> [2005/06/10 16:53:32 | 00,057,856 | ---- | M] (Microsoft Corporation)
svchost.exe -> %SystemRoot%\system32\svchost.exe [C:\WINDOWS\SYSTEM32\SVCHOST -K DCOMLAUNCH] -> [2004/08/04 01:00:00 | 00,014,336 | ---- | M]

(Microsoft Corporation)
-> %SystemRoot%\system32\rpcss.dll [DcomLaunch] -> [2005/07/25 21:39:50 | 00,397,824 | ---- | M] (Microsoft Corporation)
-> %SystemRoot%\System32\termsrv.dll [TermService] -> [2004/08/04 01:00:00 | 00,295,424 | ---- | M] (Microsoft Corporation)
-> %SystemRoot%\system32\regsvc.dll [RemoteRegistry] -> [2004/08/04 01:00:00 | 00,059,904 | ---- | M] (Microsoft Corporation)
svchost.exe -> %SystemRoot%\system32\svchost.exe [C:\WINDOWS\SYSTEM32\SVCHOST -K RPCSS] -> [2004/08/04 01:00:00 | 00,014,336 | ---- | M]

(Microsoft Corporation)
-> %SystemRoot%\System32\rpcss.dll [RpcSs] -> [2005/07/25 21:39:50 | 00,397,824 | ---- | M] (Microsoft Corporation)
svchost.exe -> %SystemRoot%\system32\svchost.exe [C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K IMGSVC] -> [2004/08/04 01:00:00 | 00,014,336 | ---- | M]

(Microsoft Corporation)
-> %SystemRoot%\system32\wiaservc.dll [stisvc] -> [2006/12/19 11:16:48 | 00,333,824 | ---- | M] (Microsoft Corporation)
svchost.exe -> %SystemRoot%\system32\svchost.exe [C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K LOCALSERVICE] -> [2004/08/04 01:00:00 | 00,014,336 | ----

| M] (Microsoft Corporation)
-> %SystemRoot%\system32\alrsvc.dll [Alerter] -> [2004/08/04 01:00:00 | 00,017,408 | ---- | M] (Microsoft Corporation)
-> %SystemRoot%\System32\lmhsvc.dll [LmHosts] -> [2004/08/04 01:00:00 | 00,013,824 | ---- | M] (Microsoft Corporation)
-> %SystemRoot%\system32\regsvc.dll [RemoteRegistry] -> [2004/08/04 01:00:00 | 00,059,904 | ---- | M] (Microsoft Corporation)
-> %SystemRoot%\System32\ssdpsrv.dll [SSDPSRV] -> [2004/08/04 01:00:00 | 00,071,680 | ---- | M] (Microsoft Corporation)
-> %SystemRoot%\System32\upnphost.dll [upnphost] -> [2007/02/05 13:17:02 | 00,185,344 | ---- | M] (Microsoft Corporation)
-> %SystemRoot%\System32\webclnt.dll [WebClient] -> [2006/01/03 20:35:06 | 00,068,096 | ---- | M] (Microsoft Corporation)
svchost.exe -> %SystemRoot%\System32\svchost.exe [C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS] -> [2004/08/04 01:00:00 | 00,014,336 | ---- | M]

(Microsoft Corporation)
-> %SystemRoot%\System32\appmgmts.dll [AppMgmt] -> [2004/08/04 01:00:00 | 00,167,936 | ---- | M] (Microsoft Corporation)
-> %SystemRoot%\System32\audiosrv.dll [AudioSrv] -> [2004/08/04 01:00:00 | 00,042,496 | ---- | M] (Microsoft Corporation)
-> %SystemRoot%\system32\qmgr.dll [BITS] -> [2004/08/04 01:00:00 | 00,382,464 | ---- | M] (Microsoft Corporation)
-> %SystemRoot%\System32\browser.dll [Browser] -> [2004/08/04 01:00:00 | 00,077,312 | ---- | M] (Microsoft Corporation)
-> %SystemRoot%\System32\cryptsvc.dll [CryptSvc] -> [2004/08/04 01:00:00 | 00,060,416 | ---- | M] (Microsoft Corporation)
-> %SystemRoot%\System32\dhcpcsvc.dll [Dhcp] -> [2006/05/19 05:59:42 | 00,111,616 | ---- | M] (Microsoft Corporation)
-> %SystemRoot%\System32\dmserver.dll [dmserver] -> [2004/08/04 01:00:00 | 00,023,552 | ---- | M] (Microsoft Corp.)
-> %SystemRoot%\System32\ersvc.dll [ERSvc] -> [2004/08/04 01:00:00 | 00,023,040 | ---- | M] (Microsoft Corporation)
-> %SystemRoot%\system32\es.dll [EventSystem] -> [2008/07/07 14:32:22 | 00,253,952 | ---- | M] (Microsoft Corporation)
-> %SystemRoot%\System32\shsvcs.dll [FastUserSwitchingCompatibility] -> [2006/12/19 14:52:18 | 00,134,656 | ---- | M] (Microsoft Corporation)
-> %SystemRoot%\PCHealth\HelpCtr\Binaries\pchsvc.dll [helpsvc] -> [2004/08/04 01:00:00 | 00,038,912 | ---- | M] (Microsoft Corporation)
-> %SystemRoot%\System32\hidserv.dll [HidServ] -> File not found
-> %SystemRoot%\System32\srvsvc.dll [lanmanserver] -> [2004/12/07 12:32:34 | 00,096,768 | ---- | M] (Microsoft Corporation)
-> %SystemRoot%\System32\wkssvc.dll [lanmanworkstation] -> [2006/08/17 05:28:28 | 00,132,096 | ---- | M] (Microsoft Corporation)
-> %SystemRoot%\System32\msgsvc.dll [Messenger] -> [2004/08/04 01:00:00 | 00,033,792 | ---- | M] (Microsoft Corporation)
-> %SystemRoot%\System32\netman.dll [Netman] -> [2005/08/22 11:29:46 | 00,197,632 | ---- | M] (Microsoft Corporation)
-> %SystemRoot%\System32\mswsock.dll [Nla] -> [2008/06/20 11:41:10 | 00,245,248 | ---- | M] (Microsoft Corporation)
-> %SystemRoot%\system32\ntmssvc.dll [NtmsSvc] -> [2004/08/04 01:00:00 | 00,435,200 | ---- | M] (Microsoft Corporation)
-> %SystemRoot%\System32\rasauto.dll [RasAuto] -> [2004/08/04 01:00:00 | 00,089,088 | ---- | M] (Microsoft Corporation)
-> %SystemRoot%\System32\rasmans.dll [RasMan] -> [2006/06/22 03:47:18 | 00,181,248 | ---- | M] (Microsoft Corporation)
-> %SystemRoot%\System32\mprdim.dll [RemoteAccess] -> [2004/08/04 01:00:00 | 00,049,152 | ---- | M] (Microsoft Corporation)
-> %SystemRoot%\system32\schedsvc.dll [Schedule] -> [2004/08/04 01:00:00 | 00,190,976 | ---- | M] (Microsoft Corporation)
-> %SystemRoot%\System32\seclogon.dll [seclogon] -> [2004/08/04 01:00:00 | 00,018,944 | ---- | M] (Microsoft Corporation)
-> %SystemRoot%\system32\sens.dll [SENS] -> [2004/08/04 01:00:00 | 00,038,912 | ---- | M] (Microsoft Corporation)
-> %SystemRoot%\System32\ipnathlp.dll [SharedAccess] -> [2004/08/04 01:00:00 | 00,331,264 | ---- | M] (Microsoft Corporation)
-> %SystemRoot%\System32\shsvcs.dll [ShellHWDetection] -> [2006/12/19 14:52:18 | 00,134,656 | ---- | M] (Microsoft Corporation)
-> %SystemRoot%\system32\srsvc.dll [srservice] -> [2004/08/04 01:00:00 | 00,170,496 | ---- | M] (Microsoft Corporation)
-> %SystemRoot%\System32\tapisrv.dll [TapiSrv] -> [2005/07/08 09:27:56 | 00,249,344 | ---- | M] (Microsoft Corporation)
-> %SystemRoot%\System32\shsvcs.dll [Themes] -> [2006/12/19 14:52:18 | 00,134,656 | ---- | M] (Microsoft Corporation)
-> %SystemRoot%\system32\trkwks.dll [TrkWks] -> [2004/08/04 01:00:00 | 00,090,624 | ---- | M] (Microsoft Corporation)
-> %SystemRoot%\system32\w32time.dll [W32Time] -> [2004/08/04 01:00:00 | 00,174,592 | ---- | M] (Microsoft Corporation)
-> %SystemRoot%\system32\wbem\WMIsvc.dll [winmgmt] -> [2004/08/04 01:00:00 | 00,144,896 | ---- | M] (Microsoft Corporation)
-> %SystemRoot%\System32\advapi32.dll [Wmi] -> [2004/08/04 01:00:00 | 00,616,960 | ---- | M] (Microsoft Corporation)
-> %SystemRoot%\system32\wscsvc.dll [wscsvc] -> [2004/08/04 01:00:00 | 00,081,408 | ---- | M] (Microsoft Corporation)
-> %SystemRoot%\system32\wuauserv.dll [wuauserv] -> [2004/08/04 01:00:00 | 00,006,656 | ---- | M] (Microsoft Corporation)
-> %SystemRoot%\System32\wzcsvc.dll [WZCSVC] -> [2004/08/04 01:00:00 | 00,359,936 | ---- | M] (Microsoft Corporation)
-> %SystemRoot%\System32\xmlprov.dll [xmlprov] -> [2004/08/04 01:00:00 | 00,129,536 | ---- | M] (Microsoft Corporation)
svchost.exe -> %SystemRoot%\system32\svchost.exe [C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETWORKSERVICE] -> [2004/08/04 01:00:00 | 00,014,336 |

---- | M] (Microsoft Corporation)
-> %SystemRoot%\System32\dnsrslvr.dll [Dnscache] -> [2008/02/19 23:32:44 | 00,045,568 | ---- | M] (Microsoft Corporation)
tblmouse.exe -> %SystemRoot%\system32\TBLMOUSE.EXE -> [2007/01/30 09:52:42 | 00,065,184 | ---- | M] (WALTOP International Corp.)
winlogon.exe -> %SystemRoot%\system32\winlogon.exe -> [2004/08/04 01:00:00 | 00,502,272 | ---- | M] (Microsoft Corporation)

[Win32 Services - Safe List]
(AcrSch2Svc) Acronis Scheduler2 Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Seagate\Schedule2\schedul2.exe -> [2007/04/19

21:29:44 | 00,411,168 | ---- | M] (Acronis)
(aspnet_state) ASP.NET State Service [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe ->

[2007/10/24 01:47:22 | 00,033,800 | ---- | M] (Microsoft Corporation)
(AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe ->

[2008/03/25 19:48:26 | 00,312,880 | ---- | M] (GRISOFT s.r.o.)
(Avg7Alrt) AVG7 Alert Manager Server [Win32_Own | Auto | Running] -> %SystemDrive%\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe -> [2008/11/12

11:59:50 | 00,418,816 | ---- | M] (GRISOFT, s.r.o.)
(Avg7UpdSvc) AVG7 Update Service [Win32_Own | Auto | Running] -> %SystemDrive%\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe -> [2008/11/12 11:52:56 |

00,049,664 | ---- | M] (GRISOFT, s.r.o.)
(AVGEMS) AVG E-mail Scanner [Win32_Own | Auto | Running] -> %SystemDrive%\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe -> [2008/11/12 11:59:50 |

00,406,528 | ---- | M] (GRISOFT, s.r.o.)
(clr_optimization_v2.0.50727_32) .NET Runtime Optimization Service v2.0.50727_X86 [Win32_Own | On_Demand | Stopped] ->

%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -> [2007/10/24 01:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation)
(FontCache3.0.0.0) Windows Presentation Foundation Font Cache 3.0.0.0 [Win32_Own | On_Demand | Stopped] ->

%SystemRoot%\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe -> [2007/10/09 12:58:12 | 00,036,864 | ---- | M] (Microsoft

Corporation)
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\1050\Intel

32\IDriverT.exe -> [2004/10/22 03:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation)
(idsvc) Windows CardSpace [Win32_Shared | Unknown | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v3.0\Windows Communication

Foundation\infocard.exe -> [2007/10/11 09:55:10 | 00,864,256 | ---- | M] (Microsoft Corporation)
(NBService) NBService [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Nero\Nero 7\Nero BackItUp\NBService.exe -> [2007/03/14 19:19:10 |

00,779,824 | ---- | M] (Nero AG)
(NetTcpPortSharing) Net.Tcp Port Sharing Service [Win32_Shared | On_Demand | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v3.0\Windows

Communication Foundation\SMSvcHost.exe -> [2007/10/11 09:55:14 | 00,122,880 | ---- | M] (Microsoft Corporation)
(NMIndexingService) NMIndexingService [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Ahead\Lib\NMIndexingService.exe -> [2007/03/12

13:49:46 | 00,271,920 | ---- | M] (Nero AG)
(NVSvc) NVIDIA Display Driver Service [Win32_Own | Disabled | Stopped] -> %SystemRoot%\system32\nvsvc32.exe -> [2007/09/17 01:07:00 |

00,155,716 | ---- | M] (NVIDIA Corporation)
(UMWdf) Windows User Mode Driver Framework [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\system32\wdfmgr.exe -> [2005/01/28 13:44:28 |

00,038,912 | ---- | M] (Microsoft Corporation)

[Driver Services - Safe List]
(aiptektp) Pen Pad [Kernel | System | Running] -> %SystemRoot%\system32\DRIVERS\aiptektp.sys -> [2006/06/06 09:51:06 | 00,022,528 | ---- | M]

(WALTOP International Corp.)
(ALCXWDM) Service for Realtek AC97 Audio (WDM) [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ALCXWDM.SYS -> [2005/12/02

14:11:40 | 03,841,856 | ---- | M] (Realtek Semiconductor Corp.)
(AVG Anti-Rootkit) AVG Anti-Rootkit [Kernel | Boot | Running] -> %SystemRoot%\System32\DRIVERS\avgarkt.sys -> [2007/01/31 06:33:46 | 00,005,632

| ---- | M] (GRISOFT, s.r.o.)
(AVG Anti-Spyware Driver) AVG Anti-Spyware Driver [Kernel | System | Running] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.sys ->

[2008/03/25 19:48:24 | 00,011,000 | ---- | M] ()
(Avg7Core) AVG7 Kernel [Kernel | System | Running] -> %SystemRoot%\System32\Drivers\avg7core.sys -> [2008/11/12 11:59:46 | 00,821,856 | ---- |

M] (GRISOFT, s.r.o.)
(Avg7RsW) AVG7 Wrap Driver [Kernel | System | Running] -> %SystemRoot%\System32\Drivers\avg7rsw.sys -> [2008/11/12 11:52:58 | 00,004,224 | ----

| M] (GRISOFT, s.r.o.)
(Avg7RsXP) AVG7 Resident Driver XP [Kernel | System | Running] -> %SystemRoot%\System32\Drivers\avg7rsxp.sys -> [2008/11/12 11:59:46 |

00,027,776 | ---- | M] (GRISOFT, s.r.o.)
(AvgArCln) Avg Anti-Rootkit Clean Driver [Kernel | System | Running] -> %SystemRoot%\System32\DRIVERS\AvgArCln.sys -> [2007/01/18 05:00:28 |

00,003,968 | ---- | M] (GRISOFT, s.r.o.)
(AvgAsCln) AVG Anti-Spyware Clean Driver [Kernel | System | Running] -> %SystemRoot%\System32\DRIVERS\AvgAsCln.sys -> [2006/09/06 00:03:16 |

00,003,968 | ---- | M] (GRISOFT, s.r.o.)
(AvgClean) AVG7 Clean Driver [Kernel | System | Running] -> %SystemRoot%\System32\Drivers\avgclean.sys -> [2008/11/12 11:59:54 | 00,010,760 |

---- | M] (GRISOFT, s.r.o.)
(AvgTdi) AVG Network Redirector [Kernel | Auto | Running] -> %SystemRoot%\System32\Drivers\avgtdi.sys -> [2008/11/12 11:53:00 | 00,004,960 |

---- | M] (GRISOFT, s.r.o.)
(BCMNTIO) BCMNTIO [Kernel | Auto | Running] -> %SystemDrive%\PROGRA~1\CHECKIT\DIAGNO~1\BCMNTIO.sys -> [2004/03/05 17:09:00 | 00,003,744 | ----

| M] ()
(ElbyCDIO) ElbyCDIO Driver [Kernel | System | Running] -> %SystemRoot%\System32\Drivers\ElbyCDIO.sys -> [2007/08/07 12:48:34 | 00,025,160 |

---- | M] (Elaborate Bytes AG)
(ElbyDelay) ElbyDelay [Kernel | On_Demand | Running] -> %SystemRoot%\System32\Drivers\ElbyDelay.sys -> [2007/02/15 17:56:50 | 00,011,984 | ----

| M] (Elaborate Bytes AG)
(gmer) gmer [Kernel | On_Demand | Stopped] -> %SystemRoot%\System32\DRIVERS\gmer.sys -> [2009/01/11 12:25:06 | 00,085,969 | ---- | M] (GMER)
(MAPMEM) MAPMEM [Kernel | Auto | Running] -> %SystemDrive%\PROGRA~1\CHECKIT\DIAGNO~1\MAPMEM.sys -> [2004/03/05 17:09:02 | 00,003,904 | ---- |

M] ()
(nv) nv [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\nv4_mini.sys -> [2007/09/17 01:07:00 | 06,853,088 | ---- | M] (NVIDIA

Corporation)
(NVENETFD) NVIDIA nForce Networking Controller Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\NVENETFD.sys ->

[2006/02/17 11:28:30 | 00,034,176 | ---- | M] (NVIDIA Corporation)
(nvnetbus) NVIDIA Network Bus Enumerator [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\nvnetbus.sys -> [2006/02/17 11:28:32 |

00,013,056 | ---- | M] (NVIDIA Corporation)
(Pnp680r) Silicon Image SiI 0680 Medley Raid Controller [Kernel | Boot | Running] -> %SystemRoot%\system32\DRIVERS\pnp680r.sys -> [2002/05/31

01:35:02 | 00,076,976 | R--- | M] (Silicon Image, Inc)
(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\ptilink.sys -> [2004/08/04 01:00:00 |

00,017,792 | ---- | M] (Parallel Technologies, Inc.)
(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\DRIVERS\secdrv.sys -> [2007/11/13 03:25:54 | 00,020,480 | ---- | M]

(Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
(VClone) VClone [Kernel | System | Running] -> %SystemRoot%\system32\DRIVERS\VClone.sys -> [2007/06/16 14:16:40 | 00,031,616 | ---- | M]

(Elaborate Bytes AG)

[Registry - All]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> ->
HKEY_LOCAL_MACHINE\: Main\\"Default_Page_URL" -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKEY_LOCAL_MACHINE\: Main\\"Default_Search_URL" -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKEY_LOCAL_MACHINE\: Main\\"Local Page" -> C:\windows\system32\blank.htm ->
HKEY_LOCAL_MACHINE\: Main\\"Search Page" -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKEY_LOCAL_MACHINE\: Main\\"Start Page" -> http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home ->
HKEY_LOCAL_MACHINE\: Search\\"CustomizeSearch" -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKEY_LOCAL_MACHINE\: Search\\"Default_Search_URL" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKEY_LOCAL_MACHINE\: Search\\"SearchAssistant" -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> ->
HKEY_CURRENT_USER\: Main\\"Default_Search_URL" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKEY_CURRENT_USER\: Main\\"Local Page" -> C:\windows\system32\blank.htm ->
HKEY_CURRENT_USER\: Main\\"Page_Transitions" -> ->
HKEY_CURRENT_USER\: Main\\"Search Page" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKEY_CURRENT_USER\: Main\\"Start Page" -> about:blank ->
HKEY_CURRENT_USER\: SearchURL\\"" -> http://home.microsoft.com/access/autosearch.asp?p=%s ->
HKEY_CURRENT_USER\: SearchURL\\"provider" -> ->
HKEY_CURRENT_USER\: URLSearchHooks\\"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" [HKLM] -> %SystemRoot%\system32\shdocvw.dll [Microsoft Url Search

Hook] -> [2008/10/16 03:37:04 | 01,494,528 | ---- | M] (Microsoft Corporation)
HKEY_CURRENT_USER\: "ProxyEnable" -> 0 ->
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > -> ->
HKEY_USERS\.DEFAULT\: Main\\"Search Page" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKEY_USERS\.DEFAULT\: Main\\"Start Page" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome ->
HKEY_USERS\.DEFAULT\: "ProxyEnable" -> 0 ->
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > -> ->
HKEY_USERS\S-1-5-18\: Main\\"Search Page" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKEY_USERS\S-1-5-18\: Main\\"Start Page" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome ->
HKEY_USERS\S-1-5-18\: "ProxyEnable" -> 0 ->
< Internet Explorer Settings [HKEY_USERS\S-1-5-19\] > -> ->
< Internet Explorer Settings [HKEY_USERS\S-1-5-20\] > -> ->
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\] > -> ->
HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\: Main\\"Default_Search_URL" ->

http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\: Main\\"Local Page" -> C:\windows\system32\blank.htm ->
HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\: Main\\"Page_Transitions" -> ->
HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\: Main\\"Search Page" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\: Main\\"Start Page" -> about:blank ->
HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\: SearchURL\\"" -> http://home.microsoft.com/access/autosearch.asp?p=%s ->
HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\: SearchURL\\"provider" -> ->
HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\: URLSearchHooks\\"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" [HKLM] ->

%SystemRoot%\system32\shdocvw.dll [Microsoft Url Search Hook] -> [2008/10/16 03:37:04 | 01,494,528 | ---- | M] (Microsoft Corporation)
HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\: "ProxyEnable" -> 0 ->
< FireFox Settings [Default Profile] > -> C:\Documents and Settings\Administrator.COMPUTER\Application

Data\Mozilla\FireFox\Profiles\bvvl5608.default\prefs.js ->
browser.search.selectedEngine -> "Google" ->
browser.startup.homepage -> "about:blank" ->
browser.startup.homepage_override.mstone -> "rv:1.8.1.16" ->
< HOSTS File > (290065 bytes and 10041 lines) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
First 25 entries...
127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 www.1001namen.com
127.0.0.1 1001namen.com
127.0.0.1 www.100888290cs.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 100sexlinks.com
127.0.0.1 www.10sek.com
127.0.0.1 10sek.com
127.0.0.1 www.1-2005-search.com
127.0.0.1 1-2005-search.com
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} [HKLM] -> %CommonProgramFiles%\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [Adobe PDF Link Helper] ->

[2008/06/11 22:33:16 | 00,075,128 | ---- | M] (Adobe Systems Incorporated)
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> %SystemDrive%\PROGRA~1\SPYBOT~1\SDHelper.dll [Spybot-S&D IE Protection] -> [2008/09/15

14:25:44 | 01,562,960 | RHS- | M] (Safer Networking Limited)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> %ProgramFiles%\Java\jre6\bin\ssv.dll [Java(tm) Plug-In SSV Helper] -> [2009/01/12 08:26:14 |

00,320,920 | ---- | M] (Sun Microsystems, Inc.)
{DBC80044-A445-435b-BC74-9C25C1C588A9} [HKLM] -> %ProgramFiles%\Java\jre6\bin\jp2ssv.dll [Java(tm) Plug-In 2 SSV Helper] -> [2009/01/12

08:26:14 | 00,034,816 | ---- | M] (Sun Microsystems, Inc.)
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
ShellBrowser\\"{01E04581-4EEE-11D0-BFE9-00AA005B4383}" [HKLM] -> %SystemRoot%\system32\browseui.dll [&Address] -> [2008/10/16 03:37:04 |

01,023,488 | ---- | M] (Microsoft Corporation)
ShellBrowser\\"{0E5CBF21-D15F-11D0-8301-00AA005B4383}" [HKLM] -> %SystemRoot%\system32\SHELL32.dll [&Links] -> [2007/10/25 20:36:52 |

08,454,656 | ---- | M] (Microsoft Corporation)
WebBrowser\\"{01E04581-4EEE-11D0-BFE9-00AA005B4383}" [HKLM] -> %SystemRoot%\system32\browseui.dll [&Address] -> [2008/10/16 03:37:04 |

01,023,488 | ---- | M] (Microsoft Corporation)
WebBrowser\\"{0E5CBF21-D15F-11D0-8301-00AA005B4383}" [HKLM] -> %SystemRoot%\system32\SHELL32.dll [&Links] -> [2007/10/25 20:36:52 | 08,454,656

| ---- | M] (Microsoft Corporation)
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\] > ->

HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\Software\Microsoft\Internet Explorer\Toolbar\ ->
ShellBrowser\\"{01E04581-4EEE-11D0-BFE9-00AA005B4383}" [HKLM] -> %SystemRoot%\system32\browseui.dll [&Address] -> [2008/10/16 03:37:04 |

01,023,488 | ---- | M] (Microsoft Corporation)
ShellBrowser\\"{0E5CBF21-D15F-11D0-8301-00AA005B4383}" [HKLM] -> %SystemRoot%\system32\SHELL32.dll [&Links] -> [2007/10/25 20:36:52 |

08,454,656 | ---- | M] (Microsoft Corporation)
WebBrowser\\"{01E04581-4EEE-11D0-BFE9-00AA005B4383}" [HKLM] -> %SystemRoot%\system32\browseui.dll [&Address] -> [2008/10/16 03:37:04 |

01,023,488 | ---- | M] (Microsoft Corporation)
WebBrowser\\"{0E5CBF21-D15F-11D0-8301-00AA005B4383}" [HKLM] -> %SystemRoot%\system32\SHELL32.dll [&Links] -> [2007/10/25 20:36:52 | 08,454,656

| ---- | M] (Microsoft Corporation)
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
"atwtusb" -> %SystemRoot%\system32\atwtusb.exe [atwtusb.exe] -> [2007/03/20 17:43:50 | 00,315,392 | ---- | M] ()
"AVG7_CC" -> [C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP] -> File not found
"NeroFilterCheck" -> %CommonProgramFiles%\Ahead\Lib\NeroCheck.exe [C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe] -> [2007/03/09

18:53:56 | 00,153,136 | ---- | M] (Nero AG)
"nwiz" -> %SystemRoot%\system32\nwiz.exe [nwiz.exe /install] -> [2007/09/17 01:07:00 | 01,626,112 | ---- | M] ()
"SoundMan" -> %SystemRoot%\SOUNDMAN.EXE [SOUNDMAN.EXE] -> [2005/11/11 14:07:40 | 00,090,112 | ---- | M] (Realtek Semiconductor Corp.)
"Tweak UI" -> %SystemRoot%\system32\TWEAKUI.CPL [RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp] -> [1997/11/08 00:00:00 | 00,087,312 | ---- | M]

(Microsoft Corporation)
< Run [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
"AVG7_Run" -> %SystemDrive%\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe [C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE] -> [2008/11/12 11:59:52 |

00,219,136 | ---- | M] (GRISOFT, s.r.o.)
< Run [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
"AVG7_Run" -> %SystemDrive%\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe [C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE] -> [2008/11/12 11:59:52 |

00,219,136 | ---- | M] (GRISOFT, s.r.o.)
< Default User Startup Folder > -> C:\Documents and Settings\Default User\Start Menu\Programs\Startup ->
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk ->

%CommonProgramFiles%\Adobe\Calibration\Adobe Gamma Loader.exe -> [2000/10/11 18:08:00 | 00,113,664 | ---- | M] (Adobe Systems, Inc.)
< montyl Startup Folder > -> C:\Documents and Settings\montyl\Start Menu\Programs\Startup ->
< Default User.WINDOWS Startup Folder > -> C:\Documents and Settings\Default User.WINDOWS\Start Menu\Programs\Startup ->
< All Users.WINDOWS Startup Folder > -> C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup ->
-> %AllUsersProfile%\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk.disabled -> [2009/01/12 12:31:42 | 00,000,794 | ---- | M] ()
< Administrator.COMPUTER Startup Folder > -> C:\Documents and Settings\Administrator.COMPUTER\Start Menu\Programs\Startup ->
< Software Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer ->
< Software Policy Settings [HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500] > ->

HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\SOFTWARE\Policies\Microsoft\Internet Explorer ->
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > ->

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveAutoRun" -> [67108863] -> File not found
\\"NoDriveTypeAutoRun" -> [323] -> File not found
\\"NoDrives" -> [0] -> File not found
< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > ->

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
\\"dontdisplaylastusername" -> [0] -> File not found
\\"legalnoticecaption" -> [] -> File not found
\\"legalnoticetext" -> [] -> File not found
\\"shutdownwithoutlogon" -> [1] -> File not found
\\"undockwithoutlogon" -> [1] -> File not found
\\"DisableRegistryTools" -> [0] -> File not found
< CurrentVersion Policy Settings - Explorer [HKEY_CURRENT_USER] > ->

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [323] -> File not found
\\"NoLogoff" -> [01 00 00 00 [binary data]] -> File not found
\\"NoRecentDocsMenu" -> [01 00 00 00 [binary data]] -> File not found
\\"NoRecentDocsHistory" -> [01 00 00 00 [binary data]] -> File not found
\\"NoRecentDocsNetHood" -> [01 00 00 00 [binary data]] -> File not found
\\"NoSMMyDocs" -> [01 00 00 00 [binary data]] -> File not found
\\"NoSMMyPictures" -> [01 00 00 00 [binary data]] -> File not found
\\"NoNetworkConnections" -> [01 00 00 00 [binary data]] -> File not found
\\"NoUserNameInStartMenu" -> [01 00 00 00 [binary data]] -> File not found
\\"ForceClassicControlPanel" -> [1] -> File not found
\\"NoDrives" -> [0] -> File not found
\\"NoDriveAutoRun" -> [67108863] -> File not found
< CurrentVersion Policy Settings - System [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System

->
< CurrentVersion Policy Settings [HKEY_USERS\.DEFAULT] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [323] -> File not found
\\"NoDriveAutoRun" -> [67108863] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\.DEFAULT] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ->
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-18] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [323] -> File not found
\\"NoDriveAutoRun" -> [67108863] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-18] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ->
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-19] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [145] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-20] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [145] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500] > ->

HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [323] -> File not found
\\"NoLogoff" -> [01 00 00 00 [binary data]] -> File not found
\\"NoRecentDocsMenu" -> [01 00 00 00 [binary data]] -> File not found
\\"NoRecentDocsHistory" -> [01 00 00 00 [binary data]] -> File not found
\\"NoRecentDocsNetHood" -> [01 00 00 00 [binary data]] -> File not found
\\"NoSMMyDocs" -> [01 00 00 00 [binary data]] -> File not found
\\"NoSMMyPictures" -> [01 00 00 00 [binary data]] -> File not found
\\"NoNetworkConnections" -> [01 00 00 00 [binary data]] -> File not found
\\"NoUserNameInStartMenu" -> [01 00 00 00 [binary data]] -> File not found
\\"ForceClassicControlPanel" -> [1] -> File not found
\\"NoDrives" -> [0] -> File not found
\\"NoDriveAutoRun" -> [67108863] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500] > ->

HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ->
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ ->
Save Flash -> %ProgramFiles%\SWF-Get\Flash Saving Plugin\FlashSButton.dll [res://C:\Program Files\SWF-Get\Flash Saving

Plugin\FlashSButton.dll/210] -> [2005/04/30 14:53:32 | 00,180,224 | ---- | M] (UnH Solutions)
< Internet Explorer Menu Extensions [HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\] > ->

HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\Software\Microsoft\Internet Explorer\MenuExt\ ->
Save Flash -> %ProgramFiles%\SWF-Get\Flash Saving Plugin\FlashSButton.dll [res://C:\Program Files\SWF-Get\Flash Saving

Plugin\FlashSButton.dll/210] -> [2005/04/30 14:53:32 | 00,180,224 | ---- | M] (UnH Solutions)
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}:{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> %SystemDrive%\PROGRA~1\SPYBOT~1\SDHelper.dll [Menu:

Spybot - Search & Destroy Configuration] -> [2008/09/15 14:25:44 | 01,562,960 | RHS- | M] (Safer Networking Limited)
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ ->
{43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA}\\"ButtonText" [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
{43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA}\\"CLSID" [HKLM] -> [{0000031A-0000-0000-C000-000000000046}] -> File not found
{43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA}\\"ClsidExtension" [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
{43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA}\\"Default Visible" [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
{43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA}\\"HotIcon" [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
{43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA}\\"Icon" [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value does not exist or could not be read.] -> File not found
CmdMapping\\"{43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA}" [HKLM] -> [Reg Error: Value does not exist or could not be read.] -> File not found
CmdMapping\\"{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}" [HKLM] -> %SystemDrive%\PROGRA~1\SPYBOT~1\SDHelper.dll [Spybot - Search & Destroy

Configuration] -> [2008/09/15 14:25:44 | 01,562,960 | RHS- | M] (Safer Networking Limited)
CmdMapping\\"{FB5F1910-F110-11d2-BB9E-00C04F795683}" [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\ ->
CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value does not exist or could not be read.] -> File not found
< Internet Explorer Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\ ->
CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value does not exist or could not be read.] -> File not found
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\] > ->

HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\Software\Microsoft\Internet Explorer\Extensions\ ->
{43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA}\\"ButtonText" [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
{43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA}\\"CLSID" [HKLM] -> [{0000031A-0000-0000-C000-000000000046}] -> File not found
{43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA}\\"ClsidExtension" [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
{43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA}\\"Default Visible" [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
{43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA}\\"HotIcon" [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
{43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA}\\"Icon" [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value does not exist or could not be read.] -> File not found
CmdMapping\\"{43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA}" [HKLM] -> [Reg Error: Value does not exist or could not be read.] -> File not found
CmdMapping\\"{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}" [HKLM] -> %SystemDrive%\PROGRA~1\SPYBOT~1\SDHelper.dll [Spybot - Search & Destroy

Configuration] -> [2008/09/15 14:25:44 | 01,562,960 | RHS- | M] (Safer Networking Limited)
CmdMapping\\"{FB5F1910-F110-11d2-BB9E-00C04F795683}" [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ ->
PluginsPageFriendlyName -> Microsoft ActiveX Gallery ->
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s ->
< Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"" -> http://
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet

Settings\ZoneMap\Domains\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 5248 domain(s) found. -> 50 domain(s) and sub-domain(s) not assigned to a zone. < Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 77 range(s) found. -> < Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 7832 domain(s) found. -> 55 domain(s) and sub-domain(s) not assigned to a zone. < Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 77 range(s) found. -> < Trusted Sites Domains [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 5254 domain(s) found. -> 49 domain(s) and sub-domain(s) not assigned to a zone. < Trusted Sites Ranges [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 77 range(s) found. -> < Trusted Sites Domains [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 5254 domain(s) found. -> 49 domain(s) and sub-domain(s) not assigned to a zone. < Trusted Sites Ranges [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 77 range(s) found. -> < Trusted Sites Domains [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 4107 domain(s) found. -> 32 domain(s) and sub-domain(s) not assigned to a zone. < Trusted Sites Ranges [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 77 range(s) found. -> < Trusted Sites Domains [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 4107 domain(s) found. -> 32 domain(s) and sub-domain(s) not assigned to a zone. < Trusted Sites Ranges [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 77 range(s) found. -> < Trusted Sites Domains [HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\] > -> HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 7832 domain(s) found. -> 55 domain(s) and sub-domain(s) not assigned to a zone. < Trusted Sites Ranges [HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\] > -> HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 77 range(s) found. -> < Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} [HKLM] -> http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab [CKAVWebScan Object] -> {6414512B-B978-451D-A0D8-FCFDF33E833C} [HKLM] -> http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1206762645578 [WUWebControl Class] -> {8AD9C840-044E-11D1-B3E9-00805F499D93} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab [Java Plug-in 1.6.0_11] -> {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab [Java Plug-in 1.6.0_11] -> {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab [Java Plug-in 1.6.0_11] -> {D27CDB6E-AE6D-11CF-96B8-444553540000} [HKLM] -> http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab [Shockwave Flash Object] -> IE Styles -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles < Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> *Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell -> Explorer.exe -> %SystemRoot%\Explorer.exe -> [2007/06/13 03:23:08 | 01,033,216 | ---- | M] (Microsoft Corporation) *MultiFile Done* -> -> *UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit -> C:\WINDOWS\system32\userinit.exe -> %SystemRoot%\system32\userinit.exe -> [2004/08/04 01:00:00 | 00,024,576 | ---- | M] (Microsoft Corporation) *MultiFile Done* -> -> *UIHost* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UIHost -> logonui.exe -> %SystemRoot%\system32\logonui.exe -> [2004/08/04 01:00:00 | 00,514,560 | ---- | M] (Microsoft Corporation) *MultiFile Done* -> -> *VMApplet* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet -> rundll32 shell32 -> %SystemRoot%\System32\shell32.dll -> [2007/10/25 20:36:52 | 08,454,656 | ---- | M] (Microsoft Corporation) Control_RunDLL "sysdm.cpl" -> %SystemRoot%\system32\sysdm.cpl -> [2004/08/04 01:00:00 | 00,298,496 | ---- | M] (Microsoft Corporation) *MultiFile Done* -> -> < Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ -> crypt32chain -> %SystemRoot%\system32\crypt32.dll -> [2004/08/04 01:00:00 | 00,597,504 | ---- | M] (Microsoft Corporation) cryptnet -> %SystemRoot%\system32\cryptnet.dll -> [2004/08/04 01:00:00 | 00,063,488 | ---- | M] (Microsoft Corporation) cscdll -> %SystemRoot%\system32\cscdll.dll -> [2004/08/04 01:00:00 | 00,101,888 | ---- | M] (Microsoft Corporation) ScCertProp -> %SystemRoot%\system32\wlnotify.dll -> [2004/08/04 01:00:00 | 00,092,672 | ---- | M] (Microsoft Corporation) Schedule -> %SystemRoot%\system32\wlnotify.dll -> [2004/08/04 01:00:00 | 00,092,672 | ---- | M] (Microsoft Corporation) sclgntfy -> %SystemRoot%\system32\sclgntfy.dll -> [2004/08/04 01:00:00 | 00,020,992 | ---- | M] (Microsoft Corporation) SensLogn -> %SystemRoot%\system32\WlNotify.dll -> [2004/08/04 01:00:00 | 00,092,672 | ---- | M] (Microsoft Corporation) termsrv -> %SystemRoot%\system32\wlnotify.dll -> [2004/08/04 01:00:00 | 00,092,672 | ---- | M] (Microsoft Corporation) WgaLogon -> %SystemRoot%\system32\WgaLogon.dll -> [2007/04/10 14:00:46 | 00,236,928 | ---- | M] (Microsoft Corporation) wlballoon -> %SystemRoot%\system32\wlnotify.dll -> [2004/08/04 01:00:00 | 00,092,672 | ---- | M] (Microsoft Corporation) < SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad -> "{fbeb8a05-beee-4442-804e-409d6c4515e9}" [HKLM] -> %SystemRoot%\system32\SHELL32.dll [CDBurn] -> [2007/10/25 20:36:52 | 08,454,656 | ---- | M] (Microsoft Corporation) "{7849596a-48ea-486e-8937-a2a3009f31a9}" [HKLM] -> %SystemRoot%\system32\SHELL32.dll [PostBootReminder] -> [2007/10/25 20:36:52 | 08,454,656 | ---- | M] (Microsoft Corporation) "{35CEC8A3-2BE6-11D2-8773-92E220524153}" [HKLM] -> %SystemRoot%\system32\stobject.dll [SysTray] -> [2004/08/04 01:00:00 | 00,121,856 | ---- | M] (Microsoft Corporation) "{e57ce738-33e8-4c51-8354-bb4de9d215d1}" [HKLM] -> %SystemRoot%\system32\upnpui.dll [UPnPMonitor] -> [2004/08/04 01:00:00 | 00,239,616 | ---- | M] (Microsoft Corporation) "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" [HKLM] -> %SystemRoot%\system32\webcheck.dll [WebCheck] -> [2004/08/04 01:00:00 | 00,276,480 | ---- | M] (Microsoft Corporation) < SharedTaskScheduler [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler -> "{438755C2-A8BA-11D1-B96B-00A0C90312E1}" [HKLM] -> %SystemRoot%\system32\browseui.dll [Browseui preloader] -> [2008/10/16 03:37:04 | 01,023,488 | ---- | M] (Microsoft Corporation) "{8C7461EF-2B13-11d2-BE35-3078302C2030}" [HKLM] -> %SystemRoot%\system32\browseui.dll [Component Categories cache daemon] -> [2008/10/16 03:37:04 | 01,023,488 | ---- | M] (Microsoft Corporation) < IFEO [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ -> Your Image File Name Here without a path -> %SystemRoot%\System32\ntsd.exe [Debugger] -> [2004/08/04 01:00:00 | 00,031,744 | ---- | M] (Microsoft Corporation) < ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks -> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" [HKLM] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll [AVG Anti-Spyware 7.5] -> [2008/03/25 19:48:24 | 00,079,408 | ---- | M] (GRISOFT s.r.o.) "{AEB6717E-7E19-11d0-97EE-00C04FD91972}" [HKLM] -> %SystemRoot%\system32\shell32.dll [] -> [2007/10/25 20:36:52 | 08,454,656 | ---- | M] (Microsoft Corporation) < SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders -> *SecurityProviders* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders -> msapsspc.dll -> %SystemRoot%\system32\msapsspc.dll -> [2004/08/04 01:00:00 | 00,086,016 | ---- | M] (Microsoft Corporation) schannel.dll -> %SystemRoot%\system32\schannel.dll -> [2007/04/25 07:21:16 | 00,144,896 | ---- | M] (Microsoft Corporation) digest.dll -> %SystemRoot%\system32\digest.dll -> [2004/08/04 01:00:00 | 00,068,608 | ---- | M] (Microsoft Corporation) msnsspc.dll -> %SystemRoot%\system32\msnsspc.dll -> [2004/08/04 01:00:00 | 00,290,816 | ---- | M] (Microsoft Corporation) *MultiFile Done* -> -> < LSA Authentication Packages [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages -> *LSA Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages -> msv1_0 -> %SystemRoot%\System32\msv1_0.dll -> [2004/08/04 01:00:00 | 00,129,536 | ---- | M] (Microsoft Corporation) *MultiFile Done* -> -> < LSA Authentication Packages [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Security Packages -> *LSA Security Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Security Packages -> kerberos -> %SystemRoot%\System32\kerberos.dll -> [2005/06/15 10:49:30 | 00,295,936 | ---- | M] (Microsoft Corporation) msv1_0 -> %SystemRoot%\System32\msv1_0.dll -> [2004/08/04 01:00:00 | 00,129,536 | ---- | M] (Microsoft Corporation) schannel -> %SystemRoot%\System32\schannel.dll -> [2007/04/25 07:21:16 | 00,144,896 | ---- | M] (Microsoft Corporation) wdigest -> %SystemRoot%\System32\wdigest.dll -> [2004/08/04 01:00:00 | 00,049,152 | ---- | M] (Microsoft Corporation) *MultiFile Done* -> -> < Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List -> "%windir%\system32\sessmgr.exe" -> C:\WINDOWS\system32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabledxpsp2res.dll,-22019] -> [2004/08/04 01:00:00 | 00,140,800 | ---- | M] (Microsoft Corporation) < Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List -> "%windir%\system32\sessmgr.exe" -> C:\WINDOWS\system32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabledxpsp2res.dll,-22019] -> [2004/08/04 01:00:00 | 00,140,800 | ---- | M] (Microsoft Corporation) "C:\Program Files\Grisoft\AVG Free\avgamsvr.exe" -> C:\Program Files\Grisoft\AVG Free\avgamsvr.exe [C:\Program Files\Grisoft\AVG Free\avgamsvr.exe:*:Enabled:avgamsvr.exe] -> [2008/11/12 11:59:50 | 00,418,816 | ---- | M] (GRISOFT, s.r.o.) "C:\Program Files\Grisoft\AVG Free\avgcc.exe" -> C:\Program Files\Grisoft\AVG Free\avgcc.exe [C:\Program Files\Grisoft\AVG Free\avgcc.exe:*:Enabled:avgcc.exe] -> [2008/11/12 12:08:54 | 00,590,848 | ---- | M] (GRISOFT, s.r.o.) "C:\Program Files\Grisoft\AVG Free\avgemc.exe" -> C:\Program Files\Grisoft\AVG Free\avgemc.exe [C:\Program Files\Grisoft\AVG Free\avgemc.exe:*:Enabled:avgemc.exe] -> [2008/11/12 11:59:50 | 00,406,528 | ---- | M] (GRISOFT, s.r.o.) "C:\Program Files\Grisoft\AVG Free\avginet.exe" -> C:\Program Files\Grisoft\AVG Free\avginet.exe [C:\Program Files\Grisoft\AVG Free\avginet.exe:*:Enabled:avginet.exe] -> [2008/11/12 12:08:56 | 00,514,560 | ---- | M] (GRISOFT, s.r.o.) "C:\Program Files\uTorrent\uTorrent.exe" -> C:\Program Files\uTorrent\uTorrent.exe [C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent] -> [2009/01/14 04:20:16 | 00,270,128 | ---- | M] (BitTorrent, Inc.) "C:\WINDOWS\System32\mmc.exe" -> C:\WINDOWS\System32\mmc.exe [C:\WINDOWS\System32\mmc.exe:*isabled:Microsoft Management Console] -> [2004/08/04 01:00:00 | 00,815,104 | ---- | M] (Microsoft Corporation) "C:\WINDOWS\system32\sessmgr.exe" -> C:\WINDOWS\system32\sessmgr.exe [C:\WINDOWS\system32\sessmgr.exe:*isabledxpsp2res.dll,-22019] -> [2004/08/04 01:00:00 | 00,140,800 | ---- | M] (Microsoft Corporation) < SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot -> "AlternateShell" -> cmd.exe -> < CDROM Autorun Setting [HKEY_LOCAL_MACHINE]> -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom -> "AutoRun" -> 1 -> "DisplayName" -> CD-ROM Driver -> "ImagePath" -> %SystemRoot%\system32\DRIVERS\cdrom.sys [system32\DRIVERS\cdrom.sys] -> [2004/08/04 01:00:00 | 00,049,536 | ---- | M] (Microsoft Corporation) < Drives with AutoRun files > -> -> C:\AUTOEXEC.BAT [] -> %SystemDrive%\AUTOEXEC.BAT [ FAT32 ] -> [2007/10/23 00:49:12 | 00,000,000 | ---- | M] () < MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 -> Log too long for 1 reply

dinosaur58 · Jan 16, 2009

OTScanIt log pt2

Log continued:

< ActiveX StubPath [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\ ->
{08B0E5C0-4FCB-11CF-AAA5-00401C608500} [HKLM] -> C:\WINDOWS\System32\Java.exe [(default): Java (Sun); IsInstalled: 1] -> [2009/01/12 08:26:14 |

00,144,792 | ---- | M] (Sun Microsystems, Inc.)
{10072CEC-8CC1-11D1-986E-00A0C955B42F} [HKLM] -> [(default): Vector Graphics Rendering (VML); IsInstalled: 01 00 00 00 [binary data]] ->
{166B1BCA-3F9C-11CF-8075-444553540000} [HKLM] -> [(default): Macromedia Shockwave Director 7.0.0; IsInstalled: 01 00 00 00 [binary data]] ->
{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} [StubPath] -> [ComponentID: NetShow; IsInstalled: 1] ->
{22d6f312-b0f6-11d0-94ab-0080c74c7e95} [StubPath] -> [(default): Microsoft Windows Media Player 6.4; IsInstalled: 1] ->
{233C1507-6A77-46A4-9443-F871F945D258} [HKLM] -> [(default): Adobe Shockwave Director 10.1.4; IsInstalled: 01 00 00 00 [binary data]] ->
{283807B5-2C60-11D0-A31D-00AA00B92C03} [HKLM] -> [(default): DirectAnimation; IsInstalled: 1] ->
{2A202491-F00D-11cf-87CC-0020AFEECF20} [HKLM] -> [(default): Macromedia Shockwave Director 7.0.0; IsInstalled: 01 00 00 00 [binary data]] ->
{2C7339CF-2B09-4501-B3F3-F3508C9228ED} [StubPath] -> %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[(default): Themes Setup; IsInstalled: 1] ->
{36f8ec70-c29a-11d1-b5c7-0000f8051515} [HKLM] -> [(default): Dynamic HTML Data Binding for Java; IsInstalled: 1] ->
{3af36230-a269-11d1-b5bf-0000f8051515} [HKLM] -> [(default): Offline Browsing Pack; IsInstalled: 1] ->
{3bf42070-b3b1-11d1-b5c5-0000f8051515} [HKLM] -> [(default): Uniscribe; IsInstalled: 1] ->
{4278c270-a269-11d1-b5bf-0000f8051515} [HKLM] -> [(default): Advanced Authoring; IsInstalled: 1] ->
{44BBA840-CC51-11CF-AAFA-00AA00B6015C} [StubPath] -> "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[(default): Microsoft Outlook Express 6; IsInstalled: 1] ->
{44BBA842-CC51-11CF-AAFA-00AA00B6015B} [StubPath] -> rundll32.exe advpack.dll,LaunchINFSection

C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT [(default): NetMeeting 3.01; IsInstalled: 01 00 00 00 [binary data]] ->
{44BBA848-CC51-11CF-AAFA-00AA00B6015C} [HKLM] -> [(default): DirectShow; IsInstalled: 1] ->
{44BBA855-CC51-11CF-AAFA-00AA00B6015F} [HKLM] -> [(default): DirectDrawEx; IsInstalled: 1] ->
{45ea75a0-a269-11d1-b5bf-0000f8051515} [HKLM] -> [(default): Internet Explorer Help; IsInstalled: 1] ->
{4b218e3e-bc98-4770-93d3-2731b9329278} [StubPath] -> %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896

%systemroot%\inf\ie.inf [(default): Internet Explorer; IsInstalled: 1] ->
{4f216970-c90c-11d1-b5c7-0000f8051515} [HKLM] -> [(default): DirectAnimation Java Classes; IsInstalled: 1] ->
{4f645220-306d-11d2-995d-00c04f98bbc9} [HKLM] -> [(default): Microsoft Windows Script 5.6; IsInstalled: 1] ->
{5056b317-8d4c-43ee-8543-b9d1e234b8f4} [HKLM] -> C:\WINDOWS\System32\Security.dll [(default): Security Update for Windows XP (KB923789);

IsInstalled: 1] -> [2004/08/04 01:00:00 | 00,005,632 | ---- | M] (Microsoft Corporation)
{5945c046-1e7d-11d1-bc44-00c04fd912be} [StubPath] -> rundll32.exe advpack.dll,LaunchINFSection

C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser [(default): Windows Messenger 4.7; IsInstalled: 1] ->
{5A8D6EE0-3E18-11D0-821E-444553540000} [HKLM] -> Reg Error: Value does not exist or could not be read. [ComponentID: ICW; IsInstalled: 1] ->

File not found
{5fd399c0-a70a-11d1-9948-00c04f98bbc9} [HKLM] -> [(default): Internet Explorer Setup Tools; IsInstalled: 1] ->
{630b1da0-b465-11d1-9948-00c04f98bbc9} [HKLM] -> [(default): Browsing Enhancements; IsInstalled: 1] ->
{6BF52A52-394A-11d3-B153-00C04F79FAA6} [StubPath] -> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub [(default):

Microsoft Windows Media Player; IsInstalled: 1] ->
{6fab99d0-bab8-11d1-994a-00c04f98bbc9} [HKLM] -> [(default): MSN Site Access; IsInstalled: 1] ->
{7131646D-CD3C-40F4-97B9-CD9E4E6262EF} [HKLM] -> [(default): .NET Framework] ->
{7790769C-0471-11d2-AF11-00C04FA35D02} [StubPath] -> "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[(default): Address Book 6; IsInstalled: 1] ->
{89820200-ECBD-11cf-8B85-00AA005B4340} [StubPath] -> regsvr32.exe /s /n /i:U shell32.dll [(default): Windows Desktop Update; IsInstalled: 1] ->
{89820200-ECBD-11cf-8B85-00AA005B4383} [StubPath] -> %SystemRoot%\system32\ie4uinit.exe [(default): Internet Explorer 6; IsInstalled: 1] ->
{89B4C1CD-B018-4511-B0A1-5476DBF70820} [StubPath] -> C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install [ComponentID:

DOTNETFRAMEWORKS; IsInstalled: 1] ->
{9381D8F2-0288-11D0-9501-00AA00B911A5} [HKLM] -> [(default): Dynamic HTML Data Binding; IsInstalled: 1] ->
{ACC563BC-4266-43f0-B6ED-9D38C4202C7E} [HKLM] -> Reg Error: Value does not exist or could not be read. [(no name)] -> File not found
{B508B3F1-A24A-32C0-B310-85786919EF28} [HKLM] -> [(default): .NET Framework] ->
{C9E9A340-D1F1-11D0-821E-444553540600} [HKLM] -> [(default): Internet Explorer Core Fonts; IsInstalled: 1] ->
{CC2A9BA0-3BDD-11D0-821E-444553540000} [HKLM] -> [(default): Task Scheduler; IsInstalled: 1] ->
{CDD7975E-60F8-41d5-8149-19E51D6F71D0} [HKLM] -> Reg Error: Value does not exist or could not be read. [ComponentID: Windows Movie Maker v2.1;

IsInstalled: 01 00 00 00 [binary data]] -> File not found
{D27CDB6E-AE6D-11cf-96B8-444553540000} [HKLM] -> [(default): Adobe Flash Player; IsInstalled: 01 00 00 00 [binary data]] ->
{de5aed00-a4bf-11d1-9948-00c04f98bbc9} [HKLM] -> [(default): HTML Help; IsInstalled: 1] ->
{E92B03AB-B707-11d2-9CBD-0000F87A369E} [HKLM] -> [(default): Active Directory Service Interface; IsInstalled: 01 00 00 00 [binary data]] ->
{EF289A85-8E57-408d-BE47-73B55609861A} [HKLM] -> [(default): RootsUpdate; IsInstalled: 1] ->
>{22d6f312-b0f6-11d0-94ab-0080c74c7e95} [StubPath] -> C:\WINDOWS\inf\unregmp2.exe /ShowWMP [(default): Microsoft Windows Media Player;

IsInstalled: 0] ->
>{26923b43-4d38-484f-9b9e-de460746276c} [StubPath] -> %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE [(default): Internet Explorer;

IsInstalled: 1] ->
>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS [StubPath] -> RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP [(default): Browser Customizations;

IsInstalled: 1] ->
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a} [StubPath] -> %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE [(default): Outlook Express;

IsInstalled: 0] ->
Microsoft Base Smart Card Crypto Provider Package [HKLM] -> Reg Error: Value does not exist or could not be read. [(no name); IsInstalled: 1]

-> File not found
< ActiveX StubPath [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\ ->
{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} [HKLM] -> [HKLM: Microsoft NetShow Player] ->
{22d6f312-b0f6-11d0-94ab-0080c74c7e95} [HKLM] -> [HKLM: Windows Media Player] ->
{2C7339CF-2B09-4501-B3F3-F3508C9228ED} [HKLM] -> [(no name)] ->
{44BBA840-CC51-11CF-AAFA-00AA00B6015C} [HKLM] -> [(no name)] ->
{44BBA842-CC51-11CF-AAFA-00AA00B6015B} [HKLM] -> [(no name)] ->
{44BBA848-CC51-11CF-AAFA-00AA00B6015C} [HKLM] -> [(no name)] ->
{4b218e3e-bc98-4770-93d3-2731b9329278} [HKLM] -> [(no name)] ->
{5945c046-1e7d-11d1-bc44-00c04fd912be} [HKLM] -> [(no name)] ->
{6BF52A52-394A-11d3-B153-00C04F79FAA6} [HKLM] -> [HKLM: Windows Media Player] ->
{7790769C-0471-11d2-AF11-00C04FA35D02} [HKLM] -> [(no name)] ->
{89820200-ECBD-11cf-8B85-00AA005B4340} [HKLM] -> [(no name)] ->
{89820200-ECBD-11cf-8B85-00AA005B4383} [HKLM] -> [(no name)] ->
{89B4C1CD-B018-4511-B0A1-5476DBF70820} [HKLM] -> Reg Error: Value does not exist or could not be read. [(no name)] -> File not found
>{26923b43-4d38-484f-9b9e-de460746276c} [HKLM] -> [(no name)] ->
>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS [HKLM] -> C:\WINDOWS\System32\Browser.dll [(no name)] -> [2004/08/04 01:00:00 | 00,077,312 | ----

| M] (Microsoft Corporation)
< ActiveX StubPath [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Active Setup\Installed Components\ ->
{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} [HKLM] -> Reg Error: Key does not exist or could not be opened. [HKLM: Microsoft NetShow Player] -> File

not found
{22d6f312-b0f6-11d0-94ab-0080c74c7e95} [HKLM] -> Reg Error: Key does not exist or could not be opened. [HKLM: Windows Media Player] -> File not

found
{44BBA842-CC51-11CF-AAFA-00AA00B6015B} [HKLM] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
{44BBA848-CC51-11CF-AAFA-00AA00B6015C} [HKLM] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
{6BF52A52-394A-11d3-B153-00C04F79FAA6} [HKLM] -> Reg Error: Key does not exist or could not be opened. [HKLM: Windows Media Player] -> File not

found
< ActiveX StubPath [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Active Setup\Installed Components\ ->
{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} [HKLM] -> Reg Error: Key does not exist or could not be opened. [HKLM: Microsoft NetShow Player] -> File

not found
{22d6f312-b0f6-11d0-94ab-0080c74c7e95} [HKLM] -> Reg Error: Key does not exist or could not be opened. [HKLM: Windows Media Player] -> File not

found
{44BBA842-CC51-11CF-AAFA-00AA00B6015B} [HKLM] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
{44BBA848-CC51-11CF-AAFA-00AA00B6015C} [HKLM] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
{6BF52A52-394A-11d3-B153-00C04F79FAA6} [HKLM] -> Reg Error: Key does not exist or could not be opened. [HKLM: Windows Media Player] -> File not

found
< ActiveX StubPath [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Active Setup\Installed Components\ ->
{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} [HKLM] -> Reg Error: Key does not exist or could not be opened. [HKLM: Microsoft NetShow Player] -> File

not found
{22d6f312-b0f6-11d0-94ab-0080c74c7e95} [HKLM] -> Reg Error: Key does not exist or could not be opened. [HKLM: Windows Media Player] -> File not

found
{44BBA842-CC51-11CF-AAFA-00AA00B6015B} [HKLM] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
{44BBA848-CC51-11CF-AAFA-00AA00B6015C} [HKLM] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
{6BF52A52-394A-11d3-B153-00C04F79FAA6} [HKLM] -> Reg Error: Key does not exist or could not be opened. [HKLM: Windows Media Player] -> File not

found
< ActiveX StubPath [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Active Setup\Installed Components\ ->
{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} [HKLM] -> Reg Error: Key does not exist or could not be opened. [HKLM: Microsoft NetShow Player] -> File

not found
{22d6f312-b0f6-11d0-94ab-0080c74c7e95} [HKLM] -> Reg Error: Key does not exist or could not be opened. [HKLM: Windows Media Player] -> File not

found
{44BBA842-CC51-11CF-AAFA-00AA00B6015B} [HKLM] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
{44BBA848-CC51-11CF-AAFA-00AA00B6015C} [HKLM] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
{6BF52A52-394A-11d3-B153-00C04F79FAA6} [HKLM] -> Reg Error: Key does not exist or could not be opened. [HKLM: Windows Media Player] -> File not

found
< ActiveX StubPath [HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\] > ->

HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\SOFTWARE\Microsoft\Active Setup\Installed Components\ ->
{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} [HKLM] -> Reg Error: Key does not exist or could not be opened. [HKLM: Microsoft NetShow Player] -> File

not found
{22d6f312-b0f6-11d0-94ab-0080c74c7e95} [HKLM] -> Reg Error: Key does not exist or could not be opened. [HKLM: Windows Media Player] -> File not

found
{2C7339CF-2B09-4501-B3F3-F3508C9228ED} [HKLM] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
{44BBA840-CC51-11CF-AAFA-00AA00B6015C} [HKLM] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
{44BBA842-CC51-11CF-AAFA-00AA00B6015B} [HKLM] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
{44BBA848-CC51-11CF-AAFA-00AA00B6015C} [HKLM] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
{4b218e3e-bc98-4770-93d3-2731b9329278} [HKLM] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
{5945c046-1e7d-11d1-bc44-00c04fd912be} [HKLM] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
{6BF52A52-394A-11d3-B153-00C04F79FAA6} [HKLM] -> Reg Error: Key does not exist or could not be opened. [HKLM: Windows Media Player] -> File not

found
{7790769C-0471-11d2-AF11-00C04FA35D02} [HKLM] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
{89820200-ECBD-11cf-8B85-00AA005B4340} [HKLM] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
{89820200-ECBD-11cf-8B85-00AA005B4383} [HKLM] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
{89B4C1CD-B018-4511-B0A1-5476DBF70820} [HKLM] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
>{26923b43-4d38-484f-9b9e-de460746276c} [HKLM] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS [HKLM] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
< App Paths [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ ->
AcroRd32.exe -> %ProgramFiles%\Adobe\Reader 9.0\Reader\AcroRd32.exe [C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe] -> [2008/06/12

02:47:22 | 00,349,544 | ---- | M] (Adobe Systems Incorporated)
Adobe SVG Viewer -> [C:\WINDOWS\System32\Adobe\SVG Viewer\Adobe SVG Viewer] -> File not found
AVGSE.DLL -> %SystemDrive%\PROGRA~1\Grisoft\AVGFRE~1\avgse.dll [C:\PROGRA~1\Grisoft\AVGFRE~1\avgse.dll] -> [2008/11/12 11:52:56 | 00,050,688 |

---- | M] (GRISOFT, s.r.o.)
AVGW.EXE -> %SystemDrive%\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe [C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe] -> [2008/11/12 11:59:52 | 00,219,136 |

---- | M] (GRISOFT, s.r.o.)
BackItUp.exe -> %ProgramFiles%\Nero\Nero 7\Nero BackItUp\BackItUp.exe [C:\Program Files\Nero\Nero 7\Nero BackItUp\BackItUp.exe] -> [2007/03/14

19:18:06 | 19,416,624 | ---- | M] (Nero AG)
BounceBack Express -> [C:\Program Files\CMS Peripherals\BounceBack Express\BounceBack Express] -> File not found
CheckIt.exe -> %SystemDrive%\PROGRA~1\CheckIt\Diagnostics\CheckIt.exe [C:\PROGRA~1\CheckIt\Diagnostics\CheckIt.exe] -> [2004/08/06 15:40:44 |

00,528,384 | ---- | M] (Smith Micro Software, Inc.)
cmmgr32.exe -> %SystemRoot%\system32\cmmgr32.exe [C:\WINDOWS\system32\cmmgr32.exe] -> File not found
combofix.exe -> %UserProfile%\My Documents\Anti-Smitfraud\Country.exe [C:\Documents and Settings\Administrator.COMPUTER\My

Documents\Anti-Smitfraud\Country.exe] -> [2009/01/11 12:18:16 | 02,915,194 | R--- | M] ()
CONF.EXE -> %ProgramFiles%\NetMeeting\conf.exe [C:\Program Files\NetMeeting\conf.exe] -> [2004/08/04 01:00:00 | 01,032,192 | ---- | M]

(Microsoft Corporation)
DataLifeguard.exe -> %ProgramFiles%\Western Digital\Data Lifeguard Tools\DataLifeguard.exe [C:\Program Files\Western Digital\Data Lifeguard

Tools\DataLifeguard.exe] -> [2004/03/29 15:40:06 | 00,049,152 | ---- | M] (Kroll Ontrack Inc.)
dialer.exe -> %ProgramFiles%\Windows NT\dialer.exe [C:\Program Files\Windows NT\dialer.exe] -> [2004/08/04 01:00:00 | 00,539,136 | ---- | M]

(Microsoft Corporation)
dwwin.exe -> %ProgramFiles%\DiscWizard for Windows\dwwin.exe [C:\Program Files\DiscWizard for Windows\dwwin.exe] -> [2004/03/31 09:19:52 |

00,552,960 | ---- | M] (Kroll Ontrack Inc)
ElbyDVD.exe -> %ProgramFiles%\VirtualCloneDrive\ElbyDVD.exe [C:\Program Files\VirtualCloneDrive\ElbyDVD.exe] -> [2004/08/20 03:34:36 |

00,069,632 | ---- | M] (Elaborate Bytes AG)
firefox.exe -> %ProgramFiles%\Mozilla Firefox\firefox.exe [C:\Program Files\Mozilla Firefox\firefox.exe] -> [2008/07/23 20:12:36 | 07,667,312 |

---- | M] (Mozilla Corporation)
frontpg.exe -> %SystemDrive%\PROGRA~1\MICROS~2\Office\FRONTPG.EXE [C:\PROGRA~1\MICROS~2\Office\FRONTPG.EXE] -> [1999/03/19 23:06:38 |

01,990,730 | R--- | M] (Microsoft Corporation)
HELPCTR.EXE -> %SystemRoot%\PCHealth\HelpCtr\Binaries\HelpCtr.exe [C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exe] -> [2004/08/04 01:00:00 |

00,768,512 | ---- | M] (Microsoft Corporation)
HijackThis.exe -> %UserProfile%\My Documents\Anti-Smitfraud\hijackthis.exe [C:\Documents and Settings\Administrator.COMPUTER\My

Documents\Anti-Smitfraud\hijackthis.exe] -> [2008/07/14 22:48:00 | 00,401,720 | ---- | M] (Trend Micro Inc.)
hypertrm.exe -> %ProgramFiles%\Windows NT\hypertrm.exe ["C:\Program Files\Windows NT\hypertrm.exe"] -> [2004/08/04 01:00:00 | 00,028,160 | ----

| M] (Hilgraeve, Inc.)
ICWCONN1.EXE -> %ProgramFiles%\Internet Explorer\Connection Wizard\ICWCONN1.EXE ["C:\Program Files\Internet Explorer\Connection

Wizard\ICWCONN1.EXE"] -> [2004/08/04 01:00:00 | 00,214,528 | ---- | M] (Microsoft Corporation)
ICWCONN2.EXE -> %ProgramFiles%\Internet Explorer\Connection Wizard\ICWCONN2.EXE ["C:\Program Files\Internet Explorer\Connection

Wizard\ICWCONN2.EXE"] -> [2004/08/04 01:00:00 | 00,086,016 | ---- | M] (Microsoft Corporation)
IEXPLORE.EXE -> %ProgramFiles%\Internet Explorer\iexplore.exe [C:\Program Files\Internet Explorer\iexplore.exe] -> [2004/08/04 01:00:00 |

00,093,184 | ---- | M] (Microsoft Corporation)
ImageDrive.exe -> %ProgramFiles%\Nero\Nero 7\Nero ImageDrive\ImageDrive.exe [C:\Program Files\Nero\Nero 7\Nero ImageDrive\ImageDrive.exe] ->

[2007/03/14 19:20:30 | 01,070,640 | ---- | M] (Nero AG)
INETWIZ.EXE -> %ProgramFiles%\Internet Explorer\Connection Wizard\INETWIZ.EXE ["C:\Program Files\Internet Explorer\Connection

Wizard\INETWIZ.EXE"] -> [2004/08/04 01:00:00 | 00,020,480 | ---- | M] (Microsoft Corporation)
install.exe -> Reg Error: Value does not exist or could not be read. [Reg Error: Value does not exist or could not be read.] -> File not

found
ISIGNUP.EXE -> %ProgramFiles%\Internet Explorer\Connection Wizard\ISIGNUP.EXE ["C:\Program Files\Internet Explorer\Connection

Wizard\ISIGNUP.EXE"] -> [2004/08/04 01:00:00 | 00,016,384 | ---- | M] (Microsoft Corporation)
IsoBuster.exe -> %ProgramFiles%\Smart Projects\IsoBuster\IsoBuster.exe [C:\Program Files\Smart Projects\IsoBuster\IsoBuster.exe] -> [2007/12/21

16:52:08 | 04,404,664 | ---- | M] (Smart Projects)
javaws.exe -> %ProgramFiles%\Java\jre6\bin\javaws.exe [C:\Program Files\Java\jre6\bin\javaws.exe] -> [2009/01/12 08:26:14 | 00,148,888 | ---- |

M] (Sun Microsystems, Inc.)
mbam.exe -> %ProgramFiles%\Malwarebytes' Anti-Malware\mbam.exe [C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe] -> [2009/01/14 16:11:26 |

01,273,488 | ---- | M] (Malwarebytes Corporation)
migwiz.exe -> %SystemRoot%\system32\usmt\migwiz.exe [%SystemRoot%\system32\usmt\migwiz.exe] -> [2004/08/04 01:00:00 | 00,240,128 | ---- | M]

(Microsoft Corporation)
moviemk.exe -> %ProgramFiles%\Movie Maker\moviemk.exe [C:\Program Files\Movie Maker\moviemk.exe] -> [2004/08/04 01:00:00 | 03,555,328 | ---- |

M] (Microsoft Corporation)
mplayer2.exe -> %ProgramFiles%\Windows Media Player\mplayer2.exe ["C:\Program Files\Windows Media Player\mplayer2.exe"] -> [2004/08/04 01:00:00

| 00,004,639 | ---- | M] ()
MSCONFIG.EXE -> %SystemRoot%\pchealth\helpctr\Binaries\MSCONFIG.EXE [%systemroot%\pchealth\helpctr\Binaries\MSCONFIG.EXE] -> [2004/08/04

01:00:00 | 00,158,208 | ---- | M] (Microsoft Corporation)
msimn.exe -> %ProgramFiles%\Outlook Express\msimn.exe [%ProgramFiles%\Outlook Express\msimn.exe] -> [2004/08/04 01:00:00 | 00,060,416 | -HS- |

M] (Microsoft Corporation)
msinfo32.exe -> %CommonProgramFiles%\Microsoft Shared\MSInfo\MSInfo32.exe [C:\Program Files\Common Files\Microsoft Shared\MSInfo\MSInfo32.exe]

-> [2004/08/04 01:00:00 | 00,039,936 | ---- | M] (Microsoft Corporation)
MSMSGS.EXE -> Reg Error: Value does not exist or could not be read. [Reg Error: Value does not exist or could not be read.] -> File not found
MsoHtmEd.exe -> Reg Error: Value does not exist or could not be read. [Reg Error: Value does not exist or could not be read.] -> File not

found
NCoverEd.exe -> %ProgramFiles%\Nero\Nero 7\Nero CoverDesigner\CoverDes.exe [C:\Program Files\Nero\Nero 7\Nero CoverDesigner\CoverDes.exe] ->

[2007/02/28 19:20:06 | 05,740,080 | ---- | M] (Nero AG)
Nero.exe -> %ProgramFiles%\Nero\Nero 7\Core\Nero.exe [C:\Program Files\Nero\Nero 7\Core\Nero.exe] -> [2007/03/14 11:40:22 | 36,673,072 | ---- |

M] (Nero AG)
NeroBurnRights.exe -> %ProgramFiles%\Nero\Nero 7\Nero Toolkit\NeroBurnRights.exe [C:\Program Files\Nero\Nero 7\Nero Toolkit\NeroBurnRights.exe]

-> [2007/03/14 19:19:50 | 00,919,088 | ---- | M] (Nero AG)
NeroMediaHome.exe -> %ProgramFiles%\Nero\Nero 7\Nero MediaHome\NeroMediaHome.exe [C:\Program Files\Nero\Nero 7\Nero

MediaHome\NeroMediaHome.exe] -> [2007/03/12 13:50:58 | 04,216,368 | ---- | M] (Nero AG)
NeroVision.exe -> %ProgramFiles%\Nero\Nero 7\Nero Vision\NeroVision.exe [C:\Program Files\Nero\Nero 7\Nero Vision\NeroVision.exe] ->

[2007/02/28 20:51:38 | 01,005,616 | ---- | M] (Nero AG)
PaprPort.exe -> %ProgramFiles%\ScanSoft\PaperPort\PaprPort.exe [C:\Program Files\ScanSoft\PaperPort\PaprPort.exe] -> [2001/10/15 15:16:16 |

00,307,712 | ---- | M] (Scansoft Inc.)
pbrush.exe -> %SystemRoot%\system32\mspaint.exe [%SystemRoot%\system32\mspaint.exe] -> [2004/08/04 01:00:00 | 00,343,040 | ---- | M] (Microsoft

Corporation)
PhotoshopElements.exe -> %ProgramFiles%\Adobe\Photoshop Elements\PhotoshopElements.exe [C:\Program Files\Adobe\Photoshop

Elements\PhotoshopElements.exe] -> [2009/01/12 12:31:40 | 13,381,632 | ---- | M] (Adobe Systems, Incorporated)
PhotoSnapViewer.exe -> %ProgramFiles%\Nero\Nero 7\Nero PhotoSnap\PhotoSnapViewer.exe [C:\Program Files\Nero\Nero 7\Nero

PhotoSnap\PhotoSnapViewer.exe] -> [2007/03/14 19:24:52 | 02,938,416 | ---- | M] (Nero AG)
PictureViewer.exe -> %ProgramFiles%\QuickTime\PictureViewer.exe [C:\Program Files\QuickTime\PictureViewer.exe] -> [2008/05/27 10:50:24 |

00,548,864 | ---- | M] (Apple Inc.)
PowerPnt.exe -> %SystemDrive%\PROGRA~1\MICROS~2\Office\POWERPNT.EXE [C:\PROGRA~1\MICROS~2\Office\POWERPNT.EXE] -> [1999/03/16 21:41:22 |

04,325,428 | R--- | M] ()
QuickTimePlayer.exe -> %ProgramFiles%\QuickTime\QuickTimePlayer.exe [C:\Program Files\QuickTime\QuickTimePlayer.exe] -> [2008/05/27 10:50:48 |

07,677,232 | ---- | M] (Apple Inc.)
RealPlay.exe -> %ProgramFiles%\Real\RealPlayer\realplay.exe [C:\Program Files\Real\RealPlayer\realplay.exe] -> [2007/10/23 23:59:18 |

00,214,560 | ---- | M] (RealNetworks, Inc.)
Recode.exe -> %ProgramFiles%\Nero\Nero 7\Nero Recode\Recode.exe [C:\Program Files\Nero\Nero 7\Nero Recode\Recode.exe] -> [2007/03/14 19:27:40 |

11,863,600 | ---- | M] (Nero AG)
rnxproc.exe -> %CommonProgramFiles%\Real\Update_OB\rnxproc.exe [C:\Program Files\Common Files\Real\Update_OB\rnxproc.exe] -> [2007/10/23

23:59:16 | 00,058,912 | ---- | M] (RealNetworks, Inc.)
RogueRemover.exe -> %ProgramFiles%\RogueRemover FREE\RogueRemover.exe [C:\Program Files\RogueRemover FREE\RogueRemover.exe] -> [2008/02/24

14:53:10 | 00,266,240 | ---- | M] (Malwarebytes)
setup.exe -> Reg Error: Value does not exist or could not be read. [Reg Error: Value does not exist or could not be read.] -> File not found
ShowTime.exe -> %ProgramFiles%\Nero\Nero 7\Nero ShowTime\ShowTime.exe [C:\Program Files\Nero\Nero 7\Nero ShowTime\ShowTime.exe] -> [2007/02/28

15:41:02 | 05,199,408 | ---- | M] (Nero AG)
SMRegister.exe -> %SystemDrive%\PROGRA~1\COMMON~1\SMITHM~1\SMREGI~1.EXE [C:\PROGRA~1\COMMON~1\SMITHM~1\SMREGI~1.EXE] -> [2004/03/15 14:08:10 |

00,184,320 | ---- | M] (Smith Micro Software, Inc.)
SoundTrax.exe -> %ProgramFiles%\Nero\Nero 7\Nero SoundTrax\SoundTrax.exe [C:\Program Files\Nero\Nero 7\Nero SoundTrax\SoundTrax.exe] ->

[2007/02/28 19:23:56 | 03,167,792 | ---- | M] (Nero AG)
table30.exe -> Reg Error: Value does not exist or could not be read. [Reg Error: Value does not exist or could not be read.] -> File not

found
thunderbird.exe -> %ProgramFiles%\Mozilla Thunderbird\thunderbird.exe [C:\Program Files\Mozilla Thunderbird\thunderbird.exe] -> [2007/11/24

21:24:10 | 08,472,936 | ---- | M] (Mozilla Corporation)
UnZixWin.exe -> %ProgramFiles%\UnZixWin\UnZixWin.exe [C:\Program Files\UnZixWin\UnZixWin.exe] -> [2007/11/25 20:49:24 | 00,270,336 | ---- | M]

(Last Resort Software)
VCDDaemon.exe -> %ProgramFiles%\VirtualCloneDrive\VCDDaemon.exe [C:\Program Files\VirtualCloneDrive\VCDDaemon.exe] -> [2006/04/29 06:21:30 |

00,094,208 | ---- | M] (Elaborate Bytes AG)
VCDMount.exe -> %ProgramFiles%\VirtualCloneDrive\VCDMount.exe [C:\Program Files\VirtualCloneDrive\VCDMount.exe] -> [2006/02/13 06:10:06 |

00,034,304 | ---- | M] (Elaborate Bytes AG)
VCDPrefs.exe -> %ProgramFiles%\VirtualCloneDrive\VCDPrefs.exe [C:\Program Files\VirtualCloneDrive\VCDPrefs.exe] -> [2007/10/28 08:02:42 |

00,848,384 | ---- | M] (Elaborate Bytes AG)
wab.exe -> %ProgramFiles%\Outlook Express\wab.exe [%ProgramFiles%\Outlook Express\wab.exe] -> [2004/08/04 01:00:00 | 00,046,080 | ---- | M]

(Microsoft Corporation)
wabmig.exe -> %ProgramFiles%\Outlook Express\wabmig.exe [%ProgramFiles%\Outlook Express\wabmig.exe] -> [2004/08/04 01:00:00 | 00,030,208 | ----

| M] (Microsoft Corporation)
waveedit.exe -> %ProgramFiles%\Nero\Nero 7\Nero WaveEditor\waveedit.exe [C:\Program Files\Nero\Nero 7\Nero WaveEditor\waveedit.exe] ->

[2007/02/28 19:22:46 | 00,788,016 | ---- | M] (Nero AG)
winnt32.exe -> Reg Error: Value does not exist or could not be read. [Reg Error: Value does not exist or could not be read.] -> File not

found
WinRAR.exe -> %ProgramFiles%\WinRAR\WinRAR.exe [C:\Program Files\WinRAR\WinRAR.exe] -> [2007/12/11 23:21:34 | 00,915,968 | ---- | M] ()
Winword.exe -> %SystemDrive%\PROGRA~1\MICROS~2\Office\WINWORD.EXE [C:\PROGRA~1\MICROS~2\Office\WINWORD.EXE] -> [1999/03/17 23:38:10 |

08,798,260 | R--- | M] (Microsoft Corporation)
WMPBurn.exe -> %ProgramFiles%\Nero\Nero 7\Nero Fast CD-DVD Burning Plug-in\WMPBurn.exe [C:\Program Files\Nero\Nero 7\Nero Fast CD-DVD Burning

Plug-in\WMPBurn.exe] -> [2007/03/14 19:20:20 | 01,340,976 | ---- | M] (Nero AG)
wmplayer.exe -> %ProgramFiles%\Windows Media Player\wmplayer.exe [C:\Program Files\Windows Media Player\wmplayer.exe] -> [2004/08/04 01:00:00 |

00,073,728 | ---- | M] (Microsoft Corporation)
WORDPAD.EXE -> %ProgramFiles%\Windows NT\Accessories\WORDPAD.EXE ["%ProgramFiles%\Windows NT\Accessories\WORDPAD.EXE"] -> [2004/08/04 01:00:00

| 00,214,528 | ---- | M] (Microsoft Corporation)
WRITE.EXE -> %ProgramFiles%\Windows NT\Accessories\WORDPAD.EXE ["%ProgramFiles%\Windows NT\Accessories\WORDPAD.EXE"] -> [2004/08/04 01:00:00 |

00,214,528 | ---- | M] (Microsoft Corporation)
XPSViewer.exe -> %SystemRoot%\system32\XPSViewer\XPSViewer.exe ["C:\WINDOWS\system32\XPSViewer\XPSViewer.exe"] -> [2007/10/09 13:03:08 |

00,308,760 | ---- | M] (Microsoft Corporation)
yourapp.Exe -> %SystemRoot%\yourapp.Exe [C:\WINDOWS\yourapp.Exe] -> File not found
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{00022613-0000-0000-C000-000000000046}" [HKLM] -> %SystemRoot%\system32\mmsys.cpl [Multimedia File Property Sheet] -> [2004/08/04 01:00:00 |

00,618,496 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{00BB2763-6A77-11D0-A535-00C04FD7D062}" [HKLM] -> %SystemRoot%\system32\browseui.dll [Microsoft AutoComplete] -> [2008/10/16 03:37:04 |

01,023,488 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{00BB2764-6A77-11D0-A535-00C04FD7D062}" [HKLM] -> %SystemRoot%\system32\browseui.dll [Microsoft History AutoComplete List] -> [2008/10/16

03:37:04 | 01,023,488 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{00BB2765-6A77-11D0-A535-00C04FD7D062}" [HKLM] -> %SystemRoot%\system32\browseui.dll [Microsoft Multiple AutoComplete List Container] ->

[2008/10/16 03:37:04 | 01,023,488 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}" [HKLM] -> %SystemRoot%\system32\shimgvw.DLL [Autoplay for SlideShow] -> [2004/08/04 01:00:00 |

00,438,272 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}" [HKLM] -> %SystemRoot%\system32\browseui.dll [&Address] -> [2008/10/16 03:37:04 | 01,023,488 | ---- |

M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{03C036F1-A186-11D0-824A-00AA005B4383}" [HKLM] -> %SystemRoot%\system32\browseui.dll [Microsoft Shell Folder AutoComplete List] -> [2008/10/16

03:37:04 | 01,023,488 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{0561EC90-CE54-4f0c-9C55-E226110A740C}" [HKLM] -> %SystemRoot%\system32\mmfinfo.dll [Haali Column Provider] -> [2007/12/28 17:04:02 |

00,159,744 | ---- | M] ()
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{07798131-AF23-11d1-9111-00A0C98BA67D}" [HKLM] -> %SystemRoot%\system32\browseui.dll [Web Search] -> [2008/10/16 03:37:04 | 01,023,488 | ----

| M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{08165EA0-E946-11CF-9C87-00AA005127ED}" [HKLM] -> %SystemRoot%\system32\webcheck.dll [WebCheckWebCrawler] -> [2004/08/04 01:00:00 | 00,276,480

| ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{0A89A860-D7B1-11CE-8350-444553540000}" [HKLM] -> %SystemRoot%\system32\shdocvw.dll [Shell Automation Inproc Service] -> [2008/10/16 03:37:04

| 01,494,528 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{0B124F8F-91F0-11D1-B8B5-006008059382}" [HKLM] -> %SystemRoot%\system32\appwiz.cpl [Installed Apps Enumerator] -> [2004/08/04 01:00:00 |

00,549,888 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}" [HKLM] -> %SystemRoot%\system32\cabview.dll [.CAB file viewer] -> [2004/08/04 01:00:00 | 00,084,480 |

---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}" [HKLM] -> %SystemRoot%\system32\dsuiext.dll [Directory Property UI] -> [2004/08/04 01:00:00 |

00,113,152 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}" [HKLM] -> %SystemRoot%\system32\shell32.DLL [Taskbar and Start Menu] -> [2007/10/25 20:36:52 |

08,454,656 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}" [HKLM] -> %SystemRoot%\system32\docprop2.dll [Microsoft DocProp Inplace Droplist Combo Control] ->

[2004/08/04 01:00:00 | 00,048,128 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}" [HKLM] -> %SystemRoot%\System32\cscui.dll [Offline Files Folder Options] -> [2004/08/04 01:00:00 |

00,326,656 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{131A6951-7F78-11D0-A979-00C04FD705A2}" [HKLM] -> %SystemRoot%\system32\shdocvw.dll [ISFBand OC] -> [2008/10/16 03:37:04 | 01,494,528 | ---- |

M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}" [HKLM] -> %SystemRoot%\msagent\agentpsh.dll [Microsoft Agent Character Property Sheet Handler] ->

[2004/08/04 01:00:00 | 00,024,064 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}" [HKLM] -> %SystemRoot%\system32\dsquery.dll [Directory Object Find] -> [2004/08/04 01:00:00 |

00,239,104 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}" [HKLM] -> %SystemRoot%\system32\browseui.dll [In-pane search] -> [2008/10/16 03:37:04 | 01,023,488 |

---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{176d6597-26d3-11d1-b350-080036a75b03}" [HKLM] -> %SystemRoot%\system32\icmui.dll [ICM Scanner Management] -> [2004/08/04 01:00:00 |

00,054,784 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" [HKLM] -> %SystemRoot%\system32\nvshell.dll [Desktop Explorer] -> [2007/09/17 01:07:00 | 00,466,944 |

---- | M] ()
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" [HKLM] -> %SystemRoot%\system32\nvshell.dll [Desktop Explorer Menu] -> [2007/09/17 01:07:00 |

00,466,944 | ---- | M] ()
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" [HKLM] -> %SystemRoot%\system32\nvshell.dll [nView Desktop Context Menu] -> [2007/09/17 01:07:00 |

00,466,944 | ---- | M] ()
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}" [HKLM] -> %SystemRoot%\system32\rshx32.dll [NTFS Security Page] -> [2004/08/04 01:00:00 | 00,039,936 |

---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{21569614-B795-46b1-85F4-E737A8DC09AD}" [HKLM] -> %SystemRoot%\system32\browseui.dll [Shell Search Band] -> [2008/10/16 03:37:04 | 01,023,488

| ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}" [HKLM] -> %CommonProgramFiles%\System\Ole DB\oledb32.dll [Microsoft Data Link] -> [2004/08/04 01:00:00

| 00,487,424 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}" [HKLM] -> %SystemRoot%\system32\browseui.dll [Download Status] -> [2008/10/16 03:37:04 | 01,023,488 |

---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}" [HKLM] -> %SystemRoot%\system32\shdocvw.dll [Search] -> [2008/10/16 03:37:04 | 01,494,528 | ---- | M]

(Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}" [HKLM] -> %SystemRoot%\system32\shdocvw.dll [Help and Support] -> [2008/10/16 03:37:04 | 01,494,528 |

---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}" [HKLM] -> %SystemRoot%\system32\shdocvw.dll [Help and Support] -> [2008/10/16 03:37:04 | 01,494,528 |

---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}" [HKLM] -> %SystemRoot%\system32\shdocvw.dll [Run...] -> [2008/10/16 03:37:04 | 01,494,528 | ---- | M]

(Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}" [HKLM] -> %SystemRoot%\system32\shdocvw.dll [Internet] -> [2008/10/16 03:37:04 | 01,494,528 | ---- |

M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}" [HKLM] -> %SystemRoot%\system32\shdocvw.dll [E-mail] -> [2008/10/16 03:37:04 | 01,494,528 | ---- | M]

(Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}" [HKLM] -> %SystemRoot%\system32\shdocvw.dll [Set Program Access and Defaults] -> [2008/10/16 03:37:04

| 01,494,528 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}" [HKLM] -> %SystemRoot%\system32\docprop2.dll [Microsoft DocProp Inplace Time Control] -> [2004/08/04

01:00:00 | 00,048,128 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{30D02401-6A81-11d0-8274-00C04FD5AE38}" [HKLM] -> %SystemRoot%\system32\browseui.dll [Search Band] -> [2008/10/16 03:37:04 | 01,023,488 | ----

| M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{32714800-2E5F-11d0-8B85-00AA0044F941}" [HKLM] -> %ProgramFiles%\Outlook Express\wabfind.dll [For &People...] -> [2004/08/04 01:00:00 |

00,032,768 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{327669A0-59A7-4be9-B99E-1C9F3A57611A}" [HKLM] -> %SystemRoot%\system32\mmfinfo.dll [Haali Matroska Thumbnail Extractor] -> [2007/12/28

17:04:02 | 00,159,744 | ---- | M] ()
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{352EC2B7-8B9A-11D1-B8AE-006008059382}" [HKLM] -> %SystemRoot%\system32\appwiz.cpl [Shell Application Manager] -> [2004/08/04 01:00:00 |

00,549,888 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}" [HKLM] -> %SystemRoot%\system32\shdocvw.dll [Microsoft Url History Service] -> [2008/10/16 03:37:04 |

01,494,528 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}" [HKLM] -> %SystemRoot%\system32\browseui.dll [Shell DeskBarApp] -> [2008/10/16 03:37:04 | 01,023,488 |

---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}" [HKLM] -> %SystemRoot%\system32\shdocvw.dll [The Internet] -> [2008/10/16 03:37:04 | 01,494,528 | ----

| M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}" [HKLM] -> %SystemRoot%\system32\docprop.dll [OLE Docfile Property Page] -> [2004/08/04 01:00:00 |

00,046,080 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}" [HKLM] -> %SystemRoot%\system32\shimgvw.dll [GDI+ file thumbnail extractor] -> [2004/08/04 01:00:00 |

00,438,272 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}" [HKLM] -> %SystemRoot%\system32\wiashext.dll [Scanners & Cameras] -> [2004/08/04 01:00:00 | 00,589,312

| ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}" [HKLM] -> %SystemRoot%\system32\shmedia.dll [Video Media Properties Handler] -> [2004/08/04 01:00:00 |

00,151,552 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}" [HKLM] -> %SystemRoot%\system32\ntshrui.dll [Shell extensions for sharing] -> [2004/08/04 01:00:00 |

00,143,872 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{41E300E0-78B6-11ce-849B-444553540000}" [HKLM] -> %SystemRoot%\system32\themeui.dll [PlusPack CPL Extension] -> [2004/08/04 01:00:00 |

00,385,536 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{42071712-76d4-11d1-8b24-00a0c9068ff3}" [HKLM] -> %SystemRoot%\system32\deskadp.dll [Display Adapter CPL Extension] -> [2004/08/04 01:00:00 |

00,016,384 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{42071713-76d4-11d1-8b24-00a0c9068ff3}" [HKLM] -> %SystemRoot%\system32\deskmon.dll [Display Monitor CPL Extension] -> [2004/08/04 01:00:00 |

00,016,896 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" [HKLM] -> [Display Panning CPL Extension] -> File not found
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{44121072-A222-48f2-A58A-6D9AD51EBBE9}" [HKLM] -> %SystemRoot%\System32\XPSSHHDR.DLL [Microsoft.XPS.Shell.Thumbnail.1] -> [2007/03/23 06:07:54

| 00,583,504 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{45670FA8-ED97-4F44-BC93-305082590BFB}" [HKLM] -> %SystemRoot%\System32\XPSSHHDR.DLL [Microsoft.XPS.Shell.Metadata.1] -> [2007/03/23 06:07:54

| 00,583,504 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}" [HKLM] -> %SystemRoot%\system32\mydocs.dll [MyDocs Properties] -> [2004/08/04 01:00:00 | 00,090,624 |

---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{4E40F770-369C-11d0-8922-00A024AB2DBB}" [HKLM] -> %SystemRoot%\system32\dssec.dll [DS Security Page] -> [2004/08/04 01:00:00 | 00,051,200 |

---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}" [HKLM] -> %SystemRoot%\system32\SlayerXP.dll [Compatibility Page] -> [2004/08/04 01:00:00 | 00,025,088

| ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{5574006C-28F5-4a65-A28C-74DE6BFBE0BB}" [HKLM] -> %SystemRoot%\system32\mmfinfo.dll [Haali Matroska Shell Property Page] -> [2007/12/28

17:04:02 | 00,159,744 | ---- | M] ()
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{56117100-C0CD-101B-81E2-00AA004AE837}" [HKLM] -> %SystemRoot%\system32\shscrap.dll [Shell Scrap DataHandler] -> [2004/08/04 01:00:00 |

00,027,648 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{58f1f272-9240-4f51-b6d4-fd63d1618591}" [HKLM] -> %SystemRoot%\system32\netplwiz.dll [Get a Passport Wizard] -> [2004/08/04 01:00:00 |

00,875,008 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{59099400-57FF-11CE-BD94-0020AF85B590}" [HKLM] -> %SystemRoot%\system32\diskcopy.dll [Disk Copy Extension] -> [2004/08/04 01:00:00 |

01,501,696 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{596AB062-B4D2-4215-9F74-E9109B0A8153}" [HKLM] -> %SystemRoot%\system32\twext.dll [Previous Versions Property Page] -> [2004/08/04 01:00:00 |

00,044,032 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}" [HKLM] -> %SystemRoot%\system32\ntlanui2.dll [Shell extensions for Microsoft Windows Network objects]

-> [2004/08/04 01:00:00 | 00,014,336 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}" [HKLM] -> %SystemRoot%\System32\icmui.dll [ICM Monitor Management] -> [2004/08/04 01:00:00 |

00,054,784 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{5E6AB780-7743-11CF-A12B-00AA004AE837}" [HKLM] -> %SystemRoot%\system32\browseui.dll [Microsoft Internet Toolbar] -> [2008/10/16 03:37:04 |

01,023,488 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}" [HKLM] -> %SystemRoot%\system32\wuaucpl.cpl [Auto Update Property Sheet Extension] -> [2008/10/16

14:12:20 | 00,213,528 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{60254CA5-953B-11CF-8C96-00AA00B8708C}" [HKLM] -> %SystemRoot%\system32\wshext.dll [Shell extensions for Windows Script Host] -> [2004/08/04

01:00:00 | 00,065,536 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{60fd46de-f830-4894-a628-6fa81bc0190d}" [HKLM] -> %SystemRoot%\system32\photowiz.dll [%DESC_PublishDropTarget%] -> [2004/08/04 01:00:00 |

00,176,128 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{62AE1F9A-126A-11D0-A14B-0800361B1103}" [HKLM] -> %SystemRoot%\system32\dsuiext.dll [Directory Context Menu Verbs] -> [2004/08/04 01:00:00 |

00,113,152 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{63da6ec0-2e98-11cf-8d82-444553540000}" [HKLM] -> %SystemRoot%\system32\msieftp.dll [FTP Folders Webview] -> [2004/08/04 01:00:00 | 00,248,832

| ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{6413BA2C-B461-11d1-A18A-080036B11A03}" [HKLM] -> %SystemRoot%\system32\browseui.dll [Augmented Shell Folder 2] -> [2008/10/16 03:37:04 |

01,023,488 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}" [HKLM] -> %SystemRoot%\system32\shimgvw.dll [Shell Image Data Factory] -> [2004/08/04 01:00:00 |

00,438,272 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{6756A641-DE71-11d0-831B-00AA005B4383}" [HKLM] -> %SystemRoot%\system32\browseui.dll [MRU AutoComplete List] -> [2008/10/16 03:37:04 |

01,023,488 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{675F097E-4C4D-11D0-B6C1-0800091AA605}" [HKLM] -> %SystemRoot%\system32\icmui.dll [ICM Printer Management] -> [2004/08/04 01:00:00 |

00,054,784 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}" [HKLM] -> %SystemRoot%\system32\shdocvw.dll [CDF Extension Copy Hook] -> [2008/10/16 03:37:04 |

01,494,528 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}" [HKLM] -> %SystemRoot%\system32\extmgr.dll [Extensions Manager Folder] -> [2008/10/16 03:37:02 |

00,055,808 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}" [HKLM] -> %SystemRoot%\system32\browseui.dll [Custom MRU AutoCompleted List] -> [2008/10/16 03:37:04 |

01,023,488 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{6A205B57-2567-4A2C-B881-F787FAB579A3}" [HKLM] -> %SystemRoot%\system32\docprop2.dll [Microsoft DocProp Inplace Calendar Control] ->

[2004/08/04 01:00:00 | 00,048,128 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}" [HKLM] -> %SystemRoot%\system32\netplwiz.dll [Shell Publishing Wizard Object] -> [2004/08/04 01:00:00

| 00,875,008 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}" [HKLM] -> %SystemRoot%\system32\NETSHELL.dll [Network Connections] -> [2004/08/04 01:00:00 |

01,708,032 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{7376D660-C583-11d0-A3A5-00C04FD706EC}" [HKLM] -> %SystemRoot%\system32\browseui.dll [TridentImageExtractor] -> [2008/10/16 03:37:04 |

01,023,488 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}" [HKLM] -> %SystemRoot%\system32\cryptext.dll [Crypto PKO Extension] -> [2004/08/04 01:00:00 |

00,053,760 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}" [HKLM] -> %SystemRoot%\system32\cryptext.dll [Crypto Sign Extension] -> [2004/08/04 01:00:00 |

00,053,760 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{750fdf0e-2a26-11d1-a3ea-080036587f03}" [HKLM] -> %SystemRoot%\System32\cscui.dll [Offline Files Menu] -> [2004/08/04 01:00:00 | 00,326,656 |

---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{764BF0E1-F219-11ce-972D-00AA00A14F56}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Shell extensions for file

compression] -> File not found
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{77597368-7b15-11d0-a0c2-080036af3f03}" [HKLM] -> %SystemRoot%\system32\printui.dll [Web Printer Shell Extension] -> [2004/08/04 01:00:00 |

00,560,640 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}" [HKLM] -> %SystemRoot%\system32\mstask.dll [Tasks Folder Shell Extension] -> [2004/08/04 01:00:00 |

00,274,944 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{7988B573-EC89-11cf-9C00-00AA00A14F56}" [HKLM] -> %SystemRoot%\system32\dskquoui.dll [Disk Quota UI] -> [2004/08/04 01:00:00 | 00,144,384 |

---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}" [HKLM] -> %SystemRoot%\System32\mmcshext.dll [MMC Icon Handler] -> [2004/08/04 01:00:00 | 00,050,688 |

dinosaur58 · Jan 16, 2009

OTScanIt log pt3

Log Continued:

< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{7A9D77BD-5403-11d2-8785-2E0420524153}" [HKLM] -> %SystemRoot%\system32\netplwiz.DLL [User Accounts] -> [2004/08/04 01:00:00 | 00,875,008 |

---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}" [HKLM] -> %SystemRoot%\system32\browseui.dll [Microsoft BrowserBand] -> [2008/10/16 03:37:04 |

01,023,488 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}" [HKLM] -> %SystemRoot%\system32\shdocvw.dll [Temporary Internet Files] -> [2008/10/16 03:37:04 |

01,494,528 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}" [HKLM] -> %SystemRoot%\system32\shdocvw.dll [Temporary Internet Files] -> [2008/10/16 03:37:04 |

01,494,528 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}" [HKLM] -> %SystemRoot%\system32\webcheck.dll [Code Download Agent] -> [2004/08/04 01:00:00 |

00,276,480 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{7e653215-fa25-46bd-a339-34a2790f3cb7}" [HKLM] -> %SystemRoot%\system32\browseui.dll [Accessible] -> [2008/10/16 03:37:04 | 01,023,488 | ----

| M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" [HKLM] -> %CommonProgramFiles%\Ahead\Lib\NeroDigitalExt.dll [NeroDigitalPropSheetHandler] ->

[2007/03/14 11:39:32 | 01,807,920 | ---- | M] (Nero AG)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}" [HKLM] -> %SystemRoot%\system32\webcheck.dll [WebCheck SyncMgr Handler] -> [2004/08/04 01:00:00 |

00,276,480 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{83bbcbf3-b28a-4919-a5aa-73027445d672}" [HKLM] -> %SystemRoot%\system32\wiashext.dll [Scanners & Cameras] -> [2004/08/04 01:00:00 | 00,589,312

| ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Encryption Context Menu] -> File not

found
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{85BBD920-42A0-1069-A2E4-08002B30309D}" [HKLM] -> %SystemRoot%\system32\syncui.dll [Briefcase] -> [2004/08/04 01:00:00 | 00,191,488 | ---- |

M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{871C5380-42A0-1069-A2EA-08002B30309D}" [HKLM] -> %SystemRoot%\system32\shdocvw.dll [Internet Name Space] -> [2008/10/16 03:37:04 | 01,494,528

| ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}" [HKLM] -> %SystemRoot%\system32\shmedia.dll [Audio Media Properties Handler] -> [2004/08/04 01:00:00 |

00,151,552 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}" [HKLM] -> %SystemRoot%\system32\shmedia.dll [Avi Properties Handler] -> [2004/08/04 01:00:00 |

00,151,552 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{883373C3-BF89-11D1-BE35-080036B11A03}" [HKLM] -> %SystemRoot%\system32\docprop2.dll [Microsoft DocProp Shell Ext] -> [2004/08/04 01:00:00 |

00,048,128 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{88895560-9AA2-1069-930E-00AA0030EBC8}" [HKLM] -> %SystemRoot%\system32\hticons.dll [HyperTerminal Icon Ext] -> [2004/08/04 01:00:00 |

00,044,544 | ---- | M] (Hilgraeve, Inc.)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}" [HKLM] -> %SystemRoot%\system32\zipfldr.dll [Compressed (zipped) Folder SendTo Target] -> [2004/08/04

01:00:00 | 00,337,920 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{88C6C381-2E85-11D0-94DE-444553540000}" [HKLM] -> %SystemRoot%\system32\occache.dll [ActiveX Cache Folder] -> [2004/08/04 01:00:00 |

00,096,256 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}" [HKLM] -> %SystemRoot%\system32\dsquery.dll [Directory Query UI] -> [2004/08/04 01:00:00 | 00,239,104

| ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{8DD448E6-C188-4aed-AF92-44956194EB1F}" [HKLM] -> %SystemRoot%\system32\wmpshell.dll [Windows Media Player Play as Playlist Context Menu

Handler] -> [2004/08/04 01:00:00 | 00,102,400 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{8EE97210-FD1F-4B19-91DA-67914005F020}" [HKLM] -> %SystemRoot%\system32\docprop2.dll [Microsoft DocProp Inplace ML Edit Box Control] ->

[2004/08/04 01:00:00 | 00,048,128 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{905667aa-acd6-11d2-8080-00805f6596d2}" [HKLM] -> %SystemRoot%\system32\wiashext.dll [Scanners & Cameras] -> [2004/08/04 01:00:00 | 00,589,312

| ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}" [HKLM] -> %SystemRoot%\system32\browseui.dll [Augmented Shell Folder] -> [2008/10/16 03:37:04 |

01,023,488 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}" [HKLM] -> %SystemRoot%\system32\shdocvw.dll [Search Assistant OC] -> [2008/10/16 03:37:04 | 01,494,528

| ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}" [HKLM] -> %ProgramFiles%\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll [NeroCoverEd Live Icons]

-> [2007/02/28 19:21:16 | 01,963,568 | ---- | M] (Nero AG)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{992CFFA0-F557-101A-88EC-00DD010CCC48}" [HKLM] -> %SystemRoot%\system32\NETSHELL.dll [Network Connections] -> [2004/08/04 01:00:00 |

01,708,032 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{9DB7A13C-F208-4981-8353-73CC61AE2783}" [HKLM] -> %SystemRoot%\system32\twext.dll [Previous Versions] -> [2004/08/04 01:00:00 | 00,044,032 |

---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}" [HKLM] -> %SystemRoot%\system32\shimgvw.dll [Summary Info Thumbnail handler (DOCFILES)] -> [2004/08/04

01:00:00 | 00,438,272 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}" [HKLM] -> %SystemRoot%\system32\dsquery.dll [Shell properties for a DS object] -> [2004/08/04 01:00:00

| 00,239,104 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}" [HKLM] -> %SystemRoot%\system32\sendmail.dll [Sendmail service] -> [2004/08/04 01:00:00 | 00,055,296 |

---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}" [HKLM] -> %SystemRoot%\system32\sendmail.dll [Sendmail service] -> [2004/08/04 01:00:00 | 00,055,296 |

---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" [HKLM] -> %ProgramFiles%\Grisoft\AVG Free\avgse.dll [AVG7 Shell Extension] -> [2008/11/12 11:52:56 |

00,050,688 | ---- | M] (GRISOFT, s.r.o.)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" [HKLM] -> %ProgramFiles%\Grisoft\AVG Free\avgse.dll [AVG7 Find Extension] -> [2008/11/12 11:52:56 |

00,050,688 | ---- | M] (GRISOFT, s.r.o.)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{A08C11D2-A228-11d0-825B-00AA005B4383}" [HKLM] -> %SystemRoot%\system32\browseui.dll [Address EditBox] -> [2008/10/16 03:37:04 | 01,023,488 |

---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}" [HKLM] -> %SystemRoot%\system32\shdocvw.dll [IE4 Suite Splash Screen] -> [2008/10/16 03:37:04 |

01,494,528 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}" [HKLM] -> %SystemRoot%\system32\shdocvw.dll [Microsoft Browser Architecture] -> [2008/10/16 03:37:04 |

01,494,528 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}" [HKLM] -> %SystemRoot%\system32\shmedia.dll [Midi Properties Handler] -> [2004/08/04 01:00:00 |

00,151,552 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{A7005AF0-D6E8-48AF-8DFA-023B1CF660A7}" [HKLM] -> %ProgramFiles%\TeraCopy\TeraCopy.dll [TeraCopy] -> [2007/06/21 21:26:50 | 00,324,608 | ----

| M] ()
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{A70C977A-BF00-412C-90B7-034C51DA2439}" [HKLM] -> %SystemRoot%\system32\nvcpl.dll [NvCpl DesktopContext Class] -> [2007/09/17 01:07:00 |

08,491,008 | ---- | M] (NVIDIA Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}" [HKLM] -> %SystemRoot%\system32\docprop2.dll [Microsoft DocProp Inplace Edit Box Control] ->

[2004/08/04 01:00:00 | 00,048,128 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}" [HKLM] -> %SystemRoot%\system32\webcheck.dll [Subscription Mgr] -> [2004/08/04 01:00:00 | 00,276,480 |

---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{acf35015-526e-4230-9596-becbe19f0ac9}" [HKLM] -> %SystemRoot%\system32\browseui.dll [Track Popup Bar] -> [2008/10/16 03:37:04 | 01,023,488 |

---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{add36aa8-751a-4579-a266-d66f5202ccbb}" [HKLM] -> %SystemRoot%\system32\netplwiz.dll [Print Ordering via the Web] -> [2004/08/04 01:00:00 |

00,875,008 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}" [HKLM] -> %SystemRoot%\system32\browseui.dll [Registry Tree Options Utility] -> [2008/10/16 03:37:04 |

01,023,488 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}" [HKLM] -> %SystemRoot%\System32\cscui.dll [Offline Files Folder] -> [2004/08/04 01:00:00 | 00,326,656

| ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{B327765E-D724-4347-8B16-78AE18552FC3}" [HKLM] -> %CommonProgramFiles%\Ahead\Lib\NeroDigitalExt.dll [NeroDigitalIconHandler] -> [2007/03/14

11:39:32 | 01,807,920 | ---- | M] (Nero AG)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" [HKLM] -> %ProgramFiles%\WinRAR\rarext.dll [WinRAR shell extension] -> [2006/12/03 14:53:06 |

00,126,464 | ---- | M] ()
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{B7056B8E-4F99-44f8-8CBD-282390FE5428}" [HKLM] -> %ProgramFiles%\VirtualCloneDrive\ElbyVCDShell.dll [VirtualCloneDrive] -> [2006/02/18

17:46:16 | 00,069,632 | ---- | M] (Elaborate Bytes AG)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{BD472F60-27FA-11cf-B8B4-444553540000}" [HKLM] -> %SystemRoot%\system32\zipfldr.dll [Compressed (zipped) Folder Right Drag Handler] ->

[2004/08/04 01:00:00 | 00,337,920 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{BD84B380-8CA2-1069-AB1D-08000948F534}" [HKLM] -> %SystemRoot%\system32\fontext.dll [Fonts] -> [2004/08/04 01:00:00 | 00,382,976 | ---- | M]

(Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{c5a40261-cd64-4ccf-84cb-c394da41d590}" [HKLM] -> %SystemRoot%\system32\shmedia.dll [Video Thumbnail Extractor] -> [2004/08/04 01:00:00 |

00,151,552 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}" [HKLM] -> %SystemRoot%\system32\netplwiz.dll [Web Publishing Wizard] -> [2004/08/04 01:00:00 |

00,875,008 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}" [HKLM] -> %SystemRoot%\system32\wmpshell.dll [Windows Media Player Burn Audio CD Context Menu Handler]

-> [2004/08/04 01:00:00 | 00,102,400 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" [HKLM] -> %SystemRoot%\system32\shdocvw.dll [Microsoft Url Search Hook] -> [2008/10/16 03:37:04 |

01,494,528 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{CFCCC7A0-A282-11D1-9082-006008059382}" [HKLM] -> %SystemRoot%\system32\appwiz.cpl [Darwin App Publisher] -> [2004/08/04 01:00:00 | 00,549,888

| ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{D20EA4E1-3957-11d2-A40B-0C5020524152}" [HKLM] -> %SystemRoot%\system32\shdocvw.dll [Fonts] -> [2008/10/16 03:37:04 | 01,494,528 | ---- | M]

(Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{D20EA4E1-3957-11d2-A40B-0C5020524153}" [HKLM] -> %SystemRoot%\system32\shdocvw.dll [Administrative Tools] -> [2008/10/16 03:37:04 |

01,494,528 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}" [HKLM] -> %SystemRoot%\system32\mstask.dll [Scheduled Tasks] -> [2004/08/04 01:00:00 | 00,274,944 |

---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}" [HKLM] -> %SystemRoot%\system32\webcheck.dll [PostAgent] -> [2004/08/04 01:00:00 | 00,276,480 | ---- |

M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}" [HKLM] -> %SystemRoot%\system32\icmui.dll [ICC Profile] -> [2004/08/04 01:00:00 | 00,054,784 | ---- |

M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}" [HKLM] -> %SystemRoot%\system32\mstask.dll [Tasks Folder Icon Handler] -> [2004/08/04 01:00:00 |

00,274,944 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}" [HKLM] -> %SystemRoot%\system32\browseui.dll [User Assist] -> [2008/10/16 03:37:04 | 01,023,488 | ----

| M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}" [HKLM] -> %SystemRoot%\system32\wiashext.dll [Scanners & Cameras] -> [2004/08/04 01:00:00 | 00,589,312

| ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" [HKLM] -> %SystemRoot%\system32\dfshim.dll [Shell Icon Handler for Application References] ->

[2007/10/24 01:47:28 | 00,096,760 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}" [HKLM] -> %SystemRoot%\system32\webcheck.dll [WebCheckChannelAgent] -> [2004/08/04 01:00:00 |

00,276,480 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}" [HKLM] -> %SystemRoot%\system32\shmedia.dll [Wav Properties Handler] -> [2004/08/04 01:00:00 |

00,151,552 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{E4D8441D-F89C-4b5c-90AC-A857E1768F1F}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Haali Matroska Thumbnail Exctractor]

-> File not found
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" [HKLM] -> %SystemRoot%\system32\upnpui.dll [Universal Plug and Play Devices] -> [2004/08/04 01:00:00 |

00,239,616 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}" [HKLM] -> %SystemRoot%\system32\webcheck.dll [ConnectionAgent] -> [2004/08/04 01:00:00 | 00,276,480 |

---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" [HKLM] -> %SystemRoot%\system32\webcheck.dll [WebCheck] -> [2004/08/04 01:00:00 | 00,276,480 | ---- |

M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}" [HKLM] -> %SystemRoot%\system32\shdocvw.dll [Shell DocObject Viewer] -> [2008/10/16 03:37:04 |

01,494,528 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}" [HKLM] -> %SystemRoot%\system32\dfshim.dll [ShellLink for Application References] -> [2007/10/24

01:47:28 | 00,096,760 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{e84fda7c-1d6a-45f6-b725-cb260c236066}" [HKLM] -> %SystemRoot%\system32\shimgvw.dll [Shell Image Verbs] -> [2004/08/04 01:00:00 | 00,438,272 |

---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31}" [HKLM] -> %SystemRoot%\system32\zipfldr.dll [Compressed (zipped) Folder] -> [2004/08/04 01:00:00 |

00,337,920 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}" [HKLM] -> %SystemRoot%\system32\webcheck.dll [TrayAgent] -> [2004/08/04 01:00:00 | 00,276,480 | ---- |

M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{EAB841A0-9550-11cf-8C16-00805F1408F3}" [HKLM] -> %SystemRoot%\system32\shimgvw.dll [HTML Thumbnail Extractor] -> [2004/08/04 01:00:00 |

00,438,272 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}" [HKLM] -> %SystemRoot%\system32\shimgvw.dll [Shell Image Property Handler] -> [2004/08/04 01:00:00 |

00,438,272 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}" [HKLM] -> %SystemRoot%\system32\dfsshlex.dll [DfsShell] -> [2004/08/04 01:00:00 | 00,028,672 | ---- |

M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}" [HKLM] -> %SystemRoot%\system32\browseui.dll [Shell DeskBar] -> [2008/10/16 03:37:04 | 01,023,488 |

---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}" [HKLM] -> %SystemRoot%\system32\browseui.dll [Shell Rebar BandSite] -> [2008/10/16 03:37:04 |

01,023,488 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}" [HKLM] -> %SystemRoot%\system32\browseui.dll [Shell Band Site Menu] -> [2008/10/16 03:37:04 |

01,023,488 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{ECF03A32-103D-11d2-854D-006008059367}" [HKLM] -> %SystemRoot%\system32\mydocs.dll [MyDocs Drop Target] -> [2004/08/04 01:00:00 | 00,090,624 |

---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{ECF03A33-103D-11d2-854D-006008059367}" [HKLM] -> %SystemRoot%\system32\mydocs.dll [MyDocs Copy Hook] -> [2004/08/04 01:00:00 | 00,090,624 |

---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}" [HKLM] -> %SystemRoot%\system32\browseui.dll [Global Folder Settings] -> [2008/10/16 03:37:04 |

01,023,488 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}" [HKLM] -> %SystemRoot%\system32\shdocvw.dll [Favorites Band] -> [2008/10/16 03:37:04 | 01,494,528 |

---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}" [HKLM] -> %SystemRoot%\system32\shdocvw.dll [Explorer Band] -> [2008/10/16 03:37:04 | 01,494,528 |

---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{F0152790-D56E-4445-850E-4F3117DB740C}" [HKLM] -> %SystemRoot%\system32\remotepg.dll [Remote Sessions CPL Extension] -> [2004/08/04 01:00:00 |

00,060,416 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{F020E586-5264-11d1-A532-0000F8757D7E}" [HKLM] -> %SystemRoot%\system32\dsquery.dll [Directory Start/Search Find] -> [2004/08/04 01:00:00 |

00,239,104 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" [HKLM] -> %ProgramFiles%\Real\RealPlayer\rpshell.dll [Shell Extensions for RealOne Player] ->

[2007/10/23 23:59:20 | 00,054,848 | ---- | M] (RealNetworks, Inc.)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}" [HKLM] -> %SystemRoot%\system32\wmpshell.dll [Windows Media Player Add to Playlist Context Menu

Handler] -> [2004/08/04 01:00:00 | 00,102,400 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}" [HKLM] -> %SystemRoot%\system32\rshx32.dll [Printers Security Page] -> [2004/08/04 01:00:00 |

00,039,936 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}" [HKLM] -> %SystemRoot%\system32\cdfview.dll [Channel File] -> [2008/10/16 03:37:02 | 00,151,040 | ----

| M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}" [HKLM] -> %SystemRoot%\system32\cdfview.dll [Channel Shortcut] -> [2008/10/16 03:37:02 | 00,151,040 |

---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}" [HKLM] -> %SystemRoot%\system32\cdfview.dll [Channel Handler Object] -> [2008/10/16 03:37:02 |

00,151,040 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}" [HKLM] -> %SystemRoot%\system32\cdfview.dll [Channel Menu] -> [2008/10/16 03:37:02 | 00,151,040 | ----

| M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}" [HKLM] -> %SystemRoot%\system32\cdfview.dll [Channel Properties] -> [2008/10/16 03:37:02 | 00,151,040

| ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{F5175861-2688-11d0-9C5E-00AA00A45957}" [HKLM] -> %SystemRoot%\system32\webcheck.dll [Subscription Folder] -> [2004/08/04 01:00:00 |

00,276,480 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}" [HKLM] -> %SystemRoot%\system32\browseui.dll [BandProxy] -> [2008/10/16 03:37:04 | 01,023,488 | ---- |

M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}" [HKLM] -> %SystemRoot%\system32\ntshrui.dll [Shell extensions for sharing] -> [2004/08/04 01:00:00 |

00,143,872 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}" [HKLM] -> %SystemRoot%\system32\deskperf.dll [Display TroubleShoot CPL Extension] -> [2004/08/04

01:00:00 | 00,018,432 | ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}" [HKLM] -> %SystemRoot%\system32\wiashext.dll [Scanners & Cameras] -> [2004/08/04 01:00:00 | 00,589,312

| ---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}" [HKLM] -> %SystemRoot%\system32\shdocvw.dll [InternetShortcut] -> [2008/10/16 03:37:04 | 01,494,528 |

---- | M] (Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{FF393560-C2A7-11CF-BFF4-444553540000}" [HKLM] -> %SystemRoot%\system32\shdocvw.dll [History] -> [2008/10/16 03:37:04 | 01,494,528 | ---- | M]

(Microsoft Corporation)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

->
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" [HKLM] -> %SystemRoot%\system32\nvcpl.dll [Play on my TV helper] -> [2007/09/17 01:07:00 | 08,491,008

| ---- | M] (NVIDIA Corporation)
< Approved Shell Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved ->
"" [HKLM] -> Reg Error: Key does not exist or could not be opened. [] -> File not found
< Approved Shell Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved ->
"{BDEADF00-C265-11d0-BCED-00A0C90AB50F}" [HKLM] -> %SystemDrive%\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL [Web Folders] -> [2001/05/19

22:57:40 | 00,561,209 | ---- | M] ()
< Approved Shell Extensions [HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\] > ->

HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved ->
"" [HKLM] -> Reg Error: Key does not exist or could not be opened. [] -> File not found
< Approved Shell Extensions [HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\] > ->

HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved ->
"{BDEADF00-C265-11d0-BCED-00A0C90AB50F}" [HKLM] -> %SystemDrive%\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL [Web Folders] -> [2001/05/19

22:57:40 | 00,561,209 | ---- | M] ()
< ColumnHandlers - Folder [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\ ->
{0561EC90-CE54-4f0c-9C55-E226110A740C} [HKLM] -> %SystemRoot%\system32\mmfinfo.dll [Haali Column Provider] -> [2007/12/28 17:04:02 | 00,159,744

| ---- | M] ()
{7D4D6379-F301-4311-BEBA-E26EB0561882} [HKLM] -> %CommonProgramFiles%\Ahead\Lib\NeroDigitalExt.dll [NeroDigitalColumnHandler Class] ->

[2007/03/14 11:39:32 | 01,807,920 | ---- | M] (Nero AG)
{F9DB5320-233E-11D1-9F84-707F02C10627} [HKLM] -> %CommonProgramFiles%\Adobe\Acrobat\ActiveX\PDFShell.dll [PDF Shell Extension] -> [2008/06/11

22:49:10 | 00,378,200 | ---- | M] (Adobe Systems, Inc.)
< ContextMenuHandlers - * [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\Software\Classes\*\shell\ ->
sdfiles -> %ProgramFiles%\Spybot - Search & Destroy\SDFiles.exe ["C:\Program Files\Spybot - Search & Destroy\SDFiles.exe" "%1" /ask] ->

[2008/07/07 09:36:46 | 01,430,016 | ---- | M] (Safer Networking Limited)
TeraCopy -> %ProgramFiles%\TeraCopy\add.exe [C:\Program Files\TeraCopy\add.exe Add "%L"] -> [2007/08/07 05:59:46 | 00,041,472 | ---- | M] ()
< ContextMenuHandlers - * [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\ ->
{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208} [HKLM] -> %ProgramFiles%\Nero\Nero 7\Nero BackItUp\NBShell.dll [NBShellHook Class] -> [2007/03/14

19:19:16 | 00,079,408 | ---- | M] (Nero AG)
< ContextMenuHandlers - * [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\ ->
(AVG Anti-Spyware):{8934FCEF-F5B8-468f-951F-78A921CD3920} [HKLM] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\context.dll [CContextScan

Object] -> [2008/03/25 19:48:24 | 00,144,944 | ---- | M] (GRISOFT s.r.o.)
< ContextMenuHandlers - * [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\ ->
(AVG7 Shell Extension):{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} [HKLM] -> %ProgramFiles%\Grisoft\AVG Free\avgse.dll [AVG7 Shell Extension Class]

-> [2008/11/12 11:52:56 | 00,050,688 | ---- | M] (GRISOFT, s.r.o.)
< ContextMenuHandlers - * [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\ ->
(Cover Designer):{73FCA462-9BD5-4065-A73F-A8E5F6904EF7} [HKLM] -> %ProgramFiles%\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll

[NeroCoverEdContextMenu Class] -> [2007/02/28 19:21:16 | 01,963,568 | ---- | M] (Nero AG)
< ContextMenuHandlers - * [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\ ->
(MagicISO):{DB85C504-C730-49DD-BEC1-7B39C6103B7A} [HKLM] -> %ProgramFiles%\MagicISO\misosh.dll [MShellExtMenu Class] -> [2006/06/05 14:06:22 |

00,020,992 | ---- | M] (MagicISO, Inc.)
< ContextMenuHandlers - * [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\ ->
(Offline Files):{750fdf0e-2a26-11d1-a3ea-080036587f03} [HKLM] -> %SystemRoot%\System32\cscui.dll [Offline Files Menu] -> [2004/08/04 01:00:00 |

00,326,656 | ---- | M] (Microsoft Corporation)
< ContextMenuHandlers - * [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\ ->
(ShellExtension): [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Value does not exist or could not be read.] ->

File not found
< ContextMenuHandlers - * [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\ ->
(WinRAR):{B41DB860-8EE4-11D2-9906-E49FADC173CA} [HKLM] -> %ProgramFiles%\WinRAR\rarext.dll [WinRAR] -> [2006/12/03 14:53:06 | 00,126,464 | ----

| M] ()
< ContextMenuHandlers - AllFilesystemObjects [HKEY_LOCAL_MACHINE\] > ->

HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\ ->
(MBAMShlExt):{57CE581A-0CB6-4266-9CA0-19364C90A0B3} [HKLM] -> %ProgramFiles%\Malwarebytes' Anti-Malware\mbamext.dll [MBAMShlExt Class] ->

[2008/09/08 00:11:02 | 00,073,392 | ---- | M] (Malwarebytes Corporation)
< ContextMenuHandlers - Directory [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\Software\Classes\Directory\shell\ ->
find -> %SystemRoot%\Explorer.exe [%SystemRoot%\Explorer.exe] -> [2007/06/13 03:23:08 | 01,033,216 | ---- | M] (Microsoft Corporation)
< ContextMenuHandlers - Directory [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\ ->
(AVG Anti-Spyware):{8934FCEF-F5B8-468f-951F-78A921CD3920} [HKLM] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\context.dll [CContextScan

Object] -> [2008/03/25 19:48:24 | 00,144,944 | ---- | M] (GRISOFT s.r.o.)
< ContextMenuHandlers - Directory [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\ ->
(MagicISO):{DB85C504-C730-49DD-BEC1-7B39C6103B7A} [HKLM] -> %ProgramFiles%\MagicISO\misosh.dll [MShellExtMenu Class] -> [2006/06/05 14:06:22 |

00,020,992 | ---- | M] (MagicISO, Inc.)
< ContextMenuHandlers - Directory [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\ ->
(Offline Files):{750fdf0e-2a26-11d1-a3ea-080036587f03} [HKLM] -> %SystemRoot%\System32\cscui.dll [Offline Files Menu] -> [2004/08/04 01:00:00 |

00,326,656 | ---- | M] (Microsoft Corporation)
< ContextMenuHandlers - Directory [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\ ->
(Sharing):{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} [HKLM] -> %SystemRoot%\system32\ntshrui.dll [Shell extensions for sharing] -> [2004/08/04

01:00:00 | 00,143,872 | ---- | M] (Microsoft Corporation)
< ContextMenuHandlers - Directory [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\ ->
(ShellExtension): [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Value does not exist or could not be read.] ->

File not found
< ContextMenuHandlers - Directory [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\ ->
(WinRAR):{B41DB860-8EE4-11D2-9906-E49FADC173CA} [HKLM] -> %ProgramFiles%\WinRAR\rarext.dll [WinRAR] -> [2006/12/03 14:53:06 | 00,126,464 | ----

| M] ()
< ContextMenuHandlers - Directory\Background [HKEY_LOCAL_MACHINE\] > ->

HKEY_LOCAL_MACHINE\Software\Classes\Directory\Background\shellex\ContextMenuHandlers\ ->
(00nView):{1E9B04FB-F9E5-4718-997B-B8DA88302A48} [HKLM] -> %SystemRoot%\system32\nvshell.dll [nView Desktop Context Menu] -> [2007/09/17

01:07:00 | 00,466,944 | ---- | M] ()
< ContextMenuHandlers - Directory\Background [HKEY_LOCAL_MACHINE\] > ->

HKEY_LOCAL_MACHINE\Software\Classes\Directory\Background\shellex\ContextMenuHandlers\ ->
(NvCplDesktopContext):{A70C977A-BF00-412C-90B7-034C51DA2439} [HKLM] -> %SystemRoot%\system32\nvcpl.dll [DesktopContext Class] -> [2007/09/17

01:07:00 | 08,491,008 | ---- | M] (NVIDIA Corporation)
< ContextMenuHandlers - Folder [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\Software\Classes\Folder\shell\ ->
explore -> %SystemRoot%\Explorer.exe [%SystemRoot%\Explorer.exe /e,/idlist,%I,%L] -> [2007/06/13 03:23:08 | 01,033,216 | ---- | M] (Microsoft

Corporation)
open -> %SystemRoot%\Explorer.exe [%SystemRoot%\Explorer.exe /idlist,%I,%L] -> [2007/06/13 03:23:08 | 01,033,216 | ---- | M] (Microsoft

Corporation)
sdfiles -> %ProgramFiles%\Spybot - Search & Destroy\SDFiles.exe ["C:\Program Files\Spybot - Search & Destroy\SDFiles.exe" "%1" /ask] ->

[2008/07/07 09:36:46 | 01,430,016 | ---- | M] (Safer Networking Limited)
TeraCopy -> %ProgramFiles%\TeraCopy\add.exe [C:\Program Files\TeraCopy\add.exe Add "%L"] -> [2007/08/07 05:59:46 | 00,041,472 | ---- | M] ()
< ContextMenuHandlers - Folder [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\ ->
{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208} [HKLM] -> %ProgramFiles%\Nero\Nero 7\Nero BackItUp\NBShell.dll [NBShellHook Class] -> [2007/03/14

19:19:16 | 00,079,408 | ---- | M] (Nero AG)
< ContextMenuHandlers - Folder [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\ ->
(AVG7 Shell Extension):{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} [HKLM] -> %ProgramFiles%\Grisoft\AVG Free\avgse.dll [AVG7 Shell Extension Class]

-> [2008/11/12 11:52:56 | 00,050,688 | ---- | M] (GRISOFT, s.r.o.)
< ContextMenuHandlers - Folder [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\ ->
(MagicISO):{DB85C504-C730-49DD-BEC1-7B39C6103B7A} [HKLM] -> %ProgramFiles%\MagicISO\misosh.dll [MShellExtMenu Class] -> [2006/06/05 14:06:22 |

00,020,992 | ---- | M] (MagicISO, Inc.)
< ContextMenuHandlers - Folder [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\ ->
(MBAMShlExt):{57CE581A-0CB6-4266-9CA0-19364C90A0B3} [HKLM] -> %ProgramFiles%\Malwarebytes' Anti-Malware\mbamext.dll [MBAMShlExt Class] ->

[2008/09/08 00:11:02 | 00,073,392 | ---- | M] (Malwarebytes Corporation)
< ContextMenuHandlers - Folder [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\ ->
(WinRAR):{B41DB860-8EE4-11D2-9906-E49FADC173CA} [HKLM] -> %ProgramFiles%\WinRAR\rarext.dll [WinRAR] -> [2006/12/03 14:53:06 | 00,126,464 | ----

| M] ()
< ControlSets > -> HKEY_LOCAL_MACHINE\SYSTEM\Select ->
HKEY_LOCAL_MACHINE\SYSTEM\Select
\\"Current" -> [2] -> File not found
\\"Default" -> [2] -> File not found
\\"Failed" -> [1] -> File not found
\\"LastKnownGood" -> [4] -> File not found
< Disabled MSConfig Folder Items [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\ ->
C:^DOCUME~1^ADMINI~1.COM^Start Menu^Programs^Startup^QuickShelf 2000.lnk -> %SystemDrive%\PROGRA~1\MICROS~4\BOOKSH~1\qshelf2k.exe ->

[2007/10/24 23:54:04 | 00,110,592 | ---- | M] (Microsoft Corporation)
C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk ->

%SystemDrive%\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE -> [2000/10/11 18:08:00 | 00,113,664 | ---- | M] (Adobe Systems, Inc.)
C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk -> %SystemDrive%\PROGRA~1\MICROS~2\Office\OSA9.EXE

-> [1999/02/17 14:05:56 | 00,065,588 | ---- | M] (Microsoft Corporation)
< Disabled MSConfig State [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state ->
"bootini" -> 0 ->
"services" -> 0 ->
"startup" -> 2 ->
"system.ini" -> 0 ->
"win.ini" -> 0 ->
< File Associations - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\ ->
.bat [@ = batfile] -> "%1" %* ->
.chm [@ = chm.file] -> %SystemRoot%\hh.exe -> [2005/05/26 16:22:02 | 00,010,752 | ---- | M] (Microsoft Corporation)
.cmd [@ = cmdfile] -> "%1" %* ->
.com [@ = ComFile] -> "%1" %* ->
.cpl [@ = cplfile] -> %SystemRoot%\system32\shell32.DLL -> [2007/10/25 20:36:52 | 08,454,656 | ---- | M] (Microsoft Corporation)
.exe [@ = exefile] -> "%1" %* ->
.hlp [@ = hlpfile] -> %SystemRoot%\System32\winhlp32.exe -> [2004/08/04 01:00:00 | 00,008,192 | ---- | M] (Microsoft Corporation)
.hta [@ = htafile] -> %SystemRoot%\system32\mshta.exe -> [2004/08/04 01:00:00 | 00,029,184 | ---- | M] (Microsoft Corporation)
.html [@ = FirefoxHTML] -> %SystemDrive%\PROGRA~1\MOZILL~1\FIREFOX.EXE -> [2008/07/23 20:12:36 | 07,667,312 | ---- | M] (Mozilla Corporation)
.inf [@ = inffile] -> %SystemRoot%\System32\NOTEPAD.EXE -> [2004/08/04 01:00:00 | 00,069,120 | ---- | M] (Microsoft Corporation)
.ini [@ = inifile] -> %SystemRoot%\System32\NOTEPAD.EXE -> [2004/08/04 01:00:00 | 00,069,120 | ---- | M] (Microsoft Corporation)
.url [@ = InternetShortcut] -> %SystemRoot%\system32\shdocvw.DLL -> [2008/10/16 03:37:04 | 01,494,528 | ---- | M] (Microsoft Corporation)
.js [@ = JSFile] -> %SystemRoot%\System32\WScript.exe -> [2004/08/04 01:00:00 | 00,114,688 | ---- | M] (Microsoft Corporation)
.jse [@ = JSEFile] -> %SystemRoot%\System32\WScript.exe -> [2004/08/04 01:00:00 | 00,114,688 | ---- | M] (Microsoft Corporation)
.pif [@ = piffile] -> "%1" %* ->
.reg [@ = regfile] -> %SystemRoot%\regedit.exe -> [2004/08/04 01:00:00 | 00,146,432 | ---- | M] (Microsoft Corporation)
.scr [@ = scrfile] -> "%1" /S ->
.txt [@ = txtfile] -> %SystemRoot%\system32\NOTEPAD.EXE -> [2004/08/04 01:00:00 | 00,069,120 | ---- | M] (Microsoft Corporation)
.vbe [@ = VBEFile] -> %SystemRoot%\System32\WScript.exe -> [2004/08/04 01:00:00 | 00,114,688 | ---- | M] (Microsoft Corporation)
.vbs [@ = VBSFile] -> %SystemRoot%\System32\WScript.exe -> [2004/08/04 01:00:00 | 00,114,688 | ---- | M] (Microsoft Corporation)
.wsf [@ = WSFFile] -> %SystemRoot%\System32\WScript.exe -> [2004/08/04 01:00:00 | 00,114,688 | ---- | M] (Microsoft Corporation)
.wsh [@ = WSHFile] -> %SystemRoot%\System32\WScript.exe -> [2004/08/04 01:00:00 | 00,114,688 | ---- | M] (Microsoft Corporation)
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost > -> ->
*netsvcs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs ->
6to4 -> [] ->
HidServ -> C:\WINDOWS\System32\hidserv.dll [C:\WINDOWS\System32\hidserv.dll] -> File not found
Ias -> [] ->
Iprip -> [] ->
Irmon -> [] ->
NWCWorkstation -> [] ->
Nwsapagent -> [] ->
WmdmPmSp -> [] ->
helpsvc -> C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll [C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll] -> [2004/08/04 01:00:00 |

00,038,912 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> ->
< NeverShowExt [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Classes\ ->
lnkfile\\"NeverShowExt" -> ->
piffile\\"NeverShowExt" -> ->
SHCmdFile\\"NeverShowExt" -> ->
< Hidden File Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden

->

dinosaur58 · Jan 16, 2009

OTScanIt log pt4 Final

Log file conclusion:

\\"Text" -> %SystemRoot%\system32\shell32.dll [@shell32.dll,-30499] -> [2007/10/25 20:36:52 | 08,454,656 | ---- | M] (Microsoft Corporation)
\\"Type" -> [group] -> File not found
\\"Bitmap" -> %SystemRoot%\system32\SHELL32.dll [%SystemRoot%\system32\SHELL32.dll,4] -> [2007/10/25 20:36:52 | 08,454,656 | ---- | M]

(Microsoft Corporation)
\\"HelpID" -> [shell.hlp#51131] -> File not found
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN
\NOHIDDEN\\"RegPath" -> [Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] -> File not found
\NOHIDDEN\\"Text" -> %SystemRoot%\system32\shell32.dll [@shell32.dll,-30501] -> [2007/10/25 20:36:52 | 08,454,656 | ---- | M] (Microsoft

Corporation)
\NOHIDDEN\\"Type" -> [radio] -> File not found
\NOHIDDEN\\"CheckedValue" -> [2] -> File not found
\NOHIDDEN\\"ValueName" -> [Hidden] -> File not found
\NOHIDDEN\\"DefaultValue" -> [2] -> File not found
\NOHIDDEN\\"HKeyRoot" -> [-2147483647] -> File not found
\NOHIDDEN\\"HelpID" -> [shell.hlp#51104] -> File not found
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
\SHOWALL\\"RegPath" -> [Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] -> File not found
\SHOWALL\\"Text" -> %SystemRoot%\system32\shell32.dll [@shell32.dll,-30500] -> [2007/10/25 20:36:52 | 08,454,656 | ---- | M] (Microsoft

Corporation)
\SHOWALL\\"Type" -> [radio] -> File not found
\SHOWALL\\"CheckedValue" -> [1] -> File not found
\SHOWALL\\"ValueName" -> [Hidden] -> File not found
\SHOWALL\\"DefaultValue" -> [2] -> File not found
\SHOWALL\\"HKeyRoot" -> [-2147483647] -> File not found
\SHOWALL\\"HelpID" -> [shell.hlp#51105] -> File not found
< Hidden File Settings [HKEY_LOCAL_MACHINE] > ->

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
\\"Type" -> [checkbox] -> File not found
\\"Text" -> %SystemRoot%\system32\shell32.dll [@shell32.dll,-30503] -> [2007/10/25 20:36:52 | 08,454,656 | ---- | M] (Microsoft Corporation)
\\"HKeyRoot" -> [-2147483647] -> File not found
\\"RegPath" -> [Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] -> File not found
\\"ValueName" -> [HideFileExt] -> File not found
\\"CheckedValue" -> [1] -> File not found
\\"UncheckedValue" -> [0] -> File not found
\\"DefaultValue" -> [1] -> File not found
\\"HelpID" -> [shell.hlp#51101] -> File not found
< Hidden File Settings [HKEY_LOCAL_MACHINE] > ->

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
\\"Type" -> [checkbox] -> File not found
\\"Text" -> %SystemRoot%\system32\shell32.dll [@shell32.dll,-30508] -> [2007/10/25 20:36:52 | 08,454,656 | ---- | M] (Microsoft Corporation)
\\"WarningIfNotDefault" -> %SystemRoot%\system32\shell32.dll [@shell32.dll,-28964] -> [2007/10/25 20:36:52 | 08,454,656 | ---- | M] (Microsoft

Corporation)
\\"HKeyRoot" -> [-2147483647] -> File not found
\\"RegPath" -> [Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] -> File not found
\\"ValueName" -> [ShowSuperHidden] -> File not found
\\"CheckedValue" -> [0] -> File not found
\\"UncheckedValue" -> [1] -> File not found
\\"DefaultValue" -> [0] -> File not found
\\"HelpID" -> [shell.hlp#51103] -> File not found
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\Policy\DontShowSuperHidden
\Policy\DontShowSuperHidden\\"" -> [] -> File not found
< Hidden File Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ->
\\"Hidden" -> 1 ->
\\"HideFileExt" -> 0 ->
\\"ShowSuperHidden" -> 1 ->
< Print Monitors [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ ->
BJ Language Monitor -> %SystemRoot%\system32\cnbjmon.dll -> [2004/08/04 01:00:00 | 00,047,104 | ---- | M] (Microsoft Corporation)
Local Port -> %SystemRoot%\system32\localspl.dll -> [2004/08/04 01:00:00 | 00,341,504 | ---- | M] (Microsoft Corporation)
PJL Language Monitor -> %SystemRoot%\system32\pjlmon.dll -> [2004/08/04 01:00:00 | 00,015,360 | ---- | M] (Microsoft Corporation)
Standard TCP/IP Port -> %SystemRoot%\system32\tcpmon.dll -> [2004/08/04 01:00:00 | 00,045,568 | ---- | M] (Microsoft Corporation)
USB Monitor -> %SystemRoot%\system32\usbmon.dll -> [2004/08/04 01:00:00 | 00,016,896 | ---- | M] (Microsoft Corporation)
< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
ipp: [HKLM] -> No CLSID value
ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} [HKLM] -> %SystemDrive%\PROGRA~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL[Microsoft OLE DB

Moniker Binder for Internet Publishing] -> [2002/05/24 12:22:16 | 00,532,480 | ---- | M] (Microsoft Corporation)
msdaipp: [HKLM] -> No CLSID value
msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} [HKLM] -> %SystemDrive%\PROGRA~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL[Microsoft OLE DB

Moniker Binder for Internet Publishing] -> [2002/05/24 12:22:16 | 00,532,480 | ---- | M] (Microsoft Corporation)
msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} [HKLM] -> %SystemDrive%\PROGRA~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL[MSDAIPP.BINDER] ->

[2002/05/24 12:22:16 | 00,532,480 | ---- | M] (Microsoft Corporation)
< SafeBoot-Minimal Settings > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ ->
{36FC9E60-C465-11CF-8056-444553540000} -> Universal Serial Bus controllers
{4D36E965-E325-11CE-BFC1-08002BE10318} -> CD-ROM Drive
{4D36E967-E325-11CE-BFC1-08002BE10318} -> DiskDrive
{4D36E969-E325-11CE-BFC1-08002BE10318} -> Standard floppy disk controller
{4D36E96A-E325-11CE-BFC1-08002BE10318} -> Hdc
{4D36E96B-E325-11CE-BFC1-08002BE10318} -> Keyboard
{4D36E96F-E325-11CE-BFC1-08002BE10318} -> Mouse
{4D36E977-E325-11CE-BFC1-08002BE10318} -> PCMCIA Adapters
{4D36E97B-E325-11CE-BFC1-08002BE10318} -> SCSIAdapter
{4D36E97D-E325-11CE-BFC1-08002BE10318} -> System
{4D36E980-E325-11CE-BFC1-08002BE10318} -> Floppy disk drive
{71A27CDD-812A-11D0-BEC7-08002BE2092F} -> Volume
{745A17A0-74D3-11D0-B6FE-00A0C90F57DA} -> Human Interface Devices
AVG Anti-Spyware Driver -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.sys -> [2008/03/25 19:48:24 | 00,011,000 | ---- | M] ()
AVG Anti-Spyware Guard -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> [2008/03/25 19:48:26 | 00,312,880 | ---- | M] (GRISOFT

s.r.o.)
Base -> Driver Group
Boot Bus Extender -> Driver Group
Boot file system -> Driver Group
File system -> Driver Group
Filter -> Driver Group
PCI Configuration -> Driver Group
PNP Filter -> Driver Group
Primary disk -> Driver Group
SCSI Class -> Driver Group
sermouse.sys -> Driver
System Bus Extender -> Driver Group
vga.sys -> Driver
< SafeBoot-Network Settings > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ ->
{1a3e09be-1e45-494b-9174-d7385b45bbf5} -> Reg Error: Value does not exist or could not be read.
{36FC9E60-C465-11CF-8056-444553540000} -> Universal Serial Bus controllers
{4D36E965-E325-11CE-BFC1-08002BE10318} -> CD-ROM Drive
{4D36E967-E325-11CE-BFC1-08002BE10318} -> DiskDrive
{4D36E969-E325-11CE-BFC1-08002BE10318} -> Standard floppy disk controller
{4D36E96A-E325-11CE-BFC1-08002BE10318} -> Hdc
{4D36E96B-E325-11CE-BFC1-08002BE10318} -> Keyboard
{4D36E96F-E325-11CE-BFC1-08002BE10318} -> Mouse
{4D36E972-E325-11CE-BFC1-08002BE10318} -> Net
{4D36E973-E325-11CE-BFC1-08002BE10318} -> NetClient
{4D36E974-E325-11CE-BFC1-08002BE10318} -> NetService
{4D36E975-E325-11CE-BFC1-08002BE10318} -> NetTrans
{4D36E977-E325-11CE-BFC1-08002BE10318} -> PCMCIA Adapters
{4D36E97B-E325-11CE-BFC1-08002BE10318} -> SCSIAdapter
{4D36E97D-E325-11CE-BFC1-08002BE10318} -> System
{4D36E980-E325-11CE-BFC1-08002BE10318} -> Floppy disk drive
{71A27CDD-812A-11D0-BEC7-08002BE2092F} -> Volume
{745A17A0-74D3-11D0-B6FE-00A0C90F57DA} -> Human Interface Devices
AVG Anti-Spyware Driver -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.sys -> [2008/03/25 19:48:24 | 00,011,000 | ---- | M] ()
AVG Anti-Spyware Guard -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> [2008/03/25 19:48:26 | 00,312,880 | ---- | M] (GRISOFT

s.r.o.)
Base -> Driver Group
Boot Bus Extender -> Driver Group
Boot file system -> Driver Group
File system -> Driver Group
Filter -> Driver Group
NDIS Wrapper -> Driver Group
NetBIOSGroup -> Driver Group
NetDDEGroup -> Driver Group
Network -> Driver Group
NetworkProvider -> Driver Group
PCI Configuration -> Driver Group
PNP Filter -> Driver Group
PNP_TDI -> Driver Group
Primary disk -> Driver Group
rdpdd.sys -> %SystemRoot%\System32\rdpdd.dll -> [2004/08/04 01:00:00 | 00,092,168 | ---- | M] (Microsoft Corporation)
SCSI Class -> Driver Group
sermouse.sys -> Driver
Streams Drivers -> Driver Group
System Bus Extender -> Driver Group
TDI -> Driver Group
vga.sys -> Driver
< Security Center Settings > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
\\"FirstRunDisabled" -> [1] -> File not found
\\"AntiVirusDisableNotify" -> [0] -> File not found
\\"FirewallDisableNotify" -> [0] -> File not found
\\"UpdatesDisableNotify" -> [1] -> File not found
\\"AntiVirusOverride" -> [0] -> File not found
\\"FirewallOverride" -> [0] -> File not found
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall\ -> ->

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
\\"EnableFirewall" -> [1] -> File not found
\\"DoNotAllowExceptions" -> [0] -> File not found
\\"DisableNotifications" -> [0] -> File not found
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\ -> ->
< Session Manager Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager ->
"BootExecute" -> autocheck autochk *; ->
"ExcludeFromKnownDlls" -> ->
*ObjectDirectories* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\\ObjectDirectories ->
\Windows -> -> File not found
\RPC Control -> -> File not found
*MultiFile Done* -> ->
*PendingFileRenameOperations* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\\PendingFileRenameOperations ->
\??\C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft\Avg7Data\avg7upd\install.1\upd_vers.cfg [\??\C:\Documents and

Settings\All Users.WINDOWS\Application Data\Grisoft\Avg7Data\avg7upd\install.1\upd_vers.cfg] -> %AllUsersProfile%\Application

Data\Grisoft\Avg7Data\avg7upd\install.1\upd_vers.cfg [%AllUsersProfile%\Application Data\Grisoft\Avg7Data\avg7upd\install.1\upd_vers.cfg] ->

File not found
!\??\C:\Program Files\Grisoft\AVG Free\upd_vers.cfg [!\??\C:\Program Files\Grisoft\AVG Free\upd_vers.cfg] -> [] -> File not found
\??\C:\Program Files\Grisoft\AVG Free\wait4sd [\??\C:\Program Files\Grisoft\AVG Free\wait4sd] -> [] -> File not found
*MultiFile Done* -> ->
< Session Manager Environment Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session

Manager\Environment ->
"ComSpec" -> C:\WINDOWS\system32\cmd.exe -> [2004/08/04 01:00:00 | 00,388,608 | ---- | M] (Microsoft Corporation)
"TEMP" -> %SystemRoot%\TEMP ->
"TMP" -> %SystemRoot%\TEMP ->
"windir" -> %SystemRoot% ->
*Path* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\\Path ->
%systemroot%\system32 -> %SystemRoot%\system32 -> [2007/10/23 00:21:28 | 00,000,000 | ---D | M]
%systemroot% -> %SystemRoot% -> [2007/10/23 00:21:28 | 00,000,000 | ---D | M]
%systemroot%\system32\wbem -> %SystemRoot%\system32\wbem -> [2007/10/23 00:21:28 | 00,000,000 | ---D | M]
C:\Program Files\QuickTime\QTSystem -> %ProgramFiles%\QuickTime\QTSystem -> [2008/08/18 23:18:24 | 00,000,000 | ---D | M]
C:\Program Files\Smart Projects\IsoBuster -> %ProgramFiles%\Smart Projects\IsoBuster -> [2008/03/26 03:55:36 | 00,000,000 | ---D | M]
C:\Program Files\Support Tools -> -> File not found
*MultiFile Done* -> ->
*PATHEXT* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\\PATHEXT ->
.COM -> -> File not found
.EXE -> -> File not found
.BAT -> -> File not found
.CMD -> -> File not found
.VBS -> -> File not found
.VBE -> -> File not found
.JS -> -> File not found
.JSE -> -> File not found
.WSF -> -> File not found
.WSH -> -> File not found
*MultiFile Done* -> ->
< Session Manager FileRenameOperations Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session

Manager\FileRenameOperations ->
< Session Manager KnownDlls Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDlls ->
"advapi32" -> C:\WINDOWS\system32\advapi32.dll -> [2004/08/04 01:00:00 | 00,616,960 | ---- | M] (Microsoft Corporation)
"comdlg32" -> C:\WINDOWS\system32\comdlg32.dll -> [2004/08/04 01:00:00 | 00,276,992 | ---- | M] (Microsoft Corporation)
"DllDirectory" -> C:\WINDOWS\system32 -> [2007/10/23 00:21:28 | 00,000,000 | ---D | M]
"gdi32" -> C:\WINDOWS\system32\gdi32.dll -> [2008/10/23 06:01:36 | 00,283,648 | ---- | M] (Microsoft Corporation)
"imagehlp" -> C:\WINDOWS\system32\imagehlp.dll -> [2004/08/04 01:00:00 | 00,144,384 | ---- | M] (Microsoft Corporation)
"kernel32" -> C:\WINDOWS\system32\kernel32.dll -> [2007/04/16 08:52:54 | 00,984,576 | ---- | M] (Microsoft Corporation)
"lz32" -> C:\WINDOWS\system32\lz32.dll -> [2004/08/04 01:00:00 | 00,002,560 | ---- | M] (Microsoft Corporation)
"ole32" -> C:\WINDOWS\system32\ole32.dll -> [2005/07/25 21:39:48 | 01,285,120 | ---- | M] (Microsoft Corporation)
"oleaut32" -> C:\WINDOWS\system32\oleaut32.dll -> [2007/12/04 11:38:14 | 00,550,912 | ---- | M] (Microsoft Corporation)
"olecli32" -> C:\WINDOWS\system32\olecli32.dll -> [2005/07/25 21:39:48 | 00,074,752 | ---- | M] (Microsoft Corporation)
"olecnv32" -> C:\WINDOWS\system32\olecnv32.dll -> [2005/07/25 21:39:50 | 00,037,888 | ---- | M] (Microsoft Corporation)
"olesvr32" -> C:\WINDOWS\system32\olesvr32.dll -> [2004/08/04 01:00:00 | 00,022,016 | ---- | M] (Microsoft Corporation)
"olethk32" -> C:\WINDOWS\system32\olethk32.dll -> [2004/08/04 01:00:00 | 00,069,120 | ---- | M] (Microsoft Corporation)
"rpcrt4" -> C:\WINDOWS\system32\rpcrt4.dll -> [2007/07/09 06:09:42 | 00,584,192 | ---- | M] (Microsoft Corporation)
"shell32" -> C:\WINDOWS\system32\shell32.dll -> [2007/10/25 20:36:52 | 08,454,656 | ---- | M] (Microsoft Corporation)
"url" -> C:\WINDOWS\system32\url.dll -> [2004/08/04 01:00:00 | 00,037,888 | ---- | M] (Microsoft Corporation)
"urlmon" -> C:\WINDOWS\system32\urlmon.dll -> [2008/10/16 03:37:04 | 00,615,936 | ---- | M] (Microsoft Corporation)
"user32" -> C:\WINDOWS\system32\user32.dll -> [2007/03/08 08:36:28 | 00,577,536 | ---- | M] (Microsoft Corporation)
"version" -> C:\WINDOWS\system32\version.dll -> [2004/08/04 01:00:00 | 00,018,944 | ---- | M] (Microsoft Corporation)
"wininet" -> C:\WINDOWS\system32\wininet.dll -> [2008/10/16 03:37:04 | 00,659,456 | ---- | M] (Microsoft Corporation)
"wldap32" -> C:\WINDOWS\system32\wldap32.dll -> [2004/08/04 01:00:00 | 00,172,032 | ---- | M] (Microsoft Corporation)
< Session Manager SFC Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SFC ->
"CommonFilesDir" -> C:\Program Files\Common Files -> [2007/10/23 00:25:50 | 00,000,000 | ---D | M]
"ProgramFilesDir" -> C:\Program Files -> [2007/12/13 18:38:36 | 00,000,000 | R--D | M]
< Registry Shell Spawning - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command ->
batfile [edit] -> %SystemRoot%\System32\NOTEPAD.EXE %1 -> [2004/08/04 01:00:00 | 00,069,120 | ---- | M] (Microsoft Corporation)
batfile [open] -> "%1" %* -> File not found
batfile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 -> [2004/08/04 01:00:00 | 00,069,120 | ---- | M] (Microsoft Corporation)
chm.file [open] -> "%SystemRoot%\hh.exe" %1 -> [2005/05/26 16:22:02 | 00,010,752 | ---- | M] (Microsoft Corporation)
cmdfile [edit] -> %SystemRoot%\System32\NOTEPAD.EXE %1 -> [2004/08/04 01:00:00 | 00,069,120 | ---- | M] (Microsoft Corporation)
cmdfile [open] -> "%1" %* -> File not found
cmdfile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 -> [2004/08/04 01:00:00 | 00,069,120 | ---- | M] (Microsoft Corporation)
comfile [open] -> "%1" %* -> File not found
cplfile [cplopen] -> rundll32.exe shell32.dll,Control_RunDLL "%1",%* -> [2007/10/25 20:36:52 | 08,454,656 | ---- | M] (Microsoft Corporation)
exefile [open] -> "%1" %* -> File not found
helpfile [open] -> winhlp32.exe %1 -> [2004/08/04 01:00:00 | 00,008,192 | ---- | M] (Microsoft Corporation)
hlpfile [open] -> %SystemRoot%\System32\winhlp32.exe %1 -> [2004/08/04 01:00:00 | 00,008,192 | ---- | M] (Microsoft Corporation)
htafile [open] -> %SystemRoot%\system32\mshta.exe "%1" %* -> [2004/08/04 01:00:00 | 00,029,184 | ---- | M] (Microsoft Corporation)
htmlfile [edit] -> Reg Error: Key does not exist or could not be opened.
htmlfile [open] -> "%ProgramFiles%\Internet Explorer\IEXPLORE.EXE" -nohome -> [2004/08/04 01:00:00 | 00,093,184 | ---- | M] (Microsoft

Corporation)
htmlfile [opennew] -> "%ProgramFiles%\Internet Explorer\IEXPLORE.EXE" %1 -> [2004/08/04 01:00:00 | 00,093,184 | ---- | M] (Microsoft

Corporation)
htmlfile [print] -> rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" -> [2008/12/12 10:33:24 | 03,060,224 | ---- | M] (Microsoft

Corporation)
http [open] -> %SystemDrive%\PROGRA~1\MOZILL~1\FIREFOX.EXE -requestPending -osint -url "%1" -> [2008/07/23 20:12:36 | 07,667,312 | ---- | M]

(Mozilla Corporation)
https [open] -> %SystemDrive%\PROGRA~1\MOZILL~1\FIREFOX.EXE -requestPending -osint -url "%1" -> [2008/07/23 20:12:36 | 07,667,312 | ---- | M]

(Mozilla Corporation)
inffile [install] -> %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 -> [2004/08/04 01:00:00 | 00,033,280

| ---- | M] (Microsoft Corporation)
inffile [open] -> %SystemRoot%\System32\NOTEPAD.EXE %1 -> [2004/08/04 01:00:00 | 00,069,120 | ---- | M] (Microsoft Corporation)
inffile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 -> [2004/08/04 01:00:00 | 00,069,120 | ---- | M] (Microsoft Corporation)
inifile [open] -> %SystemRoot%\System32\NOTEPAD.EXE %1 -> [2004/08/04 01:00:00 | 00,069,120 | ---- | M] (Microsoft Corporation)
inifile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 -> [2004/08/04 01:00:00 | 00,069,120 | ---- | M] (Microsoft Corporation)
InternetShortcut [open] -> rundll32.exe shdocvw.dll,OpenURL %l -> [2008/10/16 03:37:04 | 01,494,528 | ---- | M] (Microsoft Corporation)
InternetShortcut [print] -> rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" -> [2008/12/12 10:33:24 | 03,060,224 | ---- | M]

(Microsoft Corporation)
jsfile [edit] -> %SystemRoot%\System32\Notepad.exe %1 -> [2004/08/04 01:00:00 | 00,069,120 | ---- | M] (Microsoft Corporation)
jsfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* -> [2004/08/04 01:00:00 | 00,114,688 | ---- | M] (Microsoft Corporation)
jsfile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 -> [2004/08/04 01:00:00 | 00,069,120 | ---- | M] (Microsoft Corporation)
jsefile [edit] -> %SystemRoot%\System32\Notepad.exe %1 -> [2004/08/04 01:00:00 | 00,069,120 | ---- | M] (Microsoft Corporation)
jsefile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* -> [2004/08/04 01:00:00 | 00,114,688 | ---- | M] (Microsoft Corporation)
jsefile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 -> [2004/08/04 01:00:00 | 00,069,120 | ---- | M] (Microsoft Corporation)
piffile [open] -> "%1" %* -> File not found
regfile [edit] -> %SystemRoot%\system32\NOTEPAD.EXE %1 -> [2004/08/04 01:00:00 | 00,069,120 | ---- | M] (Microsoft Corporation)
regfile [open] -> regedit.exe "%1" -> [2004/08/04 01:00:00 | 00,146,432 | ---- | M] (Microsoft Corporation)
regfile [merge] -> Reg Error: Key does not exist or could not be opened.
regfile [print] -> %SystemRoot%\system32\NOTEPAD.EXE /p %1 -> [2004/08/04 01:00:00 | 00,069,120 | ---- | M] (Microsoft Corporation)
scrfile [config] -> "%1" -> File not found
scrfile [install] -> rundll32.exe desk.cpl,InstallScreenSaver %l -> [2004/08/04 01:00:00 | 00,135,168 | ---- | M] (Microsoft Corporation)
scrfile [open] -> "%1" /S -> File not found
txtfile [edit] -> Reg Error: Key does not exist or could not be opened.
txtfile [open] -> %SystemRoot%\system32\NOTEPAD.EXE %1 -> [2004/08/04 01:00:00 | 00,069,120 | ---- | M] (Microsoft Corporation)
txtfile [print] -> %SystemRoot%\system32\NOTEPAD.EXE /p %1 -> [2004/08/04 01:00:00 | 00,069,120 | ---- | M] (Microsoft Corporation)
txtfile [printto] -> %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" -> [2004/08/04 01:00:00 | 00,069,120 | ---- | M] (Microsoft

Corporation)
vbefile [edit] -> %SystemRoot%\System32\Notepad.exe %1 -> [2004/08/04 01:00:00 | 00,069,120 | ---- | M] (Microsoft Corporation)
vbefile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* -> [2004/08/04 01:00:00 | 00,114,688 | ---- | M] (Microsoft Corporation)
vbefile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 -> [2004/08/04 01:00:00 | 00,069,120 | ---- | M] (Microsoft Corporation)
vbsfile [edit] -> %SystemRoot%\System32\Notepad.exe %1 -> [2004/08/04 01:00:00 | 00,069,120 | ---- | M] (Microsoft Corporation)
vbsfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* -> [2004/08/04 01:00:00 | 00,114,688 | ---- | M] (Microsoft Corporation)
vbsfile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 -> [2004/08/04 01:00:00 | 00,069,120 | ---- | M] (Microsoft Corporation)
wsffile [edit] -> %SystemRoot%\System32\Notepad.exe %1 -> [2004/08/04 01:00:00 | 00,069,120 | ---- | M] (Microsoft Corporation)
wsffile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* -> [2004/08/04 01:00:00 | 00,114,688 | ---- | M] (Microsoft Corporation)
wsffile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 -> [2004/08/04 01:00:00 | 00,069,120 | ---- | M] (Microsoft Corporation)
wshfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* -> [2004/08/04 01:00:00 | 00,114,688 | ---- | M] (Microsoft Corporation)
Unknown [openas] -> %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 -> [2007/10/25 20:36:52 | 08,454,656

| ---- | M] (Microsoft Corporation)
Directory [find] -> %SystemRoot%\Explorer.exe -> [2007/06/13 03:23:08 | 01,033,216 | ---- | M] (Microsoft Corporation)
Folder [open] -> %SystemRoot%\Explorer.exe /idlist,%I,%L -> [2007/06/13 03:23:08 | 01,033,216 | ---- | M] (Microsoft Corporation)
Folder [explore] -> %SystemRoot%\Explorer.exe /e,/idlist,%I,%L -> [2007/06/13 03:23:08 | 01,033,216 | ---- | M] (Microsoft Corporation)
Drive [find] -> %SystemRoot%\Explorer.exe -> [2007/06/13 03:23:08 | 01,033,216 | ---- | M] (Microsoft Corporation)
Applications\iexplore.exe [open] -> "%ProgramFiles%\Internet Explorer\IEXPLORE.EXE" %1 -> [2004/08/04 01:00:00 | 00,093,184 | ---- | M]

(Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -> "%programfiles%\internet explorer\iexplore.exe" -> [2004/08/04 01:00:00 |

00,093,184 | ---- | M] (Microsoft Corporation)
< Tcpip Persistent Routes > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes ->
< Uninstall List [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ ->
{00000409-78E1-11D2-B60F-006097C998E7} -> Microsoft Office 2000 Premium
{00203668-8170-44A0-BE44-B632FA4D780F} -> Adobe AIR
{02DFF6B1-1654-411C-8D7B-FD6052EF016F} -> Apple Software Update
{08CA9554-B5FE-4313-938F-D4A417B81175} -> QuickTime
{26A24AE4-039D-4CA4-87B4-2F83216011FF} -> Java(TM) 6 Update 11
{2715D1D6-2B81-4DD5-A9DC-6EFF4D5E0993} -> Ahead Nero Burning Rom PlugIn Pack 2.0.2 by MadHacker2k4
{2BA00471-0328-3743-93BD-FA813353A783} -> Microsoft .NET Framework 3.0 Service Pack 1
{2C0A655C-61E7-428A-8ED2-23A3D20E7DD2} -> Data Lifeguard Tools
{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227} -> WebFldrs XP
{43FFE159-3199-4188-A1CD-629166AD1033} -> Nero 7 Ultra Edition
{56C049BE-79E9-4502-BEA7-9754A3E60F9B} -> neroxml
{6D74E1F4-32D5-44D0-9054-8D57E981F59F}_is1 -> Flash Saving Plugin
{7299052b-02a4-4627-81f2-1818da5d550d} -> Microsoft Visual C++ 2005 Redistributable
{77DCDCE3-2DED-62F3-8154-05E745472D07} -> Acrobat.com
{89B078C4-50B0-453E-BF53-3A7E6A0D85FA} -> Windows Support Tools
{A1BC8E02-6B5B-4B4A-A75F-B27A16918C2B} -> DiscWizard for Windows
{AC76BA86-7AD7-1033-7B44-A90000000001} -> Adobe Reader 9
{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1 -> Spybot - Search & Destroy
{B508B3F1-A24A-32C0-B310-85786919EF28} -> Microsoft .NET Framework 2.0 Service Pack 1
{BAF78226-3200-4DB4-BE33-4D922A799840} -> Windows Presentation Foundation
{CC5BCC32-7EAB-4555-B7DC-E7B9BF927C5C} -> NETGEAR DG632 ADSL Modem
{F3D7915D-6B42-49FA-9FC8-5020479A6A57} -> Nero Reloaded PlugIn Pack 2.0.4 by GEAR
{FB08F381-6533-4108-B7DD-039E11FBC27E} -> Realtek AC'97 Audio
Ad-Aware SE Personal -> Ad-Aware SE Personal
Adobe AIR -> Adobe AIR
Adobe Flash Player ActiveX -> Adobe Flash Player ActiveX
Adobe Flash Player Plugin -> Adobe Flash Player 10 Plugin
Adobe Photoshop Elements 1.0 -> Adobe Photoshop Elements
Adobe Shockwave Player -> Adobe Shockwave Player
Adobe SVG Viewer -> Adobe SVG Viewer
Ahead Nero Add-on Pack -> Ahead Nero Add-on Pack
AVG7Uninstall -> AVG Free Edition
AVGantiRootkit -> AVG Anti-Rootkit Free
AVGAntiSpyware75 -> AVG Anti-Spyware 7.5
BIMPLite -> BIMP Lite 1.62
Bookshelf 2k -> Bookshelf 2000
CheckIt Diagnostics -> CheckIt Diagnostics
Cole2k Media - Codec Pack -> Cole2k Media - Codec Pack (Advanced)
com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1 -> Acrobat.com
Combined Community Codec Pack_is1 -> Combined Community Codec Pack 2007-02-22
DIVXCodec -> DivX Codec 3.1alpha release
ERUNT_is1 -> ERUNT 1.1j
EZ Mask v1.5 for Adobe Photoshop & Photoshop Elements -> EZ Mask v1.5 for Adobe Photoshop & Photoshop Elements
GSpot -> GSpot Codec Information Appliance
HijackThis -> HijackThis 2.0.2
IconArt -> IconArt
IsoBuster_is1 -> IsoBuster 2.3
Kaspersky Online Scanner -> Kaspersky Online Scanner
Magic ISO Maker v5.4 (build 0251) -> Magic ISO Maker v5.4 (build 0251)
Malwarebytes' Anti-Malware_is1 -> Malwarebytes' Anti-Malware
Malwarebytes' RogueRemover FREE_is1 -> Malwarebytes' RogueRemover
Movkit Batch Video Converter_is1 -> Movkit Batch Video Converter 2.8.8
Mozilla Firefox (2.0.0.16) -> Mozilla Firefox (2.0.0.16)
Mozilla Thunderbird (2.0.0.6) -> Mozilla Thunderbird (2.0.0.6)
NVIDIA Drivers -> NVIDIA Drivers
OggDS -> Direct Show Ogg Vorbis Filter (remove only)
OneTouch Version 3.0 -> OneTouch Version 3.0
PaperPort 7.02 -> PaperPort 7.02
RealPlayer 6.0 -> RealPlayer
RmTablet -> USB Tablet Manager
SLD Codec Pack -> SLD Codec Pack
SpywareBlaster_is1 -> SpywareBlaster 4.1
ST6UNST #1 -> UnZixWin
SystemRequirementsLab -> System Requirements Lab
TeraCopy_is1 -> TeraCopy 1.22 Pro
Tweak UI 2.10 -> Tweak UI
VCW VicMan's Photo Editor -> VCW VicMan's Photo Editor
VirtualCloneDrive -> VirtualCloneDrive
Windows Media Format Runtime -> Windows Media Format Runtime
WinRAR archiver -> WinRAR archiver
XpsEPSC -> XML Paper Specification Shared Components Pack 1.0
< Uninstall List [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ ->
uTorrent -> µTorrent
< Uninstall List [HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\] > ->

HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ ->
uTorrent -> µTorrent
< WOW Settings [HKEY_LOCAL_MACHINE] - Select to Repair > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW ->
"cmdline" -> %SystemRoot%\system32\ntvdm.exe ->
"wowcmdline" -> %SystemRoot%\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386 ->
< EventViewer Logs - Last 10 Errors > -> Event Information -> Description
Application [ Error ] 1/3/2009 12:49:08 PM Computer Name = COMPUTER | Source = Application Error | ID = 1000 -> Description = Faulting

application k9261108.exe, version 3.1.0.2, faulting module unknown, version 0.0.0.0, fault address 0x0084465d.
Application [ Error ] 1/6/2009 06:18:14 AM Computer Name = COMPUTER | Source = Application Error | ID = 1000 -> Description = Faulting

application media.player.classic.6.4.9.0.exe, version 6.4.9.0, faulting module proppage.dll, version 6.5.1.1126, fault address 0x0001ee68.
Application [ Error ] 1/11/2009 11:21:49 AM Computer Name = COMPUTER | Source = crypt32 | ID = 131080 -> Description = Failed auto update

retrieval of third-party root list sequence number from:

<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the

timeout period expired.
Application [ Error ] 1/11/2009 11:21:57 AM Computer Name = COMPUTER | Source = Application Error | ID = 1000 -> Description = Faulting

application sed.exe, version 0.0.0.0, faulting module sed.exe, version 0.0.0.0, fault address 0x00013e87.
Application [ Error ] 1/11/2009 03:21:28 PM Computer Name = COMPUTER | Source = Application Error | ID = 1000 -> Description = Faulting

application swreg.cfexe, version 3.0.0.0, faulting module swreg.cfexe, version 3.0.0.0, fault address 0x00003cba.
Application [ Error ] 1/11/2009 03:34:57 PM Computer Name = COMPUTER | Source = Application Error | ID = 1000 -> Description = Faulting

application swreg.cfexe, version 3.0.0.0, faulting module swreg.cfexe, version 3.0.0.0, fault address 0x00003cba.
Application [ Error ] 1/13/2009 10:26:57 AM Computer Name = COMPUTER | Source = Application Error | ID = 1000 -> Description = Faulting

application firefox.exe, version 1.8.20080.4669, faulting module js3250.dll, version 4.0.0.0, fault address 0x0004b827.
Application [ Error ] 1/13/2009 02:44:05 PM Computer Name = COMPUTER | Source = Application Error | ID = 1000 -> Description = Faulting

application photoshopelements.exe, version 1.0.128.0, faulting module psicon.dll, version 6.6.64.53, fault address 0x000019e4.
Application [ Error ] 1/14/2009 06:23:43 PM Computer Name = COMPUTER | Source = Application Error | ID = 1000 -> Description = Faulting

application mrt.exe, version 2.6.2427.0, faulting module mpengine.dll, version 1.1.4208.0, fault address 0x002372cb.
Application [ Error ] 1/16/2009 04:23:53 PM Computer Name = COMPUTER | Source = Application Error | ID = 1000 -> Description = Faulting

application firefox.exe, version 1.8.20080.4669, faulting module firefox.exe, version 1.8.20080.4669, fault address 0x0019109c.
System [ Error ] 1/12/2009 12:03:38 AM Computer Name = COMPUTER | Source = Service Control Manager | ID = 7001 -> Description = The SSDP

Discovery Service service depends on the HTTP service which failed to start because of the following error: %%5
System [ Error ] 1/12/2009 12:15:50 PM Computer Name = COMPUTER | Source = Service Control Manager | ID = 7000 -> Description = The CMS PortIO

Service service failed to start due to the following error: %%2
System [ Error ] 1/12/2009 02:10:13 PM Computer Name = COMPUTER | Source = Service Control Manager | ID = 7000 -> Description = The CMS PortIO

Service service failed to start due to the following error: %%2
System [ Error ] 1/12/2009 03:19:06 PM Computer Name = COMPUTER | Source = Service Control Manager | ID = 7000 -> Description = The CMS PortIO

Service service failed to start due to the following error: %%2
System [ Error ] 1/13/2009 02:23:43 AM Computer Name = COMPUTER | Source = Service Control Manager | ID = 7000 -> Description = The CMS PortIO

Service service failed to start due to the following error: %%2
System [ Error ] 1/14/2009 06:59:49 AM Computer Name = COMPUTER | Source = Service Control Manager | ID = 7000 -> Description = The CMS PortIO

Service service failed to start due to the following error: %%2
System [ Error ] 1/14/2009 07:11:13 AM Computer Name = COMPUTER | Source = Service Control Manager | ID = 7000 -> Description = The CMS PortIO

Service service failed to start due to the following error: %%2
System [ Error ] 1/14/2009 09:31:51 AM Computer Name = COMPUTER | Source = Service Control Manager | ID = 7000 -> Description = The CMS PortIO

Service service failed to start due to the following error: %%2
System [ Error ] 1/16/2009 12:30:40 AM Computer Name = COMPUTER | Source = Service Control Manager | ID = 7000 -> Description = The CMS PortIO

Service service failed to start due to the following error: %%2
System [ Error ] 1/16/2009 10:28:01 AM Computer Name = COMPUTER | Source = Service Control Manager | ID = 7000 -> Description = The CMS PortIO

Service service failed to start due to the following error: %%2

[Files/Folders - Created Within 90 Days]
3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp ->
rsit -> %SystemDrive%\rsit -> [2009/01/16 07:38:18 | 00,000,000 | ---D | C]
FOUND.000 -> %SystemDrive%\FOUND.000 -> [2009/01/14 04:10:38 | 00,000,000 | -HSD | C]
ntuser.dat -> %UserProfile%\ntuser.dat -> [2009/01/13 14:08:51 | 11,030,528 | ---- | C] ()
Adobe Gamma Loader.exe.lnk.disabled -> %AllUsersProfile%\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk.disabled -> [2009/01/12

12:31:40 | 00,000,794 | ---- | C] ()
Adobe AIR -> %CommonProgramFiles%\Adobe AIR -> [2009/01/12 08:30:56 | 00,000,000 | ---D | C]
temp -> %SystemRoot%\temp -> [2009/01/11 12:35:53 | 00,000,000 | ---D | C]
Country -> %SystemDrive%\Country -> [2009/01/11 12:32:27 | 00,000,000 | ---D | C]
gmer.dll -> %SystemRoot%\gmer.dll -> [2009/01/11 12:25:05 | 00,884,736 | ---- | C] ()
gmer.exe -> %SystemRoot%\gmer.exe -> [2009/01/11 12:25:05 | 00,811,008 | ---- | C] ()
gmer.sys -> %SystemRoot%\System32\drivers\gmer.sys -> [2009/01/11 12:25:05 | 00,085,969 | ---- | C] (GMER)
gmer.ini -> %SystemRoot%\gmer.ini -> [2009/01/11 12:25:05 | 00,000,250 | ---- | C] ()
gmer_uninstall.cmd -> %SystemRoot%\gmer_uninstall.cmd -> [2009/01/11 12:25:05 | 00,000,080 | ---- | C] ()
SWXCACLS.exe -> %SystemRoot%\SWXCACLS.exe -> [2009/01/11 12:18:32 | 00,212,480 | ---- | C] (SteelWerX)
SWREG.exe -> %SystemRoot%\SWREG.exe -> [2009/01/11 12:18:32 | 00,161,792 | ---- | C] (SteelWerX)
SWSC.exe -> %SystemRoot%\SWSC.exe -> [2009/01/11 12:18:32 | 00,136,704 | ---- | C] (SteelWerX)
sed.exe -> %SystemRoot%\sed.exe -> [2009/01/11 12:18:32 | 00,098,816 | ---- | C] ()
fdsv.exe -> %SystemRoot%\fdsv.exe -> [2009/01/11 12:18:32 | 00,089,504 | ---- | C] (Smallfrogs Studio)
grep.exe -> %SystemRoot%\grep.exe -> [2009/01/11 12:18:32 | 00,080,412 | ---- | C] ()
zip.exe -> %SystemRoot%\zip.exe -> [2009/01/11 12:18:32 | 00,068,096 | ---- | C] ()
VFIND.exe -> %SystemRoot%\VFIND.exe -> [2009/01/11 12:18:32 | 00,049,152 | ---- | C] ()
NIRCMD.exe -> %SystemRoot%\NIRCMD.exe -> [2009/01/11 12:18:32 | 00,028,672 | ---- | C] (NirSoft)
Trend Micro -> %ProgramFiles%\Trend Micro -> [2009/01/11 07:54:50 | 00,000,000 | ---D | C]
VundoFix Backups -> %SystemDrive%\VundoFix Backups -> [2009/01/11 07:29:14 | 00,000,000 | ---D | C]
MRT.exe -> %SystemRoot%\System32\MRT.exe -> [2009/01/03 21:17:16 | 20,853,704 | ---- | C] (Microsoft Corporation)
1A-MontyWallpaper4.bmp -> %UserProfile%\My Documents\1A-MontyWallpaper4.bmp -> [2008/11/18 12:54:42 | 01,922,456 | ---- | C] ()
1A-MontyWallpaper3.bmp -> %UserProfile%\My Documents\1A-MontyWallpaper3.bmp -> [2008/11/18 12:49:29 | 01,922,456 | ---- | C] ()
1A-Montywallpaper2.bmp -> %UserProfile%\My Documents\1A-Montywallpaper2.bmp -> [2008/11/18 12:43:44 | 01,920,054 | ---- | C] ()
1A-MontyWallpaper1.bmp -> %UserProfile%\My Documents\1A-MontyWallpaper1.bmp -> [2008/11/18 12:39:03 | 01,922,456 | ---- | C] ()
KPCMS.INI -> %SystemRoot%\KPCMS.INI -> [2008/11/18 05:24:12 | 00,000,048 | ---- | C] ()
uninst.exe -> %SystemRoot%\uninst.exe -> [2008/11/18 05:21:02 | 00,297,472 | ---- | C] (InstallShield Corporation, Inc.)
Deckard -> %SystemDrive%\Deckard -> [2008/11/15 08:52:07 | 00,000,000 | ---D | C]
$VAULT$.AVG -> %SystemDrive%\$VAULT$.AVG -> [2008/11/15 08:17:43 | 00,000,000 | RH-D | C]
NVIDIA.lnk -> %UserProfile%\Desktop\NVIDIA.lnk -> [2008/11/14 11:15:08 | 00,000,228 | ---- | C] ()
AVG7QT.DAT -> %SystemDrive%\AVG7QT.DAT -> [2008/11/14 10:49:28 | 12,512,467 | ---- | C] ()
AVG7 -> %AppData%\AVG7 -> [2008/11/12 11:53:04 | 00,000,000 | ---D | C]
avgmfx86.sys -> %SystemRoot%\System32\drivers\avgmfx86.sys -> [2008/11/12 11:52:59 | 00,026,952 | ---- | C] (GRISOFT, s.r.o.)
avgclean.sys -> %SystemRoot%\System32\drivers\avgclean.sys -> [2008/11/12 11:52:59 | 00,010,760 | ---- | C] (GRISOFT, s.r.o.)
avgtdi.sys -> %SystemRoot%\System32\drivers\avgtdi.sys -> [2008/11/12 11:52:59 | 00,004,960 | ---- | C] (GRISOFT, s.r.o.)
avg7rsxp.sys -> %SystemRoot%\System32\drivers\avg7rsxp.sys -> [2008/11/12 11:52:57 | 00,027,776 | ---- | C] (GRISOFT, s.r.o.)
avg7rsw.sys -> %SystemRoot%\System32\drivers\avg7rsw.sys -> [2008/11/12 11:52:57 | 00,004,224 | ---- | C] (GRISOFT, s.r.o.)
avg7core.sys -> %SystemRoot%\System32\drivers\avg7core.sys -> [2008/11/12 11:52:56 | 00,821,856 | ---- | C] (GRISOFT, s.r.o.)
avg7 -> %AllUsersProfile%\Application Data\avg7 -> [2008/11/12 11:52:55 | 00,000,000 | ---D | C]
ERUNT -> %UserProfile%\My Documents\ERUNT -> [2008/11/12 11:51:17 | 00,000,000 | ---D | C]
Avg8 -> %AllUsersProfile%\Application Data\Avg8 -> [2008/11/12 10:59:38 | 00,000,000 | ---D | C]
NVIDIA -> %AllUsersProfile%\Application Data\NVIDIA -> [2008/11/12 02:41:43 | 00,000,000 | ---D | C]
Ahead -> %ProgramFiles%\Ahead -> [2008/11/02 08:51:57 | 00,000,000 | ---D | C]
Office Genuine Advantage -> %AllUsersProfile%\Application Data\Office Genuine Advantage -> [2008/11/02 08:18:49 | 00,000,000 | ---D | C]
Windows Genuine Advantage -> %AllUsersProfile%\Application Data\Windows Genuine Advantage -> [2008/11/02 08:18:43 | 00,000,000 | ---D | C]
WebsitePasswords1.jpg -> %UserProfile%\My Documents\WebsitePasswords1.jpg -> [2008/10/21 14:16:21 | 00,119,768 | ---- | C] ()
CoreCodec -> %ProgramFiles%\CoreCodec -> [2008/10/21 13:18:18 | 00,000,000 | ---D | C]

[Files/Folders - Modified Within 90 Days]
3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp ->
3 C:\Documents and Settings\Administrator.COMPUTER\Local Settings\temp\*.tmp files -> C:\Documents and Settings\Administrator.COMPUTER\Local

Settings\temp\*.tmp ->
3 C:\Documents and Settings\Administrator.COMPUTER\Local Settings\temp\*.tmp files -> C:\Documents and Settings\Administrator.COMPUTER\Local

Settings\temp\*.tmp ->
Perflib_Perfdata_664.dat -> %UserProfile%\Local Settings\temp\Perflib_Perfdata_664.dat -> [2009/01/16 14:15:18 | 00,016,384 | ---- | M] ()
win.ini -> %SystemRoot%\win.ini -> [2009/01/16 07:27:58 | 00,000,705 | ---- | M] ()
wpa.dbl -> %SystemRoot%\System32\wpa.dbl -> [2009/01/16 07:27:52 | 00,013,668 | ---- | M] ()
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [2009/01/16 07:27:48 | 00,000,006 | -H-- | M] ()
bootstat.dat -> %SystemRoot%\bootstat.dat -> [2009/01/16 07:27:46 | 00,002,048 | --S- | M] ()
ntuser.dat -> %UserProfile%\ntuser.dat -> [2009/01/15 21:32:44 | 11,030,528 | ---- | M] ()
ntuser.ini -> %UserProfile%\ntuser.ini -> [2009/01/15 21:32:44 | 00,000,178 | -HS- | M] ()
qmgr0.dat -> %AllUsersProfile%\Application Data\Microsoft\Network\Downloader\qmgr0.dat -> [2009/01/15 21:29:30 | 00,005,498 | ---- | M] ()
qmgr1.dat -> %AllUsersProfile%\Application Data\Microsoft\Network\Downloader\qmgr1.dat -> [2009/01/15 21:29:30 | 00,004,232 | ---- | M] ()
mbamswissarmy.sys -> %SystemRoot%\System32\drivers\mbamswissarmy.sys -> [2009/01/14 16:11:32 | 00,038,496 | ---- | M] (Malwarebytes

Corporation)
mbam.sys -> %SystemRoot%\System32\drivers\mbam.sys -> [2009/01/14 16:11:28 | 00,015,504 | ---- | M] (Malwarebytes Corporation)
mpengine.dll -> %UserProfile%\Local Settings\temp\mpengine.dll -> [2009/01/14 15:23:22 | 04,141,904 | ---- | M] (Microsoft Corporation)
default.pls -> %UserProfile%\default.pls -> [2009/01/14 09:15:52 | 00,000,162 | ---- | M] ()
NeroDigital.ini -> %SystemRoot%\NeroDigital.ini -> [2009/01/14 09:15:52 | 00,000,069 | ---- | M] ()
DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> %UserProfile%\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini ->

[2009/01/14 08:02:34 | 00,168,960 | ---- | M] ()
µTorrent.lnk -> %UserProfile%\Desktop\µTorrent.lnk -> [2009/01/14 04:22:46 | 00,001,404 | ---- | M] ()
system.ini -> %SystemRoot%\system.ini -> [2009/01/13 23:27:44 | 00,000,227 | ---- | M] ()
MEMORY.DMP -> %SystemRoot%\MEMORY.DMP -> [2009/01/12 23:23:22 | 00,000,000 | ---- | M] ()
Adobe Gamma Loader.exe.lnk.disabled -> %AllUsersProfile%\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk.disabled -> [2009/01/12

12:31:42 | 00,000,794 | ---- | M] ()
gmer.ini -> %SystemRoot%\gmer.ini -> [2009/01/11 20:58:16 | 00,000,250 | ---- | M] ()
gmer.dll -> %SystemRoot%\gmer.dll -> [2009/01/11 12:25:06 | 00,884,736 | ---- | M] ()
gmer.sys -> %SystemRoot%\System32\drivers\gmer.sys -> [2009/01/11 12:25:06 | 00,085,969 | ---- | M] (GMER)
gmer_uninstall.cmd -> %SystemRoot%\gmer_uninstall.cmd -> [2009/01/11 12:25:06 | 00,000,080 | ---- | M] ()
KPCMS.INI -> %SystemRoot%\KPCMS.INI -> [2009/01/11 12:17:04 | 00,000,048 | ---- | M] ()
MRT.exe -> %SystemRoot%\System32\MRT.exe -> [2009/01/09 18:35:28 | 20,853,704 | ---- | M] (Microsoft Corporation)
imsins.BAK -> %SystemRoot%\imsins.BAK -> [2009/01/03 21:17:14 | 00,001,355 | ---- | M] ()
mshtml.dll -> %SystemRoot%\System32\mshtml.dll -> [2008/12/12 10:33:24 | 03,060,224 | ---- | M] (Microsoft Corporation)
mshtml.dll -> %SystemRoot%\System32\dllcache\mshtml.dll -> [2008/12/12 10:33:24 | 03,060,224 | ---- | M] (Microsoft Corporation)
srv.sys -> %SystemRoot%\System32\drivers\srv.sys -> [2008/12/11 04:57:22 | 00,333,184 | ---- | M] (Microsoft Corporation)
srv.sys -> %SystemRoot%\System32\dllcache\srv.sys -> [2008/12/11 04:57:22 | 00,333,184 | ---- | M] (Microsoft Corporation)
1A-MontyWallpaper4.bmp -> %UserProfile%\My Documents\1A-MontyWallpaper4.bmp -> [2008/11/18 12:54:46 | 01,922,456 | ---- | M] ()
1A-MontyWallpaper1.bmp -> %UserProfile%\My Documents\1A-MontyWallpaper1.bmp -> [2008/11/18 12:50:08 | 01,922,456 | ---- | M] ()
1A-MontyWallpaper3.bmp -> %UserProfile%\My Documents\1A-MontyWallpaper3.bmp -> [2008/11/18 12:49:34 | 01,922,456 | ---- | M] ()
NVIDIA.lnk -> %UserProfile%\Desktop\NVIDIA.lnk -> [2008/11/14 11:15:10 | 00,000,228 | ---- | M] ()
AVG7QT.DAT -> %SystemDrive%\AVG7QT.DAT -> [2008/11/14 10:49:32 | 12,512,467 | ---- | M] ()
avgclean.sys -> %SystemRoot%\System32\drivers\avgclean.sys -> [2008/11/12 11:59:54 | 00,010,760 | ---- | M] (GRISOFT, s.r.o.)
avg7core.sys -> %SystemRoot%\System32\drivers\avg7core.sys -> [2008/11/12 11:59:46 | 00,821,856 | ---- | M] (GRISOFT, s.r.o.)
avg7rsxp.sys -> %SystemRoot%\System32\drivers\avg7rsxp.sys -> [2008/11/12 11:59:46 | 00,027,776 | ---- | M] (GRISOFT, s.r.o.)
avgmfx86.sys -> %SystemRoot%\System32\drivers\avgmfx86.sys -> [2008/11/12 11:59:46 | 00,026,952 | ---- | M] (GRISOFT, s.r.o.)
avgtdi.sys -> %SystemRoot%\System32\drivers\avgtdi.sys -> [2008/11/12 11:53:00 | 00,004,960 | ---- | M] (GRISOFT, s.r.o.)
avg7rsw.sys -> %SystemRoot%\System32\drivers\avg7rsw.sys -> [2008/11/12 11:52:58 | 00,004,224 | ---- | M] (GRISOFT, s.r.o.)
Computer Management.lnk -> %UserProfile%\My Documents\Computer Management.lnk -> [2008/11/11 22:47:58 | 00,001,494 | ---- | M] ()
boot.ini -> %SystemDrive%\boot.ini -> [2008/11/11 22:16:44 | 00,000,322 | -HS- | M] ()
OggDSUninst.exe -> %SystemRoot%\System32\OggDSUninst.exe -> [2008/11/02 08:46:50 | 00,037,270 | ---- | M] ()
GDIPFONTCACHEV1.DAT -> %UserProfile%\Local Settings\Application Data\GDIPFONTCACHEV1.DAT -> [2008/11/02 07:57:28 | 00,093,584 | ---- | M] ()
FNTCACHE.DAT -> %SystemRoot%\System32\FNTCACHE.DAT -> [2008/11/02 07:51:32 | 01,600,160 | ---- | M] ()
mrxsmb.sys -> %SystemRoot%\System32\drivers\mrxsmb.sys -> [2008/10/24 04:10:42 | 00,453,632 | ---- | M] (Microsoft Corporation)
mrxsmb.sys -> %SystemRoot%\System32\dllcache\mrxsmb.sys -> [2008/10/24 04:10:42 | 00,453,632 | ---- | M] (Microsoft Corporation)
gdi32.dll -> %SystemRoot%\System32\gdi32.dll -> [2008/10/23 06:01:36 | 00,283,648 | ---- | M] (Microsoft Corporation)
gdi32.dll -> %SystemRoot%\System32\dllcache\gdi32.dll -> [2008/10/23 06:01:36 | 00,283,648 | ---- | M] (Microsoft Corporation)
tzchange.exe -> %SystemRoot%\System32\tzchange.exe -> [2008/10/22 02:47:08 | 00,062,976 | ---- | M] (Microsoft Corporation)
WebsitePasswords1.jpg -> %UserProfile%\My Documents\WebsitePasswords1.jpg -> [2008/10/21 14:16:24 | 00,119,768 | ---- | M] ()
hhcolreg.dat -> %AllUsersProfile%\Application Data\Microsoft\HTML Help\hhcolreg.dat -> [2008/07/20 08:23:24 | 00,004,944 | ---- | M] ()
FileAssoc.dll -> %UserProfile%\Local Settings\temp\_ISTMP1.DIR\_ISTMP0.DIR\FileAssoc.dll -> [2001/02/21 18:44:00 | 00,172,032 | R--- | M] ()
Adobeisf.dll -> %UserProfile%\Local Settings\temp\_ISTMP1.DIR\_ISTMP0.DIR\Adobeisf.dll -> [2001/02/14 17:22:00 | 00,045,056 | R--- | M] (Adobe

Systems, Inc.)
Asn.er.dll -> %UserProfile%\Local Settings\temp\_ISTMP1.DIR\_ISTMP0.DIR\Asn.er.dll -> [2001/02/01 16:40:20 | 00,233,472 | R--- | M] (Adobe

Systems Incorporated)
EnigmaValidation.dll -> %UserProfile%\Local Settings\temp\_ISTMP1.DIR\_ISTMP0.DIR\EnigmaValidation.dll -> [2001/02/01 16:40:20 | 00,135,168 |

R--- | M] (Adobe Systems, Incorporated)
WINTDIST.EXE -> %UserProfile%\Local Settings\temp\_ISTMP1.DIR\_ISTMP0.DIR\WINTDIST.EXE -> [2001/01/19 13:30:26 | 00,401,760 | R--- | M]

(Microsoft Corporation)
IccTest.dll -> %UserProfile%\Local Settings\temp\_ISTMP1.DIR\_ISTMP0.DIR\IccTest.dll -> [2001/01/19 13:30:26 | 00,126,976 | R--- | M] (Adobe

Systems, Inc.)
ICOMP.EXE -> %UserProfile%\Local Settings\temp\_ISTMP1.DIR\_ISTMP0.DIR\ICOMP.EXE -> [2001/01/19 13:30:26 | 00,119,808 | R--- | M] ()
ShFolder.Exe -> %UserProfile%\Local Settings\temp\_ISTMP1.DIR\_ISTMP0.DIR\ShFolder.Exe -> [2001/01/19 13:30:26 | 00,117,288 | R--- | M]

(Microsoft Corporation)
73c1c.DLL -> %UserProfile%\Local Settings\temp\_ISTMP1.DIR\_ISTMP0.DIR\73c1c.DLL -> [2001/01/19 13:30:26 | 00,040,960 | R--- | M] (Adobe

Systems, Inc.)

[File - Lop Check]
Application Data -> C:\Documents and Settings\Default User\Application Data -> [2007/10/23 00:25:40 | 00,000,000 | RH-D | M]
Application Data -> C:\Documents and Settings\All Users\Application Data -> [2007/10/23 00:25:40 | 00,000,000 | RH-D | M]
AVG7 -> C:\Documents and Settings\All Users\Application Data\AVG7 -> [2007/10/23 01:09:56 | 00,000,000 | ---D | M]
EnterNHelp -> C:\Documents and Settings\All Users\Application Data\EnterNHelp -> [2007/10/23 13:36:12 | 00,000,000 | ---D | M]
FLEXnet -> C:\Documents and Settings\All Users\Application Data\FLEXnet -> [2007/10/23 13:36:12 | 00,000,000 | ---D | M]
Grisoft -> C:\Documents and Settings\All Users\Application Data\Grisoft -> [2007/10/23 01:09:56 | 00,000,000 | ---D | M]
Ultima_T15 -> C:\Documents and Settings\All Users\Application Data\Ultima_T15 -> [2007/10/23 13:36:12 | 00,000,000 | ---D | M]
Application Data -> C:\Documents and Settings\NetworkService\Application Data -> [2007/10/23 00:53:14 | 00,000,000 | ---D | M]
Application Data -> C:\Documents and Settings\LocalService\Application Data -> [2007/10/23 00:55:16 | 00,000,000 | ---D | M]
AVG7 -> C:\Documents and Settings\LocalService\Application Data\AVG7 -> [2007/10/23 15:26:26 | 00,000,000 | ---D | M]
Application Data -> C:\Documents and Settings\montyl\Application Data -> [2007/10/23 00:25:40 | 00,000,000 | RH-D | M]
AVG7 -> C:\Documents and Settings\montyl\Application Data\AVG7 -> [2007/10/23 01:10:08 | 00,000,000 | ---D | M]
Hulubulu -> C:\Documents and Settings\montyl\Application Data\Hulubulu -> [2007/10/23 14:26:18 | 00,000,000 | ---D | M]
MSNInstaller -> C:\Documents and Settings\montyl\Application Data\MSNInstaller -> [2007/10/23 14:26:20 | 00,000,000 | ---D | M]
Thunderbird -> C:\Documents and Settings\montyl\Application Data\Thunderbird -> [2007/10/23 14:25:44 | 00,000,000 | ---D | M]
Uniblue -> C:\Documents and Settings\montyl\Application Data\Uniblue -> [2007/10/23 14:26:18 | 00,000,000 | ---D | M]
uTorrent -> C:\Documents and Settings\montyl\Application Data\uTorrent -> [2007/10/23 14:26:20 | 00,000,000 | ---D | M]
Application Data -> C:\Documents and Settings\Administrator\Application Data -> [2007/10/23 13:36:08 | 00,000,000 | -H-D | M]
Thunderbird -> C:\Documents and Settings\Administrator\Application Data\Thunderbird -> [2007/10/23 13:36:10 | 00,000,000 | ---D | M]
Application Data -> C:\Documents and Settings\Default User.WINDOWS\Application Data -> [2007/10/23 15:51:56 | 00,000,000 | RH-D | M]
Application Data -> C:\Documents and Settings\All Users.WINDOWS\Application Data -> [2007/10/23 15:51:56 | 00,000,000 | RH-D | M]
Ahead -> C:\Documents and Settings\All Users.WINDOWS\Application Data\Ahead -> [2008/04/09 08:25:40 | 00,000,000 | ---D | M]
avg7 -> C:\Documents and Settings\All Users.WINDOWS\Application Data\avg7 -> [2008/11/12 11:52:56 | 00,000,000 | ---D | M]
Digital Film Tools -> C:\Documents and Settings\All Users.WINDOWS\Application Data\Digital Film Tools -> [2007/10/25 20:18:28 | 00,000,000 |

---D | M]
Grisoft -> C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft -> [2007/10/23 18:05:16 | 00,000,000 | ---D | M]
Propellerhead Software -> C:\Documents and Settings\All Users.WINDOWS\Application Data\Propellerhead Software -> [2007/12/11 23:56:56 |

00,000,000 | ---D | M]
Seagate -> C:\Documents and Settings\All Users.WINDOWS\Application Data\Seagate -> [2008/03/11 20:52:44 | 00,000,000 | ---D | M]
Tablet -> C:\Documents and Settings\All Users.WINDOWS\Application Data\Tablet -> [2008/07/01 22:35:14 | 00,000,000 | ---D | M]
TEMP -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP -> [2007/12/05 07:02:36 | 00,000,000 | ---D | M]
Application Data -> C:\Documents and Settings\NetworkService.NT AUTHORITY\Application Data -> [2007/10/23 16:06:02 | 00,000,000 | ---D | M]
Application Data -> C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data -> [2007/10/23 16:14:52 | 00,000,000 | ---D | M]
AVG7 -> C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\AVG7 -> [2008/11/12 11:53:02 | 00,000,000 | ---D | M]
Application Data -> C:\Documents and Settings\Administrator.COMPUTER\Application Data -> [2007/10/23 15:51:56 | 00,000,000 | RH-D | M]
Ahead -> C:\Documents and Settings\Administrator.COMPUTER\Application Data\Ahead -> [2008/04/11 10:12:40 | 00,000,000 | ---D | M]
AVG7 -> C:\Documents and Settings\Administrator.COMPUTER\Application Data\AVG7 -> [2008/11/12 11:53:06 | 00,000,000 | ---D | M]
Grisoft -> C:\Documents and Settings\Administrator.COMPUTER\Application Data\Grisoft -> [2008/03/25 07:25:16 | 00,000,000 | ---D | M]
Propellerhead Software -> C:\Documents and Settings\Administrator.COMPUTER\Application Data\Propellerhead Software -> [2007/12/19 23:22:20 |

00,000,000 | ---D | M]
SystemRequirementsLab -> C:\Documents and Settings\Administrator.COMPUTER\Application Data\SystemRequirementsLab -> [2008/03/08 20:24:44 |

00,000,000 | ---D | M]
TeraCopy -> C:\Documents and Settings\Administrator.COMPUTER\Application Data\TeraCopy -> [2008/09/19 20:48:22 | 00,000,000 | ---D | M]
Thunderbird -> C:\Documents and Settings\Administrator.COMPUTER\Application Data\Thunderbird -> [2007/10/23 17:15:40 | 00,000,000 | ---D | M]
uTorrent -> C:\Documents and Settings\Administrator.COMPUTER\Application Data\uTorrent -> [2007/10/23 20:12:24 | 00,000,000 | ---D | M]
C:\WINDOWS\Tasks\ -> C:\WINDOWS\Tasks -> [2007/10/23 00:48:04 | 00,000,000 | --SD | M]
desktop.ini -> C:\WINDOWS\Tasks\desktop.ini -> [2004/08/04 01:00:00 | 00,000,065 | RH-- | M] ()
SA.DAT -> C:\WINDOWS\Tasks\SA.DAT -> [2009/01/16 07:27:48 | 00,000,006 | -H-- | M] ()

[File - Purity Scan]

[File - Signature Check]
< Cached Copy > -> < OS Copy > -> < MD5's >
C:\WINDOWS\system32\dllcache\explorer.exe [2007/06/13 03:23:08 | 01,033,216 | ---- | M] (Microsoft Corporation) -> C:\WINDOWS\explorer.exe

[2007/06/13 03:23:08 | 01,033,216 | ---- | M] (Microsoft Corporation) -> Cached Copy = 97BD6515465659FF8F3B7BE375B2EA87 \ OS Copy =

97BD6515465659FF8F3B7BE375B2EA87
C:\WINDOWS\system32\dllcache\csrss.exe [2004/08/04 01:00:00 | 00,006,144 | ---- | M] (Microsoft Corporation) -> C:\WINDOWS\system32\csrss.exe

[2004/08/04 01:00:00 | 00,006,144 | ---- | M] (Microsoft Corporation) -> Cached Copy = F12B178B1678D778CFD3FF1FC38C71FB \ OS Copy =

F12B178B1678D778CFD3FF1FC38C71FB
C:\WINDOWS\system32\dllcache\lsass.exe [2004/08/04 01:00:00 | 00,013,312 | ---- | M] (Microsoft Corporation) -> C:\WINDOWS\system32\lsass.exe

[2004/08/04 01:00:00 | 00,013,312 | ---- | M] (Microsoft Corporation) -> Cached Copy = 84885F9B82F4D55C6146EBF6065D75D2 \ OS Copy =

84885F9B82F4D55C6146EBF6065D75D2
C:\WINDOWS\system32\dllcache\rundll32.exe [2004/08/04 01:00:00 | 00,033,280 | ---- | M] (Microsoft Corporation) ->

C:\WINDOWS\system32\rundll32.exe [2004/08/04 01:00:00 | 00,033,280 | ---- | M] (Microsoft Corporation) -> Cached Copy =

DA285490BBD8A1D0CE6623577D5BA1FF \ OS Copy = DA285490BBD8A1D0CE6623577D5BA1FF
C:\WINDOWS\system32\dllcache\services.exe [2004/08/04 01:00:00 | 00,108,032 | ---- | M] (Microsoft Corporation) ->

C:\WINDOWS\system32\services.exe [2004/08/04 01:00:00 | 00,108,032 | ---- | M] (Microsoft Corporation) -> Cached Copy =

C6CE6EEC82F187615D1002BB3BB50ED4 \ OS Copy = C6CE6EEC82F187615D1002BB3BB50ED4
C:\WINDOWS\system32\dllcache\smss.exe [2004/08/04 01:00:00 | 00,050,688 | ---- | M] (Microsoft Corporation) -> C:\WINDOWS\system32\smss.exe

[2004/08/04 01:00:00 | 00,050,688 | ---- | M] (Microsoft Corporation) -> Cached Copy = BD7FB0957C716F1A60333AEE04DE2178 \ OS Copy =

BD7FB0957C716F1A60333AEE04DE2178
C:\WINDOWS\system32\dllcache\spoolsv.exe [2005/06/10 16:53:32 | 00,057,856 | ---- | M] (Microsoft Corporation) ->

C:\WINDOWS\system32\spoolsv.exe [2005/06/10 16:53:32 | 00,057,856 | ---- | M] (Microsoft Corporation) -> Cached Copy =

DA81EC57ACD4CDC3D4C51CF3D409AF9F \ OS Copy = DA81EC57ACD4CDC3D4C51CF3D409AF9F
C:\WINDOWS\system32\dllcache\svchost.exe [2004/08/04 01:00:00 | 00,014,336 | ---- | M] (Microsoft Corporation) ->

C:\WINDOWS\system32\svchost.exe [2004/08/04 01:00:00 | 00,014,336 | ---- | M] (Microsoft Corporation) -> Cached Copy =

8F078AE4ED187AAABC0A305146DE6716 \ OS Copy = 8F078AE4ED187AAABC0A305146DE6716
C:\WINDOWS\system32\dllcache\taskmgr.exe [2004/08/04 01:00:00 | 00,135,680 | ---- | M] (Microsoft Corporation) ->

C:\WINDOWS\system32\taskmgr.exe [2004/08/04 01:00:00 | 00,135,680 | ---- | M] (Microsoft Corporation) -> Cached Copy =

FC160ACE21C81837692B339D230DD4BE \ OS Copy = FC160ACE21C81837692B339D230DD4BE
C:\WINDOWS\system32\dllcache\userinit.exe [2004/08/04 01:00:00 | 00,024,576 | ---- | M] (Microsoft Corporation) ->

C:\WINDOWS\system32\userinit.exe [2004/08/04 01:00:00 | 00,024,576 | ---- | M] (Microsoft Corporation) -> Cached Copy =

39B1FFB03C2296323832ACBAE50D2AFF \ OS Copy = 39B1FFB03C2296323832ACBAE50D2AFF
C:\WINDOWS\system32\dllcache\winlogon.exe [2004/08/04 01:00:00 | 00,502,272 | ---- | M] (Microsoft Corporation) ->

C:\WINDOWS\system32\winlogon.exe [2004/08/04 01:00:00 | 00,502,272 | ---- | M] (Microsoft Corporation) -> Cached Copy =

01C3346C241652F43AED8E2149881BFE \ OS Copy = 01C3346C241652F43AED8E2149881BFE

[CatchMe Rootkit Scan by GMER]
< Windows folder & sub-folders >
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
< Document and Settings folder & sub folders >
scanning hidden files ...
scan completed successfully
hidden files: 0

< End of report >
[/code]

peku006 · Jan 19, 2009

Hi dinosaur58

WordWrap

The formatting of your post is messed up. This is caused by having Word Wrap checked.
1. Click Start > All Programs > Accessories > Notepad
2. On the menu bar in Notepad select Format and click on WordWrap so it appears unchecked.

1 - Scan With ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

How to Temporarily Disable Anti-virus

Please include the C:\ComboFix.txt in your next reply for further review.

2 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

3 - Status Check
Please reply with

1. the ComboFix log(C:\ComboFix.txt)
2. a fresh HijackThis log

Thanks peku006

dinosaur58 · Jan 19, 2009

Status Check Files

Peku006, again my thanks for your help. Confirmed Word Wrap UNchecked, sorry about hard to read log. If it matters - when Combofix finished running 1 Firefox browser window and 2 Windows Explorer windows [open during scan] closed spontaneously. Scans run in Normal mode.

ComboFix 09-01-19.01 - Administrator 2009-01-19 11:23:34.6 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1982.1466 [GMT -7:00]
Running from: c:\documents and settings\Administrator.COMPUTER\My Documents\Anti-Smitfraud\Country1.exe
AV: AVG 7.5.552 *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-12-19 to 2009-01-19 )))))))))))))))))))))))))))))))
.

2009-01-16 07:38 . 2009-01-16 07:38 <DIR> d-------- C:\rsit
2009-01-14 05:14 . 2007-12-11 19:46 3,468 --a------ c:\documents and settings\dht.dat.old
2009-01-14 05:14 . 2007-12-13 10:29 3,338 --a------ c:\documents and settings\dht.dat
2009-01-14 05:14 . 2007-09-08 00:33 2,890 --a------ c:\documents and settings\resume.old
2009-01-14 05:14 . 2007-12-13 10:29 2,260 --a------ c:\documents and settings\settings.dat
2009-01-14 05:14 . 2007-12-13 09:45 2,259 --a------ c:\documents and settings\settings.dat.old
2009-01-14 05:14 . 2007-09-08 00:33 2,245 --a------ c:\documents and settings\settings.old
2009-01-14 05:14 . 2007-09-08 00:33 111 --a------ c:\documents and settings\dht.old
2009-01-14 05:14 . 2007-12-13 10:27 58 --a------ c:\documents and settings\resume.dat.old
2009-01-14 05:14 . 2007-12-13 10:29 58 --a------ c:\documents and settings\resume.dat
2009-01-14 04:10 . 2009-01-14 04:10 <DIR> d--hs---- C:\FOUND.000
2009-01-12 08:30 . 2009-01-12 08:30 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-01-12 08:26 . 2009-01-12 08:26 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-12 08:26 . 2009-01-12 08:26 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-11 12:32 . 2009-01-11 12:32 <DIR> d-------- C:\Country
2009-01-11 12:25 . 2009-01-11 20:58 250 --a------ c:\windows\gmer.ini
2009-01-11 07:54 . 2009-01-11 07:54 <DIR> d-------- c:\program files\Trend Micro
2009-01-11 07:29 . 2009-01-11 07:29 <DIR> d-------- C:\VundoFix Backups

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-14 23:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 23:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-12-12 17:33 3,060,224 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\dllcache\srv.sys
2008-11-14 17:49 12,512,467 ------w C:\AVG7QT.DAT
2008-11-02 15:46 37,270 ----a-w c:\windows\system32\OggDSUninst.exe
2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\dllcache\gdi32.dll
2006-03-03 11:27 1,010 ----a-w c:\documents and settings\Mozilla\registry.dat
2004-04-09 22:13 114,688 ----a-w c:\program files\NETGEAR DG632 USB Driveruninstalldrv.exe
2002-01-03 13:15 61,440 ----a-w c:\windows\inf\i386\onetUSD.dll
2001-10-02 15:58 36,864 ----a-w c:\windows\inf\i386\Wiamicro.dll
2001-09-28 15:00 139,264 ----a-w c:\windows\inf\i386\Rtscan.dll
2001-09-27 15:11 167,936 ----a-w c:\windows\inf\i386\viceo.dll
2008-07-24 03:12 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-07-24 03:12 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-07-24 03:12 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-07-24 03:12 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-07-24 03:12 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( snapshot_2009-01-11_12.21.18.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-11 19:25:06 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-18 04:13:02 811,008 ----a-w c:\windows\gmer.exe
+ 2007-12-12 22:06:42 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe
- 2000-08-31 15:00:00 28,672 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 15:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
+ 2009-01-11 19:25:06 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
- 2008-02-22 08:23:36 135,168 ----a-w c:\windows\system32\java.exe
+ 2009-01-12 15:26:14 144,792 ----a-w c:\windows\system32\java.exe
- 2008-02-22 08:23:40 135,168 ----a-w c:\windows\system32\javaw.exe
+ 2009-01-12 15:26:14 144,792 ----a-w c:\windows\system32\javaw.exe
- 2008-02-22 09:33:32 139,264 ----a-w c:\windows\system32\javaws.exe
+ 2009-01-12 15:26:14 148,888 ----a-w c:\windows\system32\javaws.exe
- 2008-12-09 22:24:38 17,593,280 ----a-w c:\windows\system32\MRT.exe
+ 2009-01-10 01:35:28 20,853,704 ----a-w c:\windows\system32\MRT.exe
- 2008-07-09 07:37:44 13,196 ----a-w c:\windows\system32\Restore\rstrlog.dat
+ 2009-01-14 11:07:52 1,403,752 ----a-w c:\windows\system32\Restore\rstrlog.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 153136]
"AVG7_CC"="c:\progra~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-11-12 590848]
"nwiz"="nwiz.exe" [2007-09-17 c:\windows\system32\nwiz.exe]
"atwtusb"="atwtusb.exe" [2007-03-20 c:\windows\system32\Atwtusb.exe]
"Tweak UI"="TWEAKUI.CPL" [1997-11-08 c:\windows\system32\TWEAKUI.CPL]
"SoundMan"="SOUNDMAN.EXE" [2005-11-11 c:\windows\soundman.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVGFRE~1\avgw.exe" [2008-11-12 219136]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk.disabled [2009-01-12 794]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 01000000
"NoRecentDocsNetHood"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"vidc.X264"= x264vfw.dll
"vidc.hfyu"= huffyuv.dll
"msacm.divxa32"= DivXa32.acm
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.ac3filter"= ac3filter.acm
"msacm.l3codec"= l3codecp.acm
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
"vidc.wmv3"= c:\progra~1\COMBIN~1\Filters\wmv9vcm.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^DOCUME~1^ADMINI~1.COM^Start Menu^Programs^Startup^QuickShelf 2000.lnk]
path=c:\docume~1\ADMINI~1.COM\Start Menu\Programs\Startup\QuickShelf 2000.lnk
backup=c:\windows\pss\QuickShelf 2000.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"VirtualCloneDrive"="c:\program files\VirtualCloneDrive\VCDDaemon.exe" /s
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\System32\\mmc.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12000:TCP"= 12000:TCP:Utor1

R1 aiptektp;Pen Pad;c:\windows\system32\drivers\aiptektp.sys [2008-07-01 22528]
R4 BCMNTIO;BCMNTIO;c:\progra~1\CHECKIT\DIAGNO~1\BCMNTIO.sys [2007-12-20 3744]
R4 MAPMEM;MAPMEM;c:\progra~1\CHECKIT\DIAGNO~1\MAPMEM.sys [2007-12-20 3904]
S4 portD;CMS PortIO Service;c:\windows\system32\DRIVERS\portd2k.sys --> c:\windows\system32\DRIVERS\portd2k.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: Save Flash - c:\program files\SWF-Get\Flash Saving Plugin\FlashSButton.dll/210
FF - ProfilePath - c:\documents and settings\Administrator.COMPUTER\Application Data\Mozilla\Firefox\Profiles\bvvl5608.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-19 11:25:06
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\Administrator\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{08437B63-CA86-7C11-1E25-5A214BD5C952}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abnllihdbjplkgkdpkebpdfihejcgiaodb"=hex:61,62,6c,65,69,61,66,69,69,68,6d,65,
63,6d,6c,6e,63,67,63,66,6d,6a,6b,63,64,6d,67,61,68,66,62,70,65,61,00,00
"bbnllihdbjplkgkdpkfbdachibjdfkjonkac"=hex:61,62,67,67,63,64,64,61,65,69,68,62,
66,6d,63,70,63,64,65,68,6d,67,6e,6c,65,67,6a,6e,70,67,6e,6d,6f,63,00,00
.
Completion time: 2009-01-19 11:26:14
ComboFix-quarantined-files.txt 2009-01-19 18:26:14
ComboFix4.txt 2009-01-03 19:25:34
ComboFix3.txt 2009-01-11 19:22:08
ComboFix5.txt 2009-01-19 18:23:08
ComboFix2.txt 2009-01-11 19:35:54

Pre-Run: 82,711,445,504 bytes free
Post-Run: 82,855,559,168 bytes free

174 --- E O F --- 2009-01-14 22:25:12

===================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:32:A, on 1/19/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Photoshop Elements\PhotoshopElements.exe
C:\Program Files\Common Files\Adobe\Web\AOM.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\FIREFOX.EXE
C:\Documents and Settings\Administrator.COMPUTER\My Documents\Anti-Smitfraud\HiJackThis.new.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk.disabled
O8 - Extra context menu item: Save Flash - res://C:\Program Files\SWF-Get\Flash Saving Plugin\FlashSButton.dll/210
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\SWF-Get\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1206762645578
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 4345 bytes

=========================

Thanks D58

peku006 · Jan 19, 2009

Hi dinosaur58

Run Malwarebytes' Anti-Malware

Open Malwarebytes' Anti-Malware
Select the Update tab
Click Check for Updates
After the update have been completed, Select the Scanner tab.

Make sure the "Perform full scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

Click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
The log can also be found here:

C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Please reply with

the Malwarebytes' Anti-Malware Log

Thanks peku006

dinosaur58 · Jan 20, 2009

More Info

Peku, Ran an M.B.A.M. Full Scan [usually run Quick Scan]. It found and deleted "Trojan horse Downloader Banload.AHMF Still unable to browse to wvUonLCS.dll
D58

dinosaur58 · Jan 20, 2009

Status Check Files

Peku006, again my thanks for your help. Confirmed Word Wrap UNchecked, sorry about hard to read log.
When Combofix finished running 1 Firefox browser window and 2 Windows Explorer windows [open during scan] closed spontaneously.
Ran an M.B.A.M. Full Scan [usually run Quick Scan]. It found and deleted "Trojan horse Downloader Banload.AHMF Still unable to browse to wvUonLCS.dll
Scans run in Normal mode.

ComboFix 09-01-19.01 - Administrator 2009-01-19 11:23:34.6 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1982.1466 [GMT -7:00]
Running from: c:\documents and settings\Administrator.COMPUTER\My Documents\Anti-Smitfraud\Country1.exe
AV: AVG 7.5.552 *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-12-19 to 2009-01-19 )))))))))))))))))))))))))))))))
.

2009-01-16 07:38 . 2009-01-16 07:38 <DIR> d-------- C:\rsit
2009-01-14 05:14 . 2007-12-11 19:46 3,468 --a------ c:\documents and settings\dht.dat.old
2009-01-14 05:14 . 2007-12-13 10:29 3,338 --a------ c:\documents and settings\dht.dat
2009-01-14 05:14 . 2007-09-08 00:33 2,890 --a------ c:\documents and settings\resume.old
2009-01-14 05:14 . 2007-12-13 10:29 2,260 --a------ c:\documents and settings\settings.dat
2009-01-14 05:14 . 2007-12-13 09:45 2,259 --a------ c:\documents and settings\settings.dat.old
2009-01-14 05:14 . 2007-09-08 00:33 2,245 --a------ c:\documents and settings\settings.old
2009-01-14 05:14 . 2007-09-08 00:33 111 --a------ c:\documents and settings\dht.old
2009-01-14 05:14 . 2007-12-13 10:27 58 --a------ c:\documents and settings\resume.dat.old
2009-01-14 05:14 . 2007-12-13 10:29 58 --a------ c:\documents and settings\resume.dat
2009-01-14 04:10 . 2009-01-14 04:10 <DIR> d--hs---- C:\FOUND.000
2009-01-12 08:30 . 2009-01-12 08:30 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-01-12 08:26 . 2009-01-12 08:26 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-12 08:26 . 2009-01-12 08:26 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-11 12:32 . 2009-01-11 12:32 <DIR> d-------- C:\Country
2009-01-11 12:25 . 2009-01-11 20:58 250 --a------ c:\windows\gmer.ini
2009-01-11 07:54 . 2009-01-11 07:54 <DIR> d-------- c:\program files\Trend Micro
2009-01-11 07:29 . 2009-01-11 07:29 <DIR> d-------- C:\VundoFix Backups

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-14 23:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 23:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-12-12 17:33 3,060,224 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\dllcache\srv.sys
2008-11-14 17:49 12,512,467 ------w C:\AVG7QT.DAT
2008-11-02 15:46 37,270 ----a-w c:\windows\system32\OggDSUninst.exe
2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\dllcache\gdi32.dll
2006-03-03 11:27 1,010 ----a-w c:\documents and settings\Mozilla\registry.dat
2004-04-09 22:13 114,688 ----a-w c:\program files\NETGEAR DG632 USB Driveruninstalldrv.exe
2002-01-03 13:15 61,440 ----a-w c:\windows\inf\i386\onetUSD.dll
2001-10-02 15:58 36,864 ----a-w c:\windows\inf\i386\Wiamicro.dll
2001-09-28 15:00 139,264 ----a-w c:\windows\inf\i386\Rtscan.dll
2001-09-27 15:11 167,936 ----a-w c:\windows\inf\i386\viceo.dll
2008-07-24 03:12 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-07-24 03:12 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-07-24 03:12 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-07-24 03:12 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-07-24 03:12 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( snapshot_2009-01-11_12.21.18.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-11 19:25:06 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-18 04:13:02 811,008 ----a-w c:\windows\gmer.exe
+ 2007-12-12 22:06:42 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe
- 2000-08-31 15:00:00 28,672 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 15:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
+ 2009-01-11 19:25:06 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
- 2008-02-22 08:23:36 135,168 ----a-w c:\windows\system32\java.exe
+ 2009-01-12 15:26:14 144,792 ----a-w c:\windows\system32\java.exe
- 2008-02-22 08:23:40 135,168 ----a-w c:\windows\system32\javaw.exe
+ 2009-01-12 15:26:14 144,792 ----a-w c:\windows\system32\javaw.exe
- 2008-02-22 09:33:32 139,264 ----a-w c:\windows\system32\javaws.exe
+ 2009-01-12 15:26:14 148,888 ----a-w c:\windows\system32\javaws.exe
- 2008-12-09 22:24:38 17,593,280 ----a-w c:\windows\system32\MRT.exe
+ 2009-01-10 01:35:28 20,853,704 ----a-w c:\windows\system32\MRT.exe
- 2008-07-09 07:37:44 13,196 ----a-w c:\windows\system32\Restore\rstrlog.dat
+ 2009-01-14 11:07:52 1,403,752 ----a-w c:\windows\system32\Restore\rstrlog.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 153136]
"AVG7_CC"="c:\progra~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-11-12 590848]
"nwiz"="nwiz.exe" [2007-09-17 c:\windows\system32\nwiz.exe]
"atwtusb"="atwtusb.exe" [2007-03-20 c:\windows\system32\Atwtusb.exe]
"Tweak UI"="TWEAKUI.CPL" [1997-11-08 c:\windows\system32\TWEAKUI.CPL]
"SoundMan"="SOUNDMAN.EXE" [2005-11-11 c:\windows\soundman.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVGFRE~1\avgw.exe" [2008-11-12 219136]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk.disabled [2009-01-12 794]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 01000000
"NoRecentDocsNetHood"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"vidc.X264"= x264vfw.dll
"vidc.hfyu"= huffyuv.dll
"msacm.divxa32"= DivXa32.acm
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.ac3filter"= ac3filter.acm
"msacm.l3codec"= l3codecp.acm
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
"vidc.wmv3"= c:\progra~1\COMBIN~1\Filters\wmv9vcm.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^DOCUME~1^ADMINI~1.COM^Start Menu^Programs^Startup^QuickShelf 2000.lnk]
path=c:\docume~1\ADMINI~1.COM\Start Menu\Programs\Startup\QuickShelf 2000.lnk
backup=c:\windows\pss\QuickShelf 2000.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"VirtualCloneDrive"="c:\program files\VirtualCloneDrive\VCDDaemon.exe" /s
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\System32\\mmc.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12000:TCP"= 12000:TCP:Utor1

R1 aiptektp;Pen Pad;c:\windows\system32\drivers\aiptektp.sys [2008-07-01 22528]
R4 BCMNTIO;BCMNTIO;c:\progra~1\CHECKIT\DIAGNO~1\BCMNTIO.sys [2007-12-20 3744]
R4 MAPMEM;MAPMEM;c:\progra~1\CHECKIT\DIAGNO~1\MAPMEM.sys [2007-12-20 3904]
S4 portD;CMS PortIO Service;c:\windows\system32\DRIVERS\portd2k.sys --> c:\windows\system32\DRIVERS\portd2k.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: Save Flash - c:\program files\SWF-Get\Flash Saving Plugin\FlashSButton.dll/210
FF - ProfilePath - c:\documents and settings\Administrator.COMPUTER\Application Data\Mozilla\Firefox\Profiles\bvvl5608.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-19 11:25:06
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\Administrator\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{08437B63-CA86-7C11-1E25-5A214BD5C952}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abnllihdbjplkgkdpkebpdfihejcgiaodb"=hex:61,62,6c,65,69,61,66,69,69,68,6d,65,
63,6d,6c,6e,63,67,63,66,6d,6a,6b,63,64,6d,67,61,68,66,62,70,65,61,00,00
"bbnllihdbjplkgkdpkfbdachibjdfkjonkac"=hex:61,62,67,67,63,64,64,61,65,69,68,62,
66,6d,63,70,63,64,65,68,6d,67,6e,6c,65,67,6a,6e,70,67,6e,6d,6f,63,00,00
.
Completion time: 2009-01-19 11:26:14
ComboFix-quarantined-files.txt 2009-01-19 18:26:14
ComboFix4.txt 2009-01-03 19:25:34
ComboFix3.txt 2009-01-11 19:22:08
ComboFix5.txt 2009-01-19 18:23:08
ComboFix2.txt 2009-01-11 19:35:54

Pre-Run: 82,711,445,504 bytes free
Post-Run: 82,855,559,168 bytes free

174 --- E O F --- 2009-01-14 22:25:12

===================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:32:A, on 1/19/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Photoshop Elements\PhotoshopElements.exe
C:\Program Files\Common Files\Adobe\Web\AOM.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\FIREFOX.EXE
C:\Documents and Settings\Administrator.COMPUTER\My Documents\Anti-Smitfraud\HiJackThis.new.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk.disabled
O8 - Extra context menu item: Save Flash - res://C:\Program Files\SWF-Get\Flash Saving Plugin\FlashSButton.dll/210
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\SWF-Get\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1206762645578
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 4345 bytes

=========================

Thanks D58

peku006 · Jan 20, 2009

Hi dinosaur58

Press Start->Run, copy/paste the following command into the box and press OK:

cmd /c dir C:\*.* /L /A /B /S|Find "wvUonLCS.dll" >> "%userprofile%\desktop\look.txt"

A file called look.txt should appear on your Desktop. Please post the contents of this file.

Thanks peku006

dinosaur58 · Jan 20, 2009

Confusion resolved

Peku, regret double post. I was not seeing your response of yesterday 12:04. MBAM log [Program did not ask about drives] referred to in my most recent post follows :

Malwarebytes' Anti-Malware 1.33
Database version: 1668
Windows 5.1.2600 Service Pack 2

1/20/2009 12:01:58 AM
mbam-log-2009-01-20 (00-01-58).txt

Scan type: Full Scan (C:\|)
Objects scanned: 112744
Time elapsed: 18 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Administrator.COMPUTER\My Documents\ReActivate\WinXP_Activate\Windows XP Keygen.exe (Malware.Tool) -> Not selected for removal.
C:\System Volume Information\_restore{A08155B8-3425-4173-9474-2C7C1FC3A3D2}\RP160\A0020203.exe (Adware.Agent) -> Quarantined and deleted successfully.

Thanks Again, D58

peku006 · Jan 20, 2009

Hi dinosaur58

Do you know what this program is?
C:\Documents and Settings\Administrator.COMPUTER\My Documents\ReActivate\WinXP_Activate\Windows XP Keygen.exe

dinosaur58 · Jan 20, 2009

Continued

look.txt file is empty. Re Windows XP Keygen.exe - was helping a freind of mine to reinstall his OS, didn't know how to find his key. Tried to use the keygen, but never got a good key from it. Finally found software for key retrieval. Can delete it if it's dangerous. Haven't run it in over a year, have had Kaspersky Full scans clean since then.
D58

peku006 · Jan 20, 2009

Hi D58

You will need to validate your copy of Windows, please use Internet Explorer for the next step

Click here to visit Microsoft website.
Click on the Validate Windows button on the top right hand corner to validate your Windows.
Click on Continue.
You will be prompted to install an ActiveX. Please install it.
Please copy and paste the results of the validation in your next reply.

thanks peku006

dinosaur58 · Jan 20, 2009

Windows validation

All I got was this:

Validation Complete!
Thank you for completing the validation process and for using genuine Microsoft software.

By using genuine Microsoft software, you can be confident that you will have access to the latest features, security, and support, which will help to improve your productivity and expand the capabilities of your computer.

You will also have access to new innovations and offerings available only to genuine Microsoft software customers.

peku006 · Jan 20, 2009

Hi D58
Thanks for returning your information...

1 - use windows search function

Please enable the Show Hidden Folders option

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Next,
Please open the window explorer.

Right click at start button. Click explore
Search the file or directory as below (if exist):

wvUonLCS.dll

Click to expand...
Delete the file in red color if still exist.

2 - Clean temp files

Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.Double-click ATF Cleaner.exe to open it.

Under Main choose:
- Windows Temp
  Current User Temp
  All Users Temp
  Temporary Internet Files
  Prefetch
  Java Cache
  *The other boxes are optional*
  Then click the Empty Selected button.
if you use Firefox:
- Click Firefox at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
if you use Opera:
- Click Opera at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program

3 - Kaspersky Online Scan

Please go to Kaspersky website and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
- Spyware, Adware, Dialers, and other potentially dangerous programs
  Archives
  Mail databases
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.

4 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

5 - Status Check
Please reply with

1. the Kaspersky online scanner report
2. a fresh HijackThis log
How's the computer running now?

Thanks peku006

Something's hiding

New member

Emeritus- Security Expert

New member

Emeritus- Security Expert

New member

New member

New member

New member

Emeritus- Security Expert

New member

Emeritus- Security Expert

New member

New member

Emeritus- Security Expert

New member

Emeritus- Security Expert

New member

Emeritus- Security Expert

New member

Emeritus- Security Expert