Gladiator Security Forum > My Hijack log, please help..

Full Version: My Hijack log, please help..

Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?

Pages: 1, 2

che

Jan 15 2006, 11:13 AM

Hi..

My Computer has been slowing down on me recently. Furthermore I just started using Firefox, and everytime I do a google search I first get a message back that my computer is sending a lot of info, and they think I'm infected with something.
I have Mic. Antispyware and Symantec, and can't find anything.
I do know that I have "my search bar" which I can't get rid of, but none other viruses I know of.. I also had a warning about "datalayer.exe". but I deleted the file with Symantec..

If someone could check my logfile I would appreciate it alot..Thanks!!

Che

Logfile of HijackThis v1.99.1
Scan saved at 12:22:11 PM, on 1/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\Support.com\bin\tgcmd.exe
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Plaxo\2.6.2.7\PlaxoHelper.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\DfrgNtfs.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\VPC32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Nils\My Documents\Installation files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vi.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vi.nl/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.ams.chello.nl:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [tgcmd] "C:\PROGRA~1\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ATIPTA] C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [Data Layer 2] datalayer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.6.2.7\PlaxoHelper.exe -a
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D185838-009D-47C8-824B-B65B4854430E} (Installer Class) - http://quickfix2.chello.nl/quickfix2/asp/chelloInstall.CAB
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1099473463000
O16 - DPF: {8731163E-77B9-4F91-9122-F112521C28AF} (MMSPlayerX Class) - http://212.41.157.233:8080/mmawap/jsp/comp...r/mmsPlayer.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {C58EFA10-2CC0-4C50-8C77-B326555EC1B7} (clsDefault Class) - http://quickfix2.chello.nl/quickfix2/asp/LaunchApp.CAB
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) - http://as.photoprintit.de/ips-opdata/74914...IPSUploader.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://liveca04.custhelp.com/7020-b375h/rnl/java/RntX.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Mosaic1

Jan 15 2006, 09:00 PM

Hi,

QUOTE

everytime I do a google search I first get a message back that my computer is sending a lot of info, and they think I'm infected with something

That is confusing What program gives you that message? What does it say on the titlebar for this message. And what are the exact words of the message please.

Download Autoruns from this page:
http://www.sysinternals.com/Utilities/Autoruns.html

Unzip to a folder and the double click on autoruns.exe

Wait until the program has finished running (the status line will show 'Ready')
Under the 'Options' menu, make sure that 'Include Empty Sections' is checked.
Wait again until ready.

Be sure the 'Everything' tab is selected.
Select 'File -> Save' and save the output file.

Copy the contents of the Autoruns text file and post its contents in your next reply here.

che

Jan 15 2006, 09:52 PM

Hi..

Thanks for helping me..
When I use google for a search it says: (translating from dutch) Sorry but we cannot comply to your request. A computer virus or Anti spyware programme is sending us automatic requests. It looks like your computer or network is infected.

We'll try to give you access asap. Please try these antispy and virus software, and try again later.

Hope to see you soon..

(then beneath it it shows a couple validation letters, and if I type those in a box below, I get forwarded to my request). The title of the page is: 403 forbidden.

As I have Microsoft Antispyware it could be that that's the cause of this, but I've never had it with IE, and as it's such a common antispyware programme, I doubt if that's it..

This is the output of Autoruns:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

+ C:\WINDOWS\system32\userinit.exe Userinit Logon Application Microsoft Corporation c:\windows\system32\userinit.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

+ Explorer.exe Windows Explorer Microsoft Corporation c:\windows\explorer.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

+ ATIModeChange ATI 2D Mode component ATI Technologies, Inc. c:\windows\system32\ati2mdxx.exe

+ ATIPTA ATI Desktop Control Panel ATI Technologies, Inc. c:\program files\ati technologies\ati control panel\atiptaxx.exe

+ gcasServ Microsoft AntiSpyware Service Microsoft Corporation c:\program files\microsoft antispyware\gcasserv.exe

+ iTunesHelper iTunesHelper Module Apple Computer, Inc. c:\program files\itunes\ituneshelper.exe

+ KernelFaultCheck Windows Error Reporting Dump Reporting Tool Microsoft Corporation c:\windows\system32\dumprep.exe

+ QuickTime Task QuickTime Task Apple Computer, Inc. c:\program files\quicktime\qttask.exe

+ SmcService Sygate Agent Firewall Sygate Technologies, Inc. c:\program files\sygate\spf\smc.exe

+ tgcmd Support.com Scheduler and Command Dispatcher Support.com, Inc. c:\program files\support.com\bin\tgcmd.exe

+ vptray Symantec AntiVirus Symantec Corporation c:\program files\symantec_client_security\symantec antivirus\vptray.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

+ Microsoft Office.lnk Microsoft Office XP component Microsoft Corporation c:\program files\microsoft office\office10\osa.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

+ ctfmon.exe CTF Loader Microsoft Corporation c:\windows\system32\ctfmon.exe

+ PlaxoUpdate Enables Plaxo to integrate securely with Outlook Express Plaxo, Inc. c:\program files\plaxo\2.6.2.7\plaxohelper.exe

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components

+ Address Book 6 Outlook Express Setup Library Microsoft Corporation c:\program files\outlook express\setup50.exe

+ Browser Customizations Microsoft Internet Explorer Customization DLL Microsoft Corporation c:\windows\system32\iedkcs32.dll

+ Internet Explorer Windows NT User Data Migration Tool Microsoft Corporation c:\windows\system32\shmgrate.exe

+ Internet Explorer Windows Setup API Microsoft Corporation c:\windows\system32\setupapi.dll

+ Internet Explorer 6 IE 5.0 Per-User Install Utility Microsoft Corporation c:\windows\system32\ie4uinit.exe

+ Microsoft Outlook Express 6 Outlook Express Setup Library Microsoft Corporation c:\program files\outlook express\setup50.exe

+ Microsoft Windows Media Player ADVPACK Microsoft Corporation c:\windows\system32\advpack.dll

+ NetMeeting 3.01 ADVPACK Microsoft Corporation c:\windows\system32\advpack.dll

+ Outlook Express Windows NT User Data Migration Tool Microsoft Corporation c:\windows\system32\shmgrate.exe

+ Themes Setup Microsoft© Register Server Microsoft Corporation c:\windows\system32\regsvr32.exe

+ Windows Desktop Update Microsoft© Register Server Microsoft Corporation c:\windows\system32\regsvr32.exe

+ Windows Media Player Microsoft Windows Media Player Setup Utility Microsoft Corporation c:\windows\inf\unregmp2.exe

+ Windows Messenger 4.7 ADVPACK Microsoft Corporation c:\windows\system32\advpack.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

+ Browseui preloader Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ Component Categories cache daemon Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

+ CDBurn Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll

+ PostBootReminder Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll

+ SysTray Systray shell service object Microsoft Corporation c:\windows\system32\stobject.dll

+ WebCheck Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

+ Microsoft AntiSpyware Service Hook Microsoft AntiSpyware Shell Extension Microsoft Corporation c:\program files\microsoft antispyware\shellextension.dll

+ shell32.dll Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

+ %DESC_PublishDropTarget% Photo Printing Wizard Microsoft Corporation c:\windows\system32\photowiz.dll

+ &Address Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ .CAB file viewer Cabinet File Viewer Shell Extension Microsoft Corporation c:\windows\system32\cabview.dll

+ Accessible Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ ActiveX Cache Folder Object Control Viewer Microsoft Corporation c:\windows\system32\occache.dll

+ Adaptec DirectCD Shell Extension DirectCD Shell Extention DLL Roxio c:\program files\roxio\easy cd creator 5\directcd\shellex.dll

+ Address Bar Parser Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ Address EditBox Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ Administrative Tools Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ Audio Media Properties Handler Media File Property Extractor Shell Extension Microsoft Corporation c:\windows\system32\shmedia.dll

+ Augmented Shell Folder Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ Augmented Shell Folder 2 Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ Auto Update Property Sheet Extension Automatic Updates Control Panel Microsoft Corporation c:\windows\system32\wuaucpl.cpl

+ Avi Properties Handler Media File Property Extractor Shell Extension Microsoft Corporation c:\windows\system32\shmedia.dll

+ BandProxy Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ Briefcase Windows Briefcase Microsoft Corporation c:\windows\system32\syncui.dll

+ CDF Extension Copy Hook Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ Channel File Channel Definition File Viewer Microsoft Corporation c:\windows\system32\cdfview.dll

+ Channel Handler Object Channel Definition File Viewer Microsoft Corporation c:\windows\system32\cdfview.dll

+ Channel Menu Channel Definition File Viewer Microsoft Corporation c:\windows\system32\cdfview.dll

+ Channel Properties Channel Definition File Viewer Microsoft Corporation c:\windows\system32\cdfview.dll

+ Channel Shortcut Channel Definition File Viewer Microsoft Corporation c:\windows\system32\cdfview.dll

+ Code Download Agent Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll

+ Compatibility Page Compatibility Tab Shell Extension DLL Microsoft Corporation c:\windows\system32\slayerxp.dll

+ Compressed (zipped) Folder Compressed (zipped) Folders Microsoft Corporation c:\windows\system32\zipfldr.dll

+ Compressed (zipped) Folder Right Drag Handler Compressed (zipped) Folders Microsoft Corporation c:\windows\system32\zipfldr.dll

+ Compressed (zipped) Folder SendTo Target Compressed (zipped) Folders Microsoft Corporation c:\windows\system32\zipfldr.dll

+ ConnectionAgent Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll

+ Crypto PKO Extension Crypto Shell Extensions Microsoft Corporation c:\windows\system32\cryptext.dll

+ Crypto Sign Extension Crypto Shell Extensions Microsoft Corporation c:\windows\system32\cryptext.dll

+ Custom MRU AutoCompleted List Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ Darwin App Publisher Shell Application Manager Microsoft Corporation c:\windows\system32\appwiz.cpl

+ Dell DJ Explorer Dell DJ Explorer Plugin Creative Technology Ltd c:\program files\dell\dell dj explorer\ctojbns.dll

+ DfsShell Distributed File System shell extension Microsoft Corporation c:\windows\system32\dfsshlex.dll

+ Directory Context Menu Verbs Directory Service Common UI Microsoft Corporation c:\windows\system32\dsuiext.dll

+ Directory Object Find Directory Service Find Microsoft Corporation c:\windows\system32\dsquery.dll

+ Directory Property UI Directory Service Common UI Microsoft Corporation c:\windows\system32\dsuiext.dll

+ Directory Query UI Directory Service Find Microsoft Corporation c:\windows\system32\dsquery.dll

+ Directory Start/Search Find Directory Service Find Microsoft Corporation c:\windows\system32\dsquery.dll

+ Disk Copy Extension Windows DiskCopy Microsoft Corporation c:\windows\system32\diskcopy.dll

+ Disk Quota UI Windows Shell Disk Quota UI DLL Microsoft Corporation c:\windows\system32\dskquoui.dll

+ Display Adapter CPL Extension Advanced display adapter properties Microsoft Corporation c:\windows\system32\deskadp.dll

+ Display Monitor CPL Extension Advanced display monitor properties Microsoft Corporation c:\windows\system32\deskmon.dll

+ Display Panning CPL Extension File not found: deskpan.dll

+ Display TroubleShoot CPL Extension Advanced display performance properties Microsoft Corporation c:\windows\system32\deskperf.dll

+ Download Status Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ DS Security Page Directory Service Security UI Microsoft Corporation c:\windows\system32\dssec.dll

+ E-mail Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ Explorer Band Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ Extensions Manager Folder Extensions Manager Microsoft Corporation c:\windows\system32\extmgr.dll

+ Favorites Band Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ Fonts Windows Font Folder Microsoft Corporation c:\windows\system32\fontext.dll

+ Fonts Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ For &People... Find People Microsoft Corporation c:\program files\outlook express\wabfind.dll

+ FTP Folders Webview Microsoft Internet Explorer FTP Folder Shell Extension Microsoft Corporation c:\windows\system32\msieftp.dll

+ GDI+ file thumbnail extractor Windows Picture and Fax Viewer Microsoft Corporation c:\windows\system32\shimgvw.dll

+ Get a Passport Wizard Map Network Drives/Network Places Wizard Microsoft Corporation c:\windows\system32\netplwiz.dll

+ Global Folder Settings Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ guard.tmp c:\windows\system32\guard.tmp

+ Help and Support Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ Help and Support Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ History Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ HTML Thumbnail Extractor Windows Picture and Fax Viewer Microsoft Corporation c:\windows\system32\shimgvw.dll

+ hupertrm.dll c:\windows\system32\hupertrm.dll

+ HyperTerminal Icon Ext HyperTerminal Applet Library Hilgraeve, Inc. c:\windows\system32\hticons.dll

+ ICC Profile Microsoft Color Matching System User Interface DLL Microsoft Corporation c:\windows\system32\icmui.dll

+ ICM Monitor Management Microsoft Color Matching System User Interface DLL Microsoft Corporation c:\windows\system32\icmui.dll

+ ICM Printer Management Microsoft Color Matching System User Interface DLL Microsoft Corporation c:\windows\system32\icmui.dll

+ ICM Scanner Management Microsoft Color Matching System User Interface DLL Microsoft Corporation c:\windows\system32\icmui.dll

+ IE4 Suite Splash Screen Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ In-pane search Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ Installed Apps Enumerator Shell Application Manager Microsoft Corporation c:\windows\system32\appwiz.cpl

+ Internet Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ Internet Name Space Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ InternetShortcut Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ ISFBand OC Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ iTunes iTunes Mini Player DLL Apple Computer, Inc. c:\program files\itunes\itunesminiplayer.dll

+ KodakShellExtension Shell Extension Resource DLL Eastman Kodak Company c:\program files\common files\kodak\ifscore\kodakshx.dll

+ LDVP Shell Extensions Symantec AntiVirus Symantec Corporation c:\program files\common files\symantec shared\ssc\vpshell2.dll

+ Microsoft Agent Character Property Sheet Handler Microsoft Agent Property Sheet Handler Microsoft Corporation c:\windows\msagent\agentpsh.dll

+ Microsoft AutoComplete Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ Microsoft Browser Architecture Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ Microsoft BrowserBand Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ Microsoft Data Link Microsoft Data Access - OLE DB Core Services Microsoft Corporation c:\program files\common files\system\ole db\oledb32.dll

+ Microsoft DocProp Inplace Calendar Control Microsoft DocProp Shell Ext Microsoft Corporation c:\windows\system32\docprop2.dll

+ Microsoft DocProp Inplace Droplist Combo Control Microsoft DocProp Shell Ext Microsoft Corporation c:\windows\system32\docprop2.dll

+ Microsoft DocProp Inplace Edit Box Control Microsoft DocProp Shell Ext Microsoft Corporation c:\windows\system32\docprop2.dll

+ Microsoft DocProp Inplace ML Edit Box Control Microsoft DocProp Shell Ext Microsoft Corporation c:\windows\system32\docprop2.dll

+ Microsoft DocProp Inplace Time Control Microsoft DocProp Shell Ext Microsoft Corporation c:\windows\system32\docprop2.dll

+ Microsoft DocProp Shell Ext Microsoft DocProp Shell Ext Microsoft Corporation c:\windows\system32\docprop2.dll

+ Microsoft History AutoComplete List Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ Microsoft Internet Toolbar Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ Microsoft Multiple AutoComplete List Container Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ Microsoft Office HTML Icon Handler Microsoft Office XP component Microsoft Corporation c:\program files\microsoft office\office10\msohev.dll

+ Microsoft Outlook Custom Icon Handler Outlook Shell Hook for Start/Find Microsoft Corporation c:\program files\microsoft office\office10\olkfstub.dll

+ Microsoft Shell Folder AutoComplete List Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ Microsoft Url History Service Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ Microsoft Url Search Hook Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ Midi Properties Handler Media File Property Extractor Shell Extension Microsoft Corporation c:\windows\system32\shmedia.dll

+ MMC Icon Handler MMC Shell Extension DLL Microsoft Corporation c:\windows\system32\mmcshext.dll

+ MRU AutoComplete List Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ Multimedia File Property Sheet Control Panel Drivers Applet Microsoft Corporation c:\windows\system32\mmsys.cpl

+ MyDocs Copy Hook My Documents Folder UI Microsoft Corporation c:\windows\system32\mydocs.dll

+ MyDocs Drop Target My Documents Folder UI Microsoft Corporation c:\windows\system32\mydocs.dll

+ MyDocs Properties My Documents Folder UI Microsoft Corporation c:\windows\system32\mydocs.dll

+ Network Connections Network Connections Shell Microsoft Corporation c:\windows\system32\netshell.dll

+ Network Connections Network Connections Shell Microsoft Corporation c:\windows\system32\netshell.dll

+ NTFS Security Page Security Shell Extension Microsoft Corporation c:\windows\system32\rshx32.dll

+ Offline Files Folder Client Side Caching UI Microsoft Corporation c:\windows\system32\cscui.dll

+ Offline Files Folder Options Client Side Caching UI Microsoft Corporation c:\windows\system32\cscui.dll

+ Offline Files Menu Client Side Caching UI Microsoft Corporation c:\windows\system32\cscui.dll

+ OLE Docfile Property Page OLE DocFile Property Page Microsoft Corporation c:\windows\system32\docprop.dll

+ PlusPack CPL Extension Windows Theme API Microsoft Corporation c:\windows\system32\themeui.dll

+ Portable Media Devices Portable Media Devices Shell Extension Microsoft Corporation c:\windows\system32\audiodev.dll

+ Portable Media Devices Menu Portable Media Devices Shell Extension Microsoft Corporation c:\windows\system32\audiodev.dll

+ PostAgent Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll

+ Previous Versions Previous Versions property page Microsoft Corporation c:\windows\system32\twext.dll

+ Previous Versions Property Page Previous Versions property page Microsoft Corporation c:\windows\system32\twext.dll

+ Print Ordering via the Web Map Network Drives/Network Places Wizard Microsoft Corporation c:\windows\system32\netplwiz.dll

+ Printers Security Page Security Shell Extension Microsoft Corporation c:\windows\system32\rshx32.dll

+ pzapi.dll File not found: C:\WINDOWS\system32\pzapi.dll

+ Registry Tree Options Utility Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ Remote Sessions CPL Extension Remote Sessions CPL Extension Microsoft Corporation c:\windows\system32\remotepg.dll

+ Run... Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ Scanners & Cameras Imaging Devices Shell Folder UI Microsoft Corporation c:\windows\system32\wiashext.dll

+ Scanners & Cameras Imaging Devices Shell Folder UI Microsoft Corporation c:\windows\system32\wiashext.dll

+ Scanners & Cameras Imaging Devices Shell Folder UI Microsoft Corporation c:\windows\system32\wiashext.dll

+ Scanners & Cameras Imaging Devices Shell Folder UI Microsoft Corporation c:\windows\system32\wiashext.dll

+ Scanners & Cameras Imaging Devices Shell Folder UI Microsoft Corporation c:\windows\system32\wiashext.dll

+ Scheduled Tasks Task Scheduler interface DLL Microsoft Corporation c:\windows\system32\mstask.dll

+ Search Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ Search Assistant OC Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ Search Band Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ Sendmail service Send Mail Microsoft Corporation c:\windows\system32\sendmail.dll

+ Sendmail service Send Mail Microsoft Corporation c:\windows\system32\sendmail.dll

+ Set Program Access and Defaults Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ Shell Application Manager Shell Application Manager Microsoft Corporation c:\windows\system32\appwiz.cpl

+ Shell Automation Inproc Service Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ Shell Band Site Menu Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ Shell DeskBar Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ Shell DeskBarApp Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ Shell DocObject Viewer Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ Shell extensions for Microsoft Windows Network objects Network object shell UI Microsoft Corporation c:\windows\system32\ntlanui2.dll

+ Shell Extensions for RealOne Player RealPlayer Shell Extensions RealNetworks, Inc. c:\program files\real\realplayer\rpshell.dll

+ Shell extensions for sharing Shell extensions for sharing Microsoft Corporation c:\windows\system32\ntshrui.dll

+ Shell extensions for sharing Shell extensions for sharing Microsoft Corporation c:\windows\system32\ntshrui.dll

+ Shell extensions for Windows Script Host Microsoft ® Shell Extension for Windows Script Host Microsoft Corporation c:\windows\system32\wshext.dll

+ Shell Image Data Factory Windows Picture and Fax Viewer Microsoft Corporation c:\windows\system32\shimgvw.dll

+ Shell Image Property Handler Windows Picture and Fax Viewer Microsoft Corporation c:\windows\system32\shimgvw.dll

+ Shell Image Verbs Windows Picture and Fax Viewer Microsoft Corporation c:\windows\system32\shimgvw.dll

+ Shell properties for a DS object Directory Service Find Microsoft Corporation c:\windows\system32\dsquery.dll

+ Shell Publishing Wizard Object Map Network Drives/Network Places Wizard Microsoft Corporation c:\windows\system32\netplwiz.dll

+ Shell Rebar BandSite Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ Shell Scrap DataHandler Shell scrap object handler Microsoft Corporation c:\windows\system32\shscrap.dll

+ Shell Search Band Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ Siemens Device DESShellExt Module Siemens AG c:\program files\mobile phone manager\des\desshellext.dll

+ Siemens Device ContextMenuHandler DESShellExt Module Siemens AG c:\program files\mobile phone manager\des\desshellext.dll

+ Siemens SX1 PropertySheetHandler DESShellExt Module Siemens AG c:\program files\mobile phone manager\des\desshellext.dll

+ Subscription Folder Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll

+ Subscription Mgr Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll

+ sulwapi.dll c:\windows\system32\sulwapi.dll

+ Summary Info Thumbnail handler (DOCFILES) Windows Picture and Fax Viewer Microsoft Corporation c:\windows\system32\shimgvw.dll

+ Taskbar and Start Menu Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll

+ Tasks Folder Icon Handler Task Scheduler interface DLL Microsoft Corporation c:\windows\system32\mstask.dll

+ Tasks Folder Shell Extension Task Scheduler interface DLL Microsoft Corporation c:\windows\system32\mstask.dll

+ Temporary Internet Files Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ Temporary Internet Files Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ The Internet Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ Track Popup Bar Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ TrayAgent Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll

+ TridentImageExtractor Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ User Accounts Map Network Drives/Network Places Wizard Microsoft Corporation c:\windows\system32\netplwiz.dll

+ User Assist Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ Video Media Properties Handler Media File Property Extractor Shell Extension Microsoft Corporation c:\windows\system32\shmedia.dll

+ Video Thumbnail Extractor Media File Property Extractor Shell Extension Microsoft Corporation c:\windows\system32\shmedia.dll

+ Wav Properties Handler Media File Property Extractor Shell Extension Microsoft Corporation c:\windows\system32\shmedia.dll

+ Web Folders Microsoft Web Folders Microsoft Corporation c:\program files\common files\microsoft shared\web folders\mson-- The nicest hobby on Earth ;) --t.dll

+ Web Printer Shell Extension Print UI DLL Microsoft Corporation c:\windows\system32\printui.dll

+ Web Publishing Wizard Map Network Drives/Network Places Wizard Microsoft Corporation c:\windows\system32\netplwiz.dll

+ Web Search Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ WebCheck Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll

+ WebCheck SyncMgr Handler Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll

+ WebCheckChannelAgent Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll

+ WebCheckWebCrawler Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll

+ Window Washer Shell Shredding Utility Window Washer Shredding Shell Extension Webroot Software c:\program files\common files\webroot shared\shellwash.dll

+ Windows Media Player Add to Playlist Context Menu Handler Windows Media Player Launcher Microsoft Corporation c:\windows\system32\wmpshell.dll

+ Windows Media Player Burn Audio CD Context Menu Handler Windows Media Player Launcher Microsoft Corporation c:\windows\system32\wmpshell.dll

+ Windows Media Player Play as Playlist Context Menu Handler Windows Media Player Launcher Microsoft Corporation c:\windows\system32\wmpshell.dll

+ WinRAR shell extension c:\program files\winrar\rarext.dll

+ WinZip WinZip Shell Extension DLL WinZip Computing, Inc. c:\program files\winzip\wzshlstb.dll

+ WinZip WinZip Shell Extension DLL WinZip Computing, Inc. c:\program files\winzip\wzshlstb.dll

+ WinZip WinZip Shell Extension DLL WinZip Computing, Inc. c:\program files\winzip\wzshlstb.dll

+ WinZip WinZip Shell Extension DLL WinZip Computing, Inc. c:\program files\winzip\wzshlstb.dll

+ wlcsvc.dll c:\windows\system32\wlcsvc.dll

HKLM\Software\Classes\Folder\Shellex\ColumnHandlers

+ {0D2E74C4-3C34-11d2-A27E-00C04FC30871} Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll

+ {24F14F01-7B1C-11d1-838f-0000F80461CF} Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll

+ {24F14F02-7B1C-11d1-838f-0000F80461CF} Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll

+ {66742402-F9B9-11D1-A202-0000F81FEDEE} Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll

HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks

+ shdocvw.dll Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

HKLM\Software\Microsoft\Internet Explorer\Extensions

+ Windows Messenger Windows Messenger Microsoft Corporation c:\program files\messenger\msmsgs.exe

HKLM\System\CurrentControlSet\Services

+ Ati HotKey Poller c:\windows\system32\ati2evxx.exe

+ AudioSrv Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe

+ Browser Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe

+ CryptSvc Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe

+ DcomLaunch Provides launch functionality for DCOM services. Microsoft Corporation c:\windows\system32\svchost.exe

+ DefWatch Virus Definition Daemon Symantec Corporation c:\program files\symantec_client_security\symantec antivirus\defwatch.exe

+ Dhcp Manages network configuration by registering and updating IP addresses and DNS names. Microsoft Corporation c:\windows\system32\svchost.exe

+ dmserver Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe

+ Dnscache Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe

+ Eventlog Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped. Microsoft Corporation c:\windows\system32\services.exe

+ helpsvc Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe

+ lanmanserver Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe

+ lanmanworkstation Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe

+ LmHosts Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution. Microsoft Corporation c:\windows\system32\svchost.exe

+ MDM Manages local and remote debugging for Visual Studio debuggers Microsoft Corporation c:\program files\common files\microsoft shared\vs7debug\mdm.exe

+ Norton AntiVirus Server Symantec AntiVirus Symantec Corporation c:\program files\symantec_client_security\symantec antivirus\rtvscan.exe

+ PlugPlay Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability. Microsoft Corporation c:\windows\system32\services.exe

+ PolicyAgent Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver. Microsoft Corporation c:\windows\system32\lsass.exe

+ ProtectedStorage Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users. Microsoft Corporation c:\windows\system32\lsass.exe

+ RemoteRegistry Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe

+ RpcSs Provides the endpoint mapper and other miscellaneous RPC services. Microsoft Corporation c:\windows\system32\svchost.exe

+ SamSs Stores security information for local user accounts. Microsoft Corporation c:\windows\system32\lsass.exe

+ Schedule Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe

+ ScsiAccess c:\windows\system32\scsiaccess.exe

+ seclogon Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe

+ SENS Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events. Microsoft Corporation c:\windows\system32\svchost.exe

+ SharedAccess Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. Microsoft Corporation c:\windows\system32\svchost.exe

+ ShellHWDetection Generic Host Process for Win32 Services Microsoft Corporation c:\windows\system32\svchost.exe

+ SmcService Sygate Agent Firewall Sygate Technologies, Inc. c:\program files\sygate\spf\smc.exe

+ Spooler Loads files to memory for later printing. Microsoft Corporation c:\windows\system32\spoolsv.exe

+ srservice Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties Microsoft Corporation c:\windows\system32\svchost.exe

+ stisvc Provides image acquisition services for scanners and cameras. Microsoft Corporation c:\windows\system32\svchost.exe

+ Themes Provides user experience theme management. Microsoft Corporation c:\windows\system32\svchost.exe

+ TrkWks Maintains links between NTFS files within a computer or across computers in a network domain. Microsoft Corporation c:\windows\system32\svchost.exe

+ UMWdf Enables Windows user mode drivers. Microsoft Corporation c:\windows\system32\wdfmgr.exe

+ W32Time Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

Microsoft Corporation c:\windows\system32\svchost.exe

+ WebClient Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe

+ winmgmt Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe

+ WMDM PMSP Service WMDM PMSP Service Microsoft Corporation c:\windows\system32\mspmspsv.exe

+ wscsvc Monitors system security settings and configurations. Microsoft Corporation c:\windows\system32\svchost.exe

+ wuauserv Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site. Microsoft Corporation c:\windows\system32\svchost.exe

+ WZCSVC Provides automatic configuration for the 802.11 adapters Microsoft Corporation c:\windows\system32\svchost.exe

HKLM\System\CurrentControlSet\Services

+ ACPI ACPI Driver for NT Microsoft Corporation c:\windows\system32\drivers\acpi.sys

+ actser Actser Serial Filter driver Siemens AG c:\windows\system32\drivers\actser.sys

+ ADILOADER File not found: System32\Drivers\adildr.sys

+ adiusbae File not found: System32\DRIVERS\adiusbae.sys

+ aec Microsoft Acoustic Echo Canceller Microsoft Corporation c:\windows\system32\drivers\aec.sys

+ AFD AFD Networking Support Environment Microsoft Corporation c:\windows\system32\drivers\afd.sys

+ agp440 440 NT AGP Filter Microsoft Corporation c:\windows\system32\drivers\agp440.sys

+ AsyncMac RAS Asynchronous Media Driver Microsoft Corporation c:\windows\system32\drivers\asyncmac.sys

+ atapi IDE/ATAPI Port Driver Microsoft Corporation c:\windows\system32\drivers\atapi.sys

+ ati2mtag ATI Radeon Miniport Driver ATI Technologies Inc. c:\windows\system32\drivers\ati2mtag.sys

+ Atmarpc ATM ARP Client Protocol Microsoft Corporation c:\windows\system32\drivers\atmarpc.sys

+ audstub AudStub Driver Microsoft Corporation c:\windows\system32\drivers\audstub.sys

+ Bridge MAC Bridge Driver Microsoft Corporation c:\windows\system32\drivers\bridge.sys

+ BridgeMP MAC Bridge Driver Microsoft Corporation c:\windows\system32\drivers\bridge.sys

+ Cdrom SCSI CD-ROM Driver Microsoft Corporation c:\windows\system32\drivers\cdrom.sys

+ DiCapi CAPI 2.0 for Windows NT Eicon Technology c:\windows\system32\drivers\disdn\capi20.sys

+ DiMaint Maintenance_Tools Eicon Technology c:\windows\system32\drivers\disdn\dimaint.sys

+ Disk PnP Disk Driver Microsoft Corporation c:\windows\system32\drivers\disk.sys

+ DiWan WAN Miniport Driver for Windows 2000 Eicon Technology c:\windows\system32\drivers\disdn\diwan.sys

+ dmio NT Disk Manager I/O Driver Microsoft Corp., Veritas Software c:\windows\system32\drivers\dmio.sys

+ dmload NT Disk Manager Startup Driver Microsoft Corp., Veritas Software. c:\windows\system32\drivers\dmload.sys

+ DMusic Microsoft Kernel DLS Synthesizer Microsoft Corporation c:\windows\system32\drivers\dmusic.sys

+ Dot4 One Cool Transport Microsoft Corporation c:\windows\system32\drivers\dot4.sys

+ Dot4Print Dot4 Printer Driver Microsoft Corporation c:\windows\system32\drivers\dot4prt.sys

+ drmkaud Microsoft Kernel DRM Audio Descrambler Filter Microsoft Corporation c:\windows\system32\drivers\drmkaud.sys

+ E100B NDIS 5 driver Intel Corporation c:\windows\system32\drivers\e100b325.sys

+ Fdc Floppy Disk Controller Driver Microsoft Corporation c:\windows\system32\drivers\fdc.sys

+ Flpydisk Floppy Driver Microsoft Corporation c:\windows\system32\drivers\flpydisk.sys

+ Ftdisk FT Disk Driver Microsoft Corporation c:\windows\system32\drivers\ftdisk.sys

+ gameenum Game Port Enumerator Microsoft Corporation c:\windows\system32\drivers\gameenum.sys

+ GEARAspiWDM CDRom Class Filter Driver GEAR Software Inc. c:\windows\system32\drivers\gearaspiwdm.sys

+ Gpc Generic Packet Classifier Microsoft Corporation c:\windows\system32\drivers\msgpc.sys

+ hidusb USB Miniport Driver for Input Devices Microsoft Corporation c:\windows\system32\drivers\hidusb.sys

+ HTTP This service implements the hypertext transfer protocol (HTTP). If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\drivers\http.sys

+ i8042prt i8042 Port Driver Microsoft Corporation c:\windows\system32\drivers\i8042prt.sys

+ Imapi IMAPI Kernel Driver Microsoft Corporation c:\windows\system32\drivers\imapi.sys

+ IntelIde Intel PCI IDE Driver Microsoft Corporation c:\windows\system32\drivers\intelide.sys

+ intelppm Processor Device Driver Microsoft Corporation c:\windows\system32\drivers\intelppm.sys

+ Ip6Fw Provides intrusion prevention service for a home or small office network. Microsoft Corporation c:\windows\system32\drivers\ip6fw.sys

+ IpFilterDriver IP Traffic Filter Driver Microsoft Corporation c:\windows\system32\drivers\ipfltdrv.sys

+ IpInIp IP in IP Tunnel Driver Microsoft Corporation c:\windows\system32\drivers\ipinip.sys

+ IpNat IP Network Address Translator Microsoft Corporation c:\windows\system32\drivers\ipnat.sys

+ IPSec IPSEC driver Microsoft Corporation c:\windows\system32\drivers\ipsec.sys

+ IRENUM Infra-Red Bus Enumerator Microsoft Corporation c:\windows\system32\drivers\irenum.sys

+ isapnp PNP ISA Bus Driver Microsoft Corporation c:\windows\system32\drivers\isapnp.sys

+ Jukebox USB Player Drivers (WDM) Creative Technology Ltd. c:\windows\system32\drivers\ctpdusb2.sys

+ Kbdclass Keyboard Class Driver Microsoft Corporation c:\windows\system32\drivers\kbdclass.sys

+ kmixer Kernel Mode Audio Mixer Microsoft Corporation c:\windows\system32\drivers\kmixer.sys

+ Mouclass Mouse Class Driver Microsoft Corporation c:\windows\system32\drivers\mouclass.sys

+ mouhid HID Mouse Filter Driver Microsoft Corporation c:\windows\system32\drivers\mouhid.sys

+ MSKSSRV MS KS Server Microsoft Corporation c:\windows\system32\drivers\mskssrv.sys

+ MSPCLOCK MS Proxy Clock Microsoft Corporation c:\windows\system32\drivers\mspclock.sys

+ MSPQM MS Proxy Quality Manager Microsoft Corporation c:\windows\system32\drivers\mspqm.sys

+ mssmbios System Management BIOS Driver Microsoft Corporation c:\windows\system32\drivers\mssmbios.sys

+ NAVAP AutoProtect Symantec Corporation c:\program files\symantec_client_security\symantec antivirus\navap.sys

+ NAVAPEL NAVAPEL Symantec Corporation c:\program files\symantec_client_security\symantec antivirus\navapel.sys

+ NAVENG AV Engine Symantec Corporation c:\program files\common files\symantec shared\virusdefs\20060111.038\naveng.sys

+ NAVEX15 AV Engine Symantec Corporation c:\program files\common files\symantec shared\virusdefs\20060111.038\navex15.sys

+ NdisTapi Remote Access NDIS TAPI Driver Microsoft Corporation c:\windows\system32\drivers\ndistapi.sys

+ Ndisuio NDIS Usermode I/O Protocol Microsoft Corporation c:\windows\system32\drivers\ndisuio.sys

+ NdisWan Remote Access NDIS WAN Driver Microsoft Corporation c:\windows\system32\drivers\ndiswan.sys

+ NetBT NetBios over Tcpip Microsoft Corporation c:\windows\system32\drivers\netbt.sys

+ NwlnkFlt IPX Traffic Filter Driver Microsoft Corporation c:\windows\system32\drivers\nwlnkflt.sys

+ NwlnkFwd IPX Traffic Forwarder Driver Microsoft Corporation c:\windows\system32\drivers\nwlnkfwd.sys

+ OMCI OMCI Device Driver Dell Computer Corporation c:\windows\system32\drivers\omci.sys

+ Parport Parallel Port Driver Microsoft Corporation c:\windows\system32\drivers\parport.sys

+ PCI NT Plug and Play PCI Enumerator Microsoft Corporation c:\windows\system32\drivers\pci.sys

+ PfModNT File not found: C:\WINDOWS\system32\drivers\PfModNT.sys

+ PptpMiniport WAN Miniport (PPTP) Microsoft Corporation c:\windows\system32\drivers\raspptp.sys

+ Processor Processor Device Driver Microsoft Corporation c:\windows\system32\drivers\processr.sys

+ PSched QoS Packet Scheduler Microsoft Corporation c:\windows\system32\drivers\psched.sys

+ Ptilink Direct Parallel Link Driver Parallel Technologies, Inc. c:\windows\system32\drivers\ptilink.sys

+ PxHelp20 Px Engine Device Driver for Windows 2000/XP Sonic Solutions c:\windows\system32\drivers\pxhelp20.sys

+ QV2KUX USBSTOR LowerFilter Driver for Qv-2000ux Microsoft Corporation c:\windows\system32\drivers\qv2kux.sys

+ RasAcd Remote Access Auto Connection Driver Microsoft Corporation c:\windows\system32\drivers\rasacd.sys

+ Rasl2tp WAN Miniport (L2TP) Microsoft Corporation c:\windows\system32\drivers\rasl2tp.sys

+ RasPppoe Remote Access PPPOE Driver Microsoft Corporation c:\windows\system32\drivers\raspppoe.sys

+ Raspti Direct Parallel Microsoft Corporation c:\windows\system32\drivers\raspti.sys

+ RDPCDD RDP Miniport Microsoft Corporation c:\windows\system32\drivers\rdpcdd.sys

+ rdpdr Microsoft RDP Device redirector Microsoft Corporation c:\windows\system32\drivers\rdpdr.sys

+ redbook Redbook Audio Filter Driver Microsoft Corporation c:\windows\system32\drivers\redbook.sys

+ Secdrv SafeDisc driver Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K. c:\windows\system32\drivers\secdrv.sys

+ serenum Serial Port Enumerator Microsoft Corporation c:\windows\system32\drivers\serenum.sys

+ Serial Serial Device Driver Microsoft Corporation c:\windows\system32\drivers\serial.sys

+ splitter Microsoft Kernel Audio Splitter Microsoft Corporation c:\windows\system32\drivers\splitter.sys

+ swenum Plug and Play Software Device Enumerator Microsoft Corporation c:\windows\system32\drivers\swenum.sys

+ swmidi Microsoft GS Wavetable Synthesizer Microsoft Corporation c:\windows\system32\drivers\swmidi.sys

+ SymEvent Symantec Event Library Symantec Corporation c:\program files\symantec\symevent.sys

+ sysaudio System Audio WDM Filter Microsoft Corporation c:\windows\system32\drivers\sysaudio.sys

+ tbcspud Turtle Beach PCI WDM Audio Driver Voyetra Turtle Beach c:\windows\system32\drivers\tbcspud.sys

+ tbcwdm Turtle Beach PCI WDM Audio Driver Voyetra Turtle Beach c:\windows\system32\drivers\tbcwdm.sys

+ Tcpip TCP/IP Protocol Driver Microsoft Corporation c:\windows\system32\drivers\tcpip.sys

+ Teefer Teefer Driver Sygate Technologies, Inc. c:\windows\system32\drivers\teefer.sys

+ TermDD Terminal Server Driver Microsoft Corporation c:\windows\system32\drivers\termdd.sys

+ Update Update Driver Microsoft Corporation c:\windows\system32\drivers\update.sys

+ usbehci EHCI eUSB Miniport Driver Microsoft Corporation c:\windows\system32\drivers\usbehci.sys

+ usbhub Default Hub Driver for USB Microsoft Corporation c:\windows\system32\drivers\usbhub.sys

+ USBSTOR USB Mass Storage Class Driver Microsoft Corporation c:\windows\system32\drivers\usbstor.sys

+ usbuhci UHCI USB Miniport Driver Microsoft Corporation c:\windows\system32\drivers\usbuhci.sys

+ VgaSave Controls the VGA display adapter to provide basic display capabilities. Microsoft Corporation c:\windows\system32\drivers\vga.sys

+ Wanarp Remote Access IP ARP Driver Microsoft Corporation c:\windows\system32\drivers\wanarp.sys

+ wdmaud MMSYSTEM Wave/Midi API mapper Microsoft Corporation c:\windows\system32\drivers\wdmaud.sys

+ wg3n wgxn Sygate Technologies, Inc. c:\windows\system32\drivers\wg3n.sys

+ wg4n wgxn Sygate Technologies, Inc. c:\windows\system32\drivers\wg4n.sys

+ wg5n wgxn Sygate Technologies, Inc. c:\windows\system32\drivers\wg5n.sys

+ wg6n wgxn Sygate Technologies, Inc. c:\windows\system32\drivers\wg6n.sys

+ wpsdrvnt wpsdrvnt Sygate Technologies, Inc. c:\windows\system32\drivers\wpsdrvnt.sys

+ WS2IFSL Winsock2 IFS Layer Microsoft Corporation c:\windows\system32\drivers\ws2ifsl.sys

HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute

+ autocheck autochk * Auto Check Utility Microsoft Corporation c:\windows\system32\autochk.exe

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

+ Your Image File Name Here without a path Symbolic Debugger for Windows 2000 Microsoft Corporation c:\windows\system32\ntsd.exe

HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls

+ advapi32 Advanced Windows 32 Base API Microsoft Corporation c:\windows\system32\advapi32.dll

+ comdlg32 Common Dialogs DLL Microsoft Corporation c:\windows\system32\comdlg32.dll

+ gdi32 GDI Client DLL Microsoft Corporation c:\windows\system32\gdi32.dll

+ imagehlp Windows NT Image Helper Microsoft Corporation c:\windows\system32\imagehlp.dll

+ kernel32 Windows NT BASE API Client DLL Microsoft Corporation c:\windows\system32\kernel32.dll

+ lz32 LZ Expand/Compress API DLL Microsoft Corporation c:\windows\system32\lz32.dll

+ ole32 Microsoft OLE for Windows Microsoft Corporation c:\windows\system32\ole32.dll

+ oleaut32 Microsoft Corporation c:\windows\system32\oleaut32.dll

+ olecli32 Object Linking and Embedding Client Library Microsoft Corporation c:\windows\system32\olecli32.dll

+ olecnv32 Microsoft OLE for Windows Microsoft Corporation c:\windows\system32\olecnv32.dll

+ olesvr32 Object Linking and Embedding Server Library Microsoft Corporation c:\windows\system32\olesvr32.dll

+ olethk32 Microsoft OLE for Windows Microsoft Corporation c:\windows\system32\olethk32.dll

+ rpcrt4 Remote Procedure Call Runtime Microsoft Corporation c:\windows\system32\rpcrt4.dll

+ shell32 Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll

+ url Internet Shortcut Shell Extension DLL Microsoft Corporation c:\windows\system32\url.dll

+ urlmon OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll

+ user32 Windows XP USER API Client DLL Microsoft Corporation c:\windows\system32\user32.dll

+ version Version Checking and File Installation Libraries Microsoft Corporation c:\windows\system32\version.dll

+ wininet Internet Extensions for Win32 Microsoft Corporation c:\windows\system32\wininet.dll

+ wldap32 Win32 LDAP API DLL Microsoft Corporation c:\windows\system32\wldap32.dll

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

+ AtiExtEvent c:\windows\system32\ati2evxx.dll

+ crypt32chain Crypto API32 Microsoft Corporation c:\windows\system32\crypt32.dll

+ cryptnet Crypto Network Related API Microsoft Corporation c:\windows\system32\cryptnet.dll

+ cscdll Offline Network Agent Microsoft Corporation c:\windows\system32\cscdll.dll

+ NavLogon c:\windows\system32\navlogon.dll

+ ScCertProp Common DLL to receive Winlogon notifications Microsoft Corporation c:\windows\system32\wlnotify.dll

+ Schedule Common DLL to receive Winlogon notifications Microsoft Corporation c:\windows\system32\wlnotify.dll

+ sclgntfy Secondary Logon Service Notification DLL Microsoft Corporation c:\windows\system32\sclgntfy.dll

+ SensLogn Common DLL to receive Winlogon notifications Microsoft Corporation c:\windows\system32\wlnotify.dll

+ termsrv Common DLL to receive Winlogon notifications Microsoft Corporation c:\windows\system32\wlnotify.dll

+ wlballoon Common DLL to receive Winlogon notifications Microsoft Corporation c:\windows\system32\wlnotify.dll

HKCU\Control Panel\Desktop\Scrnsave.exe

+ C:\WINDOWS\System32\logon.scr Logon Screen Saver Microsoft Corporation c:\windows\system32\logon.scr

HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9

+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{CE704140-ACFF-457A-BE13-5F6EF7A7A1A6}] DATAGRAM 2 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll

+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{CE704140-ACFF-457A-BE13-5F6EF7A7A1A6}] SEQPACKET 2 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll

+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{E7FFA791-26CC-471E-8A22-49D5AE161BA2}] DATAGRAM 1 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll

+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{E7FFA791-26CC-471E-8A22-49D5AE161BA2}] SEQPACKET 1 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll

+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{F1D6D714-15C8-4C70-8364-BA680390CD58}] DATAGRAM 3 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll

+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{F1D6D714-15C8-4C70-8364-BA680390CD58}] SEQPACKET 3 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll

+ MSAFD Tcpip [RAW/IP] Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll

+ MSAFD Tcpip [TCP/IP] Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll

+ MSAFD Tcpip [UDP/IP] Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll

+ RSVP TCP Service Provider Microsoft Windows Rsvp 1.0 Service Provider Microsoft Corporation c:\windows\system32\rsvpsp.dll

+ RSVP UDP Service Provider Microsoft Windows Rsvp 1.0 Service Provider Microsoft Corporation c:\windows\system32\rsvpsp.dll

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors

+ BJ Language Monitor Langage Monitor for Canon Bubble-Jet Printer Microsoft Corporation c:\windows\system32\cnbjmon.dll

+ Local Port Local Spooler DLL Microsoft Corporation c:\windows\system32\localspl.dll

+ PJL Language Monitor PJL Language monitor Microsoft Corporation c:\windows\system32\pjlmon.dll

+ Standard TCP/IP Port Standard TCP/IP Port Monitor DLL Microsoft Corporation c:\windows\system32\tcpmon.dll

+ USB Monitor Standard Dynamic Printing Port Monitor DLL Microsoft Corporation c:\windows\system32\usbmon.dll

Mosaic1

Jan 15 2006, 10:04 PM

Hi che,

The last of the autoruns was cut off. Can you please post that last bit into your next reply.

Thanks,

Mo

Download L2mfix from one of these links:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop. Double click l2mfix.exe. Click the Install button to extract the files and follow the prompts. Open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into your next reply here.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

che

Jan 15 2006, 10:07 PM

Hi Mosaic1,

Thanks, but I did include all the output..

The +USB is the last line..

I've rerun the program, but keep getting the same line (also did the include empty thing)

Is something wrong?

(just now read your email completely) here is the output

L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"StartShell"="NavStartShellEvent"
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"Logoff"="NavLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"FunWebProducts-MyWay"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions"
"{5E44E225-A408-11CF-B581-008029601108}"="Adaptec DirectCD Shell Extension"
"{6EE51AA0-77A0-11D7-B4E1-000347126E46}"="Window Washer Shell Shredding Utility"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"="TrojanHunter Menu Shell Extension"
"{4EC26602-4807-40FE-A40F-1A41E4D40C78}"="Dell DJ Explorer"
"{acb4a560-3606-11d3-aef4-00104bd0f92d}"="KodakShellExtension"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{32020A01-506E-484D-A2A8-BE3CF17601C3}"="AlcoholShellEx"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{ED65AC21-B24F-11d3-BA80-00C0CA16AA37}"="Siemens Device"
"{ED65AC22-B24F-11d3-BA80-00C0CA16AA37}"="Siemens Device ContextMenuHandler"
"{ED65AC23-B24F-11d3-BA80-00C0CA16AA37}"="Siemens SX1 PropertySheetHandler"
"{DF49036F-F0A9-47FD-A116-B953EB1C86FF}"=""
"{49587826-505A-407F-80C0-7DCCD760CB88}"=""
"{09926FD1-225C-4936-9986-65DFC0D26156}"=""
"{7048F391-D0AC-408D-AC9B-BEBC43197A60}"=""
"{7DF96B21-419F-4F23-AF7E-461A965113B2}"=""
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{DF49036F-F0A9-47FD-A116-B953EB1C86FF}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DF49036F-F0A9-47FD-A116-B953EB1C86FF}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DF49036F-F0A9-47FD-A116-B953EB1C86FF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DF49036F-F0A9-47FD-A116-B953EB1C86FF}\InprocServer32]
@="C:\\WINDOWS\\system32\\pzapi.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{49587826-505A-407F-80C0-7DCCD760CB88}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{49587826-505A-407F-80C0-7DCCD760CB88}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{49587826-505A-407F-80C0-7DCCD760CB88}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{49587826-505A-407F-80C0-7DCCD760CB88}\InprocServer32]
@="C:\\WINDOWS\\system32\\wlcsvc.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{09926FD1-225C-4936-9986-65DFC0D26156}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{09926FD1-225C-4936-9986-65DFC0D26156}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{09926FD1-225C-4936-9986-65DFC0D26156}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{09926FD1-225C-4936-9986-65DFC0D26156}\InprocServer32]
@="C:\\WINDOWS\\system32\\hupertrm.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{7048F391-D0AC-408D-AC9B-BEBC43197A60}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7048F391-D0AC-408D-AC9B-BEBC43197A60}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7048F391-D0AC-408D-AC9B-BEBC43197A60}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7048F391-D0AC-408D-AC9B-BEBC43197A60}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{7DF96B21-419F-4F23-AF7E-461A965113B2}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7DF96B21-419F-4F23-AF7E-461A965113B2}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7DF96B21-419F-4F23-AF7E-461A965113B2}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7DF96B21-419F-4F23-AF7E-461A965113B2}\InprocServer32]
@="C:\\WINDOWS\\system32\\sulwapi.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
browseui.dll Thu Nov 24 2005 2:06:34a A.... 1,022,464 998.50 K
cdfview.dll Fri Oct 21 2005 4:39:26a A.... 151,040 147.50 K
danim.dll Sat Nov 5 2005 4:16:24a A.... 1,054,208 1.00 M
dxtrans.dll Fri Oct 21 2005 4:39:28a A.... 205,312 200.50 K
esent.dll Thu Oct 20 2005 11:20:04p A.... 1,082,368 1.03 M
extmgr.dll Fri Oct 21 2005 4:39:28a ..... 55,808 54.50 K
fontsub.dll Mon Oct 17 2005 10:14:46p A.... 80,896 79.00 K
gccoll~1.dll Tue Nov 15 2005 12:12:08p A.... 126,680 123.71 K
gcunco~1.dll Tue Nov 15 2005 12:12:06p A.... 95,448 93.21 K
gdi32.dll Thu Dec 29 2005 3:54:36a A.... 280,064 273.50 K
hashlib.dll Tue Nov 15 2005 12:12:08p A.... 117,976 115.21 K
iepeers.dll Fri Oct 21 2005 4:39:28a A.... 251,392 245.50 K
inseng.dll Fri Oct 21 2005 4:39:28a A.... 96,256 94.00 K
mshtml.dll Thu Nov 24 2005 2:06:34a A.... 3,015,680 2.88 M
mshtmled.dll Fri Oct 21 2005 4:39:30a A.... 448,512 438.00 K
msrating.dll Fri Oct 21 2005 4:39:30a A.... 146,432 143.00 K
mstime.dll Fri Oct 21 2005 4:39:30a A.... 530,944 518.50 K
pngfilt.dll Fri Oct 21 2005 4:39:30a A.... 39,424 38.50 K
shdocvw.dll Thu Dec 1 2005 4:59:30a A.... 1,492,480 1.42 M
shlwapi.dll Fri Oct 21 2005 4:39:30a A.... 473,600 462.50 K
t2embed.dll Mon Oct 17 2005 10:14:46p A.... 118,272 115.50 K
urlmon.dll Sat Nov 5 2005 4:16:28a A.... 609,280 595.00 K
wininet.dll Fri Oct 21 2005 4:39:30a A.... 658,432 643.00 K

23 items found: 23 files, 0 directories.
Total of file sizes: 12,152,968 bytes 11.59 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is CC5D-C39B

Directory of C:\WINDOWS\System32

01/15/2006 11:17 PM <DIR> dllcache
12/27/2004 09:23 AM 56 mv2ql9f51.dll
12/23/2004 03:24 PM 225,051 jt0u07d9e.dll
12/22/2004 10:30 PM 224,981 rzpdd.dll
08/04/2004 08:56 AM 46,159 datalayer.exe
04/17/2004 01:21 PM <DIR> Microsoft
4 File(s) 496,247 bytes
2 Dir(s) 48,074,416,128 bytes free

Mosaic1

Jan 15 2006, 10:12 PM

Hi che,

I am having trolbe pinpointing what's going on. But I do see remnants of an L2M infection.

Maybe going tothe next step will help to clarify.

Also, when you get that message when you google, look at the title bar please. What does it say?

Who is your Internet service provider please? Is it the Proxy Server I see set up in this entry? Your address does show to be theirs when I check it out.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.ams.chello.nl:8080

che

Jan 15 2006, 10:15 PM

Thanks,

This is the title in the bar:

http://www.google.nl/sorry/?continue=http:...oeken%26meta%3D

where "zoeken" means "Search", and in this example I was looking for Gladiator Security Foru..

My internet provider is Chello (as it mentions in the line)
And what do you mean with that my address does show to be theirs?

Mosaic1

Jan 15 2006, 11:51 PM

I can see your Address as an Admin here. Your address shows the correct Internet Service Provider, I wanted to be sure. It does.

I meant the title bar of the message you get. That looks like the address bar entry for the results.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new Hijack This log.

I want you to also do a google search after you perform the fix. Let me know if it works.

che

Jan 16 2006, 07:26 PM

Hi..
I did as you asked, below is the result.
I also tried the Google search again, but with the same result.. (can't it be the microsoft anti spyware?) anyway it says" Error, our apologies.. (otherwise I don't know what you mean with title bar). But it doesn't show in the normal Google result way. It's just the Google logo, the text I've written before, and the box where you have to fill in the letters I see..

here is the result:

L2mfix 010406
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peaco*k@beyondlogic.org
Killing PID 628 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peaco*k@beyondlogic.org
Killing PID 700 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peaco*k@beyondlogic.org
Killing PID 520 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peaco*k@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
Deleting: C:\WINDOWS\system32\hupertrm.dll
Successfully Deleted: C:\WINDOWS\system32\hupertrm.dll
Deleting: C:\WINDOWS\system32\jt0u07d9e.dll
Successfully Deleted: C:\WINDOWS\system32\jt0u07d9e.dll
Deleting: C:\WINDOWS\system32\rzpdd.dll
Successfully Deleted: C:\WINDOWS\system32\rzpdd.dll
Deleting: C:\WINDOWS\system32\sulwapi.dll
Successfully Deleted: C:\WINDOWS\system32\sulwapi.dll
Deleting: C:\WINDOWS\system32\wlcsvc.dll
Successfully Deleted: C:\WINDOWS\system32\wlcsvc.dll
Deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp

msg11?.dll
0 file(s) copied.

Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"StartShell"="NavStartShellEvent"
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"Logoff"="NavLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

The following are the files found:
****************************************************************************
C:\WINDOWS\system32\hupertrm.dll
C:\WINDOWS\system32\jt0u07d9e.dll
C:\WINDOWS\system32\rzpdd.dll
C:\WINDOWS\system32\sulwapi.dll
C:\WINDOWS\system32\wlcsvc.dll
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{DF49036F-F0A9-47FD-A116-B953EB1C86FF}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DF49036F-F0A9-47FD-A116-B953EB1C86FF}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DF49036F-F0A9-47FD-A116-B953EB1C86FF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DF49036F-F0A9-47FD-A116-B953EB1C86FF}\InprocServer32]
@="C:\\WINDOWS\\system32\\pzapi.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{49587826-505A-407F-80C0-7DCCD760CB88}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{49587826-505A-407F-80C0-7DCCD760CB88}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{49587826-505A-407F-80C0-7DCCD760CB88}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{49587826-505A-407F-80C0-7DCCD760CB88}\InprocServer32]
@="C:\\WINDOWS\\system32\\wlcsvc.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{09926FD1-225C-4936-9986-65DFC0D26156}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{09926FD1-225C-4936-9986-65DFC0D26156}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{09926FD1-225C-4936-9986-65DFC0D26156}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{09926FD1-225C-4936-9986-65DFC0D26156}\InprocServer32]
@="C:\\WINDOWS\\system32\\hupertrm.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{7048F391-D0AC-408D-AC9B-BEBC43197A60}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7048F391-D0AC-408D-AC9B-BEBC43197A60}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7048F391-D0AC-408D-AC9B-BEBC43197A60}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7048F391-D0AC-408D-AC9B-BEBC43197A60}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{7DF96B21-419F-4F23-AF7E-461A965113B2}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7DF96B21-419F-4F23-AF7E-461A965113B2}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7DF96B21-419F-4F23-AF7E-461A965113B2}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7DF96B21-419F-4F23-AF7E-461A965113B2}\InprocServer32]
@="C:\\WINDOWS\\system32\\sulwapi.dll"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{DF49036F-F0A9-47FD-A116-B953EB1C86FF}"=-
"{49587826-505A-407F-80C0-7DCCD760CB88}"=-
"{09926FD1-225C-4936-9986-65DFC0D26156}"=-
"{7048F391-D0AC-408D-AC9B-BEBC43197A60}"=-
"{7DF96B21-419F-4F23-AF7E-461A965113B2}"=-
[-HKEY_CLASSES_ROOT\CLSID\{DF49036F-F0A9-47FD-A116-B953EB1C86FF}]
[-HKEY_CLASSES_ROOT\CLSID\{49587826-505A-407F-80C0-7DCCD760CB88}]
[-HKEY_CLASSES_ROOT\CLSID\{09926FD1-225C-4936-9986-65DFC0D26156}]
[-HKEY_CLASSES_ROOT\CLSID\{7048F391-D0AC-408D-AC9B-BEBC43197A60}]
[-HKEY_CLASSES_ROOT\CLSID\{7DF96B21-419F-4F23-AF7E-461A965113B2}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************

****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
adding: dlls/guard.tmp (164 bytes security) (deflated 5%)
adding: dlls/hupertrm.dll (164 bytes security) (deflated 3%)
adding: dlls/jt0u07d9e.dll (164 bytes security) (deflated 4%)
adding: dlls/rzpdd.dll (164 bytes security) (deflated 4%)
adding: dlls/sulwapi.dll (164 bytes security) (deflated 5%)
adding: dlls/wlcsvc.dll (164 bytes security) (deflated 4%)
adding: backregs/09926FD1-225C-4936-9986-65DFC0D26156.reg (212 bytes security) (deflated 70%)
adding: backregs/49587826-505A-407F-80C0-7DCCD760CB88.reg (212 bytes security) (deflated 70%)
adding: backregs/7048F391-D0AC-408D-AC9B-BEBC43197A60.reg (212 bytes security) (deflated 70%)
adding: backregs/7DF96B21-419F-4F23-AF7E-461A965113B2.reg (212 bytes security) (deflated 70%)
adding: backregs/DF49036F-F0A9-47FD-A116-B953EB1C86FF.reg (212 bytes security) (deflated 70%)
adding: backregs/notibac.reg (164 bytes security) (deflated 87%)
adding: backregs/shell.reg (164 bytes security) (deflated 74%)

Mosaic1

Jan 16 2006, 07:36 PM

Do you know how to take a screen shot? If so, please try a google search and then when you get that page, take a screen shot and save it please.

Sned it to me as an attachment at this email please:

Katie_3232AThotmail.com

Replace the AT with and @ for it to work.

Please put your username in the title so I know where it's from.

Thanks.

Mosaic1

Jan 16 2006, 08:12 PM

The traces of L2M were cleaned up.

But you do have this leftover and let's clean it up.

Copy the contents of the code box to notepad.
Name the file nofun.reg
Save as Type: All files
Close all Browser windows and double click on nofun.reg
Say yes to the prompt.

Clean out your cookies from all browsers and try a google search again.

Do you get the same result when you try a google using Internet Explorer?

CODE

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"FunWebProducts-MyWay"=-

Mosaic1

Jan 16 2006, 08:17 PM

Sorry, I looked at the log again and the L2MFix actually did clean that already. No harm though.

Let's try another program, Ewido.

Please download, install, and update the free version of Ewido trojan scanner:
http://www.ewido.net/en/download/

When you run ewido for the first time, you might get a warning "Database could not be found!". Click OK.

From the main ewido screen, click on update in the left menu, then click the Start update button.

After the update finishes (the status bar at the bottom will display "Update successful")

Exit Ewido. DO NOT scan yet.

If you are having problems with the updater, you can go to http://www.ewido.net/en/download/updates/ to update manually
-----------------

Next, run a scan with Ewido after restarting into Safe Mode.

Click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so please be patient

If Ewido finds anything, it will pop up a notification. You can select "remove" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.

When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

Copy and paste the results from that scan back here when you return to post again.

*Note: Ewido is a free trial product for 14 days. After that you can purchase it for full features OR you can also keep the free version to use as an on-demand scanner (recommended).
You will still be able to manually update Ewido using the *update* button

--------------------------------------

che

Jan 16 2006, 08:17 PM

Thanks,

I did.

I keep getting the same result though. But don't have that same problem when I use IE. (furthermore it's not that irritating, but only strange).

(just saw your new post)
Am now running the ewido programme..

Mosaic1

Jan 16 2006, 08:21 PM

The fact that you only get this error in Firefox makes me wonder.

Do empty out all your cookies in Firefox and see if the message goes away.

che

Jan 16 2006, 08:26 PM

I did before the scan..

I'm now running the Ewido, and am nearly halfway but have already gotten 30 infections.. (deleted them all).. A lot were actually in my Firefox cache (even though I though I deleted my history, cache etc..)

But it's strange, how can Microsoft etc don't find them, and this one can?

Nice program btw, thanks!

I'll post the log in a sec

Just saw that I cleaned everything in Firefox except the cookies..
But even after I did, I keep getting the same error message, strange huh?

che

Jan 16 2006, 09:17 PM

SOrry, but it took quite some time..

Here's the log..

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:25:20 PM, 1/16/2006
+ Report-Checksum: 12035E74

+ Scan result:

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Need2Find -> Spyware.Need2Find : Cleaned with backup
HKLM\SOFTWARE\Need2Find\bar -> Spyware.Need2Find : Cleaned with backup
HKLM\SOFTWARE\Need2Find\bar\Partner -> Spyware.Need2Find : Cleaned with backup
HKU\S-1-5-21-527237240-1592454029-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{25D8BACF-3DE2-4B48-AE22-D659B8D835B0} -> Spyware.RXToolbar : Cleaned with backup
HKU\S-1-5-21-527237240-1592454029-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Spyware.NewDotNet : Cleaned with backup
HKU\S-1-5-21-527237240-1592454029-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4D1C4E81-A32A-416B-BCDB-33B3EF3617D3} -> Spyware.Need2Find : Cleaned with backup
HKU\S-1-5-21-527237240-1592454029-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4E7BD74F-2B8D-469E-90F0-F66AB581A933} -> Spyware.MyWebSearch : Cleaned with backup
HKU\S-1-5-21-527237240-1592454029-682003330-1003\Software\Need2Find -> Spyware.Need2Find : Cleaned with backup
HKU\S-1-5-21-527237240-1592454029-682003330-1003\Software\Need2Find\bar -> Spyware.Need2Find : Cleaned with backup
C:\Documents and Settings\Nils\Application Data\Azureus\downloads\LimeWire PRO 4.10.0\setup.exe -> Backdoor.Rbot.anr : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Nils\Application Data\Mozilla\Firefox\Profiles\x71ctnf6.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Nils\Application Data\Mozilla\Firefox\Profiles\x71ctnf6.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Nils\Application Data\Mozilla\Firefox\Profiles\x71ctnf6.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Nils\Application Data\Mozilla\Firefox\Profiles\x71ctnf6.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Nils\Application Data\Mozilla\Firefox\Profiles\x71ctnf6.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Nils\Application Data\Mozilla\Firefox\Profiles\x71ctnf6.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Nils\Application Data\Mozilla\Firefox\Profiles\x71ctnf6.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Nils\Application Data\Mozilla\Firefox\Profiles\x71ctnf6.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Nils\Application Data\Mozilla\Firefox\Profiles\x71ctnf6.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Nils\Application Data\Mozilla\Firefox\Profiles\x71ctnf6.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Nils\Application Data\Mozilla\Firefox\Profiles\x71ctnf6.default\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Nils\Application Data\Mozilla\Firefox\Profiles\x71ctnf6.default\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Nils\Application Data\Mozilla\Firefox\Profiles\x71ctnf6.default\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Nils\Application Data\Mozilla\Firefox\Profiles\x71ctnf6.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Nils\Application Data\Mozilla\Firefox\Profiles\x71ctnf6.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Nils\Application Data\Mozilla\Firefox\Profiles\x71ctnf6.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Nils\Application Data\Mozilla\Firefox\Profiles\x71ctnf6.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Nils\Application Data\Mozilla\Firefox\Profiles\x71ctnf6.default\cookies.txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@247realmedia[1].txt -> Spyware.Cookie.247realmedia : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@ads.pointroll[1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@adviva[1].txt -> Spyware.Cookie.Adviva : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@as-eu.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@as1.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@banner.goldenpalace[2].txt -> Spyware.Cookie.Goldenpalace : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@bfast[2].txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@bilbo.counted[2].txt -> Spyware.Cookie.Counted : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@bs.serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@centrport[2].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@clickagents[1].txt -> Spyware.Cookie.Clickagents : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@dbbsrv[1].txt -> Spyware.Cookie.Dbbsrv : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@e-2dj6wjlyajcjslp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@edge.ru4[2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@ehg-cbs.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@ehg-christiandior.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@ehg-foxsports.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@ehg-hasbro.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@ehg-simon.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@estat[1].txt -> Spyware.Cookie.Estat : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@goldenpalace[1].txt -> Spyware.Cookie.Goldenpalace : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@ivwbox[1].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@msnportal.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@overture[2].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@revenue[1].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@sales.liveperson[1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@server.iad.liveperson[1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@spylog[2].txt -> Spyware.Cookie.Spylog : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@stat.onestat[2].txt -> Spyware.Cookie.Onestat : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@statcounter[2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@statse.webtrendslive[1].txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@targetnet[1].txt -> Spyware.Cookie.Targetnet : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@web4.realtracker[2].txt -> Spyware.Cookie.Realtracker : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@www.burstbeacon[1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@www.goldenpalace[1].txt -> Spyware.Cookie.Goldenpalace : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\sophie@z1.adserver[2].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\WINDOWS\system32\datalayer.exe -> Backdoor.Rbot.anr : Cleaned with backup

::Report End

Just you opinion. Do you think this is the best trojan program? At least its much better than the microsoft or does it do a different thing?

Thanks!

Mosaic1

Jan 16 2006, 09:39 PM

My last reply didn't register. EWDIO is one of the better programs. To be honest there is so much new malware being written it is hard to keep up.

It found some orphaned, cookies and a couple of files.

How is your Google now?

che

Jan 16 2006, 10:04 PM

Well, I like it a lot.. I feel a lot better after having 83 viruses removed..

My google is still the same though.. But that's not really a problem. As long as my computer is free of viruses I'm happy..

How about that datalayer.exe. Can you see if that is really gone?
And that "mysearchbar", it's still in my list.. And so is a large blank spot in my "add or remove program list"..

Thanks!

Mosaic1

Jan 17 2006, 04:22 PM

Can you post a new Hijackthis log please?

Do that first and then take this next step please.

And then I am not happy about something and want to take a look at a special System owned version of your registry.

Id you have regedit open, please close it or this won't work.

Copy the contents of the code box to notepad.
Name the file reg.vbs
Save as Type: All Files
Save on the desktop

CODE

Dim Future, NewD
Set Wshshell = Wscript.CreateObject("Wscript.shell")

NewD = DateAdd("n" , 1, Now)
Future = FormatDateTime(NewD,3)
Wshshell.run "Cmd.exe /c" & "At" & Chr(32) & Chr(34) & Future & Chr(34) & Chr(32) & "/Interactive regedit" ,vbhidden

Watch the clock in your systray. When the minute turns over, double click on reg.vbs to run it. If you get a malicious script warning, please ignore it. I wrote this and it is just going to open regedit.

It will appear that nothing happens. When the minute turns over again, regedit will open.

In the registry navigate to this key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

Right click on Notify in the left pane and click Export on the menu.

Save the file on your desktop.

Open that file using notepad. (Right click on the file and choose Edit on the menu)

Post the contents into your next reply please.

Close the registry when finished.

------------------

For the Add Remove programs let's try this:

Go to Start >Run and paste in this command. Press enter:

regsvr32 /i appwiz.cpl

Wait for the success message.

Let me know if add remove is ok now.

che

Jan 18 2006, 10:09 PM

Ok, Here's my Hijack This logfile.

Logfile of HijackThis v1.99.1
Scan saved at 11:17:41 PM, on 1/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Support.com\bin\tgcmd.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Plaxo\2.6.2.7\PlaxoHelper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Nils\My Documents\Installation files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vi.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vi.nl/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.ams.chello.nl:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [tgcmd] "C:\PROGRA~1\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ATIPTA] C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.6.2.7\PlaxoHelper.exe -a
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D185838-009D-47C8-824B-B65B4854430E} (Installer Class) - http://quickfix2.chello.nl/quickfix2/asp/chelloInstall.CAB
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1099473463000
O16 - DPF: {8731163E-77B9-4F91-9122-F112521C28AF} (MMSPlayerX Class) - http://212.41.157.233:8080/mmawap/jsp/comp...r/mmsPlayer.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {C58EFA10-2CC0-4C50-8C77-B326555EC1B7} (clsDefault Class) - http://quickfix2.chello.nl/quickfix2/asp/LaunchApp.CAB
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) - http://as.photoprintit.de/ips-opdata/74914...IPSUploader.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://liveca04.custhelp.com/7020-b375h/rnl/java/RntX.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

che

Jan 18 2006, 10:17 PM

Here's the notify file in notepad:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"StartShell"="NavStartShellEvent"
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"Logoff"="NavLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

che

Jan 18 2006, 10:20 PM

I did the command in the run entry, but can't see any difference in my add/remove programs file. (still the large blank and the mysearchbar)..

But it's incredible.. I have no idea what I'm doing, or what kind of folders are on my computer.. haha

Mosaic1

Jan 18 2006, 10:41 PM

This is a fun one for sure!

Download Rootkitreveal
http://www.sysinternals.com/utilities/rootkitrevealer.html

Extract rootkitreveal

Double click on rootkit revealer and press scan.

It will take some time to do a complete scan. When finished press file/save and post the contents of the log please.

Mosaic1

Jan 18 2006, 10:43 PM

Also, if you want to disable your Microsoft Anti Spyware program and see how google behaves... You did mention that earlier.

che

Jan 22 2006, 01:45 PM

Sorry it took so long..
I've had trouble saving a log.
Disabling my Microsoft AntiSpyware didn't help btw.

Here is the Rootkitreveailer logfile:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\ 4/17/2004 1:21 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0006\Config\Mixer\WaveFader 1/21/2006 5:29 PM 39 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0006\Config\Mixer\SpeakerConfig 1/21/2006 5:29 PM 39 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0006\Config\Mixer\Fx1Select 1/21/2006 5:29 PM 39 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0006\Config\Mixer\Fx2Select 1/21/2006 5:29 PM 39 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet003\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0006\Config\Mixer\WaveFader 1/21/2006 5:29 PM 39 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet003\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0006\Config\Mixer\SpeakerConfig 1/21/2006 5:29 PM 39 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet003\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0006\Config\Mixer\Fx1Select 1/21/2006 5:29 PM 39 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet003\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0006\Config\Mixer\Fx2Select 1/21/2006 5:29 PM 39 bytes Data mismatch between Windows API and raw hive data.
C:\System Volume Information\_restore{2B8B5193-7787-49ED-84FB-0CF993C46802}\RP82\A0006539.cfg 1/22/2006 10:19 AM 4.80 KB Hidden from Windows API.

Mosaic1

Jan 22 2006, 06:58 PM

Post a startuplist too please. In Hijackthis press the Config Button
Click Misc Tools
Check both boxes next to the Generate StartupList log and then click the generate startuplist log button.

Paste the contents into your next reply here.

Mosaic1

Jan 22 2006, 07:01 PM

ALso, Run hijackthis and press the config button.

Click MiscTools
Click the open Uninstall Manager Button.

Click the Save List Button.

It will be saved as uninstall_list.txt

Please post the contents of uninstall_list.txt

I have been able to find the possible cause of the Blank Space in Add Remove Programs. It is a bad entry for DisplayIcon in one of your Listings. We'll get to that shortly. I may have to write a script to see what's in there.

che

Jan 22 2006, 08:30 PM

ALright..

THis is the start-up logfile:

StartupList report, 1/22/2006, 9:38:45 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Nils\My Documents\Installation files\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\Support.com\bin\tgcmd.exe
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Plaxo\2.6.2.7\PlaxoHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Nils\My Documents\Installation files\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Nils\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ATIModeChange = Ati2mdxx.exe
vptray = C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
tgcmd = "C:\PROGRA~1\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
gcasServ = "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
SmcService = C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
ATIPTA = C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

(Default) =

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
PlaxoUpdate = C:\Program Files\Plaxo\2.6.2.7\PlaxoHelper.exe -a

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

*No BHO's found*

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[CryptoRSA Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CRYPTO~1.OCX
CODEBASE = https://www.p3.postbank.nl/sesam/CAX.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwa...director/sw.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\LegitCheckControl.DLL
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

[Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\chelloInstall.dll
CODEBASE = http://quickfix2.chello.nl/quickfix2/asp/chelloInstall.CAB

[FilePlanet Download Control Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\FilePlanetDownloadCtrl.dll
CODEBASE = http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab

[{62475759-9E84-458E-A1AB-5D2C442ADFDE}]
CODEBASE = http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://v5.windowsupdate.microsoft.com/v5co...b?1099473463000

[MMSPlayerX Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\CONFLICT.1\SMILInetCtrl.dll
CODEBASE = http://212.41.157.233:8080/mmawap/jsp/comp...r/mmsPlayer.cab

[Java Plug-in 1.4.2_06]
InProcServer32 = C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
CODEBASE = http://java.sun.com/products/plugin/autodl...indows-i586.cab

[TLIEFlashObj Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\TLIEFlashCtrlU.dll
CODEBASE = https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...8094.2318402778

[clsDefault Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\LaunchApp.dll
CODEBASE = http://quickfix2.chello.nl/quickfix2/asp/LaunchApp.CAB

[Java Plug-in 1.4.2_06]
InProcServer32 = C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
CODEBASE = http://java.sun.com/products/plugin/autodl...indows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash8.ocx
CODEBASE = http://fpdownload.macromedia.com/get/flash...ent/swflash.cab

[IPSUploader Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\IPSUploader.ocx
CODEBASE = http://as.photoprintit.de/ips-opdata/74914...IPSUploader.cab

[Live Collaboration]
InProcServer32 = C:\WINDOWS\DOWNLO~1\RntX.dll
CODEBASE = https://liveca04.custhelp.com/7020-b375h/rnl/java/RntX.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
actser: system32\drivers\actser.sys (manual start)
General Purpose USB Driver (adildr.sys): System32\Drivers\adildr.sys (autostart)
USB ADSL LAN Adapter: System32\DRIVERS\adiusbae.sys (manual start)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
Ati HotKey Poller: %SystemRoot%\System32\Ati2evxx.exe (autostart)
ati2mtag: System32\DRIVERS\ati2mtag.sys (manual start)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
MAC Bridge: System32\DRIVERS\bridge.sys (manual start)
MAC Bridge Miniport: System32\DRIVERS\bridge.sys (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DefWatch: C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Eicon CAPI 2.0 Driver: System32\DRIVERS\DISDN\capi20.sys (autostart)
Eicon Maintenance Driver: System32\DRIVERS\DISDN\dimaint.sys (system)
Disk Driver: System32\DRIVERS\disk.sys (system)
Eicon Driver for all DIVA PnP cards: System32\DRIVERS\DISDN\Diwan.sys (manual start)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
IEEE-1284.4 Driver: System32\DRIVERS\Dot4.sys (manual start)
Print Class Driver for IEEE-1284.4: System32\DRIVERS\Dot4Prt.sys (manual start)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Intel® PRO Adapter Driver: System32\DRIVERS\e100b325.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Santa Cruz Game Port: System32\DRIVERS\gameenum.sys (manual start)
GEAR CDRom Filter: SYSTEM32\DRIVERS\GEARAspiWDM.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" (manual start)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IntelIde: System32\DRIVERS\intelide.sys (system)
Intel Processor Driver: System32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
iPodService: C:\Program Files\iPod\bin\iPodService.exe (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Jukebox: System32\DRIVERS\ctpdusb2.sys (manual start)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
NAVAP: \??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAP.sys (manual start)
NAVAPEL: \??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS (autostart)
NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20060111.038\NAVENG.sys (manual start)
NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20060111.038\NAVEX15.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Symantec AntiVirus Client: C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe (autostart)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
OMCI: \SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS (system)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PfModNT: \??\C:\WINDOWS\system32\drivers\PfModNT.sys (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\DRIVERS\PxHelp20.sys (system)
Casio Digital Camera: System32\DRIVERS\qv2kux.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
ScsiAccess: C:\WINDOWS\System32\ScsiAccess.EXE (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Sygate Personal Firewall: C:\Program Files\Sygate\SPF\smc.exe (autostart)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{6D945830-CC8E-43AB-B928-F48E937C7D12} (manual start)
SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Santa Cruz Driver: system32\drivers\tbcspud.sys (manual start)
Santa Cruz WDM Driver: system32\drivers\tbcwdm.sys (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Teefer for NT: SYSTEM32\Drivers\Teefer.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\System32\tlntsvr.exe (disabled)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
SyGate for NT, wg3n: \SystemRoot\SYSTEM32\Drivers\wg3n.sys (autostart)
SyGate for NT, wg4n: \SystemRoot\SYSTEM32\Drivers\wg4n.sys (autostart)
SyGate for NT, wg5n: \SystemRoot\SYSTEM32\Drivers\wg5n.sys (autostart)
SyGate for NT, wg6n: \SystemRoot\SYSTEM32\Drivers\wg6n.sys (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
WMDM PMSP Service: C:\WINDOWS\system32\MsPMSPSv.exe (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
wpsdrvnt: \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (system)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (system)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 34,594 bytes
Report generated in 0.078 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

che

Jan 22 2006, 08:31 PM

And here's the uninstall list:

Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat 5.0
Adobe Download Manager 1.2 (Remove Only)
Adobe Reader 6.0.1
aspi
ATI Control Panel
ATI Display Driver
AVIcodec (remove only)
Azureus
CCHelp
CCScore
chello quickfix
Dell Digital Jukebox Driver
Dell DJ Explorer
Dell ResourceCD
Easy CD Creator 5 Basic
ESSAdpt
ESSANUP
ESSBrwr
ESSCAM
ESSCDBK
ESScore
ESSgui
ESShelp
ESSini
ESSPCD
ESSstore
ESSTUTOR
ESSvpaht
ESSvpot
ewido anti-malware
Far Cry
Golden Tee Golf Course Addon #1
Google Earth
GTA San Andreas
HijackThis 1.99.1
HP OfficeJet Series 600 (Remove Only)
Intel® PRO Ethernet Adapter and Software
iPod for Windows 2005-09-23
iPod Updater 2004-08-06
iPod Updater 2004-11-15
iTunes
Java 2 Runtime Environment, SE v1.4.2_06
Kodak EasyShare software
KSU
LimeWire PRO 4.10.0
LiveUpdate 1.7 (Symantec Corporation)
Macromedia Flash Player 8
Macromedia Shockwave Player
Microsoft AntiSpyware
Microsoft Data Access Components KB870669
Microsoft Office XP Professional
Microsoft Windows Media Video 9 VCM
MinSläkt V3
Mobile Phone Manager
Mozilla Firefox (1.5)
Mozilla Thunderbird (1.0)
MP3 Remix for Winamp
MP3 To Wave Converter PLUS 2.22
MUSICMATCH® Jukebox
My Search Bar
Nero 6 Ultra Edition
Notifier
OTtBP
PCDLNCH
Photo Loader 2.1E
Photohands 1.0E
Picasa 2
Plaxo Toolbar for Outlook and Outlook Express
PowerDVD
PPLive 1.1.0.0
QuickTime
RealPlayer
Return to Castle Wolfenstein Multiplayer DEMO
Santa Cruz
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB912919)
SFR
SFR2
Siemens SmartSync
Skype 1.3
Soulseek Client 152
SoulSeek Client 156c
Sygate Personal Firewall
Symantec AntiVirus Client
Synacast Plug-in 1.1.0.0
Unreal Tournament 2004 Demo
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
Window Washer 5
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinISO 5.3
WinRAR archiver
WinZip

Mosaic1

Jan 22 2006, 08:56 PM

You have LimeWire and Azureus installed. A lot of garbage is passed through the LimeWire network. I strongly urge you to uninstall it.

Azureus is a Bit Torrent Client and also spome malware can be passed through it.
My Search Bar>> In the Hijackthis uninstall Manager, highlight this entry on the list and Click the Delete this entry button.

KSU What is this?

MinSläkt V3 What is this?
Notifier What is this?

che

Jan 22 2006, 09:58 PM

I uninstalled Limewire.

I deleted the MySearchBar entry.

Minslakt is a small program which has records of my family tree, harmless. (hard even use it as well).

What Notifier and KSU are I don't know..

Should I delete those entry as well? Btw, how safe is it for me to delete entries through Hijackthis? I mean, the program is not uninstalled/deleted right?

Mosaic1

Jan 22 2006, 10:23 PM

Hijackthis just removes entries from the Add Remove Programs list. No, it is not actually uninstalling anything when we do this. But I think that MySearchBar entry was a leftover.

----------------

Let's see what we can find out.

Copy the contents of the code box to notepad.
Name the file uninstalls.vbs
Save as Type: All files

CODE

'gets display name &
'uninstall string

Dim WshShell ,A ,B ,fso,uninst
Set fso = Wscript.CreateObject("Scripting.FileSystemObject")
Set WshShell = Wscript.CreateObject("Wscript.Shell")
set uninst = fso.CreateTextFile("uninstalls.txt",true)

const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
Set StdOut = WScript.StdOut

Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
strComputer & "\root\default:StdRegProv")

strKeyPath = "Software\Microsoft\Windows\currentversion\uninstall"
oReg.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys
On error Resume next
For Each subkey In arrSubKeys

B = WshShell.RegRead ("HKLM\" & strKeyPath & "\" & subkey & "\DisplayName")
IF B <> "" Then Msg= Msg & B & vbcrlf
If msg <> "" then

A = WshShell.RegRead ("HKLM\" & strKeyPath & "\" & subkey & "\UninstallString")
If A = "" then
Msg = Msg & "no uninstaller" & vbcrlf
Else Msg = Msg & " " & A & vbcrlf
End If
If msg <> "" then
uninst.writeline msg
End IF
End IF

A = ""
B = ""
msg = ""
Next
uninst.close

WshShell.run "uninstalls.txt"

Double click on uninstalls.vbs and it will run. If you get a warning about a malicious script, please ignore it. I wrote this script. Whenfinished, it will open a text file. Please copy and paste the contents of that text file into your next reply here.

Mosaic1

Jan 23 2006, 07:36 AM

For the Blank Space Problem let's have a look at all DisplayIcon entries and work to track them.

Copy the contents of the code box to notepad.
Name the file Blankspace.vbs
Save as Type: All files

CODE

Dim WshShell ,A ,B ,fso,uninst
Set fso = Wscript.CreateObject("Scripting.FileSystemObject")
Set WshShell = Wscript.CreateObject("Wscript.Shell")
set uninst = fso.CreateTextFile("DisplayIcons.txt",true)

const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
Set StdOut = WScript.StdOut

Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
strComputer & "\root\default:StdRegProv")

strKeyPath = "Software\Microsoft\Windows\currentversion\uninstall"
oReg.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys
On error Resume next
For Each subkey In arrSubKeys

B = WshShell.RegRead ("HKLM\" & strKeyPath & "\" & subkey & "\DisplayName")
IF B <> "" Then
A = WshShell.RegRead ("HKLM\" & strKeyPath & "\" & subkey & "\DisplayIcon")
If A = "" then
Msg = Msg
Else Msg = Msg & " " & subkey & vbtab & B & vbcrlf & A & vbcrlf
End If
If msg <> "" then
uninst.writeline msg
End IF
End IF

A = ""
B = ""
msg = ""
Next
uninst.close
WshShell.run """DisplayIcons.txt"""

Double click on Blankspace.vbs and it will run. If you get a warning about a malicious script, please ignore it. I wrote this script. When finished, it will open a text file named DisplayIcons.txt.

Please copy and paste the contents of that text file into your next reply here.

che

Jan 23 2006, 10:31 PM

Hi..

Here's the result from the uninstalls script..

Adobe Acrobat 5.0
C:\WINDOWS\ISUN0413.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"

Adobe Download Manager 1.2 (Remove Only)
"C:\Program Files\Common Files\Adobe\ESD\uninst.exe"

ATI Display Driver
rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean

AVIcodec (remove only)
"C:\Program Files\AVIcodec\uninst.exe"

Azureus
C:\Program Files\Azureus\Uninstall.exe

Dell Digital Jukebox Driver
C:\Program Files\Dell\Digital Jukebox Drivers\DrvUnins.exe /s

Dell DJ Explorer
RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2EDA9289-CCA7-11D7-8466-00D0B726B56E}\setup.exe" -l0x9 /remove

ewido anti-malware
C:\Program Files\ewido anti-malware\Uninstall.exe

Golden Tee Golf Course Addon #1
C:\Games\GOLDEN~1\UNWISE.EXE C:\Games\GOLDEN~1\INSTALL.LOG

HijackThis 1.99.1
C:\Documents and Settings\Nils\My Documents\Installation files\HijackThis.exe /uninstall

HP OfficeJet Series 600 (Remove Only)
C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Hewlett-Packard\HP OfficeJet Series 600\uninst.isu" -c"C:\Program Files\Hewlett-Packard\HP OfficeJet Series 600\uninst.dll"

iPod Updater 2004-11-15
C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{06E73C0B-7DE7-4F41-860B-587033B75BD9} /l1043

iPod Updater 2004-08-06
C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2F8C106A-7DFC-45DE-8006-F9145AADF1D8} /l1043

iTunes
C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5}

Mobile Phone Manager
C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{6BAA26DB-2D4E-42B6-BC3F-3B58144A64B6} /l1033

QuickTime
C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{929408E6-D265-4174-805F-81D1D914E2A4} /l1033

iPod for Windows 2005-09-23
C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{D4936AAF-FFD0-44A1-A7EA-A2DB41CEB5BC} /l1033

Far Cry
C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{D6DBDC2A-E72C-4284-B6AD-6B3B61B4DABC} /l2057

Windows XP Hotfix - KB834707
C:\WINDOWS\$NtUninstallKB834707$\spuninst\spuninst.exe

Windows XP Hotfix - KB867282
C:\WINDOWS\$NtUninstallKB867282$\spuninst\spuninst.exe

Microsoft Data Access Components KB870669
C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf

Windows XP Hotfix - KB873333
C:\WINDOWS\$NtUninstallKB873333$\spuninst\spuninst.exe

Windows XP Hotfix - KB873339
C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe

Security Update for Windows XP (KB883939)
"C:\WINDOWS\$NtUninstallKB883939$\spuninst\spuninst.exe"

Windows XP Hotfix - KB885250
C:\WINDOWS\$NtUninstallKB885250$\spuninst\spuninst.exe

Windows XP Hotfix - KB885835
C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe

Windows XP Hotfix - KB885836
C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe

Windows XP Hotfix - KB885884
C:\WINDOWS\$NtUninstallKB885884$\spuninst\spuninst.exe

Windows XP Hotfix - KB886185
C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe

Windows XP Hotfix - KB887472
C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe

Windows XP Hotfix - KB887742
C:\WINDOWS\$NtUninstallKB887742$\spuninst\spuninst.exe

Windows XP Hotfix - KB888113
C:\WINDOWS\$NtUninstallKB888113$\spuninst\spuninst.exe

Windows XP Hotfix - KB888302
C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe

Security Update for Windows XP (KB890046)
"C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"

Windows XP Hotfix - KB890047
C:\WINDOWS\$NtUninstallKB890047$\spuninst\spuninst.exe

Windows XP Hotfix - KB890175
C:\WINDOWS\$NtUninstallKB890175$\spuninst\spuninst.exe

Windows XP Hotfix - KB890859
"C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"

Windows XP Hotfix - KB890923
"C:\WINDOWS\$NtUninstallKB890923$\spuninst\spuninst.exe"

Windows XP Hotfix - KB891781
C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe

Windows XP Hotfix - KB893066
"C:\WINDOWS\$NtUninstallKB893066$\spuninst\spuninst.exe"

Windows XP Hotfix - KB893086
"C:\WINDOWS\$NtUninstallKB893086$\spuninst\spuninst.exe"

Security Update for Windows XP (KB893756)
"C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"

Windows Installer 3.1 (KB893803)
"C:\WINDOWS\$MSI31Uninstall_KB893803$\spuninst\spuninst.exe"

Windows Installer 3.1 (KB893803)
"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"

Update for Windows XP (KB894391)
"C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"

Security Update for Windows XP (KB896358)
"C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"

Security Update for Windows XP (KB896422)
"C:\WINDOWS\$NtUninstallKB896422$\spuninst\spuninst.exe"

Security Update for Windows XP (KB896423)
"C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"

Security Update for Windows XP (KB896424)
"C:\WINDOWS\$NtUninstallKB896424$\spuninst\spuninst.exe"

Security Update for Windows XP (KB896428)
"C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"

Security Update for Windows XP (KB896688)
"C:\WINDOWS\$NtUninstallKB896688$\spuninst\spuninst.exe"

Update for Windows XP (KB896727)
"C:\WINDOWS\$NtUninstallKB896727$\spuninst\spuninst.exe"

Update for Windows XP (KB898461)
"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"

Security Update for Windows XP (KB899587)
"C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"

Security Update for Windows XP (KB899588)
"C:\WINDOWS\$NtUninstallKB899588$\spuninst\spuninst.exe"

Security Update for Windows XP (KB899589)
"C:\WINDOWS\$NtUninstallKB899589$\spuninst\spuninst.exe"

Security Update for Windows XP (KB899591)
"C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"

Security Update for Windows XP (KB900725)
"C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"

Security Update for Windows XP (KB901017)
"C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"

Security Update for Windows XP (KB901214)
"C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"

Security Update for Windows XP (KB902400)
"C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"

Security Update for Windows XP (KB903235)
"C:\WINDOWS\$NtUninstallKB903235$\spuninst\spuninst.exe"

Security Update for Windows XP (KB904706)
"C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"

Security Update for Windows XP (KB905414)
"C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"

Security Update for Windows XP (KB905749)
"C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"

Security Update for Windows XP (KB905915)
"C:\WINDOWS\$NtUninstallKB905915$\spuninst\spuninst.exe"

Security Update for Windows XP (KB908519)
"C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"

Update for Windows XP (KB910437)
"C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"

Security Update for Windows XP (KB912919)
"C:\WINDOWS\$NtUninstallKB912919$\spuninst\spuninst.exe"

LiveUpdate 1.7 (Symantec Corporation)
C:\Program Files\\Symantec\LiveUpdate\LSETUP.EXE /U

Macromedia Shockwave Player
C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log

MinSläkt V3
"C:\Documents and Settings\Nils\My Documents\MinSläkt V3\MinSläkt.exe" /uninstall

Mozilla Firefox (1.5)
C:\WINDOWS\UninstallFirefox.exe /ua "1.5 (nl)"

Mozilla Thunderbird (1.0)
C:\WINDOWS\UninstallThunderbird.exe /ua "1.0 (en)"

MP3 Remix for Winamp
"C:\Program Files\Winamp\uninstall_mp3remix.exe"

MP3 To Wave Converter PLUS 2.22
C:\PROGRA~1\ACOUST~1\UNWISE.EXE C:\PROGRA~1\ACOUST~1\INSTALL.LOG

Nero 6 Ultra Edition
C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL

Picasa 2
"C:\Program Files\Picasa2\Uninstall.exe"

Plaxo Toolbar for Outlook and Outlook Express
C:\Program Files\Plaxo\2.6.2.7\uninstall.exe

Intel® PRO Ethernet Adapter and Software
Prounstl.exe

RealPlayer
C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0

Return to Castle Wolfenstein Multiplayer DEMO
C:\PROGRA~1\RETURN~1\Uninstall\Unwise.exe /u C:\PROGRA~1\RETURN~1\Uninstall\Install.log

Macromedia Flash Player 8
RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\swflash.inf,DefaultUninstall,5

Skype 1.3
"C:\Program Files\Skype\Phone\unins000.exe"

SoulSeek Client 156c
"C:\Program Files\Soulseek\uninstall.exe"

Soulseek Client 152
C:\WINDOWS\UnGins.exe "C:\Program Files\Soulseek\install.log"

Synacast Plug-in 1.1.0.0
C:\Program Files\Common Files\Synacast\SynaLive\uninst.exe

Unreal Tournament 2004 Demo
C:\UT2004Demo\System\Setup.exe uninstall "UT2004-Demo"

Window Washer 5
C:\WINDOWS\Unwash5.exe

Windows Media Format Runtime
"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll

Windows Media Player 10
"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall

Windows XP Service Pack 2
C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe

WinISO 5.3
"C:\Program Files\WinISO\unins000.exe"

WinRAR archiver
C:\Program Files\WinRAR\uninstall.exe

WinZip
"C:\Program Files\WinZip\WINZIP32.EXE" /uninstall

Microsoft Windows Media Video 9 VCM
RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmv9vcm.inf, Uninstall

Notifier
MsiExec.exe /I{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}

aspi
MsiExec.exe /I{015E4B8A-29B5-4AE3-BD08-38220FADFF4C}

iPod Updater 2004-11-15
no uninstaller

ATI Control Panel
RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"

Symantec AntiVirus Client
MsiExec.exe /X{0EFC6259-3AD8-4CD2-BC57-D4937AF5CC0E}

ESSPCD
MsiExec.exe /I{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}

iPod Updater 2004-08-06
no uninstaller

WebFldrs XP
no uninstaller

Google Earth
RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly

MUSICMATCH® Jukebox
C:\PROGRA~1\MUSICM~1\MUSICM~1\unmatch.exe

ESSCAM
MsiExec.exe /I{469730CC-78DF-4CD3-B286-562D459EA619}

ESSvpot
MsiExec.exe /I{48C82F7A-F100-4DAB-A310-8E18BF2159E1}

SAGEM F@st 800-840
no uninstaller

iTunes
no uninstaller

Microsoft AntiSpyware
MsiExec.exe /I{536F7C74-844B-4683-B0C5-EA39E19A6FE3}

Photohands 1.0E
RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{544FB392-069D-4BA5-9DC7-FFD47230AEE5}\Setup.exe"

Siemens SmartSync
RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5B12573C-9C90-4790-BFEE-2BC43C2EB997}\Setup.exe" UNINSTALL

ESSstore
MsiExec.exe /I{6016734B-42A7-4AEB-9248-1D1E4F69AB52}

Easy CD Creator 5 Basic
MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}

Windows Genuine Advantage v1.3.0254.0
MsiExec.exe /I{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}

ESSBrwr
MsiExec.exe /I{643EAE81-920C-4931-9F0B-4B343B225CA6}

PowerDVD
RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall

PCDLNCH
MsiExec.exe /I{69BD6399-3D8F-45B7-81D9-819361F5101D}

Mobile Phone Manager
no uninstaller

Photo Loader 2.1E
RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{70B45586-B51E-4947-A258-A895596C5CED}\Setup.exe" -uninst

Java 2 Runtime Environment, SE v1.4.2_06
MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142060}

ESShelp
MsiExec.exe /I{87843A41-7808-4F2E-B13F-25C1E67CF2FD}

ESSini
MsiExec.exe /I{8E92D746-CD9F-4B90-9668-42B74C14F765}

Microsoft Office XP Professional
MsiExec.exe /I{90110409-6000-11D3-8CFE-0050048383C9}

ESSgui
MsiExec.exe /I{91517631-A9F3-4B7C-B482-43E0068FD55A}

QuickTime
no uninstaller

PPLive 1.1.0.0
C:\PROGRA~1\PPLIVE~1\Setup.exe /remove

CCHelp
MsiExec.exe /I{9D1CF8B6-17B3-4832-B062-2C2DD0B57B04}

ESScore
MsiExec.exe /I{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}

Santa Cruz
RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A4D58580-EA01-11D3-9318-008048B86EFE}\setup.exe"

ESSvpaht
MsiExec.exe /I{A5B3EB8A-4071-42F0-8E8E-7A8342AA8E69}

ESSANUP
MsiExec.exe /I{A6F18A67-B771-4191-8A33-36D2E742D6D9}

chello quickfix
MsiExec.exe /X{A8386B28-EB1F-45FF-8A07-D3AA811FBF04}

SFR2
MsiExec.exe /I{ABE068DF-8DC4-4947-ABFC-DD2B40850225}

Adobe Acrobat - Reader 6.0.2 Update
MsiExec.exe /I{AC76BA86-0000-0000-0000-6028747ADE01}

Adobe Reader 6.0.1
MsiExec.exe /I{AC76BA86-7AD7-1033-7646-A00000000001}

ESSCDBK
MsiExec.exe /I{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}

CCScore
MsiExec.exe /I{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}

KSU
MsiExec.exe /I{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}

SFR
MsiExec.exe /I{C354C9B6-A4E0-4BB0-A368-6DC6BCA0E314}

ESSTUTOR
MsiExec.exe /I{CA60320D-6A16-49C8-A34F-84EEF4799567}

ESSAdpt
MsiExec.exe /I{D15E9DB5-6BEB-4534-901E-80C0A29BAB97}

Kodak EasyShare software
C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_3c0002_f3f697\Setup.exe /APR-REMOVE

GTA San Andreas
RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D417C96A-FCC7-4590-A1BB-FAF73F5BC98E}\setup.exe" -l0x9 -removeonly

iPod for Windows 2005-09-23
no uninstaller

Far Cry
no uninstaller

Dell ResourceCD
RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"

Sygate Personal Firewall
MsiExec.exe /I{F34D9A5F-484A-4E31-A9D3-908CB265B289}

OTtBP
MsiExec.exe /I{F71760CD-0F8B-4DCC-B7B7-6B223CC3843C}

che

Jan 23 2006, 10:33 PM

And here's the reply from the Blank space script..

(really cool you know all this stuff.. Have no idea what you're doing, but as long as I don't see credit card numbers flashing, I guess its ok.. :)

Azureus Azureus
C:\Program Files\Azureus\Azureus.exe,0

Dell Digital Jukebox Driver Dell Digital Jukebox Driver
C:\Program Files\Dell\Digital Jukebox Drivers\CtDrvStp.exe

Dell File Manager Dell DJ Explorer
C:\Dell\Drivers\R80075\SETUP.EXE

ewidoantimalware ewido anti-malware
C:\Program Files\ewido anti-malware\SecuritySuite.exe

HijackThis HijackThis 1.99.1
C:\Documents and Settings\Nils\My Documents\Installation files\HijackThis.exe

InstallShield_{06E73C0B-7DE7-4F41-860B-587033B75BD9} iPod Updater 2004-11-15
C:\WINDOWS\Installer\{06E73C0B-7DE7-4F41-860B-587033B75BD9}\ARPPRODUCTICON.exe

InstallShield_{2F8C106A-7DFC-45DE-8006-F9145AADF1D8} iPod Updater 2004-08-06
C:\WINDOWS\Installer\{2F8C106A-7DFC-45DE-8006-F9145AADF1D8}\ARPPRODUCTICON.exe

InstallShield_{501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5} iTunes
C:\WINDOWS\Installer\{501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5}\ARPPRODUCTICON.exe

InstallShield_{6BAA26DB-2D4E-42B6-BC3F-3B58144A64B6} Mobile Phone Manager
C:\WINDOWS\Installer\{6BAA26DB-2D4E-42B6-BC3F-3B58144A64B6}\ARPPRODUCTICON.exe

InstallShield_{929408E6-D265-4174-805F-81D1D914E2A4} QuickTime
C:\WINDOWS\Installer\{929408E6-D265-4174-805F-81D1D914E2A4}\ARPPRODUCTICON.exe

InstallShield_{D6DBDC2A-E72C-4284-B6AD-6B3B61B4DABC} Far Cry
C:\WINDOWS\Installer\{D6DBDC2A-E72C-4284-B6AD-6B3B61B4DABC}\ARPPRODUCTICON.exe

KB893803 Windows Installer 3.1 (KB893803)
%windir%\system32\msiexec.exe

KB893803v2 Windows Installer 3.1 (KB893803)
%windir%\system32\msiexec.exe

Mozilla Firefox (1.5) Mozilla Firefox (1.5)
C:\Program Files\Mozilla Firefox\firefox.exe,0

Mozilla Thunderbird (1.0) Mozilla Thunderbird (1.0)
C:\Program Files\Mozilla Thunderbird\thunderbird.exe,0

Nero - Burning Rom!UninstallKey Nero 6 Ultra Edition
C:\Program Files\Ahead\nero\nero.exe

Plaxo Plaxo Toolbar for Outlook and Outlook Express
C:\Program Files\Plaxo\2.6.2.7\uninstall.exe,1

RealPlayer 6.0 RealPlayer
C:\Program Files\Real\RealPlayer\realplay.exe

Return to Castle Wolfenstein Multiplayer DEMO Return to Castle Wolfenstein Multiplayer DEMO
C:\PROGRA~1\RETURN~1\WolfMPDemo.exe,-0

Skype_is1 Skype 1.3
C:\Program Files\Skype\Phone\Skype.exe

Synacast Plug-in Synacast Plug-in 1.1.0.0
C:\Program Files\Common Files\Synacast\SynaLive\PE.exe

UT2004-Demo Unreal Tournament 2004 Demo
C:\UT2004Demo\Help\Unreal.ico

Windows Media Format Runtime Windows Media Format Runtime
C:\Program Files\Windows Media Player\wmplayer.exe

Windows Media Player Windows Media Player 10
C:\Program Files\Windows Media Player\wmplayer.exe

{45EBDA59-D33B-433A-956E-B2F236468B56} MUSICMATCH® Jukebox
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMJB.exe,0

{5B12573C-9C90-4790-BFEE-2BC43C2EB997} Siemens SmartSync
C:\Program Files\Mobile Phone Manager\SmartSync\xcIcons.Siemens.SmartSync.5.2.dll,-1

{A8386B28-EB1F-45FF-8A07-D3AA811FBF04} chello quickfix
C:\Program Files\Support.com\providersprt\5118.ico,0

{D32470A1-B10C-4059-BA53-CF0486F68EBC} Kodak EasyShare software
C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_3c0002_f3f697\Setup.exe,0

{D417C96A-FCC7-4590-A1BB-FAF73F5BC98E} GTA San Andreas
<PATH_TO_ICONS_FILES>\app.ico

Mosaic1

Jan 24 2006, 01:12 AM

I am getting information from your registry, but only what I want to see and creating an easy to read text file.

Notifier and KSU are both related to your Kodak Easy Share Software.

--------

I think we have the Blank Space Culprit.

Copy the contents of the code box to notepad.
Name the file space.reg
Save as Type: All files

CODE

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5B12573C-9C90-4790-BFEE-2BC43C2EB997}]
"DisplayIcon"="C:\\Program Files\\Mobile Phone Manager\\SmartSync\\xcIcons.Siemens.SmartSync.5.2.dll,0"

Double click on space.reg and say yes to the prompt.

Open Add Remove Programs and see how it looks. If still a blank space, then restart and check again. Let me know how it works out.

Mosaic1

Jan 24 2006, 01:21 AM

You still have an older versio of sun java listed too.

Please do this. It is urgent!

There has been an issue found recently with Sun Java.

When newer versions are installed, the older versions are left behind and malware can call these older versions to exploit flaws. Some malware has been found to install this way.

First update to the very latest version of Sun Java, which is 1.5.0_06

Then go into Add Remove programs and uninstall any older versions you find listed there.

che

Jan 24 2006, 06:30 PM

Alright!!

The blank space is gone..

(and so is Mysearchbar)

Great...

che

Jan 24 2006, 06:36 PM

Also installed the latest Sun Java version, and got rid of the older one..

Does this mean I'm clean?
No strange things in my Hijackthis?

Mosaic1

Jan 24 2006, 06:52 PM

It does look good. But do you still get that Google page when you do a search in Firefox?

che

Jan 24 2006, 06:53 PM

Yeah...

Strange huh?

But as I've said, it's not the end of the world...

Mosaic1

Jan 24 2006, 06:56 PM

It bothers me. Why that message? When you search google from firefox are you using a plug-in or just going to google and doing a search from there?

che

Jan 24 2006, 06:58 PM

It does say that it could also be a spyware program..

It also says that "my network" is infected.. Could my network have anything to do with it?

I do have a wireless router, but that's secured, and it's only used by one laptop...

Mosaic1

Jan 24 2006, 07:14 PM

You have how many computers on your "network"? Just 1 ?

And how do you perform a search at Google? Di you go to google.com and do the search or do you have a toolbar of some kind installed on your Firefox?

che

Jan 24 2006, 07:15 PM

It's only one computer.
And the message only keeps popping up at Firefox..
I've tried both ways (through the toolbar, as well as a normal search).

I tried to go to google.com (us version) but keep getting directed to the dutch version. It might have to do something with that, but again doubtful..

che

Jan 24 2006, 07:30 PM

Looking if you've missed something?

Mosaic1

Jan 24 2006, 07:45 PM

I went back and found this in your EWIDO log:

QUOTE

C:\Documents and Settings\Nils\Application Data\Azureus\downloads\LimeWire PRO 4.10.0\setup.exe -> Backdoor.Rbot.anr : Cleaned with backup

Another good reason to have uninstalled those two programs! Both LimeWire and Azureus.

You have never shown any entries indicating this was ever actually activated.

Read information here>

http://www.sophos.com/virusinfo/analyses/w32rbotanr.html

If it ever had been active, you should take action to protect your private information. If you do online banking, go to the bank and change all passwords. Be sure there has been no unusual activity on your accounts. Any other passwords or sensitive infromation needs to be changed and protected too.

--------

But why only in firefox?

Let's have another look around:

Copy the contents of the code box to Notepad.
Name the file lsa.bat
Save a Type :All files

CODE

If not exist Files MkDir Files

regedit /a /e files\2.txt HKEY_CURRENT_USER\Software\Microsoft\OLE
regedit /a /e files\3.txt HKEY_CURRENT_USER\System\CurrentControlSet\Control\Lsa
regedit /a /e files\4.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
regedit /a /e files\5.txt HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
regedit /e /a files\6.txt HKEY_USERS\DEFAULT\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA
regedit /a /e files\7.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
regedit /a /e files\8.txt "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center"
Regedit /a /e files\9.txt HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
Regedit /a /e files\10.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
Regedit /a /e files\11.txt HKEY_LOCAL_MACHINE\SOFTWARE\Policies\WindowsFirewall
Regedit /a /e files\12.txt HKEY_CURRENT_USER\SOFTWARE\Policies\WindowsFirewall
Regedit /a /e files\13.txt HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsUpdate
Regedit /a /e files\14.txt HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
Regedit /a /e files\15.txt "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore"
Regedit /a /e files\16.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore"

Copy files\*.txt = lsa.txt
rmdir /s /q files
Start Notepad lsa.txt

Double click on lsa.bat to run it. It will export some registry keys for us and open a text file named lsa.txt

Please post the contents of lsa.txt into your next reply here please.

Mosaic1

Jan 24 2006, 07:49 PM

Additionally:

Download WinPFind here:
http://www.bleepingcomputer.com/files/winpfind.php

Read and follow the instructions on the page to download and then run WinPFind and post the results please.

------------------

Extract the contents to a convenient folder.

Restart into SAFE MODE

Double click in WinPFind.exe to run it.

Click "Start Scan"
This is going to take considerable time.

Once the Scan has finished it will generate a text file named WinPFind.txt in the WinPFind folder.

Restart back into regular windows.

Post the contents of WinPFind.txt into your next reply here too.

che

Jan 24 2006, 09:09 PM

I just got an error message when I restarted my computer.

It was a RunDLL error:

It said: Error 3.1.60.2-EasyShrx.Dll

Do you know what this means?

I'll do the things you just asked me now..

Mosaic1

Jan 24 2006, 09:19 PM

It's a Kodak Easy Share file error.

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.