
Possible Trojan Media Codec infection


  • This topic is locked
13 replies to this topic

#1 domehead


  • Members
  • 17 posts
  • OFFLINE
  • Local time:05:24 PM

Posted 27 July 2009 - 10:10 AM

Hi, as instructed by DaChew, here is my post in the HJT forum.

Here is the link to the previous thread in the 'Am I Infected?' forum:

http://www.bleepingcomputer.com/forums/t/243394/servicesexe-at-99-cpu-sloooow-pc/

From this was found numerous problems, one of which being this Trojan Media Codec.

The primary effect of this seems to be the cpu-hogging by SERVICES.EXE at random intervals, sometimes accompanied by a lot of internet 'traffic'. This causes a dramatic slowdown of the pc, obviously.

My ISP has also today warned me that I have been heavily using my connection during peak times. (I can't totally control what my family does, but we don't normally approach such heavy usage.)

I hope you can help me. Thanks for your attention :thumbup2:

Here is the log from DDS:

DDS (Ver_09-06-26.01) - NTFSx86
Run by MF at 15:38:08.15 on Mon 27/07/2009
Internet Explorer: 6.0.2800.1106 BrowserJavaVersion: 1.6.0_14
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.511.282 [GMT 1:00]


============== Running Processes ===============

C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\system32\PnkBstrA.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Security\ZoneAlarm\zlclient.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Documents and Settings\MF\Desktop\dds.scr

============== Pseudo HJT Report ===============

uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:blank
mLocal Page = c:\windows\system32\blank.htm
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\system32\browseui.dll
uRun: [NvMediaCenter] RUNDLL32.EXE c:\winnt\system32\NVMCTRAY.DLL,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\winnt\system32\NvCpl.dll,NvStartup
mRun: [CloneCDElbyCDFL] "c:\program files\clonecd\ElbyCheck.exe" /L ElbyCDFL
mRun: [EPSON Stylus Photo R220 Series] c:\winnt\system32\spool\drivers\w32x86\3\E_FATIAIE.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
mRun: [ZoneAlarm Client] "c:\program files\security\zonealarm\zlclient.exe"
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} - hxxp://www.riffinteractive.com/setup/RiffLick.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232448654625
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38490.2823148148
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {AC7AEDB5-BC4F-4B7B-897C-C49CDFE6087E} = 212.159.13.49,212.159.13.50
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mf\applic~1\mozilla\firefox\profiles\b4ssirc6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\documents and settings\mf\application data\mozilla\firefox\profiles\b4ssirc6.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 ElbyVCD;ElbyVCD;c:\winnt\system32\drivers\ElbyVCD.sys [2002-11-28 22016]
R0 Lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [2009-5-17 64160]
R1 Asapi;Asapi;c:\winnt\system32\drivers\asapi.sys [2007-3-3 11264]
R1 aswSP;avast! Self Protection;c:\winnt\system32\drivers\aswSP.sys [2009-3-10 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R1 vsdatant;vsdatant;c:\winnt\system32\vsdatant.sys [2005-5-19 394952]
R2 aswFsBlk;aswFsBlk;c:\winnt\system32\drivers\aswFsBlk.sys [2009-3-10 20560]
R2 aswMon;avast! Standard Shield Support;c:\winnt\system32\drivers\aswmon.sys [2009-3-10 93296]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-3-10 138680]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-3-10 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-3-10 352920]
R3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [2003-6-19 24784]
R3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2005-5-18 49776]
S3 L6PODLV;PODxt Live Service;c:\winnt\system32\drivers\L6PODLV.sys [2006-7-27 417920]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
S3 sunkfilt62;USB 6/1 Driver;c:\winnt\system32\drivers\sunkfilt62.sys [2003-12-26 15460]
S3 vsc32;Virtual Sound Canvas 3.2;c:\winnt\system32\drivers\vsc.sys --> c:\winnt\system32\drivers\vsc.sys [?]

=============== Created Last 30 ================

2009-07-27 15:38 16,384 a------t c:\winnt\system32\Perflib_Perfdata_430.dat
2009-07-27 13:45 16,384 a------t c:\winnt\system32\Perflib_Perfdata_2c8.dat
2009-07-25 15:51 2,514 a------- c:\winnt\system32\tmp.reg
2009-07-25 03:40 746,562 ----h--- c:\winnt\ShellIconCache
2009-07-24 01:50 --d----- c:\documents and settings\mf\DoctorWeb
2009-07-22 02:33 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-07-22 02:33 --d----- c:\program files\SUPERAntiSpyware
2009-07-22 02:33 --d----- c:\docume~1\mf\applic~1\SUPERAntiSpyware.com
2009-07-17 00:50 a-d----- c:\program files\common files\System-G
2009-07-16 19:55 --d----- c:\docume~1\mf\applic~1\JGsoft
2009-07-16 19:55 67,208 a------- c:\winnt\UnDeploy.exe
2009-07-16 18:57 --d----- c:\program files\ABC Amber LIT Converter
2009-07-16 02:34 54,156 a---h--- c:\winnt\QTFont.qfn
2009-07-16 02:34 1,409 a------- c:\winnt\QTFont.for
2009-06-29 10:54 16,384 a------t c:\winnt\system32\Perflib_Perfdata_4c0.dat

==================== Find3M ====================

2009-07-17 01:13 748 a------- c:\docume~1\mf\applic~1\hexplorer.dat
2009-07-17 01:13 4 a------- c:\docume~1\mf\applic~1\mclip.dat
2009-07-13 13:36 38,160 a------- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-07-13 13:36 18,456 a------- c:\winnt\system32\drivers\mbam.sys
2009-06-23 10:03 16,384 a------t c:\winnt\system32\Perflib_Perfdata_284.dat
2009-06-16 05:48 165,136 a------- c:\winnt\system32\t2embed.dll
2009-06-16 05:48 81,168 a------- c:\winnt\system32\fontsub.dll
2009-06-03 11:50 15,688 a------- c:\winnt\system32\lsdelete.exe
2009-06-02 19:23 1,225,728 a------- c:\winnt\system32\quartz.dll
2009-05-21 11:33 410,984 a------- c:\winnt\system32\deploytk.dll
2009-05-17 12:20 16,384 a------t c:\winnt\system32\Perflib_Perfdata_294.dat
2009-05-17 12:15 16,384 a------t c:\winnt\system32\Perflib_Perfdata_658.dat
2009-05-07 07:41 263,440 a------- c:\winnt\system32\LOCALSPL.DLL
2007-09-23 18:15 2,293,712 a------- c:\program files\FLV PlayerFCSetup.exe
2006-05-14 20:19 91 a------- c:\program files\Crash.log
2005-11-07 14:55 2,082,304 a------- c:\program files\PcSetup.exe
2005-05-18 14:23 21,952 ----h--- c:\program files\folder.htt
2005-05-18 14:23 271 ----h--- c:\program files\desktop.ini
1999-12-07 14:00 32,528 a------- c:\winnt\inf\wbfirdma.sys

============= FINISH: 15:40:16.45 ===============

Attached Files




 


#2 thcbytes


  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:24 AM

Posted 06 August 2009 - 09:05 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 domehead

  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:05:24 PM

Posted 07 August 2009 - 06:00 AM

Hey thcbytes - thanks for the response - you guys must be busy! I had almost given up hope.

Since then, all I have done is delete loads of files and run loads of Antivirus and Anti-Spyware tools.

Still have the same main effect (SERVICES.EXE) taking 90-100% of the cpu at irregular intervals, causing the pc to grind to a halt. It happened again as I uploaded the DDS files here.

Ran DDS as instructed:

DDS (Ver_09-07-30.01) - NTFSx86
Run by MF at 11:46:01.50 on Fri 07/08/2009
Internet Explorer: 6.0.2800.1106 BrowserJavaVersion: 1.6.0_15
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.511.309 [GMT 1:00]


============== Running Processes ===============

C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\system32\PnkBstrA.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Security\ZoneAlarm\zlclient.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Documents and Settings\MF\Desktop\dds.scr

============== Pseudo HJT Report ===============

uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:blank
mLocal Page = c:\windows\system32\blank.htm
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\system32\browseui.dll
uRun: [NvMediaCenter] RUNDLL32.EXE c:\winnt\system32\NVMCTRAY.DLL,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\winnt\system32\NvCpl.dll,NvStartup
mRun: [CloneCDElbyCDFL] "c:\program files\clonecd\ElbyCheck.exe" /L ElbyCDFL
mRun: [EPSON Stylus Photo R220 Series] c:\winnt\system32\spool\drivers\w32x86\3\E_FATIAIE.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
mRun: [ZoneAlarm Client] "c:\program files\security\zonealarm\zlclient.exe"
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} - hxxp://www.riffinteractive.com/setup/RiffLick.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232448654625
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38490.2823148148
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {AC7AEDB5-BC4F-4B7B-897C-C49CDFE6087E} = 212.159.13.49,212.159.13.50
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mf\applic~1\mozilla\firefox\profiles\b4ssirc6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\documents and settings\mf\application data\mozilla\firefox\profiles\b4ssirc6.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 ElbyVCD;ElbyVCD;c:\winnt\system32\drivers\ElbyVCD.sys [2002-11-28 22016]
R0 Lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [2009-5-17 64160]
R1 Asapi;Asapi;c:\winnt\system32\drivers\asapi.sys [2007-3-3 11264]
R1 aswSP;avast! Self Protection;c:\winnt\system32\drivers\aswSP.sys [2009-3-10 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R1 vsdatant;vsdatant;c:\winnt\system32\vsdatant.sys [2005-5-19 394952]
R2 aswFsBlk;aswFsBlk;c:\winnt\system32\drivers\aswFsBlk.sys [2009-3-10 20560]
R2 aswMon;avast! Standard Shield Support;c:\winnt\system32\drivers\aswmon.sys [2009-3-10 93296]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-3-10 138680]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-4-8 92008]
R2 vsmon;TrueVector Internet Monitor;c:\winnt\system32\zonelabs\vsmon.exe -service --> c:\winnt\system32\zonelabs\vsmon.exe -service [?]
R3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [2003-6-19 24784]
R3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2005-5-18 49776]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-3-10 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-3-10 352920]
S3 L6PODLV;PODxt Live Service;c:\winnt\system32\drivers\L6PODLV.sys [2006-7-27 417920]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
S3 sassvc;ProgramCheckerPro;c:\program files\zenturi\programchecker\sassvc.exe [2006-2-15 122880]
S3 sunkfilt62;USB 6/1 Driver;c:\winnt\system32\drivers\sunkfilt62.sys [2003-12-26 15460]
S3 vsc32;Virtual Sound Canvas 3.2;c:\winnt\system32\drivers\vsc.sys --> c:\winnt\system32\drivers\vsc.sys [?]

=============== Created Last 30 ================

2009-08-07 11:39 16,384 a------t c:\winnt\system32\Perflib_Perfdata_464.dat
2009-08-06 13:12 644,992 ----h--- c:\winnt\ShellIconCache
2009-08-06 02:25 73,728 a------- c:\winnt\system32\javacpl.cpl
2009-08-05 15:34 16,384 a------t c:\winnt\system32\Perflib_Perfdata_2bc.dat
2009-08-04 13:09 <DIR> --d----- c:\program files\ESET
2009-08-04 11:44 <DIR> --d----- c:\docume~1\mf\applic~1\IObit
2009-08-04 00:21 <DIR> --d----- c:\program files\IObit
2009-08-02 15:25 16,384 a------t c:\winnt\system32\Perflib_Perfdata_298.dat
2009-07-27 15:38 16,384 a------t c:\winnt\system32\Perflib_Perfdata_430.dat
2009-07-25 15:51 2,514 a------- c:\winnt\system32\tmp.reg
2009-07-24 01:50 <DIR> --d----- c:\documents and settings\mf\DoctorWeb
2009-07-22 02:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-07-22 02:33 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-07-22 02:33 <DIR> --d----- c:\docume~1\mf\applic~1\SUPERAntiSpyware.com
2009-07-17 00:50 <DIR> a-d----- c:\program files\common files\System-G
2009-07-16 19:55 <DIR> --d----- c:\docume~1\mf\applic~1\JGsoft
2009-07-16 19:55 67,208 a------- c:\winnt\UnDeploy.exe
2009-07-16 18:57 <DIR> --d----- c:\program files\ABC Amber LIT Converter

==================== Find3M ====================

2009-08-06 02:25 411,368 a------- c:\winnt\system32\deploytk.dll
2009-08-03 13:36 38,160 a------- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 18,456 a------- c:\winnt\system32\drivers\mbam.sys
2009-07-17 01:13 748 a------- c:\docume~1\mf\applic~1\hexplorer.dat
2009-07-17 01:13 4 a------- c:\docume~1\mf\applic~1\mclip.dat
2009-06-29 10:54 16,384 a------t c:\winnt\system32\Perflib_Perfdata_4c0.dat
2009-06-23 10:03 16,384 a------t c:\winnt\system32\Perflib_Perfdata_284.dat
2009-06-16 05:48 165,136 a------- c:\winnt\system32\t2embed.dll
2009-06-16 05:48 81,168 a------- c:\winnt\system32\fontsub.dll
2009-06-03 11:50 15,688 a------- c:\winnt\system32\lsdelete.exe
2009-06-02 19:23 1,225,728 a------- c:\winnt\system32\quartz.dll
2009-05-17 12:20 16,384 a------t c:\winnt\system32\Perflib_Perfdata_294.dat
2009-05-17 12:15 16,384 a------t c:\winnt\system32\Perflib_Perfdata_658.dat
2007-09-23 18:15 2,293,712 a------- c:\program files\FLV PlayerFCSetup.exe
2006-05-14 20:19 91 a------- c:\program files\Crash.log
2005-11-07 14:55 2,082,304 a------- c:\program files\PcSetup.exe
2005-05-18 14:23 21,952 ----h--- c:\program files\folder.htt
2005-05-18 14:23 271 ----h--- c:\program files\desktop.ini
1999-12-07 14:00 32,528 a------- c:\winnt\inf\wbfirdma.sys

============= FINISH: 11:46:33.65 ===============


#4 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 09 August 2009 - 07:38 PM

Hi domehead,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

---------------------------------------

I've reviewed the link and we need to use something strong to remove the infections.

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop but rename it Combo-Fix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks :thumbup2:
m0le is a proud member of UNITE

#5 domehead

  • Topic Starter
  • Members
  • 17 posts

Posted 09 August 2009 - 09:27 PM

Hey m0le :thumbup2:

Thanks for taking this on - hopefully we can nail this problem!

Did all as instructed - ComboFix didn't prompt me to install the Recovery Console, but then reports it is not installed! Is that a Win 2000 problem?

Ah well - here goes with the log, enjoy :) -

ComboFix 09-08-09.04 - MF 10/08/2009 2:57.1.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.511.335 [GMT 1:00]
Running from: c:\documents and settings\MF\Desktop\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
/wow section - STAGE 32A


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\system32\tmp.reg
c:\winnt\Web\default.htt

.
((((((((((((((((((((((((( Files Created from 2009-07-10 to 2009-08-10 )))))))))))))))))))))))))))))))
.

2009-08-10 01:56 . 2009-08-10 01:56 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_4e0.dat
2009-08-10 01:45 . 2009-08-10 01:45 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_2cc.dat
2009-08-09 15:02 . 2009-08-09 15:02 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_2c0.dat
2009-08-08 12:37 . 2009-08-08 14:14 117760 ----a-w- c:\documents and settings\MF\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-07 10:39 . 2009-08-07 10:39 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_464.dat
2009-08-06 01:24 . 2009-08-06 01:24 152576 ----a-w- c:\documents and settings\MF\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-04 12:09 . 2009-08-04 12:09 -------- d-----w- c:\program files\ESET
2009-08-04 10:44 . 2009-08-08 15:10 -------- d-----w- c:\documents and settings\MF\Application Data\IObit
2009-08-03 23:21 . 2009-08-08 15:10 -------- d-----w- c:\program files\IObit
2009-08-02 14:25 . 2009-08-02 14:25 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_298.dat
2009-07-27 14:38 . 2009-07-27 14:38 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_430.dat
2009-07-24 00:50 . 2009-07-24 00:50 -------- d-----w- c:\documents and settings\MF\DoctorWeb
2009-07-22 01:33 . 2009-07-22 01:33 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-22 01:33 . 2009-08-08 12:34 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-22 01:33 . 2009-08-08 12:34 -------- d-----w- c:\documents and settings\MF\Application Data\SUPERAntiSpyware.com
2009-07-16 23:50 . 2009-07-16 23:51 -------- d---a-w- c:\program files\Common Files\System-G
2009-07-16 18:55 . 2009-07-16 18:55 -------- d-----w- c:\documents and settings\MF\Application Data\JGsoft
2009-07-16 18:55 . 2009-02-09 02:10 67208 ----a-w- c:\winnt\UnDeploy.exe
2009-07-16 17:57 . 2009-07-17 00:20 -------- d-----w- c:\program files\ABC Amber LIT Converter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-10 01:49 . 2005-05-19 12:43 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-08-09 15:08 . 2008-03-02 17:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-09 15:08 . 2008-06-14 01:59 -------- d-----w- c:\program files\SpywareBlaster
2009-08-08 12:32 . 2006-10-17 11:12 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-08 12:31 . 2006-04-10 22:48 -------- d-----w- c:\program files\Winamp
2009-08-08 02:10 . 2005-06-19 14:44 -------- d-----w- c:\program files\Agent
2009-08-06 12:06 . 2006-05-17 11:56 -------- d-----w- c:\program files\Steam
2009-08-06 01:29 . 2009-05-27 23:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-06 01:25 . 2009-05-17 11:53 411368 ----a-w- c:\winnt\system32\deploytk.dll
2009-08-06 01:25 . 2006-01-04 01:18 -------- d-----w- c:\program files\Java
2009-08-05 14:50 . 2005-05-19 00:14 -------- d---a-w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-04 10:16 . 2009-08-04 10:15 14742815 ----a-w- c:\winnt\Internet Logs\vsmon_on_demand_2009_08_04_00_46_59_full.dmp.zip
2009-08-03 12:36 . 2009-05-27 23:30 38160 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-08-03 12:36 . 2009-05-27 23:30 18456 ----a-w- c:\winnt\system32\drivers\mbam.sys
2009-07-30 10:55 . 2008-02-07 01:57 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-29 02:48 . 2009-06-08 11:07 -------- d-----w- c:\documents and settings\MF\Application Data\vlc
2009-07-25 12:11 . 2007-03-20 16:43 12 ----a-w- c:\winnt\system32\pgvmc.dat
2009-07-25 11:03 . 2006-12-14 15:26 -------- d-----w- c:\program files\RipCast 1.9
2009-07-25 10:44 . 2005-08-14 23:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-24 18:20 . 2006-01-03 02:38 -------- d-----w- c:\program files\yBook
2009-07-21 19:13 . 2005-05-18 23:25 -------- d-----w- c:\program files\Security
2009-07-21 16:41 . 2008-03-19 12:25 -------- d-----w- c:\program files\Lavasoft
2009-07-21 15:11 . 2009-03-06 12:37 -------- d-----w- c:\program files\Battle for Wesnoth 1.5.12-1.6rc1
2009-07-20 23:34 . 2009-01-14 12:23 -------- d-----w- c:\documents and settings\MF\Application Data\GrabIt
2009-07-20 22:41 . 2009-06-25 10:07 3775176 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-20 21:58 . 2006-04-06 10:07 65803910 ----a-w- c:\winnt\Internet Logs\tvDebug.zip
2009-07-17 00:13 . 2009-02-19 23:25 748 ----a-w- c:\documents and settings\MF\Application Data\hexplorer.dat
2009-07-17 00:13 . 2009-02-19 23:25 4 ----a-w- c:\documents and settings\MF\Application Data\mclip.dat
2009-07-16 09:23 . 2008-02-17 17:38 -------- d-----w- c:\documents and settings\MF\Application Data\dvdcss
2009-07-05 16:25 . 2007-02-28 01:12 -------- d-----w- c:\program files\GWFreaks
2009-07-05 15:39 . 2009-03-09 03:16 -------- d-----w- c:\program files\TomTom Map Patcher
2009-07-05 14:45 . 2007-11-21 01:06 -------- d--h--w- c:\program files\Zero G Registry
2009-07-05 13:40 . 2007-10-02 16:19 -------- d-----w- c:\program files\FinePixViewer
2009-06-27 16:45 . 2009-03-14 14:49 -------- d-----w- c:\program files\Line6
2009-06-26 12:00 . 2009-01-14 12:19 -------- d-----w- c:\program files\GrabIt
2009-06-23 09:03 . 2009-06-23 09:03 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_284.dat
2009-06-16 04:48 . 1999-12-07 13:00 81168 ----a-w- c:\winnt\system32\fontsub.dll
2009-06-16 04:48 . 1999-12-07 13:00 165136 ----a-w- c:\winnt\system32\t2embed.dll
2009-06-10 11:00 . 2009-06-10 11:00 152576 ----a-w- c:\documents and settings\MF\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-03 10:50 . 2009-06-03 10:50 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-06-03 10:50 . 2009-05-17 11:45 15688 ----a-w- c:\winnt\system32\lsdelete.exe
2009-06-02 18:23 . 2005-05-18 15:29 1225728 ----a-w- c:\winnt\system32\quartz.dll
2009-05-17 12:03 . 2006-08-18 19:47 721904 ----a-w- c:\winnt\system32\drivers\sptd.sys
2009-05-17 11:52 . 2009-05-17 11:52 152576 ----a-w- c:\documents and settings\MF\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-17 11:20 . 2009-05-17 11:20 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_294.dat
2009-05-17 11:18 . 2009-05-17 11:19 64160 ----a-w- c:\winnt\system32\drivers\Lbd.sys
2009-05-17 11:18 . 2009-05-17 11:18 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-05-17 11:15 . 2009-05-17 11:15 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_658.dat
2007-09-23 17:15 . 2007-09-23 17:15 2293712 ----a-w- c:\program files\FLV PlayerFCSetup.exe
2006-05-14 19:19 . 2006-05-14 19:19 91 ----a-w- c:\program files\Crash.log
2005-11-07 13:55 . 2006-05-14 19:19 2082304 ----a-w- c:\program files\PcSetup.exe
2005-05-18 13:23 . 2005-05-18 13:23 21952 ---h--w- c:\program files\folder.htt
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2008-09-19 21:55 . 2008-09-19 21:55 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-09-19 21:55 . 2008-09-19 21:55 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-09-19 21:55 . 2008-09-19 21:55 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

------- Sigcheck -------

[7] 1999-12-07 13:00 7952 9E64AD53CFD9DA2D22E8A924F8C6E62C c:\winnt\system32\svchost.exe
[7] 1999-12-07 13:00 7952 9E64AD53CFD9DA2D22E8A924F8C6E62C c:\winnt\system32\dllcache\svchost.exe

[7] 2003-06-19 10:05 403216 11ED538DB87D8CF38017A63A82AA805D c:\winnt\$NtUninstallKB890859$\user32.dll
[7] 2005-04-21 00:08 419600 63A7731CF4BA8565B9F07908FAC05C3B c:\winnt\$NtUninstallKB925902$\user32.dll
[7] 2005-03-12 07:54 380688 05CB047C49480A2157911B0A1C7E4C10 c:\winnt\$NtUpdateRollupPackUninstall$\user32.dll
[7] 2007-03-06 11:17 381200 40023A7103796B1AF6CA41A6DBC54775 c:\winnt\system32\USER32.DLL
[7] 2007-03-06 11:17 381200 40023A7103796B1AF6CA41A6DBC54775 c:\winnt\system32\dllcache\USER32.DLL

[7] 2003-06-19 10:05 69904 0190C62DE42396D78DB9BE771CF2403E c:\winnt\system32\ws2_32.dll
[7] 2003-06-19 10:05 69904 0190C62DE42396D78DB9BE771CF2403E c:\winnt\system32\dllcache\ws2_32.dll

[7] 2005-02-18 15:19 592384 33BDE2B6C11C96969E1CBF894C5980AF c:\winnt\$NtUninstallKB883939-IE6SP1-20050428.125228$\wininet.dll
[7] 2002-08-29 06:14 585728 8579E8474130334DFA93D4DF3F0D3FA1 c:\winnt\$NtUninstallKB890923-IE6SP1-20050225.103456$\wininet.dll
[7] 2005-04-27 09:54 574976 DFD44FB5F51809859B4BA320735A2274 c:\winnt\$NtUninstallKB896727-IE6SP1-20050719.165959$\wininet.dll
[7] 2005-06-17 22:49 574976 ECE5D8E5C4B797F057E6933B539A7982 c:\winnt\$NtUninstallKB905915-IE6SP1-20051122.175908$\wininet.dll
[7] 2005-10-21 12:51 575488 4D7F35D26E955FCB4A572908D216CF00 c:\winnt\$NtUninstallKB916281-IE6SP1-20060526.162249$\wininet.dll
[7] 2006-04-28 09:58 575488 3D5062A7667913B9B515CC5769E9FB31 c:\winnt\$NtUninstallKB918899-IE6SP1-20060725.123917$\wininet.dll
[7] 2006-06-23 10:33 575488 7E7760C7F263EC7A740EE265B263F770 c:\winnt\$NtUninstallKB922760-IE6SP1-20061018.120000$\wininet.dll
[7] 2006-10-16 13:32 575488 C12F534D46E6FEB3088BAEEC56601199 c:\winnt\$NtUninstallKB925454-IE6SP1-20061116.120000$\wininet.dll
[7] 2006-10-23 09:25 575488 B4188CDC6270F89680A621AA40E13806 c:\winnt\$NtUninstallKB928090-IE6SP1-20070125.120000$\wininet.dll
[7] 2007-01-02 09:52 575488 91B32B95A072EC20C3BBE6ACA92227E0 c:\winnt\$NtUninstallKB939653-IE6SP1-20070817.120000$\wininet.dll
[7] 2007-08-17 11:10 575488 3ACF09CB26BB88CD35C44E2B0412C0D3 c:\winnt\$NtUninstallKB944533-IE6SP1-20071210.120000$\wininet.dll
[7] 2007-12-10 12:39 575488 593D48782C967E6F756C7A51B002D23C c:\winnt\$NtUninstallKB950759-IE6SP1-20080418.120000$\wininet.dll
[7] 2008-04-18 07:55 575488 8F8B846569F163482926BD0603A79AB9 c:\winnt\$NtUninstallKB953838-IE6SP1-20080620.120000$\wininet.dll
[7] 2008-06-20 08:53 575488 518D857454D381B3776AC40BAD7E1F78 c:\winnt\$NtUninstallKB958215-IE6SP1-20081016.120000$\wininet.dll
[7] 2008-10-15 13:53 575488 39B7BCE3AFF992B3B72868EE01BD1645 c:\winnt\$NtUninstallKB969897-IE6SP1-20090501.120000$\wininet.dll
[7] 2009-04-21 14:15 576512 4D9ABE8C97932B31B825F82FBF6CEE5E c:\winnt\system32\WININET.DLL
[7] 2009-04-21 14:15 576512 4D9ABE8C97932B31B825F82FBF6CEE5E c:\winnt\system32\dllcache\WININET.DLL

[7] 2003-06-19 10:05 332144 5F1BE742B1F2196663255991AE7ACC83 c:\winnt\$NtUninstallKB893066$\tcpip.sys
[7] 2005-05-12 10:25 320176 4800519C7B6A6FA2212F1F14781430A6 c:\winnt\$NtUninstallKB917953$\tcpip.sys
[7] 2006-04-25 13:38 320336 0F62FFCD1C136103D7EA57E5B2B30994 c:\winnt\$NtUninstallKB941644$\tcpip.sys
[7] 2007-10-05 06:54 320368 BA4FB02D2149E12C87F24E6700B060D4 c:\winnt\$NtUninstallKB951748$\tcpip.sys
[7] 2008-06-18 10:05 320528 02FAE418BD28E185A4909E5869497DE5 c:\winnt\system32\dllcache\tcpip.sys
[7] 2008-06-18 10:05 320528 02FAE418BD28E185A4909E5869497DE5 c:\winnt\system32\drivers\tcpip.sys

[7] 2004-08-24 22:59 182544 5922E8055EB439A58EF29530D8567A40 c:\winnt\$NtUninstallKB840987$\winlogon.exe
[7] 2004-08-24 22:59 182544 5922E8055EB439A58EF29530D8567A40 c:\winnt\$NtUninstallKB841533$\winlogon.exe
[7] 2003-06-19 10:05 181008 3980C28D116D438BBB36FB38526FDE1A c:\winnt\$NtUninstallKB890859$\winlogon.exe
[7] 2004-08-24 22:59 182544 5922E8055EB439A58EF29530D8567A40 c:\winnt\$NtUpdateRollupPackUninstall$\winlogon.exe
[7] 2005-04-08 03:51 186640 BB1DAF6A5737652646D52665251A0265 c:\winnt\system32\WINLOGON.EXE
[7] 2005-04-08 03:51 186640 BB1DAF6A5737652646D52665251A0265 c:\winnt\system32\dllcache\WINLOGON.EXE

[7] 2003-06-19 10:05 170928 FB4F2D0595BD3546A4DD915E4A9B4809 c:\winnt\system32\dllcache\ndis.sys
[7] 2003-06-19 10:05 170928 FB4F2D0595BD3546A4DD915E4A9B4809 c:\winnt\system32\drivers\ndis.sys


[7] 2003-06-19 10:05 1694080 541DAEF38C9C82541690AA7E6F52F654 c:\winnt\$NtUninstallKB890859$\ntkrnlpa.exe
[7] 2005-05-06 03:45 1713280 BA85F7C7B83CAC2B5D125E2FD3347C94 c:\winnt\$NtUninstallKB908523$\ntkrnlpa.exe
[7] 2005-10-06 09:20 1713600 B52DB052C1E45CE142CEB8562C01173D c:\winnt\$NtUninstallKB920958$\ntkrnlpa.exe
[7] 2006-09-12 11:48 1713536 43315599F4806CAC440B248AA06EB14C c:\winnt\$NtUninstallKB931784$\ntkrnlpa.exe
[7] 2005-03-02 09:49 1713280 3BE4786A7E50F7AE4AC9F1B23A057835 c:\winnt\$NtUpdateRollupPackUninstall$\ntkrnlpa.exe
[7] 2007-03-05 15:52 1713536 D63CCCA44AB92D8B819054E2AF6202AE c:\winnt\Driver Cache\i386\ntkrnlpa.exe
[7] 2007-03-05 15:52 1713536 D63CCCA44AB92D8B819054E2AF6202AE c:\winnt\system32\NTKRNLPA.EXE
[7] 2007-03-05 15:52 1713536 D63CCCA44AB92D8B819054E2AF6202AE c:\winnt\system32\dllcache\ntkrnlpa.exe

[7] 2003-06-19 10:05 1719056 61A2DCFCE1ABF5340D2128E45B5F52B7 c:\winnt\$NtUninstallKB890859$\ntoskrnl.exe
[7] 2005-05-06 03:45 1690432 AC3CE69C7B349494A53A25B44091CD6B c:\winnt\$NtUninstallKB908523$\ntoskrnl.exe
[7] 2005-10-06 09:20 1691008 1C544F422B18F4B4C66C8B7E80EB7866 c:\winnt\$NtUninstallKB920958$\ntoskrnl.exe
[7] 2006-09-12 11:48 1690880 38BD8B676E9116F3F4CBBD36EAB204A3 c:\winnt\$NtUninstallKB931784$\ntoskrnl.exe
[7] 2005-03-02 09:48 1690496 47880ADD9F1E5467F1F4536C76674166 c:\winnt\$NtUpdateRollupPackUninstall$\ntoskrnl.exe
[7] 2007-03-05 15:51 1690880 A9B95A62C4F298AADD3BEC2FDF49FCBE c:\winnt\Driver Cache\i386\ntoskrnl.exe
[7] 2007-03-05 15:51 1690880 A9B95A62C4F298AADD3BEC2FDF49FCBE c:\winnt\system32\NTOSKRNL.EXE
[7] 2007-03-05 15:51 1690880 A9B95A62C4F298AADD3BEC2FDF49FCBE c:\winnt\system32\dllcache\ntoskrnl.exe

[7] 2003-06-19 10:05 243472 59CF2B7DCED9111F48F51B4B570E672D c:\winnt\explorer.exe
[7] 2003-06-19 10:05 243472 59CF2B7DCED9111F48F51B4B570E672D c:\winnt\system32\dllcache\explorer.exe

[7] 2003-06-19 10:05 89360 CFED2D28F5B8A24127E9E06043070643 c:\winnt\$NtUpdateRollupPackUninstall$\services.exe
[7] 2005-04-08 03:51 92944 B861B4E6E9637EB76A40C10C552E0229 c:\winnt\system32\SERVICES.EXE
[7] 2005-04-08 03:51 92944 B861B4E6E9637EB76A40C10C552E0229 c:\winnt\system32\dllcache\services.exe

[7] 2003-06-19 10:05 33552 271229760CCED993E9E7CAB1C7274134 c:\winnt\$NtUninstallKB890859$\lsass.exe
[7] 2004-02-25 23:59 33552 0C13D582EDAF90CBEA454A1AC535B913 c:\winnt\$NtUpdateRollupPackUninstall$\lsass.exe
[7] 2004-12-19 14:30 33552 F19D0A319AB4BF5496F08807CB9B8651 c:\winnt\system32\LSASS.EXE
[7] 2004-12-19 14:30 33552 F19D0A319AB4BF5496F08807CB9B8651 c:\winnt\system32\dllcache\lsass.exe


[7] 2005-04-08 03:51 48400 1F124B89AA469671821115A39C0FBD27 c:\winnt\$NtUninstallKB896423$\spoolsv.exe
[7] 2003-06-19 10:05 45328 987DAF317B917CFC973DE8364D62A76C c:\winnt\$NtUpdateRollupPackUninstall$\spoolsv.exe
[7] 2005-07-12 04:59 47376 FACFB75ECC070103619FA044E0B210D3 c:\winnt\system32\spoolsv.exe
[7] 2005-07-12 04:59 47376 FACFB75ECC070103619FA044E0B210D3 c:\winnt\system32\dllcache\spoolsv.exe

[7] 2008-10-16 14:09 51224 E654B78D2F1D791B30D0ED9A8195EC22 c:\winnt\system32\wuauclt.exe
[7] 2008-10-16 14:09 51224 E654B78D2F1D791B30D0ED9A8195EC22 c:\winnt\system32\dllcache\wuauclt.exe

[7] 2003-06-19 10:05 17680 BF179C5B8A722CC79AEF1CA90D6C7D48 c:\winnt\system32\userinit.exe
[7] 2003-06-19 10:05 17680 BF179C5B8A722CC79AEF1CA90D6C7D48 c:\winnt\system32\dllcache\userinit.exe


[7] 2004-06-17 23:05 712464 276ABD5DD2053008C6C327C590DD806D c:\winnt\$NtUninstallKB841533$\kernel32.dll
[7] 2003-06-19 10:05 743184 AFFDA6F602A8F0DBA615279C28B3BDF8 c:\winnt\$NtUninstallKB890859$\kernel32.dll
[7] 2005-06-02 23:54 712464 694E9BC2ADE4F30C99D8A59340307E1A c:\winnt\$NtUninstallKB917422$\kernel32.dll
[7] 2006-06-21 06:52 712976 84AE59F949F127A3D8D4F4A09D0CE0BD c:\winnt\$NtUninstallKB935839$\kernel32.dll
[7] 2004-06-22 01:35 712464 CBFC72131FB475249DB3667239F3F4EA c:\winnt\$NtUpdateRollupPackUninstall$\kernel32.dll
[7] 2007-04-16 12:44 712976 18D623471DE9DCC2CEA310B2F3FBA15A c:\winnt\Driver Cache\i386\kernel32.dll
[7] 2007-04-16 12:44 712976 0AB23B46CCAEBA64D748A5CF79CB4BB6 c:\winnt\system32\KERNEL32.DLL
[7] 2007-04-16 12:44 712976 18D623471DE9DCC2CEA310B2F3FBA15A c:\winnt\system32\dllcache\kernel32.dll

[7] 2003-06-19 10:05 13584 0A35F356726069B95F4BB2A99203FDD4 c:\winnt\system32\powrprof.dll
[7] 2003-06-19 10:05 13584 0A35F356726069B95F4BB2A99203FDD4 c:\winnt\system32\dllcache\powrprof.dll

[7] 2003-06-19 10:05 96528 873794CE17DD72420D9C4072D4D112E5 c:\winnt\system32\imm32.dll
[7] 2003-06-19 10:05 96528 873794CE17DD72420D9C4072D4D112E5 c:\winnt\system32\dllcache\imm32.dll

[7] 2003-06-19 10:05 120592 9C2A16951FD6A21AEF1C29F213A564B2 c:\winnt\system32\appmgmts.dll
[7] 2003-06-19 10:05 120592 9C2A16951FD6A21AEF1C29F213A564B2 c:\winnt\system32\dllcache\appmgmts.dll

[7] 2005-02-24 12:23 2811904 6EAEA2E84481E597096FAC8408F2161E c:\winnt\$NtUninstallKB883939-IE6SP1-20050428.125228$\mshtml.dll
[7] 2002-08-29 06:14 2786816 3BC7FA2B92FA3EEE796B8198E84A9795 c:\winnt\$NtUninstallKB890923-IE6SP1-20050225.103456$\mshtml.dll
[7] 2005-07-18 15:22 2699264 436A11D32BF984720F58AC352A86D4F1 c:\winnt\$NtUninstallKB896688-IE6SP1-20051004.130236$\mshtml.dll
[7] 2005-04-27 09:52 2698752 08F0B01556EEE4C5F783E919ABE6DAD5 c:\winnt\$NtUninstallKB896727-IE6SP1-20050719.165959$\mshtml.dll
[7] 2005-10-04 12:19 2700288 478081E607D4A0CEDF883ADBE53AD23D c:\winnt\$NtUninstallKB905915-IE6SP1-20051122.175908$\mshtml.dll
[7] 2005-11-22 16:49 2700288 80E6EDC1F7C0FF9A77326B4D70B61828 c:\winnt\$NtUninstallKB916281-IE6SP1-20060526.162249$\mshtml.dll
[7] 2006-05-19 14:52 2702848 2B4C44316B82AE0772FA8562A6AD6AC9 c:\winnt\$NtUninstallKB918899-IE6SP1-20060725.123917$\mshtml.dll
[7] 2006-06-30 09:28 2703872 DCB29B03B80C5F26BB3F3A3DDA42281D c:\winnt\$NtUninstallKB922760-IE6SP1-20061018.120000$\mshtml.dll
[7] 2006-10-16 13:30 2703360 0141BC1D6B076C22F737878427C61B13 c:\winnt\$NtUninstallKB925454-IE6SP1-20061116.120000$\mshtml.dll
[7] 2006-10-23 09:24 2704896 0FC0186C005D94DECFDFD2DE47AE10D3 c:\winnt\$NtUninstallKB928090-IE6SP1-20070125.120000$\mshtml.dll
[7] 2007-01-02 10:16 2704896 72F1925A4ED816913F6C1A8D919EEEF9 c:\winnt\$NtUninstallKB939653-IE6SP1-20070817.120000$\mshtml.dll
[7] 2007-08-17 11:07 2705408 757CD6378674396D610E141FEDC7C1E2 c:\winnt\$NtUninstallKB944533-IE6SP1-20071210.120000$\mshtml.dll
[7] 2007-12-10 12:38 2705408 9CD55F93175FE4EE79A0FB0A2AAF4500 c:\winnt\$NtUninstallKB950759-IE6SP1-20080418.120000$\mshtml.dll
[7] 2008-04-18 07:54 2705408 6F68B5643A8E74472FDB5F90A24D1825 c:\winnt\$NtUninstallKB953838-IE6SP1-20080620.120000$\mshtml.dll
[7] 2008-06-20 08:53 2706432 C8846494C3095D3335A6BA7715566585 c:\winnt\$NtUninstallKB958215-IE6SP1-20081016.120000$\mshtml.dll
[7] 2008-10-15 13:53 2706432 D1E92CB7152D7686AFA5AD7769D38505 c:\winnt\$NtUninstallKB960714-IE6SP1-20081211.120000$\mshtml.dll
[7] 2008-12-10 23:03 2706432 70B96E75C9BDA73DCD78F0B71D62963C c:\winnt\$NtUninstallKB969897-IE6SP1-20090501.120000$\mshtml.dll
[7] 2009-04-21 14:14 2707456 28583A6DCA49F2DECCC4BC58277B7AE4 c:\winnt\system32\MSHTML.DLL
[7] 2009-04-21 14:14 2707456 28583A6DCA49F2DECCC4BC58277B7AE4 c:\winnt\system32\dllcache\MSHTML.DLL

[7] 2003-06-19 10:05 24528 399055F5C4A98F39B47D26888A72145D c:\winnt\system32\drivers\kbdclass.sys


[7] 2003-06-19 10:05 20240 EF290209052ED43DDFDB8F0E74EC79EF c:\winnt\system32\lpk.dll
[7] 2003-06-19 10:05 20240 EF290209052ED43DDFDB8F0E74EC79EF c:\winnt\system32\dllcache\lpk.dll

[7] 1999-12-07 13:00 4080 DF012C2853281CE2BF536E8DE871C8C1 c:\winnt\system32\dllcache\beep.sys
[7] 1999-12-07 13:00 4080 DF012C2853281CE2BF536E8DE871C8C1 c:\winnt\system32\drivers\beep.sys

[7] 1999-12-07 13:00 2800 280209CDE798720A24D232BF9CFDA8E9 c:\winnt\system32\dllcache\null.sys
[7] 1999-12-07 13:00 2800 280209CDE798720A24D232BF9CFDA8E9 c:\winnt\system32\drivers\null.sys


[7] 1999-12-07 13:00 924432 CDDD1A27861C406D1B3906A2B2C60CE3 c:\winnt\$NtUninstallKB924667$\mfc40u.dll
[7] 2006-11-02 17:31 927504 6CE82AC80967541ED3787B62B2242271 c:\winnt\system32\MFC40U.DLL
[7] 2006-11-02 17:31 927504 6CE82AC80967541ED3787B62B2242271 c:\winnt\system32\dllcache\mfc40u.dll

[7] 2003-06-19 10:05 239376 B49E4F60ED7E5918E44396768F9F02F2 c:\winnt\$NtUninstallKB873333$\rpcss.dll
[7] 2005-04-08 03:54 273680 391AFA6F7FE9AA667B2C54DFAE2D0FBD c:\winnt\$NtUninstallKB902400$\rpcss.dll
[7] 2005-01-14 01:27 212240 10789155522BE499A232AD2773AC1DF0 c:\winnt\$NtUpdateRollupPackUninstall$\rpcss.dll
[7] 2005-09-05 08:18 212240 037EBCF93DF5F0C31CCD2FF7E31E3BA5 c:\winnt\system32\rpcss.dll
[7] 2005-09-05 08:18 212240 037EBCF93DF5F0C31CCD2FF7E31E3BA5 c:\winnt\system32\dllcache\rpcss.dll

[7] 2003-06-19 10:05 35600 C470CF2972A6DF2214764DA2FE8B768F c:\winnt\$NtUninstallKB828035$\msgsvc.dll
[7] 2003-10-02 13:17 34064 B6C0EECE00ACE0379C0F75274E89E47F c:\winnt\$NtUpdateRollupPackUninstall$\msgsvc.dll
[7] 2005-04-08 03:54 35600 4B6E4C650721D2A51B8F51B7E5787552 c:\winnt\system32\MSGSVC.DLL
[7] 2005-04-08 03:54 35600 4B6E4C650721D2A51B8F51B7E5787552 c:\winnt\system32\dllcache\msgsvc.dll

[7] 2002-08-29 06:14 529680 9EDC93CC795DFF919C6CD953912838A9 c:\winnt\$NtUninstallKB923191$\comctl32.dll
[7] 2006-08-28 08:44 530192 F4230CAA2B9166E5114441F6B7B2DC3F c:\winnt\system32\comctl32.dll
[7] 2006-08-28 08:44 530192 F4230CAA2B9166E5114441F6B7B2DC3F c:\winnt\system32\dllcache\comctl32.dll

[7] 2003-06-19 10:05 11536 4B10B4DB777EE2EF8E755E7F3D7C4FE8 c:\winnt\system32\drivers\acpiec.sys

[7] 2003-06-19 10:05 95024 0E1F5E9B2D00611DC9FE59EEF9487C76 c:\winnt\system32\sfc.dll
[7] 2003-06-19 10:05 95024 0E1F5E9B2D00611DC9FE59EEF9487C76 c:\winnt\system32\dllcache\sfc.dll

[7] 2004-03-24 02:17 371472 21537BC1F1AB7667A3828B2344E6D4BA c:\winnt\$NtUninstallKB835732$\netlogon.dll
[7] 2004-03-24 02:17 371472 21537BC1F1AB7667A3828B2344E6D4BA c:\winnt\$NtUninstallKB885835$\netlogon.dll
[7] 2003-06-19 10:05 371984 11B91C26925F56F577089FF88AA0BEC0 c:\winnt\$NtUninstallKB890859$\netlogon.dll
[7] 2004-03-24 02:17 371472 21537BC1F1AB7667A3828B2344E6D4BA c:\winnt\$NtUpdateRollupPackUninstall$\netlogon.dll
[7] 2005-04-08 03:54 366864 BE8FC3C74AB5212CD4067E8973764AD6 c:\winnt\system32\NETLOGON.DLL
[7] 2005-04-08 03:54 366864 BE8FC3C74AB5212CD4067E8973764AD6 c:\winnt\system32\dllcache\NETLOGON.DLL

[7] 2003-06-19 10:05 244224 FE02334DB8598E2706A51A24DD33AB00 c:\winnt\$NtUninstallKB842773$\qmgr.dll
[7] 2004-10-05 09:43 362496 DCD38D8178BF1BEA585F2F003EE3460E c:\winnt\system32\qmgr.dll
[7] 2004-10-05 09:43 362496 DCD38D8178BF1BEA585F2F003EE3460E c:\winnt\system32\BITS\qmgr.dll
[7] 2004-10-05 09:43 362496 DCD38D8178BF1BEA585F2F003EE3460E c:\winnt\system32\dllcache\qmgr.dll

[7] 2004-03-24 02:17 111376 0B476C9305098B37BE70F0AC29E671E5 c:\winnt\$NtUninstallKB835732$\scecli.dll
[7] 2004-03-24 02:17 111376 0B476C9305098B37BE70F0AC29E671E5 c:\winnt\$NtUninstallKB885835$\scecli.dll
[7] 2003-06-19 10:05 114448 FF11B32A906D75CD96957B66E318DAD0 c:\winnt\$NtUninstallKB890859$\scecli.dll
[7] 2004-03-24 02:17 111376 0B476C9305098B37BE70F0AC29E671E5 c:\winnt\$NtUpdateRollupPackUninstall$\scecli.dll
[7] 2005-01-12 11:39 114448 6FCCE1622E75C7DC46509F7EC4B314A3 c:\winnt\system32\scecli.dll
[7] 2005-01-12 11:39 114448 6FCCE1622E75C7DC46509F7EC4B314A3 c:\winnt\system32\dllcache\scecli.dll

[7] 2003-06-19 10:05 17840 5D3D77C9EB3A8E6A14CC8E1252B6CC5C c:\winnt\system32\dllcache\asyncmac.sys
[7] 2003-06-19 10:05 17840 5D3D77C9EB3A8E6A14CC8E1252B6CC5C c:\winnt\system32\drivers\asyncmac.sys

[7] 2003-06-19 10:05 534192 F6AB0E765D5B80443B93C52C42F2602A c:\winnt\$NtUninstallKB820888$\ntfs.sys
[7] 2003-06-04 14:11 514320 04E06B3B098087D2D0DBAA56280DCAB2 c:\winnt\$NtUpdateRollupPackUninstall$\ntfs.sys
[7] 2005-05-10 01:20 513424 7DC1F0F9BF87CA5CEE9A46C9A63DC1D3 c:\winnt\system32\dllcache\ntfs.sys
[7] 2005-05-10 01:20 513424 7DC1F0F9BF87CA5CEE9A46C9A63DC1D3 c:\winnt\system32\drivers\ntfs.sys

[7] 2003-06-19 10:05 401168 56D893A01269008C28FBF2D025B2FA78 c:\winnt\system32\ntmssvc.dll
[7] 2003-06-19 10:05 401168 56D893A01269008C28FBF2D025B2FA78 c:\winnt\system32\dllcache\ntmssvc.dll

[7] 2003-06-19 10:05 77584 8B904D85988E71B01700B28FF4D966FE c:\winnt\system32\rasauto.dll
[7] 2003-06-19 10:05 77584 8B904D85988E71B01700B28FF4D966FE c:\winnt\system32\dllcache\rasauto.dll

[7] 2003-06-19 10:05 971024 A871E77694E9146B3C655A734B1ECF46 c:\winnt\$NtUninstallKB835732$\sfcfiles.dll
[7] 2004-03-24 02:17 971536 33D82938C20BA61E4EDB6DA85829BF23 c:\winnt\$NtUpdateRollupPackUninstall$\sfcfiles.dll
[7] 2005-04-08 02:34 973072 7645645BB506C26B96B8F31893378C4B c:\winnt\system32\sfcfiles.dll
[7] 2005-04-08 02:34 973072 7645645BB506C26B96B8F31893378C4B c:\winnt\system32\dllcache\sfcfiles.dll

c:\winnt\system32\drivers\ip6fw.sys ... is missing !!
c:\winnt\system32\ctfmon.exe ... is missing !!
c:\winnt\system32\termsrv.dll ... is missing !!
c:\winnt\system32\comres.dll ... is missing !!
c:\winnt\system32\drivers\aec.sys ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\winnt\system32\NVMCTRAY.DLL" [2003-07-28 49152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\winnt\system32\NvCpl.dll" [2003-07-28 4841472]
"CloneCDElbyCDFL"="c:\program files\CloneCD\ElbyCheck.exe" [2002-11-02 45056]
"EPSON Stylus Photo R220 Series"="c:\winnt\system32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE" [2006-12-25 177664]
"ZoneAlarm Client"="c:\program files\Security\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-06 149280]
"Tweak UI"="TWEAKUI.CPL" - c:\winnt\system32\TWEAKUI.CPL [2000-06-18 106544]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" -autorun
"EPSON Stylus Photo R220 Series"=c:\winnt\system32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE /P30 "EPSON Stylus Photo R220 Series" /M "Stylus Photo R220" /EF "HKCU"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"="0x00000000"

R0 ElbyVCD;ElbyVCD;c:\winnt\system32\drivers\ElbyVCD.sys [28/11/2002 11:43 22016]
R0 Lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [17/05/2009 12:19 64160]
R1 Asapi;Asapi;c:\winnt\system32\drivers\asapi.sys [03/03/2007 02:15 11264]
R1 aswSP;avast! Self Protection;c:\winnt\system32\drivers\aswSP.sys [10/03/2009 13:35 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/08/2009 16:06 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/08/2009 16:06 74480]
R2 aswFsBlk;aswFsBlk;c:\winnt\system32\drivers\aswFsBlk.sys [10/03/2009 13:35 20560]
R2 aswMon;avast! Standard Shield Support;c:\winnt\system32\drivers\aswmon.sys [10/03/2009 13:35 93296]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [08/04/2009 11:38 92008]
R3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [19/06/2003 11:05 24784]
R3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [18/05/2005 12:07 49776]
S3 L6PODLV;PODxt Live Service;c:\winnt\system32\drivers\L6PODLV.sys [27/07/2006 02:06 417920]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 20:06 1029456]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/08/2009 16:06 7408]
S3 sassvc;ProgramCheckerPro;c:\program files\Zenturi\ProgramChecker\sassvc.exe [15/02/2006 17:17 122880]
S3 sunkfilt62;USB 6/1 Driver;c:\winnt\system32\drivers\sunkfilt62.sys [26/12/2003 10:25 15460]
S3 vsc32;Virtual Sound Canvas 3.2;c:\winnt\system32\DRIVERS\vsc.sys --> c:\winnt\system32\DRIVERS\vsc.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-07-06 c:\winnt\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

2009-08-08 c:\winnt\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-08-08 08:22]
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:blank
mLocal Page = c:\windows\system32\blank.htm
LSP: %SystemRoot%\system32\msafd.dll
TCP: {AC7AEDB5-BC4F-4B7B-897C-C49CDFE6087E} = 212.159.13.49,212.159.13.50
DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} - hxxp://www.riffinteractive.com/setup/RiffLick.cab
FF - ProfilePath - c:\documents and settings\MF\Application Data\Mozilla\Firefox\Profiles\b4ssirc6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\documents and settings\MF\Application Data\Mozilla\Firefox\Profiles\b4ssirc6.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-10 03:04
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1993962763-2000478354-839522115-1000\Software\G*e*n*i*e*"!\FM Genie Scout]
"GameDir"="c:\\Documents and Settings\\MF\\My Documents\\Sports Interactive\\Football Manager 2007\\games"
"ShortlistDir"=""
"ScreenshotsDir"="c:\\Documents and Settings\\MF\\My Documents\\Sports Interactive\\Football Manager 2007"
"SaveDir"="c:\\Documents and Settings\\MF\\My Documents\\Sports Interactive\\Football Manager 2007\\"
"HistoryDir"="c:\\Downloads\\Games\\FM2007\\FM Genie Scout 2007\\History Points"
"LangDB"="c:\\Program Files\\Sports Interactive\\Football Manager 2007\\data\\db\\702\\lang_db.dat"
"LastSaveGame"="c:\\Documents and Settings\\MF\\My Documents\\Sports Interactive\\Football Manager 2007\\games\\West Ham.fm"
"Language"="English"
"LoadLangDB"=dword:00000001
"CompressHistoryPoints"=dword:00000000
"HighlightedAttributes"=dword:00000000
"MinCondition"=dword:00000050
"LastUpdateCheck"=dword:000099d2
"HighQualityGUI"=dword:00000000
"AutomaticallyUpdateCheck"=dword:00000001
"AdvancedGeneration"=dword:00000000
"TranslateStaffSkills"=dword:00000001
"TranslatePlayerSkills"=dword:00000001
"TranslatePositions"=dword:00000001
"ShowHistory"=dword:00000001
"WindowState"=dword:00000000
"Currency"=dword:00000056
"WindowHeight"=dword:0000030c
"WindowWidth"=dword:000003fc
"WindowLeft"=dword:00000002
"WindowTop"=dword:00000000
"UseProxy"=dword:00000000
"ProxyHost"=""
"ProxyPort"=""
"UseAuthentication"=dword:00000000
"UserName"=""
"UserPassword"=""

[HKEY_USERS\S-1-5-21-1993962763-2000478354-839522115-1000\Software\G*e*n*i*e*"!\FM Genie Scout\Columns\Clubs]
"Position0"=dword:00000000
"Visible0"=dword:00000001
"Width0"=dword:0000007d
"Position1"=dword:00000001
"Visible1"=dword:00000001
"Width1"=dword:00000064
"Position2"=dword:00000002
"Visible2"=dword:00000001
"Width2"=dword:00000064
"Position3"=dword:00000003
"Visible3"=dword:00000001
"Width3"=dword:00000032
"Position4"=dword:00000004
"Visible4"=dword:00000001
"Width4"=dword:00000032
"Position5"=dword:00000005
"Visible5"=dword:00000001
"Width5"=dword:00000050
"Position6"=dword:00000006
"Visible6"=dword:00000001
"Width6"=dword:00000050
"Position7"=dword:00000007
"Visible7"=dword:00000001
"Width7"=dword:00000050
"Position8"=dword:00000008
"Visible8"=dword:00000000
"Width8"=dword:00000050
"Position9"=dword:00000009
"Visible9"=dword:00000000
"Width9"=dword:0000002d
"Position10"=dword:0000000a
"Visible10"=dword:00000000
"Width10"=dword:0000001e
"Position11"=dword:0000000b
"Visible11"=dword:00000000
"Width11"=dword:0000001e
"Position12"=dword:0000000c
"Visible12"=dword:00000000
"Width12"=dword:0000001e
"Position13"=dword:0000000d
"Visible13"=dword:00000001
"Width13"=dword:0000003c
"Position14"=dword:0000000e
"Visible14"=dword:00000000
"Width14"=dword:00000032
"Position15"=dword:0000000f
"Visible15"=dword:00000000
"Width15"=dword:00000032
"Position16"=dword:00000010
"Visible16"=dword:00000000
"Width16"=dword:00000032
"Position17"=dword:00000011
"Visible17"=dword:00000001
"Width17"=dword:00000050
"Position18"=dword:00000012
"Visible18"=dword:00000001
"Width18"=dword:00000050
"Position19"=dword:00000013
"Visible19"=dword:00000000
"Width19"=dword:00000050

[HKEY_USERS\S-1-5-21-1993962763-2000478354-839522115-1000\Software\G*e*n*i*e*"!\FM Genie Scout\Columns\Players]
"Position0"=dword:00000000
"Visible0"=dword:00000001
"Width0"=dword:0000007d
"Position1"=dword:00000001
"Visible1"=dword:00000001
"Width1"=dword:00000064
"Position2"=dword:00000002
"Visible2"=dword:00000001
"Width2"=dword:00000064
"Position3"=dword:00000003
"Visible3"=dword:00000001
"Width3"=dword:00000037
"Position4"=dword:00000008
"Visible4"=dword:00000001
"Width4"=dword:00000023
"Position5"=dword:00000009
"Visible5"=dword:00000001
"Width5"=dword:00000028
"Position6"=dword:0000000a
"Visible6"=dword:00000001
"Width6"=dword:00000028
"Position7"=dword:0000000c
"Visible7"=dword:00000001
"Width7"=dword:0000004b
"Position8"=dword:0000000d
"Visible8"=dword:00000001
"Width8"=dword:0000004b
"Position9"=dword:0000000e
"Visible9"=dword:00000001
"Width9"=dword:00000050
"Position10"=dword:00000010
"Visible10"=dword:00000000
"Width10"=dword:00000050
"Position11"=dword:00000011
"Visible11"=dword:00000000
"Width11"=dword:0000004b
"Position12"=dword:00000012
"Visible12"=dword:00000000
"Width12"=dword:0000002d
"Position13"=dword:00000013
"Visible13"=dword:00000000
"Width13"=dword:0000003c
"Position14"=dword:00000014
"Visible14"=dword:00000000
"Width14"=dword:0000004b
"Position15"=dword:00000015
"Visible15"=dword:00000000
"Width15"=dword:00000064
"Position16"=dword:00000016
"Visible16"=dword:00000000
"Width16"=dword:00000064
"Position17"=dword:00000017
"Visible17"=dword:00000000
"Width17"=dword:0000004b
"Position18"=dword:00000018
"Visible18"=dword:00000000
"Width18"=dword:00000064
"Position19"=dword:00000019
"Visible19"=dword:00000000
"Width19"=dword:0000003c
"Position20"=dword:0000001a
"Visible20"=dword:00000000
"Width20"=dword:0000004b
"Position21"=dword:0000001b
"Visible21"=dword:00000000
"Width21"=dword:00000050
"Position22"=dword:0000001c
"Visible22"=dword:00000000
"Width22"=dword:00000073
"Position23"=dword:0000001d
"Visible23"=dword:00000000
"Width23"=dword:00000050
"Position24"=dword:0000001e
"Visible24"=dword:00000000
"Width24"=dword:0000005a
"Position25"=dword:0000001f
"Visible25"=dword:00000000
"Width25"=dword:0000006e
"Position26"=dword:00000020
"Visible26"=dword:00000000
"Width26"=dword:00000064
"Position27"=dword:00000021
"Visible27"=dword:00000000
"Width27"=dword:00000087
"Position28"=dword:00000022
"Visible28"=dword:00000000
"Width28"=dword:00000064
"Position29"=dword:00000023
"Visible29"=dword:00000000
"Width29"=dword:00000064
"Position30"=dword:00000024
"Visible30"=dword:00000000
"Width30"=dword:00000046
"Position31"=dword:00000025
"Visible31"=dword:00000000
"Width31"=dword:0000004b
"Position32"=dword:00000026
"Visible32"=dword:00000000
"Width32"=dword:00000046
"Position33"=dword:00000027
"Visible33"=dword:00000000
"Width33"=dword:0000004b
"Position34"=dword:00000028
"Visible34"=dword:00000000
"Width34"=dword:0000003c
"Position35"=dword:0000002a
"Visible35"=dword:00000000
"Width35"=dword:00000064
"Position36"=dword:0000002e
"Visible36"=dword:00000000
"Width36"=dword:00000073
"Position37"=dword:00000030
"Visible37"=dword:00000000
"Width37"=dword:0000005f
"Position38"=dword:00000033
"Visible38"=dword:00000000
"Width38"=dword:00000091
"Position39"=dword:00000035
"Visible39"=dword:00000000
"Width39"=dword:0000003c
"Position40"=dword:0000002c
"Visible40"=dword:00000000
"Width40"=dword:0000005a
"Position41"=dword:00000036
"Visible41"=dword:00000000
"Width41"=dword:00000041
"Position42"=dword:00000029
"Visible42"=dword:00000000
"Width42"=dword:00000050
"Position43"=dword:0000002b
"Visible43"=dword:00000000
"Width43"=dword:00000055
"Position44"=dword:0000002d
"Visible44"=dword:00000000
"Width44"=dword:0000005f
"Position45"=dword:00000037
"Visible45"=dword:00000000
"Width45"=dword:00000050
"Position46"=dword:00000038
"Visible46"=dword:00000000
"Width46"=dword:0000004b
"Position47"=dword:00000039
"Visible47"=dword:00000000
"Width47"=dword:0000004b
"Position48"=dword:0000003a
"Visible48"=dword:00000000
"Width48"=dword:00000046
"Position49"=dword:0000003b
"Visible49"=dword:00000000
"Width49"=dword:00000032
"Position50"=dword:0000003c
"Visible50"=dword:00000000
"Width50"=dword:0000003c
"Position51"=dword:0000003d
"Visible51"=dword:00000000
"Width51"=dword:0000004b
"Position52"=dword:0000003e
"Visible52"=dword:00000000
"Width52"=dword:0000003c
"Position53"=dword:0000003f
"Visible53"=dword:00000000
"Width53"=dword:00000037
"Position54"=dword:00000040
"Visible54"=dword:00000000
"Width54"=dword:00000069
"Position55"=dword:00000041
"Visible55"=dword:00000000
"Width55"=dword:0000005a
"Position56"=dword:00000044
"Visible56"=dword:00000000
"Width56"=dword:0000004b
"Position57"=dword:00000045
"Visible57"=dword:00000000
"Width57"=dword:0000004b
"Position58"=dword:00000046
"Visible58"=dword:00000000
"Width58"=dword:00000037
"Position59"=dword:00000047
"Visible59"=dword:00000000
"Width59"=dword:0000003c
"Position60"=dword:00000048
"Visible60"=dword:00000000
"Width60"=dword:0000003c
"Position61"=dword:00000049
"Visible61"=dword:00000000
"Width61"=dword:00000041
"Position62"=dword:0000004a
"Visible62"=dword:00000000
"Width62"=dword:00000055
"Position63"=dword:0000004b
"Visible63"=dword:00000000
"Width63"=dword:0000003c
"Position64"=dword:0000004c
"Visible64"=dword:00000000
"Width64"=dword:0000003c
"Position65"=dword:0000004d
"Visible65"=dword:00000000
"Width65"=dword:0000004b
"Position66"=dword:0000004e
"Visible66"=dword:00000000
"Width66"=dword:0000003c
"Position67"=dword:0000004f
"Visible67"=dword:00000000
"Width67"=dword:00000046
"Position68"=dword:00000050
"Visible68"=dword:00000000
"Width68"=dword:00000028
"Position69"=dword:00000051
"Visible69"=dword:00000000
"Width69"=dword:00000041
"Position70"=dword:00000052
"Visible70"=dword:00000000
"Width70"=dword:0000003c
"Position71"=dword:00000053
"Visible71"=dword:00000000
"Width71"=dword:00000069
"Position72"=dword:00000054
"Visible72"=dword:00000000
"Width72"=dword:00000041
"Position73"=dword:00000055
"Visible73"=dword:00000000
"Width73"=dword:0000005f
"Position74"=dword:00000056
"Visible74"=dword:00000000
"Width74"=dword:0000003c
"Position75"=dword:00000057
"Visible75"=dword:00000000
"Width75"=dword:00000037
"Position76"=dword:00000058
"Visible76"=dword:00000000
"Width76"=dword:0000004b
"Position77"=dword:00000059
"Visible77"=dword:00000000
"Width77"=dword:00000050
"Position78"=dword:0000005a
"Visible78"=dword:00000000
"Width78"=dword:00000037
"Position79"=dword:0000005b
"Visible79"=dword:00000000
"Width79"=dword:00000037
"Position80"=dword:0000005c
"Visible80"=dword:00000000
"Width80"=dword:0000005a
"Position81"=dword:0000005d
"Visible81"=dword:00000000
"Width81"=dword:0000004b
"Position82"=dword:0000005e
"Visible82"=dword:00000000
"Width82"=dword:00000055
"Position83"=dword:0000005f
"Visible83"=dword:00000000
"Width83"=dword:0000002d
"Position84"=dword:00000060
"Visible84"=dword:00000000
"Width84"=dword:00000037
"Position85"=dword:00000061
"Visible85"=dword:00000000
"Width85"=dword:0000003c
"Position86"=dword:00000062
"Visible86"=dword:00000000
"Width86"=dword:00000046
"Position87"=dword:00000063
"Visible87"=dword:00000000
"Width87"=dword:0000003c
"Position88"=dword:00000064
"Visible88"=dword:00000000
"Width88"=dword:0000005a
"Position89"=dword:00000065
"Visible89"=dword:00000000
"Width89"=dword:0000003c
"Position90"=dword:00000066
"Visible90"=dword:00000000
"Width90"=dword:00000050
"Position91"=dword:00000067
"Visible91"=dword:00000000
"Width91"=dword:00000046
"Position92"=dword:00000068
"Visible92"=dword:00000000
"Width92"=dword:0000005a
"Position93"=dword:00000069
"Visible93"=dword:00000000
"Width93"=dword:00000037
"Position94"=dword:0000006a
"Visible94"=dword:00000000
"Width94"=dword:0000003c
"Position95"=dword:0000006b
"Visible95"=dword:00000000
"Width95"=dword:0000003c
"Position96"=dword:0000006c
"Visible96"=dword:00000000
"Width96"=dword:00000046
"Position97"=dword:0000006d
"Visible97"=dword:00000000
"Width97"=dword:00000046
"Position98"=dword:0000006e
"Visible98"=dword:00000000
"Width98"=dword:00000055
"Position99"=dword:0000006f
"Visible99"=dword:00000000
"Width99"=dword:00000073
"Position100"=dword:00000042
"Visible100"=dword:00000000
"Width100"=dword:00000041
"Position101"=dword:00000070
"Visible101"=dword:00000000
"Width101"=dword:0000003c
"Position102"=dword:00000071
"Visible102"=dword:00000000
"Width102"=dword:0000003c
"Position103"=dword:00000072
"Visible103"=dword:00000000
"Width103"=dword:00000046
"Position104"=dword:00000073
"Visible104"=dword:00000000
"Width104"=dword:0000003c
"Position105"=dword:00000074
"Visible105"=dword:00000000
"Width105"=dword:00000041
"Position106"=dword:0000000f
"Visible106"=dword:00000001
"Width106"=dword:00000050
"Position107"=dword:0000000b
"Visible107"=dword:00000001
"Width107"=dword:00000028
"Position108"=dword:00000043
"Visible108"=dword:00000000
"Width108"=dword:00000050
"Position109"=dword:0000002f
"Visible109"=dword:00000000
"Width109"=dword:00000050
"Position110"=dword:00000031
"Visible110"=dword:00000000
"Width110"=dword:00000055
"Position111"=dword:00000032
"Visible111"=dword:00000000
"Width111"=dword:00000082
"Position112"=dword:00000034
"Visible112"=dword:00000000
"Width112"=dword:00000087
"Position113"=dword:00000075
"Visible113"=dword:00000000
"Width113"=dword:00000050
"Position114"=dword:00000076
"Visible114"=dword:00000000
"Width114"=dword:00000050
"Position115"=dword:00000077
"Visible115"=dword:00000000
"Width115"=dword:00000050
"Position116"=dword:00000078
"Visible116"=dword:00000000
"Width116"=dword:00000050
"Position117"=dword:00000079
"Visible117"=dword:00000000
"Width117"=dword:00000050
"Position118"=dword:0000007a
"Visible118"=dword:00000000
"Width118"=dword:00000050
"Position119"=dword:0000007b
"Visible119"=dword:00000000
"Width119"=dword:00000050
"Position120"=dword:0000007c
"Visible120"=dword:00000000
"Width120"=dword:00000050
"Position121"=dword:0000007d
"Visible121"=dword:00000000
"Width121"=dword:00000050
"Position122"=dword:0000007e
"Visible122"=dword:00000000
"Width122"=dword:00000050
"Position123"=dword:0000007f
"Visible123"=dword:00000000
"Width123"=dword:00000050
"Position124"=dword:00000080
"Visible124"=dword:00000000
"Width124"=dword:00000050
"Position125"=dword:00000081
"Visible125"=dword:00000000
"Width125"=dword:00000050
"Position126"=dword:00000082
"Visible126"=dword:00000000
"Width126"=dword:00000050
"Position127"=dword:00000083
"Visible127"=dword:00000000
"Width127"=dword:00000050
"Position128"=dword:00000084
"Visible128"=dword:00000000
"Width128"=dword:00000050
"Position129"=dword:00000085
"Visible129"=dword:00000000
"Width129"=dword:00000050
"Position130"=dword:00000086
"Visible130"=dword:00000000
"Width130"=dword:00000050
"Position131"=dword:00000087
"Visible131"=dword:00000000
"Width131"=dword:00000050
"Position132"=dword:00000088
"Visible132"=dword:00000000
"Width132"=dword:00000050
"Position133"=dword:00000089
"Visible133"=dword:00000000
"Width133"=dword:00000050
"Position134"=dword:0000008a
"Visible134"=dword:00000000
"Width134"=dword:00000050
"Position135"=dword:0000008b
"Visible135"=dword:00000000
"Width135"=dword:00000050
"Position136"=dword:0000008c
"Visible136"=dword:00000000
"Width136"=dword:00000050
"Position137"=dword:0000008d
"Visible137"=dword:00000000
"Width137"=dword:00000050
"Position138"=dword:0000008e
"Visible138"=dword:00000000
"Width138"=dword:00000050
"Position139"=dword:0000008f
"Visible139"=dword:00000000
"Width139"=dword:00000050
"Position140"=dword:00000090
"Visible140"=dword:00000000
"Width140"=dword:00000050
"Position141"=dword:00000091
"Visible141"=dword:00000000
"Width141"=dword:00000050
"Position142"=dword:00000092
"Visible142"=dword:00000000
"Width142"=dword:00000050
"Position143"=dword:00000093
"Visible143"=dword:00000000
"Width143"=dword:00000050
"Position144"=dword:00000094
"Visible144"=dword:00000000
"Width144"=dword:00000050
"Position145"=dword:00000095
"Visible145"=dword:00000000
"Width145"=dword:00000050
"Position146"=dword:00000004
"Visible146"=dword:00000000
"Width146"=dword:00000037
"Position147"=dword:00000005
"Visible147"=dword:00000000
"Width147"=dword:00000028
"Position148"=dword:00000006
"Visible148"=dword:00000000
"Width148"=dword:00000037
"Position149"=dword:00000007
"Visible149"=dword:00000001
"Width149"=dword:00000028

[HKEY_USERS\S-1-5-21-1993962763-2000478354-839522115-1000\Software\G*e*n*i*e*"!\FM Genie Scout\Columns\Staff]
"Position0"=dword:00000000
"Visible0"=dword:00000001
"Width0"=dword:0000007d
"Position1"=dword:00000001
"Visible1"=dword:00000001
"Width1"=dword:00000064
"Position2"=dword:00000002
"Visible2"=dword:00000001
"Width2"=dword:00000064
"Position3"=dword:00000003
"Visible3"=dword:00000001
"Width3"=dword:00000069
"Position4"=dword:00000005
"Visible4"=dword:00000001
"Width4"=dword:00000028
"Position5"=dword:00000006
"Visible5"=dword:00000001
"Width5"=dword:00000028
"Position6"=dword:00000004
"Visible6"=dword:00000001
"Width6"=dword:00000028
"Position7"=dword:00000007
"Visible7"=dword:00000001
"Width7"=dword:00000050
"Position8"=dword:00000008
"Visible8"=dword:00000000
"Width8"=dword:00000050
"Position9"=dword:00000009
"Visible9"=dword:00000000
"Width9"=dword:0000004b
"Position10"=dword:0000000a
"Visible10"=dword:00000000
"Width10"=dword:0000002d
"Position11"=dword:0000000b
"Visible11"=dword:00000000
"Width11"=dword:0000003c
"Position12"=dword:0000000c
"Visible12"=dword:00000000
"Width12"=dword:0000004b
"Position13"=dword:0000000d
"Visible13"=dword:00000000
"Width13"=dword:00000064
"Position14"=dword:0000000e
"Visible14"=dword:00000000
"Width14"=dword:00000064
"Position15"=dword:0000000f
"Visible15"=dword:00000000
"Width15"=dword:0000004b
"Position16"=dword:00000010
"Visible16"=dword:00000000
"Width16"=dword:00000064
"Position17"=dword:00000011
"Visible17"=dword:00000000
"Width17"=dword:0000003c
"Position18"=dword:00000012
"Visible18"=dword:00000000
"Width18"=dword:0000004b
"Position19"=dword:00000013
"Visible19"=dword:00000000
"Width19"=dword:00000050
"Position20"=dword:00000014
"Visible20"=dword:00000000
"Width20"=dword:00000046
"Position21"=dword:00000015
"Visible21"=dword:00000000
"Width21"=dword:0000004b
"Position22"=dword:00000016
"Visible22"=dword:00000000
"Width22"=dword:00000046
"Position23"=dword:00000017
"Visible23"=dword:00000000
"Width23"=dword:00000046
"Position24"=dword:00000018
"Visible24"=dword:00000000
"Width24"=dword:0000003c
"Position25"=dword:00000019
"Visible25"=dword:00000000
"Width25"=dword:00000041
"Position26"=dword:0000001a
"Visible26"=dword:00000000
"Width26"=dword:0000003c
"Position27"=dword:0000001b
"Visible27"=dword:00000000
"Width27"=dword:00000055
"Position28"=dword:0000001c
"Visible28"=dword:00000000
"Width28"=dword:00000069
"Position29"=dword:0000001d
"Visible29"=dword:00000000
"Width29"=dword:0000006e
"Position30"=dword:0000001e
"Visible30"=dword:00000000
"Width30"=dword:00000064
"Position31"=dword:0000001f
"Visible31"=dword:00000000
"Width31"=dword:00000078
"Position32"=dword:00000020
"Visible32"=dword:00000000
"Width32"=dword:00000064
"Position33"=dword:00000021
"Visible33"=dword:00000000
"Width33"=dword:00000087
"Position34"=dword:00000022
"Visible34"=dword:00000000
"Width34"=dword:00000069
"Position35"=dword:00000023
"Visible35"=dword:00000000
"Width35"=dword:0000006e
"Position36"=dword:00000024
"Visible36"=dword:00000000
"Width36"=dword:00000073
"Position37"=dword:00000025
"Visible37"=dword:00000000
"Width37"=dword:0000004b
"Position38"=dword:00000026
"Visible38"=dword:00000000
"Width38"=dword:0000002d
"Position39"=dword:00000027
"Visible39"=dword:00000000
"Width39"=dword:00000055
"Position40"=dword:00000028
"Visible40"=dword:00000000
"Width40"=dword:00000046
"Position41"=dword:00000029
"Visible41"=dword:00000000
"Width41"=dword:0000004b
"Position42"=dword:0000002a
"Visible42"=dword:00000000
"Width42"=dword:0000003c
"Position43"=dword:0000002b
"Visible43"=dword:00000000
"Width43"=dword:00000046
"Position44"=dword:0000002c
"Visible44"=dword:00000000
"Width44"=dword:00000073
"Position45"=dword:0000002d
"Visible45"=dword:00000000
"Width45"=dword:0000004b
"Position46"=dword:0000002e
"Visible46"=dword:00000000
"Width46"=dword:00000073
"Position47"=dword:0000002f
"Visible47"=dword:00000000
"Width47"=dword:0000007d
"Position48"=dword:00000030
"Visible48"=dword:00000000
"Width48"=dword:0000006e
"Position49"=dword:00000031
"Visible49"=dword:00000000
"Width49"=dword:00000037
"Position50"=dword:00000032
"Visible50"=dword:00000000
"Width50"=dword:00000064
"Position51"=dword:00000033
"Visible51"=dword:00000000
"Width51"=dword:00000037
"Position52"=dword:00000034
"Visible52"=dword:00000000
"Width52"=dword:0000004b
"Position53"=dword:00000035
"Visible53"=dword:00000000
"Width53"=dword:00000046
"Position54"=dword:00000036
"Visible54"=dword:00000000
"Width54"=dword:00000037
"Position55"=dword:00000037
"Visible55"=dword:00000000
"Width55"=dword:0000003c
"Position56"=dword:00000038
"Visible56"=dword:00000000
"Width56"=dword:00000055
"Position57"=dword:00000039
"Visible57"=dword:00000000
"Width57"=dword:0000003c
"Position58"=dword:0000003a
"Visible58"=dword:00000000
"Width58"=dword:0000003c
"Position59"=dword:0000003b
"Visible59"=dword:00000000
"Width59"=dword:00000055
"Position60"=dword:0000003c
"Visible60"=dword:00000000
"Width60"=dword:00000046
"Position61"=dword:0000003d
"Visible61"=dword:00000000
"Width61"=dword:0000004b
"Position62"=dword:0000003e
"Visible62"=dword:00000000
"Width62"=dword:00000055
"Position63"=dword:0000003f
"Visible63"=dword:00000000
"Width63"=dword:0000005a
"Position64"=dword:00000040
"Visible64"=dword:00000000
"Width64"=dword:0000006e
"Position65"=dword:00000041
"Visible65"=dword:00000000
"Width65"=dword:00000050
"Position66"=dword:00000042
"Visible66"=dword:00000000
"Width66"=dword:00000032
"Position67"=dword:00000043
"Visible67"=dword:00000000
"Width67"=dword:00000064
"Position68"=dword:00000044
"Visible68"=dword:00000000
"Width68"=dword:0000004b
"Position69"=dword:00000045
"Visible69"=dword:00000000
"Width69"=dword:0000002d
"Position70"=dword:00000046
"Visible70"=dword:00000000
"Width70"=dword:0000004b
"Position71"=dword:00000047
"Visible71"=dword:00000000
"Width71"=dword:0000005a
"Position72"=dword:00000048
"Visible72"=dword:00000000
"Width72"=dword:0000005a
"Position73"=dword:00000049
"Visible73"=dword:00000000
"Width73"=dword:00000050
"Position74"=dword:0000004a
"Visible74"=dword:00000000
"Width74"=dword:0000004b
"Position75"=dword:0000004b
"Visible75"=dword:00000000
"Width75"=dword:00000050
"Position76"=dword:0000004c
"Visible76"=dword:00000000
"Width76"=dword:0000005a
"Position77"=dword:0000004d
"Visible77"=dword:00000000
"Width77"=dword:00000041
"Position78"=dword:0000004e
"Visible78"=dword:00000000
"Width78"=dword:00000041
"Position79"=dword:0000004f
"Visible79"=dword:00000000
"Width79"=dword:00000041
"Position80"=dword:00000050
"Visible80"=dword:00000000
"Width80"=dword:00000041
"Position81"=dword:00000051
"Visible81"=dword:00000000
"Width81"=dword:00000041
"Position82"=dword:00000052
"Visible82"=dword:00000000
"Width82"=dword:00000041
"Position83"=dword:00000053
"Visible83"=dword:00000000
"Width83"=dword:00000041
"Position84"=dword:00000054
"Visible84"=dword:00000000
"Width84"=dword:00000041
"Position85"=dword:00000055
"Visible85"=dword:00000000
"Width85"=dword:00000041
"Position86"=dword:00000056
"Visible86"=dword:00000000
"Width86"=dword:00000050

[HKEY_USERS\S-1-5-21-1993962763-2000478354-839522115-1000\Software\G*e*n*i*e*"!\FM Genie Scout\Rating Coefficients]
"GKWeightCoef"=dword:00000062
"GKCurrentAbilityCoef"=dword:00000000
"GKCornersCoef"=dword:00000000
"GKCrossingCoef"=dword:00000000
"GKDribblingCoef"=dword:00000000
"GKFinishingCoef"=dword:00000000
"GKFirstTouchCoef"=dword:00000000
"GKFreeKicksCoef"=dword:00000000
"GKHeadingCoef"=dword:00000000
"GKLongShotsCoef"=dword:00000000
"GKLongThrowsCoef"=dword:00000000
"GKMarkingCoef"=dword:00000000
"GKPassingCoef"=dword:00000000
"GKPenaltiesCoef"=dword:00000000
"GKTacklingCoef"=dword:00000005
"GKTechniqueCoef"=dword:00000000
"GKLeftFootCoef"=dword:00000000
"GKRightFootCoef"=dword:00000000
"GKAggressionCoef"=dword:0000000a
"GKAnticipationCoef"=dword:00000005
"GKBraveryCoef"=dword:00000014
"GKComposureCoef"=dword:00000014
"GKConcentrationCoef"=dword:0000000a
"GKConsistencyCoef"=dword:0000000a
"GKCreativityCoef"=dword:00000000
"GKDecisionsCoef"=dword:00000014
"GKDeterminationCoef"=dword:0000000a
"GKDirtinessCoef"=dword:fffffffb
"GKFlairCoef"=dword:00000000
"GKImportantMatchesCoef"=dword:0000000a
"GKInfluenceCoef"=dword:0000000a
"GKOffTheBallCoef"=dword:00000000
"GKPositioningCoef"=dword:00000050
"GKTeamworkCoef"=dword:00000005
"GKWorkRateCoef"=dword:00000000
"GKAccelerationCoef"=dword:00000005
"GKAgilityCoef"=dword:0000000a
"GKBalanceCoef"=dword:0000000a
"GKInjuryPronenessCoef"=dword:fffffffb
"GKJumpingCoef"=dword:00000050
"GKNaturalFitnessCoef"=dword:00000005
"GKPaceCoef"=dword:00000000
"GKStaminaCoef"=dword:00000000
"GKStrengthCoef"=dword:0000000a
"GKVersatilityCoef"=dword:00000000
"GKAerialAbilityCoef"=dword:00000032
"GKCommandOfAreaCoef"=dword:00000014
"GKCommunicationCoef"=dword:00000032
"GKEccentricityCoef"=dword:ffffffec
"GKHandlingCoef"=dword:00000064
"GKKickingCoef"=dword:0000000a
"GKOneOnOnesCoef"=dword:00000032
"GKReflexesCoef"=dword:00000064
"GKRushingOutCoef"=dword:00000014
"GKTendencyToPunchCoef"=dword:fffffff6
"GKThrowingCoef"=dword:0000000a
"GKAdaptabilityCoef"=dword:00000005
"GKAmbitionCoef"=dword:0000000a
"GKControversyCoef"=dword:fffffffb
"GKLoyalityCoef"=dword:00000005
"GKPressureCoef"=dword:00000005
"GKProfessionalismCoef"=dword:00000005
"GKSportsmanshipCoef"=dword:00000005
"GKTemperamentCoef"=dword:00000005
"SWWeightCoef"=dword:00000066
"SWCurrentAbilityCoef"=dword:00000000
"SWCornersCoef"=dword:00000000
"SWCrossingCoef"=dword:00000000
"SWDribblingCoef"=dword:00000000
"SWFinishingCoef"=dword:00000000
"SWFirstTouchCoef"=dword:00000014
"SWFreeKicksCoef"=dword:0000000a
"SWHeadingCoef"=dword:00000064
"SWLongShotsCoef"=dword:0000000a
"SWLongThrowsCoef"=dword:00000000
"SWMarkingCoef"=dword:00000064
"SWPassingCoef"=dword:0000000a
"SWPenaltiesCoef"=dword:00000005
"SWTacklingCoef"=dword:00000064
"SWTechniqueCoef"=dword:0000000a
"SWLeftFootCoef"=dword:00000005
"SWRightFootCoef"=dword:00000005
"SWAggressionCoef"=dword:00000014
"SWAnticipationCoef"=dword:00000014
"SWBraveryCoef"=dword:00000028
"SWComposureCoef"=dword:00000028
"SWConcentrationCoef"=dword:0000003c
"SWConsistencyCoef"=dword:0000000a
"SWCreativityCoef"=dword:0000000a
"SWDecisionsCoef"=dword:00000014
"SWDeterminationCoef"=dword:0000000a
"SWDirtinessCoef"=dword:ffffffe7
"SWFlairCoef"=dword:00000000
"SWImportantMatchesCoef"=dword:0000000a
"SWInfluenceCoef"=dword:0000000a
"SWOffTheBallCoef"=dword:0000000a
"SWPositioningCoef"=dword:00000064
"SWTeamworkCoef"=dword:00000028
"SWWorkRateCoef"=dword:00000014
"SWAccelerationCoef"=dword:0000001e
"SWAgilityCoef"=dword:0000000a
"SWBalanceCoef"=dword:00000014
"SWInjuryPronenessCoef"=dword:fffffffb
"SWJumpingCoef"=dword:00000064
"SWNaturalFitnessCoef"=dword:00000005
"SWPaceCoef"=dword:00000014
"SWStaminaCoef"=dword:0000000a
"SWStrengthCoef"=dword:00000050
"SWVersatilityCoef"=dword:00000005
"SWAerialAbilityCoef"=dword:00000000
"SWCommandOfAreaCoef"=dword:00000000
"SWCommunicationCoef"=dword:00000000
"SWEccentricityCoef"=dword:00000000
"SWHandlingCoef"=dword:00000000
"SWKickingCoef"=dword:00000000
"SWOneOnOnesCoef"=dword:00000005
"SWReflexesCoef"=dword:00000005
"SWRushingOutCoef"=dword:00000000
"SWTendencyToPunchCoef"=dword:00000000
"SWThrowingCoef"=dword:00000000
"SWAdaptabilityCoef"=dword:00000005
"SWAmbitionCoef"=dword:0000000a
"SWControversyCoef"=dword:fffffffb
"SWLoyalityCoef"=dword:00000005
"SWPressureCoef"=dword:00000005
"SWProfessionalismCoef"=dword:00000005
"SWSportsmanshipCoef"=dword:00000005
"SWTemperamentCoef"=dword:00000005
"CBWeightCoef"=dword:00000064
"CBCurrentAbilityCoef"=dword:00000000
"CBCornersCoef"=dword:00000000
"CBCrossingCoef"=dword:00000000
"CBDribblingCoef"=dword:00000000
"CBFinishingCoef"=dword:00000000
"CBFirstTouchCoef"=dword:00000014
"CBFreeKicksCoef"=dword:0000000a
"CBHeadingCoef"=dword:00000064
"CBLongShotsCoef"=dword:0000000a
"CBLongThrowsCoef"=dword:00000000
"CBMarkingCoef"=dword:00000050
"CBPassingCoef"=dword:00000014
"CBPenaltiesCoef"=dword:00000005
"CBTacklingCoef"=dword:00000064
"CBTechniqueCoef"=dword:0000000a
"CBLeftFootCoef"=dword:00000005
"CBRightFootCoef"=dword:00000005
"CBAggressionCoef"=dword:00000014
"CBAnticipationCoef"=dword:00000014
"CBBraveryCoef"=dword:00000028
"CBComposureCoef"=dword:00000014
"CBConcentrationCoef"=dword:00000028
"CBConsistencyCoef"=dword:0000000a
"CBCreativityCoef"=dword:0000000a
"CBDecisionsCoef"=dword:00000014
"CBDeterminationCoef"=dword:0000000a
"CBDirtinessCoef"=dword:ffffffec
"CBFlairCoef"=dword:00000000
"CBImportantMatchesCoef"=dword:0000000a
"CBInfluenceCoef"=dword:0000000a
"CBOffTheBallCoef"=dword:0000000a
"CBPositioningCoef"=dword:00000050
"CBTeamworkCoef"=dword:00000028
"CBWorkRateCoef"=dword:00000014
"CBAccelerationCoef"=dword:00000028
"CBAgilityCoef"=dword:0000000a
"CBBalanceCoef"=dword:00000014
"CBInjuryPronenessCoef"=dword:fffffffb
"CBJumpingCoef"=dword:00000064
"CBNaturalFitnessCoef"=dword:00000005
"CBPaceCoef"=dword:0000001e
"CBStaminaCoef"=dword:0000000a
"CBStrengthCoef"=dword:0000003c
"CBVersatilityCoef"=dword:00000005
"CBAerialAbilityCoef"=dword:00000000
"CBCommandOfAreaCoef"=dword:00000000
"CBCommunicationCoef"=dword:00000000
"CBEccentricityCoef"=dword:00000000
"CBHandlingCoef"=dword:00000000
"CBKickingCoef"=dword:00000000
"CBOneOnOnesCoef"=dword:00000005
"CBReflexesCoef"=dword:00000005
"CBRushingOutCoef"=dword:00000000
"CBTendencyToPunchCoef"=dword:00000000
"CBThrowingCoef"=dword:00000000
"CBAdaptabilityCoef"=dword:00000005
"CBAmbitionCoef"=dword:0000000a
"CBControversyCoef"=dword:fffffffb
"CBLoyalityCoef"=dword:00000005
"CBPressureCoef"=dword:00000005
"CBProfessionalismCoef"=dword:00000005
"CBSportsmanshipCoef"=dword:00000005
"CBTemperamentCoef"=dword:00000005
"FBWeightCoef"=dword:00000068
"FBCurrentAbilityCoef"=dword:00000000
"FBCornersCoef"=dword:0000000a
"FBCrossingCoef"=dword:0000001e
"FBDribblingCoef"=dword:00000014
"FBFinishingCoef"=dword:00000000
"FBFirstTouchCoef"=dword:00000014
"FBFreeKicksCoef"=dword:0000000a
"FBHeadingCoef"=dword:0000003c
"FBLongShotsCoef"=dword:0000000a
"FBLongThrowsCoef"=dword:0000000a
"FBMarkingCoef"=dword:0000003c
"FBPassingCoef"=dword:0000001e
"FBPenaltiesCoef"=dword:00000005
"FBTacklingCoef"=dword:00000064
"FBTechniqueCoef"=dword:00000014
"FBLeftFootCoef"=dword:00000005
"FBRightFootCoef"=dword:00000005
"FBAggressionCoef"=dword:0000000f
"FBAnticipationCoef"=dword:00000050
"FBBraveryCoef"=dword:00000014
"FBComposureCoef"=dword:0000000a
"FBConcentrationCoef"=dword:0000001e
"FBConsistencyCoef"=dword:0000000a
"FBCreativityCoef"=dword:0000000a
"FBDecisionsCoef"=dword:00000014
"FBDeterminationCoef"=dword:0000000a
"FBDirtinessCoef"=dword:fffffff6
"FBFlairCoef"=dword:00000005
"FBImportantMatchesCoef"=dword:0000000a
"FBInfluenceCoef"=dword:0000000a
"FBOffTheBallCoef"=dword:00000014
"FBPositioningCoef"=dword:00000064
"FBTeamworkCoef"=dword:00000014
"FBWorkRateCoef"=dword:00000014
"FBAccelerationCoef"=dword:0000003c
"FBAgilityCoef"=dword:0000000a
"FBBalanceCoef"=dword:00000014
"FBInjuryPronenessCoef"=dword:fffffffb
"FBJumpingCoef"=dword:0000003c
"FBNaturalFitnessCoef"=dword:00000005
"FBPaceCoef"=dword:00000050
"FBStaminaCoef"=dword:0000003c
"FBStrengthCoef"=dword:00000028
"FBVersatilityCoef"=dword:00000005
"FBAerialAbilityCoef"=dword:00000000
"FBCommandOfAreaCoef"=dword:00000000
"FBCommunicationCoef"=dword:00000000
"FBEccentricityCoef"=dword:00000000
"FBHandlingCoef"=dword:00000000
"FBKickingCoef"=dword:00000000
"FBOneOnOnesCoef"=dword:00000005
"FBReflexesCoef"=dword:00000005
"FBRushingOutCoef"=dword:00000000
"FBTendencyToPunchCoef"=dword:00000000
"FBThrowingCoef"=dword:00000000
"FBAdaptabilityCoef"=dword:00000005
"FBAmbitionCoef"=dword:0000000a
"FBControversyCoef"=dword:fffffffb
"FBLoyalityCoef"=dword:00000005
"FBPressureCoef"=dword:00000005
"FBProfessionalismCoef"=dword:00000005
"FBSportsmanshipCoef"=dword:00000005
"FBTemperamentCoef"=dword:00000005
"WBWeightCoef"=dword:00000069
"WBCurrentAbilityCoef"=dword:00000000
"WBCornersCoef"=dword:0000000a
"WBCrossingCoef"=dword:0000003c
"WBDribblingCoef"=dword:00000028
"WBFinishingCoef"=dword:0000000a
"WBFirstTouchCoef"=dword:00000014
"WBFreeKicksCoef"=dword:0000000a
"WBHeadingCoef"=dword:00000028
"WBLongShotsCoef"=dword:00000014
"WBLongThrowsCoef"=dword:0000000a
"WBMarkingCoef"=dword:0000003c
"WBPassingCoef"=dword:00000028
"WBPenaltiesCoef"=dword:00000005
"WBTacklingCoef"=dword:00000064
"WBTechniqueCoef"=dword:00000028
"WBLeftFootCoef"=dword:00000005
"WBRightFootCoef"=dword:00000005
"WBAggressionCoef"=dword:0000000a
"WBAnticipationCoef"=dword:00000050
"WBBraveryCoef"=dword:0000000a
"WBComposureCoef"=dword:0000000a
"WBConcentrationCoef"=dword:00000014
"WBConsistencyCoef"=dword:0000000a
"WBCreativityCoef"=dword:00000014
"WBDecisionsCoef"=dword:00000014
"WBDeterminationCoef"=dword:0000000a
"WBDirtinessCoef"=dword:fffffff6
"WBFlairCoef"=dword:0000000a
"WBImportantMatchesCoef"=dword:0000000a
"WBInfluenceCoef"=dword:0000000a
"WBOffTheBallCoef"=dword:00000014
"WBPositioningCoef"=dword:00000064
"WBTeamworkCoef"=dword:00000014
"WBWorkRateCoef"=dword:00000028
"WBAccelerationCoef"=dword:00000050
"WBAgilityCoef"=dword:0000000a
"WBBalanceCoef"=dword:00000014
"WBInjuryPronenessCoef"=dword:fffffffb
"WBJumpingCoef"=dword:00000014
"WBNaturalFitnessCoef"=dword:00000005
"WBPaceCoef"=dword:00000064
"WBStaminaCoef"=dword:00000050
"WBStrengthCoef"=dword:00000028
"WBVersatilityCoef"=dword:00000005
"WBAerialAbilityCoef"=dword:00000000
"WBCommandOfAreaCoef"=dword:00000000
"WBCommunicationCoef"=dword:00000000
"WBEccentricityCoef"=dword:00000000
"WBHandlingCoef"=dword:00000000
"WBKickingCoef"=dword:00000000
"WBOneOnOnesCoef"=dword:00000005
"WBReflexesCoef"=dword:00000005
"WBRushingOutCoef"=dword:00000000
"WBTendencyToPunchCoef"=dword:00000000
"WBThrowingCoef"=dword:00000000
"WBAdaptabilityCoef"=dword:00000005
"WBAmbitionCoef"=dword:0000000a
"WBControversyCoef"=dword:fffffffb
"WBLoyalityCoef"=dword:00000005
"WBPressureCoef"=dword:00000005
"WBProfessionalismCoef"=dword:00000005
"WBSportsmanshipCoef"=dword:00000005
"WBTemperamentCoef"=dword:00000005
"DMWeightCoef"=dword:00000066
"DMCurrentAbilityCoef"=dword:00000000
"DMCornersCoef"=dword:0000000a
"DMCrossingCoef"=dword:0000001e
"DMDribblingCoef"=dword:00000014
"DMFinishingCoef"=dword:0000000a
"DMFirstTouchCoef"=dword:0000001e
"DMFreeKicksCoef"=dword:0000000a
"DMHeadingCoef"=dword:00000028
"DMLongShotsCoef"=dword:00000014
"DMLongThrowsCoef"=dword:00000005
"DMMarkingCoef"=dword:0000003c
"DMPassingCoef"=dword:00000028
"DMPenaltiesCoef"=dword:00000005
"DMTacklingCoef"=dword:00000064
"DMTechniqueCoef"=dword:0000001e
"DMLeftFootCoef"=dword:00000005
"DMRightFootCoef"=dword:00000005
"DMAggressionCoef"=dword:00000028
"DMAnticipationCoef"=dword:00000028
"DMBraveryCoef"=dword:00000014
"DMComposureCoef"=dword:0000000a
"DMConcentrationCoef"=dword:00000014
"DMConsistencyCoef"=dword:0000000a
"DMCreativityCoef"=dword:00000014
"DMDecisionsCoef"=dword:00000014
"DMDeterminationCoef"=dword:0000000a
"DMDirtinessCoef"=dword:fffffff6
"DMFlairCoef"=dword:0000000a
"DMImportantMatchesCoef"=dword:0000000a
"DMInfluenceCoef"=dword:0000000a
"DMOffTheBallCoef"=dword:0000001e
"DMPositioningCoef"=dword:00000050
"DMTeamworkCoef"=dword:00000028
"DMWorkRateCoef"=dword:00000050
"DMAccelerationCoef"=dword:00000028
"DMAgilityCoef"=dword:0000000a
"DMBalanceCoef"=dword:0000000a
"DMInjuryPronenessCoef"=dword:fffffffb
"DMJumpingCoef"=dword:00000028
"DMNaturalFitnessCoef"=dword:00000005
"DMPaceCoef"=dword:00000028
"DMStaminaCoef"=dword:0000003c
"DMStrengthCoef"=dword:00000028
"DMVersatilityCoef"=dword:00000005
"DMAerialAbilityCoef"=dword:00000000
"DMCommandOfAreaCoef"=dword:00000000
"DMCommunicationCoef"=dword:00000000
"DMEccentricityCoef"=dword:00000000
"DMHandlingCoef"=dword:00000000
"DMKickingCoef"=dword:00000000
"DMOneOnOnesCoef"=dword:00000005
"DMReflexesCoef"=dword:00000005
"DMRushingOutCoef"=dword:00000000
"DMTendencyToPunchCoef"=dword:00000000
"DMThrowingCoef"=dword:00000000
"DMAdaptabilityCoef"=dword:00000005
"DMAmbitionCoef"=dword:0000000a
"DMControversyCoef"=dword:fffffffb
"DMLoyalityCoef"=dword:00000005
"DMPressureCoef"=dword:00000005
"DMProfessionalismCoef"=dword:00000005
"DMSportsmanshipCoef"=dword:00000005
"DMTemperamentCoef"=dword:00000005
"MWeightCoef"=dword:00000067
"MCurrentAbilityCoef"=dword:00000000
"MCornersCoef"=dword:0000000a
"MCrossingCoef"=dword:00000028
"MDribblingCoef"=dword:00000032
"MFinishingCoef"=dword:00000014
"MFirstTouchCoef"=dword:0000001e
"MFreeKicksCoef"=dword:0000000a
"MHeadingCoef"=dword:0000001e
"MLongShotsCoef"=dword:00000014
"MLongThrowsCoef"=dword:00000005
"MMarkingCoef"=dword:00000028
"MPassingCoef"=dword:00000046
"MPenaltiesCoef"=dword:00000005
"MTacklingCoef"=dword:0000003c
"MTechniqueCoef"=dword:00000032
"MLeftFootCoef"=dword:00000005
"MRightFootCoef"=dword:00000005
"MAggressionCoef"=dword:0000001e
"MAnticipationCoef"=dword:00000028
"MBraveryCoef"=dword:0000000a
"MComposureCoef"=dword:0000000a
"MConcentrationCoef"=dword:0000000a
"MConsistencyCoef"=dword:0000000a
"MCreativityCoef"=dword:0000003c
"MDecisionsCoef"=dword:0000001e
"MDeterminationCoef"=dword:0000000a
"MDirtinessCoef"=dword:fffffffb
"MFlairCoef"=dword:0000000a
"MImportantMatchesCoef"=dword:0000000a
"MInfluenceCoef"=dword:0000000a
"MOffTheBallCoef"=dword:00000028
"MPositioningCoef"=dword:00000028
"MTeamworkCoef"=dword:00000032
"MWorkRateCoef"=dword:00000032
"MAccelerationCoef"=dword:00000032
"MAgilityCoef"=dword:0000000a
"MBalanceCoef"=dword:0000000a
"MInjuryPronenessCoef"=dword:fffffffb
"MJumpingCoef"=dword:00000028
"MNaturalFitnessCoef"=dword:00000005
"MPaceCoef"=dword:00000028
"MStaminaCoef"=dword:0000003c
"MStrengthCoef"=dword:0000001e
"MVersatilityCoef"=dword:00000005
"MAerialAbilityCoef"=dword:00000000
"MCommandOfAreaCoef"=dword:00000000
"MCommunicationCoef"=dword:00000000
"MEccentricityCoef"=dword:00000000
"MHandlingCoef"=dword:00000000
"MKickingCoef"=dword:00000000
"MOneOnOnesCoef"=dword:00000005
"MReflexesCoef"=dword:00000005
"MRushingOutCoef"=dword:00000000
"MTendencyToPunchCoef"=dword:00000000
"MThrowingCoef"=dword:00000000
"MAdaptabilityCoef"=dword:00000005
"MAmbitionCoef"=dword:0000000a
"MControversyCoef"=dword:fffffffb
"MLoyalityCoef"=dword:00000005
"MPressureCoef"=dword:00000005
"MProfessionalismCoef"=dword:00000005
"MSportsmanshipCoef"=dword:00000005
"MTemperamentCoef"=dword:00000005
"AMWeightCoef"=dword:00000066
"AMCurrentAbilityCoef"=dword:00000000
"AMCornersCoef"=dword:0000000a
"AMCrossingCoef"=dword:0000003c
"AMDribblingCoef"=dword:00000050
"AMFinishingCoef"=dword:00000028
"AMFirstTouchCoef"=dword:0000001e
"AMFreeKicksCoef"=dword:0000000a
"AMHeadingCoef"=dword:00000014
"AMLongShotsCoef"=dword:00000014
"AMLongThrowsCoef"=dword:00000005
"AMMarkingCoef"=dword:0000000a
"AMPassingCoef"=dword:00000064
"AMPenaltiesCoef"=dword:00000005
"AMTacklingCoef"=dword:0000000a
"AMTechniqueCoef"=dword:00000050
"AMLeftFootCoef"=dword:00000005
"AMRightFootCoef"=dword:00000005
"AMAggressionCoef"=dword:0000000a
"AMAnticipationCoef"=dword:0000001e
"AMBraveryCoef"=dword:0000000a
"AMComposureCoef"=dword:0000000a
"AMConcentrationCoef"=dword:0000000a
"AMConsistencyCoef"=dword:0000000a
"AMCreativityCoef"=dword:00000064
"AMDecisionsCoef"=dword:00000028
"AMDeterminationCoef"=dword:0000000a
"AMDirtinessCoef"=dword:fffffffb
"AMFlairCoef"=dword:00000014
"AMImportantMatchesCoef"=dword:0000000a
"AMInfluenceCoef"=dword:0000000a
"AMOffTheBallCoef"=dword:0000003c
"AMPositioningCoef"=dword:00000014
"AMTeamworkCoef"=dword:0000003c
"AMWorkRateCoef"=dword:00000014
"AMAccelerationCoef"=dword:0000003c
"AMAgilityCoef"=dword:0000000a
"AMBalanceCoef"=dword:0000000a
"AMInjuryPronenessCoef"=dword:fffffffb
"AMJumpingCoef"=dword:00000014
"AMNaturalFitnessCoef"=dword:00000005
"AMPaceCoef"=dword:0000003c
"AMStaminaCoef"=dword:0000003c
"AMStrengthCoef"=dword:00000014
"AMVersatilityCoef"=dword:00000005
"AMAerialAbilityCoef"=dword:00000000
"AMCommandOfAreaCoef"=dword:00000000
"AMCommunicationCoef"=dword:00000000
"AMEccentricityCoef"=dword:00000000
"AMHandlingCoef"=dword:00000000
"AMKickingCoef"=dword:00000000
"AMOneOnOnesCoef"=dword:00000005
"AMReflexesCoef"=dword:00000005
"AMRushingOutCoef"=dword:00000000
"AMTendencyToPunchCoef"=dword:00000000
"AMThrowingCoef"=dword:00000000
"AMAdaptabilityCoef"=dword:00000005
"AMAmbitionCoef"=dword:0000000a
"AMControversyCoef"=dword:fffffffb
"AMLoyalityCoef"=dword:00000005
"AMPressureCoef"=dword:00000005
"AMProfessionalismCoef"=dword:00000005
"AMSportsmanshipCoef"=dword:00000005
"AMTemperamentCoef"=dword:00000005
"WWeightCoef"=dword:00000066
"WCurrentAbilityCoef"=dword:00000000
"WCornersCoef"=dword:0000000a
"WCrossingCoef"=dword:00000064
"WDribblingCoef"=dword:00000064
"WFinishingCoef"=dword:0000003c
"WFirstTouchCoef"=dword:0000001e
"WFreeKicksCoef"=dword:0000000a
"WHeadingCoef"=dword:00000014
"WLongShotsCoef"=dword:00000014
"WLongThrowsCoef"=dword:00000005
"WMarkingCoef"=dword:0000000a
"WPassingCoef"=dword:0000003c
"WPenaltiesCoef"=dword:00000005
"WTacklingCoef"=dword:0000000a
"WTechniqueCoef"=dword:00000050
"WLeftFootCoef"=dword:00000005
"WRightFootCoef"=dword:00000005
"WAggressionCoef"=dword:0000000a
"WAnticipationCoef"=dword:00000014
"WBraveryCoef"=dword:0000000a
"WComposureCoef"=dword:0000000a
"WConcentrationCoef"=dword:0000000a
"WConsistencyCoef"=dword:0000000a
"WCreativityCoef"=dword:0000003c
"WDecisionsCoef"=dword:00000014
"WDeterminationCoef"=dword:0000000a
"WDirtinessCoef"=dword:fffffffb
"WFlairCoef"=dword:0000000a
"WImportantMatchesCoef"=dword:00000014
"WInfluenceCoef"=dword:0000000a
"WOffTheBallCoef"=dword:0000003c
"WPositioningCoef"=dword:00000014
"WTeamworkCoef"=dword:0000001e
"WWorkRateCoef"=dword:0000001e
"WAccelerationCoef"=dword:00000050
"WAgilityCoef"=dword:00000014
"WBalanceCoef"=dword:0000000a
"WInjuryPronenessCoef"=dword:fffffffb
"WJumpingCoef"=dword:00000014
"WNaturalFitnessCoef"=dword:00000005
"WPaceCoef"=dword:00000064
"WStaminaCoef"=dword:0000003c
"WStrengthCoef"=dword:00000014
"WVersatilityCoef"=dword:00000005
"WAerialAbilityCoef"=dword:00000000
"WCommandOfAreaCoef"=dword:00000000
"WCommunicationCoef"=dword:00000000
"WEccentricityCoef"=dword:00000000
"WHandlingCoef"=dword:00000000
"WKickingCoef"=dword:00000000
"WOneOnOnesCoef"=dword:00000005
"WReflexesCoef"=dword:00000005
"WRushingOutCoef"=dword:00000000
"WTendencyToPunchCoef"=dword:00000000
"WThrowingCoef"=dword:00000000
"WAdaptabilityCoef"=dword:00000005
"WAmbitionCoef"=dword:0000000a
"WControversyCoef"=dword:fffffffb
"WLoyalityCoef"=dword:00000005
"WPressureCoef"=dword:00000005
"WProfessionalismCoef"=dword:00000005
"WSportsmanshipCoef"=dword:00000005
"WTemperamentCoef"=dword:00000005
"FSTWeightCoef"=dword:00000064
"FSTCurrentAbilityCoef"=dword:00000000
"FSTCornersCoef"=dword:0000000a
"FSTCrossingCoef"=dword:0000000a
"FSTDribblingCoef"=dword:00000050
"FSTFinishingCoef"=dword:00000064
"FSTFirstTouchCoef"=dword:00000028
"FSTFreeKicksCoef"=dword:0000000a
"FSTHeadingCoef"=dword:00000028
"FSTLongShotsCoef"=dword:00000014
"FSTLongThrowsCoef"=dword:00000000
"FSTMarkingCoef"=dword:00000000
"FSTPassingCoef"=dword:00000028
"FSTPenaltiesCoef"=dword:00000005
"FSTTacklingCoef"=dword:00000000
"FSTTechniqueCoef"=dword:00000050
"FSTLeftFootCoef"=dword:00000005
"FSTRightFootCoef"=dword:00000005
"FSTAggressionCoef"=dword:0000000a
"FSTAnticipationCoef"=dword:0000000a
"FSTBraveryCoef"=dword:0000000a
"FSTComposureCoef"=dword:0000000a
"FSTConcentrationCoef"=dword:0000000a
"FSTConsistencyCoef"=dword:0000000a
"FSTCreativityCoef"=dword:00000028
"FSTDecisionsCoef"=dword:0000000a
"FSTDeterminationCoef"=dword:0000000a
"FSTDirtinessCoef"=dword:fffffffb
"FSTFlairCoef"=dword:0000000a
"FSTImportantMatchesCoef"=dword:0000000a
"FSTInfluenceCoef"=dword:0000000a
"FSTOffTheBallCoef"=dword:00000050
"FSTPositioningCoef"=dword:0000000a
"FSTTeamworkCoef"=dword:0000000a
"FSTWorkRateCoef"=dword:0000000a
"FSTAccelerationCoef"=dword:00000064
"FSTAgilityCoef"=dword:00000028
"FSTBalanceCoef"=dword:0000000a
"FSTInjuryPronenessCoef"=dword:fffffffb
"FSTJumpingCoef"=dword:00000014
"FSTNaturalFitnessCoef"=dword:00000005
"FSTPaceCoef"=dword:00000064
"FSTStaminaCoef"=dword:00000028
"FSTStrengthCoef"=dword:00000014
"FSTVersatilityCoef"=dword:00000005
"FSTAerialAbilityCoef"=dword:00000000
"FSTCommandOfAreaCoef"=dword:00000000
"FSTCommunicationCoef"=dword:00000000
"FSTEccentricityCoef"=dword:00000000
"FSTHandlingCoef"=dword:00000000
"FSTKickingCoef"=dword:00000000
"FSTOneOnOnesCoef"=dword:00000005
"FSTReflexesCoef"=dword:00000005
"FSTRushingOutCoef"=dword:00000000
"FSTTendencyToPunchCoef"=dword:00000000
"FSTThrowingCoef"=dword:00000000
"FSTAdaptabilityCoef"=dword:00000005
"FSTAmbitionCoef"=dword:0000000a
"FSTControversyCoef"=dword:fffffffb
"FSTLoyalityCoef"=dword:00000005
"FSTPressureCoef"=dword:00000005
"FSTProfessionalismCoef"=dword:00000005
"FSTSportsmanshipCoef"=dword:00000005
"FSTTemperamentCoef"=dword:00000005
"TSTWeightCoef"=dword:00000065
"TSTCurrentAbilityCoef"=dword:00000000
"TSTCornersCoef"=dword:00000000
"TSTCrossingCoef"=dword:0000000a
"TSTDribblingCoef"=dword:0000003c
"TSTFinishingCoef"=dword:00000050
"TSTFirstTouchCoef"=dword:0000001e
"TSTFreeKicksCoef"=dword:0000000a
"TSTHeadingCoef"=dword:00000064
"TSTLongShotsCoef"=dword:00000014
"TSTLongThrowsCoef"=dword:00000000
"TSTMarkingCoef"=dword:00000000
"TSTPassingCoef"=dword:00000028
"TSTPenaltiesCoef"=dword:00000005
"TSTTacklingCoef"=dword:00000000
"TSTTechniqueCoef"=dword:00000028
"TSTLeftFootCoef"=dword:00000005
"TSTRightFootCoef"=dword:00000005
"TSTAggressionCoef"=dword:00000014
"TSTAnticipationCoef"=dword:0000000a
"TSTBraveryCoef"=dword:00000014
"TSTComposureCoef"=dword:0000000a
"TSTConcentrationCoef"=dword:0000000a
"TSTConsistencyCoef"=dword:0000000a
"TSTCreativityCoef"=dword:00000014
"TSTDecisionsCoef"=dword:0000000a
"TSTDeterminationCoef"=dword:0000000a
"TSTDirtinessCoef"=dword:fffffffb
"TSTFlairCoef"=dword:0000000a
"TSTImportantMatchesCoef"=dword:0000000a
"TSTInfluenceCoef"=dword:0000000a
"TSTOffTheBallCoef"=dword:00000050
"TSTPositioningCoef"=dword:00000014
"TSTTeamworkCoef"=dword:0000000a
"TSTWorkRateCoef"=dword:0000000a
"TSTAccelerationCoef"=dword:00000028
"TSTAgilityCoef"=dword:00000014
"TSTBalanceCoef"=dword:00000014
"TSTInjuryPronenessCoef"=dword:fffffffb
"TSTJumpingCoef"=dword:00000064
"TSTNaturalFitnessCoef"=dword:00000005
"TSTPaceCoef"=dword:00000028
"TSTStaminaCoef"=dword:00000014
"TSTStrengthCoef"=dword:00000050
"TSTVersatilityCoef"=dword:00000005
"TSTAerialAbilityCoef"=dword:00000000
"TSTCommandOfAreaCoef"=dword:00000000
"TSTCommunicationCoef"=dword:00000000
"TSTEccentricityCoef"=dword:00000000
"TSTHandlingCoef"=dword:00000000
"TSTKickingCoef"=dword:00000000
"TSTOneOnOnesCoef"=dword:00000005
"TSTReflexesCoef"=dword:00000005
"TSTRushingOutCoef"=dword:00000000
"TSTTendencyToPunchCoef"=dword:00000000
"TSTThrowingCoef"=dword:00000000
"TSTAdaptabilityCoef"=dword:00000005
"TSTAmbitionCoef"=dword:0000000a
"TSTControversyCoef"=dword:fffffffb
"TSTLoyalityCoef"=dword:00000005
"TSTPressureCoef"=dword:00000005
"TSTProfessionalismCoef"=dword:00000005
"TSTSportsmanshipCoef"=dword:00000005
"TSTTemperamentCoef"=dword:00000005
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(348)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
.
Completion time: 2009-08-10 3:10
ComboFix-quarantined-files.txt 2009-08-10 02:09

Pre-Run: 34,312,593,408 bytes free
Post-Run: 34,293,932,032 bytes free

1934

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:04:24 PM

Posted 10 August 2009 - 02:51 PM

The logs are clean of malware but you have some important files missing.

We need to run a system file check.

Go to the Run box on the Start Menu and type in:

sfc /scannow

More info on this process can be found here.

Please post back with the results.
m0le is a proud member of UNITE

#7 domehead

domehead
  • Topic Starter

  • Members
  • 17 posts
  • Local time:05:24 PM

Posted 12 August 2009 - 10:24 AM

Phew! That was difficult!

sfc didn't recognise my W2k with SP4 that I had as my install cd. Didn't know where to find a replacement cd. I read the article on using sfc, put the I386 directory onto my hard drive and edited the registry to look for the files, but that didn't work either. I suppose that was because it was the I386 from the service pack 4 update. In the end, I had to go find a system install disk.

Eventually got there - several files were pulled off the cd.

I do have to confess that, before you first responded to me, I had tried many different Anti-V and Anti-Spyware tools. The last one was the trinity rescue kit, that boots into linux. I had run that, with the auto Virus scan option and then you posted to the thread, so I just got on with your instructions. I reckon that it was this scan that deleted those files, as I had not noticed them being missing before! If I should have said something earlier, then I am sorry. :thumbup2:

Now, after running sfc I rebooted and it still sits for about a minute at the 'Preparing network connections...' message. (I have a similar pc that displays that message for only 5 seconds.)

While posting this, I was expecting to be interrupted by services.exe hogging the cpu, but it hasn't happened yet. Funnily enough, I am quite disturbed by that - this problem has been plaguing me for weeks - dare I hope for light at the end of the tunnel?

There's always hope... :)

#8 domehead

domehead
  • Topic Starter

  • Members
  • 17 posts
  • Local time:05:24 PM

Posted 12 August 2009 - 10:38 AM

DOH!!!

No there isn't :thumbup2:

I managed to catch services.exe using Process Explorer:-

Process PID CPU Description Company Name
System Idle Process 0
Interrupts n/a Hardware Interrupts
DPCs n/a 3.13 Deferred Procedure Calls
System 8
smss.exe 304 Windows NT Session Manager Microsoft Corporation
csrss.exe 328 Client Server Runtime Process Microsoft Corporation
WINLOGON.EXE 348 Windows NT Logon Application Microsoft Corporation
SERVICES.EXE 376 96.88 Services and Controller app Microsoft Corporation
svchost.exe 556 Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 588 Spooler SubSystem App Microsoft Corporation
aswUpdSv.exe 644 avast! Antivirus updating service ALWIL Software
ashServ.exe 660 avast! antivirus service ALWIL Software
svchost.exe 692 Generic Host Process for Win32 Services Microsoft Corporation
jqs.exe 724 Java™ Quick Starter Service Sun Microsystems, Inc.
PnkBstrA.exe 756
mstask.exe 784 Task Scheduler Engine Microsoft Corporation
stisvc.exe 892 Still Image Devices Monitor Microsoft Corporation
TomTomHOMEServi 936 Windows Service for TomTom HOME TomTom
ULCDRSvr.exe 1044 ULCDRSvr Ulead Systems, Inc.
vsmon.exe 1104 TrueVector Service Zone Labs, LLC
winmgmt.exe 1292 Windows Management Instrumentation Microsoft Corporation
svchost.exe 1332 Generic Host Process for Win32 Services Microsoft Corporation
ashMaiSv.exe 1572 avast! e-Mail Scanner Service ALWIL Software
ashWebSv.exe 1600 avast! Web Scanner ALWIL Software
LSASS.EXE 388 LSA Executable and Server DLL (Export Version) Microsoft Corporation
explorer.exe 1184 Windows Explorer Microsoft Corporation
zlclient.exe 1188 ZoneAlarm Client Zone Labs, LLC
ashDisp.exe 1280 avast! service GUI component ALWIL Software
jusched.exe 1308 Java™ Platform SE binary Sun Microsystems, Inc.
rundll32.exe 1316 Run a DLL as an App Microsoft Corporation
procexp.exe 1828 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
firefox.exe 1152 Firefox Mozilla Corporation


As you can see, 96.88% of my poor little cpu's workload for about 3-5 minutes - so annoying!

#9 domehead

domehead
  • Topic Starter

  • Members
  • 17 posts
  • Local time:05:24 PM

Posted 13 August 2009 - 07:33 PM

A bit more information:-

I wanted to check the startup stuff, so I used Autoruns and spotted a reference to 'catchme.sys' as well as some other driver files that are missing.

Here are the log entries -

+ catchme File not found: C:\DOCUME~1\MF\LOCALS~1\Temp\catchme.sys
+ Changer File not found: C:\WINNT\System32\Drivers\Changer.sys
+ ENTECH File not found: C:\WINNT\system32\DRIVERS\ENTECH.sys
+ lbrtfdc File not found: C:\WINNT\System32\Drivers\lbrtfdc.sys
+ mcdbus File not found: system32\DRIVERS\mcdbus.sys
+ PCIDump File not found: C:\WINNT\System32\Drivers\PCIDump.sys
+ sglfb File not found: C:\WINNT\System32\Drivers\sglfb.sys
+ tga File not found: C:\WINNT\System32\Drivers\tga.sys
+ vsc32 File not found: system32\DRIVERS\vsc.sys
+ vidc.444p File not found: C:\Program Files\t@b\0.958\686\tabdec.dll
+ vidc.mpng File not found: C:\Program Files\t@b\0.958\686\tabdec.dll
+ vidc.mvjp File not found: C:\Program Files\t@b\0.958\686\tabdec.dll

This may be a complete red herring, but it may be important - hope I am not adding too much confusion!


Here is the full log -

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ avast! avast! service GUI component ALWIL Software c:\program files\alwil software\avast4\ashdisp.exe
+ CloneCDElbyCDFL ElbyCheck Elaborate Bytes AG c:\program files\clonecd\elbycheck.exe
+ EPSON Stylus Photo R220 Series EPSON Status Monitor 3 SEIKO EPSON CORPORATION c:\winnt\system32\spool\drivers\w32x86\3\e_fatiaie.exe
+ NvCplDaemon NVIDIA Display Properties Extension NVIDIA Corporation c:\winnt\system32\nvcpl.dll
+ SunJavaUpdateSched Java™ Platform SE binary Sun Microsystems, Inc. c:\program files\java\jre6\bin\jusched.exe
+ ZoneAlarm Client ZoneAlarm Client Zone Labs, LLC c:\program files\security\zonealarm\zlclient.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
+ NvMediaCenter NVIDIA Media Center Library NVIDIA Corporation c:\winnt\system32\nvmctray.dll
HKLM\SOFTWARE\Classes\Protocols\Handler
+ belarc Belarc VoilaX Control Belarc, Inc. c:\program files\belarc\advisor\system\bavoilax.dll
+ skype4com Skype for COM API Skype Technologies c:\program files\common files\skype\skype4com.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
+ SABShellExecuteHook Class ShellExecuteHook SuperAdBlocker.com c:\program files\superantispyware\sasseh.dll
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers
+ 7-Zip 7-Zip Shell Extension Igor Pavlov c:\program files\7-zip\7-zip.dll
+ avast avast! Shell Extension ALWIL Software c:\program files\alwil software\avast4\ashshell.dll
+ EPPShellEx SEIKO EPSON CORPORATION c:\program files\epson\creativity suite\easy photo print\eppshellex.dll
+ LavasoftShellExt Shell Extension c:\program files\lavasoft\ad-aware\shellext.dll
+ M2WShlExMenu Mp3 to Wave Converter Plus Shell Extension DLL Acoustica c:\program files\acoustica audio converter pro\m2wshlex.dll
+ ProgramChecker ProgramChecker Shell Extensions Zenturi, Inc c:\program files\zenturi\programchecker\pcpshell.dll
+ Quick Par Quick Par Shell Extension (English) Peter B Clements c:\program files\utils\quickpar\quickparshlext.dll
+ SASContextMenu Class SUPERAntiSpyware Context Menu Extension SUPERAntiSpyware.com c:\program files\superantispyware\sasctxmn.dll
+ WinRAR c:\program files\utils\winrar\rarext.dll
+ ZipStar4 Explorer-Erweiterung für ZipStar SpeedProject c:\program files\utils\zipstar 4\zsshell.dll
+ ZLAVShExt zlavscan shell extension Zone Labs, LLC c:\program files\security\zonealarm\zlavscan.dll
HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
+ MBAMShlExt Malwarebytes' Anti-Malware Malwarebytes Corporation c:\program files\malwarebytes' anti-malware\mbamext.dll
HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers
+ 7-Zip 7-Zip Shell Extension Igor Pavlov c:\program files\7-zip\7-zip.dll
+ Juke Juke Shell Extension WoLoSoft International c:\program files\wolosoft\juke\jukeext.dll
+ SASContextMenu Class SUPERAntiSpyware Context Menu Extension SUPERAntiSpyware.com c:\program files\superantispyware\sasctxmn.dll
+ WinRAR c:\program files\utils\winrar\rarext.dll
+ ZipStar4 Explorer-Erweiterung für ZipStar SpeedProject c:\program files\utils\zipstar 4\zsshell.dll
HKLM\Software\Classes\Directory\Shellex\DragDropHandlers
+ 7-Zip 7-Zip Shell Extension Igor Pavlov c:\program files\7-zip\7-zip.dll
+ WinRAR c:\program files\utils\winrar\rarext.dll
HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
+ PDF Shell Extension PDF Shell Extension Adobe Systems, Inc. c:\program files\common files\adobe\acrobat\activex\pdfshell.dll
HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers
+ avast avast! Shell Extension ALWIL Software c:\program files\alwil software\avast4\ashshell.dll
+ LavasoftShellExt Shell Extension c:\program files\lavasoft\ad-aware\shellext.dll
+ MBAMShlExt Malwarebytes' Anti-Malware Malwarebytes Corporation c:\program files\malwarebytes' anti-malware\mbamext.dll
+ MP3ToWave Mp3 to Wave Converter Plus Shell Extension DLL Acoustica c:\program files\acoustica audio converter pro\m2wshlex.dll
+ WinRAR c:\program files\utils\winrar\rarext.dll
+ ZLAVShExt zlavscan shell extension Zone Labs, LLC c:\program files\security\zonealarm\zlavscan.dll
HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
+ 00nView NVIDIA Desktop Explorer, Version 45.23 NVIDIA Corporation c:\winnt\system32\nvshell.dll
HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ Web Folders c:\program files\common files\microsoft shared\web folders\msonsext.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ 7-Zip Shell Extension 7-Zip Shell Extension Igor Pavlov c:\program files\7-zip\7-zip.dll
+ avast avast! Shell Extension ALWIL Software c:\program files\alwil software\avast4\ashshell.dll
+ Desktop Explorer NVIDIA Desktop Explorer, Version 45.23 NVIDIA Corporation c:\winnt\system32\nvshell.dll
+ Desktop Explorer Menu NVIDIA Desktop Explorer, Version 45.23 NVIDIA Corporation c:\winnt\system32\nvshell.dll
+ Display Panning CPL Extension File not found: deskpan.dll
+ HyperTerminal Icon Ext HyperTerminal Applet Library Hilgraeve, Inc. c:\winnt\system32\hticons.dll
+ Multiscan zlavscan shell extension Zone Labs, LLC c:\program files\security\zonealarm\zlavscan.dll
+ nView Desktop Context Menu NVIDIA Desktop Explorer, Version 45.23 NVIDIA Corporation c:\winnt\system32\nvshell.dll
+ QuickPar ContextMenu extension Quick Par Shell Extension (English) Peter B Clements c:\program files\utils\quickpar\quickparshlext.dll
+ SxContextMenu1stConv c:\program files\free m4a to mp3 converter\m4a_menu.dll
+ VirtualCloneDrive CloseTray Elaborate Bytes AG c:\program files\elaborate bytes\virtualclonedrive\elbyvcdshell.dll
+ WinRAR shell extension c:\program files\utils\winrar\rarext.dll
+ WoLoSoft Juke Menu Extension Juke Shell Extension WoLoSoft International c:\program files\wolosoft\juke\jukeext.dll
+ ZipStar Shell Extension Explorer-Erweiterung für ZipStar SpeedProject c:\program files\utils\zipstar 4\zsshell.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
+ Adobe PDF Link Helper Adobe PDF Helper for Internet Explorer Adobe Systems Incorporated c:\program files\common files\adobe\acrobat\activex\acroiehelpershim.dll
+ Java™ Plug-In 2 SSV Helper Java™ Platform SE binary Sun Microsystems, Inc. c:\program files\java\jre6\bin\jp2ssv.dll
+ JQSIEStartDetectorImpl Class Java™ Quick Starter binary Sun Microsystems, Inc. c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
HKLM\Software\Microsoft\Internet Explorer\Extensions
+ Show &Related Links File not found: C:\WINNT\web\related.htm
Task Scheduler
+ AppleSoftwareUpdate.job Apple Software Update Apple Inc. c:\program files\apple software update\softwareupdate.exe
+ SmartDefrag.job Smart Defrag IObit c:\program files\iobit\iobit smartdefrag\iobit smartdefrag.exe
HKLM\System\CurrentControlSet\Services
+ aswUpdSv Provides automatic updating for the avast! antivirus. ALWIL Software c:\program files\alwil software\avast4\aswupdsv.exe
+ avast! Antivirus Manages and implements avast! antivirus services for this computer. This includes the resident protection, the virus chest and the scheduler. ALWIL Software c:\program files\alwil software\avast4\ashserv.exe
+ avast! Mail Scanner Implements mail scanning for avast! antivirus. ALWIL Software c:\program files\alwil software\avast4\ashmaisv.exe
+ avast! Web Scanner Implements web (HTTP) scanning for avast! antivirus. ALWIL Software c:\program files\alwil software\avast4\ashwebsv.exe
+ dmadmin Administrative service for disk management requests VERITAS Software Corp. c:\winnt\system32\dmadmin.exe
+ JavaQuickStarterService Prefetches JRE files for faster startup of Java applets and applications Sun Microsystems, Inc. c:\program files\java\jre6\bin\jqs.exe
+ Lavasoft Ad-Aware Service Ad-Aware Service Lavasoft c:\program files\lavasoft\ad-aware\aawservice.exe
+ PnkBstrA PunkBuster Service Component [v1029] http://www.evenbalance.com c:\winnt\system32\pnkbstra.exe
+ sassvc Provides support for Safe & Sound c:\program files\zenturi\programchecker\sassvc.exe
+ TomTomHOMEService TomTom Home Service for ejecting devices TomTom c:\program files\tomtom home 2\tomtomhomeservice.exe
+ UleadBurningHelper ULCDRSvr Ulead Systems, Inc. c:\program files\common files\ulead systems\dvd\ulcdrsvr.exe
+ vsmon Monitors internet traffic and generates alerts for disallowed access. Zone Labs, LLC c:\winnt\system32\zonelabs\vsmon.exe
HKLM\System\CurrentControlSet\Services
+ Aavmker4 avast! Base Kernel-Mode Device Driver for Windows NT/2000/XP ALWIL Software c:\winnt\system32\drivers\aavmker4.sys
+ Asapi ASAPI VOB Computersysteme GmbH c:\winnt\system32\drivers\asapi.sys
+ Aspi32 ASPI for WIN32 Kernel Driver Adaptec c:\winnt\system32\drivers\aspi32.sys
+ aswFsBlk avast! mini-filter driver (aswFsBlk) ALWIL Software c:\winnt\system32\drivers\aswfsblk.sys
+ aswMon avast! File System Filter Driver for Windows NT/2000 ALWIL Software c:\winnt\system32\drivers\aswmon.sys
+ aswRdr avast! TDI RDR Driver ALWIL Software c:\winnt\system32\drivers\aswrdr.sys
+ aswSP avast! self protection module ALWIL Software c:\winnt\system32\drivers\aswsp.sys
+ aswTdi avast! TDI Filter Driver ALWIL Software c:\winnt\system32\drivers\aswtdi.sys
+ BANTExt c:\winnt\system32\drivers\bantext.sys
+ catchme File not found: C:\DOCUME~1\MF\LOCALS~1\Temp\catchme.sys
+ Cdr4_2K CDR4 CD and DVD Place Holder Driver (see PxHelp) Sonic Solutions c:\winnt\system32\drivers\cdr4_2k.sys
+ Cdralw2k CDRAL Place Holder Driver (see PxHelp) Sonic Solutions c:\winnt\system32\drivers\cdralw2k.sys
+ Changer File not found: C:\WINNT\System32\Drivers\Changer.sys
+ dmio NT Disk Manager I/O Driver VERITAS Software Corp. c:\winnt\system32\drivers\dmio.sys
+ dmload NT Disk Manager Startup Driver VERITAS Software Corp. c:\winnt\system32\drivers\dmload.sys
+ ElbyCDFL ElbyCDIO Filter Driver Elaborate Bytes AG c:\winnt\system32\drivers\elbycdfl.sys
+ ElbyCDIO ElbyCD Windows NT/2000/XP I/O driver Elaborate Bytes AG c:\winnt\system32\drivers\elbycdio.sys
+ ElbyVCD VirtualCloneCD Driver Elaborate Bytes AG c:\winnt\system32\drivers\elbyvcd.sys
+ ENTECH File not found: C:\WINNT\system32\DRIVERS\ENTECH.sys
+ L6PODLV GuitarPort WDM Audio Device Driver Line 6 c:\winnt\system32\drivers\l6podlv.sys
+ Lbd Ad-Aware mini-filter driver Lavasoft AB c:\winnt\system32\drivers\lbd.sys
+ lbrtfdc File not found: C:\WINNT\System32\Drivers\lbrtfdc.sys
+ mcdbus File not found: system32\DRIVERS\mcdbus.sys
+ nv NVIDIA Compatible Windows 2000 Miniport Driver, Version 45.23 NVIDIA Corporation c:\winnt\system32\drivers\nv4_mini.sys
+ nv_agp NVIDIA nForce AGP Filter NVIDIA Corporation c:\winnt\system32\drivers\nv_agp.sys
+ nvax NVIDIA® nForce™ MCP Audio Enumerator NVIDIA Corporation c:\winnt\system32\drivers\nvax.sys
+ NVENET NVIDIA nForce MCP Networking Driver. NVIDIA Corporation c:\winnt\system32\drivers\nvenet.sys
+ nvnforce NVIDIA® nForce™ Audio Driver NVIDIA Corporation c:\winnt\system32\drivers\nvapu.sys
+ Pcatip Patin-Couffin Autoplay™ support driver VSO Software c:\winnt\system32\drivers\pcatip.sys
+ PCIDump File not found: C:\WINNT\System32\Drivers\PCIDump.sys
+ Pcouffin Patin-Couffin low level access layer for CD devices VSO Software c:\winnt\system32\drivers\pcouffin.sys
+ Ptilink Direct Parallel Link Driver Parallel Technologies, Inc. c:\winnt\system32\drivers\ptilink.sys
+ PxHelp20 Px Engine Device Driver for Windows 2000/XP Sonic Solutions c:\winnt\system32\drivers\pxhelp20.sys
+ SASDIFSV SASDIFSV.SYS SUPERAdBlocker.com and SUPERAntiSpyware.com c:\program files\superantispyware\sasdifsv.sys
+ SASENUM SASENUM.SYS SUPERAdBlocker.com and SUPERAntiSpyware.com c:\program files\superantispyware\sasenum.sys
+ SASKUTIL SASKUTIL.SYS SUPERAdBlocker.com and SUPERAntiSpyware.com c:\program files\superantispyware\saskutil.sys
+ SecDrv Macrovision SECURITY Driver Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K. c:\winnt\system32\drivers\secdrv.sys
+ sglfb File not found: C:\WINNT\System32\Drivers\sglfb.sys
+ sptd c:\winnt\system32\drivers\sptd.sys
+ srescan srescan Zone Labs, LLC c:\winnt\system32\zonelabs\srescan.sys
+ sunkfilt62 c:\winnt\system32\drivers\sunkfilt62.sys
+ tga File not found: C:\WINNT\System32\Drivers\tga.sys
+ vaxscsi SCSI miniport Alcohol Soft Co., Ltd. c:\winnt\system32\drivers\vaxscsi.sys
+ VClone VirtualCloneCD Driver Elaborate Bytes AG c:\winnt\system32\drivers\vclone.sys
+ vsc32 File not found: system32\DRIVERS\vsc.sys
+ vsdatant TrueVector Device Driver Zone Labs, LLC c:\winnt\system32\vsdatant.sys
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
+ msacm.ac3acm AC-3 ACM Decompressor fccHandler c:\winnt\system32\ac3acm.acm
+ msacm.alf2cd NCT ALF2CD Audio CODEC NCT Company c:\winnt\system32\alf2cd.acm
+ msacm.iac2 Indeo® audio software Intel Corporation c:\winnt\system32\iac25_32.ax
+ msacm.l3acm MPEG Layer-3 Audio Codec Kristal Studio c:\winnt\system32\l3codeca.acm
+ msacm.scg726 SHARP G.726 ACM Audio Decoder SHARP Corporation c:\winnt\system32\scg726.acm
+ msacm.sl_anet Audio codec for MS ACM Sipro Lab Telecom Inc. c:\winnt\system32\sl_anet.acm
+ msacm.trspch DSP Group TrueSpeech™ Audio Codec for MSACM V3.50 DSP GROUP, INC. c:\winnt\system32\tssoft32.acm
+ msacm.voxacm160 Voxware Audio Compression Manager Driver Voxware, Inc. c:\winnt\system32\vct3216.acm
+ vidc.444p File not found: C:\Program Files\t@b\0.958\686\tabdec.dll
+ vidc.cvid Cinepak® Codec Radius Inc. c:\winnt\system32\iccvid.dll
+ vidc.DIVX DivX DivX, Inc. c:\winnt\system32\divx.dll
+ vidc.dvsd MainConcept DV Codec MainConcept c:\winnt\system32\mcdvd_32.dll
+ VIDC.FFDS c:\winnt\system32\ff_vfw.dll
+ VIDC.FPS1 Fraps Beepa P/L c:\winnt\system32\frapsvid.dll
+ vidc.iv31 c:\winnt\system32\ir32_32.dll
+ vidc.iv32 c:\winnt\system32\ir32_32.dll
+ vidc.iv50 Intel Indeo® video 5.10 Intel Corporation c:\winnt\system32\ir50_32.dll
+ vidc.mpng File not found: C:\Program Files\t@b\0.958\686\tabdec.dll
+ vidc.mvjp File not found: C:\Program Files\t@b\0.958\686\tabdec.dll
+ vidc.tscc TechSmith Screen Capture Codec TechSmith Corporation c:\winnt\system32\tsccvid.dll
+ vidc.XVID c:\winnt\system32\xvidvfw.dll
+ vidc.yv12 DivX DivX, Inc. c:\winnt\system32\divx.dll
HKLM\Software\Classes\Filter
+ AudioEngineInput c:\program files\steinberg\wavelab\system\plugins\audioengine.dll
+ AudioEngineOutput c:\program files\steinberg\wavelab\system\plugins\audioengine.dll
+ Indeo® video 4.4 Compression Filter Intel Indeo® Video 4.5 Intel Corporation c:\winnt\system32\ir41_32.ax
+ Indeo® video 4.4 Decompression Filter Intel Indeo® Video 4.5 Intel Corporation c:\winnt\system32\ir41_32.ax
+ Sony Acoustic Mirror Sony Acoustic Mirror Sony Pictures Digital Inc. c:\program files\sony\shared plug-ins\audio\sfmirror.dll
+ Sony Amplitude Modulation Sony XFX 3 Plug-In Pack Sony Pictures Digital Inc. c:\program files\sony\shared plug-ins\audio\sfppack3.dll
+ Sony Chorus Sony XFX 1 Plug-In Pack Sony Pictures Digital Inc. c:\program files\sony\shared plug-ins\audio\sfppack1.dll
+ Sony Distortion Sony XFX 3 Plug-In Pack Sony Pictures Digital Inc. c:\program files\sony\shared plug-ins\audio\sfppack3.dll
+ Sony ExpressFX Amplitude Modulation Sony ExpressFX 2 Sony Pictures Digital Inc. c:\program files\sony\shared plug-ins\audio\sfxpfx2.dll
+ Sony ExpressFX Audio Restoration Sony ExpressFX Audio Restoration Sony Pictures Digital Inc. c:\program files\sony\shared plug-ins\audio\xpvinyl.dll
+ Sony ExpressFX Chorus Sony ExpressFX 2 Sony Pictures Digital Inc. c:\program files\sony\shared plug-ins\audio\sfxpfx2.dll
+ Sony ExpressFX Delay Sony ExpressFX 2 Sony Pictures Digital Inc. c:\program files\sony\shared plug-ins\audio\sfxpfx2.dll
+ Sony ExpressFX Distortion Sony ExpressFX 1 Sony Pictures Digital Inc. c:\program files\sony\shared plug-ins\audio\sfxpfx1.dll
+ Sony ExpressFX Dynamics Sony ExpressFX 3 Sony Pictures Digital Inc. c:\program files\sony\shared plug-ins\audio\sfxpfx3.dll
+ Sony ExpressFX Equalization Sony ExpressFX 2 Sony Pictures Digital Inc. c:\program files\sony\shared plug-ins\audio\sfxpfx2.dll
+ Sony ExpressFX Flange/Wah-Wah Sony ExpressFX 1 Sony Pictures Digital Inc. c:\program files\sony\shared plug-ins\audio\sfxpfx1.dll
+ Sony ExpressFX Graphic EQ Sony ExpressFX 3 Sony Pictures Digital Inc. c:\program files\sony\shared plug-ins\audio\sfxpfx3.dll
+ Sony ExpressFX Noise Gate Sony ExpressFX 3 Sony Pictures Digital Inc. c:\program files\sony\shared plug-ins\audio\sfxpfx3.dll
+ Sony ExpressFX Reverb Sony ExpressFX 1 Sony Pictures Digital Inc. c:\program files\sony\shared plug-ins\audio\sfxpfx1.dll
+ Sony ExpressFX Stutter Sony ExpressFX 1 Sony Pictures Digital Inc. c:\program files\sony\shared plug-ins\audio\sfxpfx1.dll
+ Sony ExpressFX Time Stretch Sony ExpressFX 3 Sony Pictures Digital Inc. c:\program files\sony\shared plug-ins\audio\sfxpfx3.dll
+ Sony Flange/Wah-wah Sony XFX 3 Plug-In Pack Sony Pictures Digital Inc. c:\program files\sony\shared plug-ins\audio\sfppack3.dll
+ Sony Gapper/Snipper Sony XFX 3 Plug-In Pack Sony Pictures Digital Inc. c:\program files\sony\shared plug-ins\audio\sfppack3.dll
+ Sony Graphic Dynamics Sony XFX 2 Plug-In Pack Sony Pictures Digital Inc. c:\program files\sony\shared plug-ins\audio\sfppack2.dll
+ Sony Graphic EQ Sony XFX 2 Plug-In Pack Sony Pictures Digital Inc. c:\program files\sony\shared plug-ins\audio\sfppack2.dll
+ Sony MPEG2 TS Splitter Sample Sony Corporation c:\program files\common files\sony digital images\mpeg_ts\tssplt.ax
+ Sony Multi-Band Dynamics Sony XFX 2 Plug-In Pack Sony Pictures Digital Inc. c:\program files\sony\shared plug-ins\audio\sfppack2.dll
+ Sony Multi-Tap Delay Sony XFX 1 Plug-In Pack Sony Pictures Digital Inc. c:\program files\sony\shared plug-ins\audio\sfppack1.dll
+ Sony Noise Gate Sony XFX 2 Plug-In Pack Sony Pictures Digital Inc. c:\program files\sony\shared plug-ins\audio\sfppack2.dll
+ Sony Paragraphic EQ Sony XFX 2 Plug-In Pack Sony Pictures Digital Inc. c:\program files\sony\shared plug-ins\audio\sfppack2.dll
+ Sony Parametric EQ Sony XFX 2 Plug-In Pack Sony Pictures Digital Inc. c:\program files\sony\shared plug-ins\audio\sfppack2.dll
+ Sony Pitch Shift Sony XFX 1 Plug-In Pack Sony Pictures Digital Inc. c:\program files\sony\shared plug-ins\audio\sfppack1.dll
+ Sony Reverb Sony XFX 1 Plug-In Pack Sony Pictures Digital Inc. c:\program files\sony\shared plug-ins\audio\sfppack1.dll
+ Sony Simple Delay Sony XFX 1 Plug-In Pack Sony Pictures Digital Inc. c:\program files\sony\shared plug-ins\audio\sfppack1.dll
+ Sony Smooth/Enhance Sony XFX 3 Plug-In Pack Sony Pictures Digital Inc. c:\program files\sony\shared plug-ins\audio\sfppack3.dll
+ Sony Time Stretch Sony XFX 1 Plug-In Pack Sony Pictures Digital Inc. c:\program files\sony\shared plug-ins\audio\sfppack1.dll
+ Sony Vibrato Sony XFX 3 Plug-In Pack Sony Pictures Digital Inc. c:\program files\sony\shared plug-ins\audio\sfppack3.dll
+ Sony Wave Hammer Sony Wave Hammer Sony Pictures Digital Inc. c:\program files\sony\shared plug-ins\audio\sfhammer.dll
+ Wavelab EQ-1 WaveLab EQ-1 Spectral Design c:\program files\steinberg\wavelab\system\plugins\eq.dll
HKLM\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance
+ ACELP.net Audio Decoder ACELP.net Audio Decoder Sipro Lab Telecom Inc. c:\winnt\system32\acelpdec.ax
+ CyberLink Audio Decoder CyberLink Audio Decoder Filter CyberLink Corp. c:\program files\cyberlink\powerdvd\audiofilter\claud.ax
+ CyberLink Audio Effect (PDVD6) CyberLink Audio Effect Filter CyberLink Corporation c:\program files\cyberlink\powerdvd\audiofilter\claudfx.ax
+ CyberLink Audio Spectrum Analyzer (PDVD6) CLAudSpa.ax CyberLink Corp. c:\program files\cyberlink\powerdvd\audiofilter\claudspa.ax
+ CyberLink AudioCD Filter (PDVD6) CyberLink AudioCD Filter CyberLink Corp. c:\program files\cyberlink\powerdvd\audiofilter\claudiocd.ax
+ CyberLink Demux (PDVD6) MPEG-2 Dempltiplexer CyberLink Corp. c:\program files\cyberlink\powerdvd\navfilter\cldemuxer.ax
+ CyberLink DVD Navigator (PDVD6) CyberLink DVD Navigation Filter CyberLink Corp. c:\program files\cyberlink\powerdvd\navfilter\clnavx.ax
+ CyberLink Line21 Decoder (PDVD6) CyberLink Line21 Decoder Filter CyberLink Corp. c:\program files\cyberlink\powerdvd\videofilter\clline21.ax
+ Cyberlink SubTitle Importor (PDVD6) CLSubTitle.ax CyberLink Corp. c:\program files\cyberlink\powerdvd\videofilter\clsubtitle.ax
+ CyberLink TimeStretch Filter (PDVD6) CLAuTS.ax CyberLink Corp. c:\program files\cyberlink\powerdvd\audiofilter\clauts.ax
+ CyberLink Video/SP Decoder CyberLink Video/SP Filter CyberLink Corp. c:\program files\cyberlink\powerdvd\videofilter\clvsd.ax
+ DivX AAC Decoder AAC Audio Decoder Filter DivX, Inc. c:\program files\divx\divx plus directshow filters\daac.ax
+ DivX Decoder Filter DivX® Decoder Filter DivX, Inc. c:\program files\divx\divx codec\divxdec.ax
+ DivX Demux DivX® Media Filter DivXNetworks c:\program files\divx\divx codec\divxmedia.ax
+ DivX H.264 Decoder DivX H.264 Decoder Filter DivX, Inc. c:\program files\divx\divx plus directshow filters\divxdech264.ax
+ DivX MKV Demux DivX MKV Splitter c:\program files\divx\divx plus directshow filters\dmfsource.ax
+ DivX Subtitle Decoder DivX® Media Filter DivXNetworks c:\program files\divx\divx codec\divxmedia.ax
+ DVD Audio Decoder Audio Decoder Ulead Systems, Inc. c:\program files\common files\ulead systems\mpeg\ulac32.ax
+ ffdshow Audio Decoder DirectShow and VFW video and audio decoding/encoding/processing filter c:\program files\ffdshow\ffdshow.ax
+ ffdshow Audio Processor DirectShow and VFW video and audio decoding/encoding/processing filter c:\program files\ffdshow\ffdshow.ax
+ ffdshow raw video filter DirectShow and VFW video and audio decoding/encoding/processing filter c:\program files\ffdshow\ffdshow.ax
+ ffdshow Video Decoder DirectShow and VFW video and audio decoding/encoding/processing filter c:\program files\ffdshow\ffdshow.ax
+ FinePix Color Filter FinePix Color Filter FUJI PHOTO FILM CO.,LTD. c:\program files\finepixviewer\extensions\helpers\mvfilters\fxcolorft.ax
+ FinePix Rotate Filter FinePix Rotate Filter FUJI PHOTO FILM CO.,LTD. c:\program files\finepixviewer\extensions\helpers\mvfilters\fxrotateft.ax
+ FLV Source FLV Splitter Gabest c:\winnt\system32\flvsplitter.ax
+ flv source filter for swf_toolbox c:\program files\swf & flv toolbox\swf_tbf2.dll
+ FLV Splitter FLV Splitter Gabest c:\winnt\system32\flvsplitter.ax
+ FLV Video Decoder FLV Splitter Gabest c:\winnt\system32\flvsplitter.ax
+ Fujifilm Setup Filter FujifilmSetupFilter FUJI PHOTO FILM CO., LTD. c:\program files\finepixviewer\extensions\helpers\mvfilters\fujifilmsetupfilter.ax
+ Indeo Video ® 5.1 Progressive Download Source Intel Indeo® video IVF Source Filter 5.10 Intel Corporation c:\winnt\system32\ivfsrc.ax
+ Indeo® audio software Indeo® audio software Intel Corporation c:\winnt\system32\iac25_32.ax
+ Indeo® video 5.10 Compression Filter Intel Indeo® video 5.10 Intel Corporation c:\winnt\system32\ir50_32.dll
+ Indeo® video 5.10 Decompression Filter Intel Indeo® video 5.10 Intel Corporation c:\winnt\system32\ir50_32.dll
+ MainConcept MPEG Audio Decoder MPEG Video and Audio Decoder MainConcept AG c:\program files\sony\shared plug-ins\file formats\mcmpeg\mcdsmpeg.ax
+ MainConcept MPEG Encoder MPEG Encoder and Muxer MainConcept AG c:\program files\sony\shared plug-ins\file formats\mcmpeg\mcesmpeg.ax
+ MainConcept MPEG Splitter Mpeg I/II Splitter MainConcept AG c:\program files\sony\shared plug-ins\file formats\mcmpeg\mcspmpeg.ax
+ MainConcept MPEG Video Decoder MPEG Video and Audio Decoder MainConcept AG c:\program files\sony\shared plug-ins\file formats\mcmpeg\mcdsmpeg.ax
+ mp3 encoder (part of Swf Toolbox) c:\program files\swf & flv toolbox\swf_tbf1.dll
+ MPEG Layer-3 Decoder MPEG Layer-3 Audio Decoder Fraunhofer Institut Integrierte Schaltungen IIS c:\winnt\system32\l3codecx.ax
+ ULead File Source (Async.) Ulead Async Filter Ulead Systems c:\program files\common files\ulead systems\mpeg\ulasync.ax
+ ULead Infinite Pin Tee Ulead Infinite Tee Filter Ulead Systems, Inc. c:\program files\common files\ulead systems\mpeg\uinftee.ax
+ Ulead MPEG Audio Decoder MPEG Video and Audio Decoder ULead Systems c:\program files\common files\ulead systems\mpeg\uldsmpeg.ax
+ Ulead MPEG Encoder MPEG Encoder and Muxer ULead Systems c:\program files\common files\ulead systems\mpeg\ulesmpeg.ax
+ Ulead MPEG Muxer MPEG Muxer ULead Systems c:\program files\common files\ulead systems\mpeg\ulmxmpeg.ax
+ Ulead MPEG Splitter ULead Mpeg I/II Splitter ULead Systems c:\program files\common files\ulead systems\mpeg\ulspmpeg.ax
+ Ulead MPEG Video Decoder MPEG Video and Audio Decoder ULead Systems c:\program files\common files\ulead systems\mpeg\uldsmpeg.ax
+ Ulead Video Deinterlace Filter Ulead Video DeInterlace Filter Ulead Systems c:\program files\common files\ulead systems\filters\deinterlace.ax
+ WAV Dest c:\winnt\wavdest.ax
+ XviD MPEG-4 Video Decoder c:\winnt\system32\xvid.ax
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
+ lsdelete c:\winnt\system32\lsdelete.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
+ !SASWinLogon SUPERAntiSpyware WinLogon Processor SUPERAntiSpyware.com c:\program files\superantispyware\saswinlo.dll
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
+ EPSON Stylus Photo R220 Series 2KMonitor5E EPSON Bi-directional Monitor SEIKO EPSON CORPORATION c:\winnt\system32\e_flmaie.dll
+ EPSON Stylus Photo R220 Series 32MonitorBE EPSON Bi-directional Monitor SEIKO EPSON CORPORATION c:\winnt\system32\e_flmaie.dll

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:04:24 PM

Posted 13 August 2009 - 08:00 PM

Hi domehead,

There appear to be missing files on the system, enough problems to seriously hinder any work we can do here.

The good news is there doesn't seem to be any malware left on the PC - there is a possibility that the files have been deleted by the malware, though they could have been deleted by other tools you have already used. If your install has been successful then I can safely say that from the logs you have no malware problem but a lot of system issues.

The Process Explorer shows nothing untoward either. Just a usual showing of multiple processes which normally cause no problems when running together.

The problem therefore slides out of this forum and out of my knowledge area too.

Please post in another Bleeping forum for support in this area.

If after you have solved those issues you are still suspicious then PM me.

m0le
m0le is a proud member of UNITE

#11 domehead

domehead
  • Topic Starter

  • Members
  • 17 posts
  • Local time:05:24 PM

Posted 14 August 2009 - 08:33 PM

OK M0le,

Thanks for trying anyway.

Domehead :thumbup2:

#12 domehead

domehead
  • Topic Starter

  • Members
  • 17 posts
  • Local time:05:24 PM

Posted 17 August 2009 - 10:20 PM

OK, After weeks of pain and hassle, I am daring to think I have this cracked! :)

Instead of just saying 'Yay!' and going on my merry way, I will document here what I have found so that any other poor schmucks like me can get their beloved PCs back on the road. Here goes...

Firstly - I am NOT an expert and I am not part of Bleeping Computer's crew of helpers (I keep trying to sign up for the training to help, but it's always full!) So please don't even try to blame me if you destroy your pc by following anything I suggest.

In my case, my PC is running Windows 2000 Professional with Service Pack 4. BUT - If you have XP, please stay with me, 'cos I may be able to help you, too!

The error I had manifested itself as the system file SERVICES.EXE taking up to 100% of the cpu's power at random intervals for random amounts of time, causing every other process running to grind to a halt.

The first job was to get rid of any malware - the guys here helped with that, but the problem still remained. I considered completely removing Windows, reformatting and reinstalling, but the thought of the hassle and time of reinstalling, configuring etc was really making me sweat.

I had no decent backups of my data or my operating system - If I backed it up now, wouldn't I be backing up whatever problem I had if I didn't know what it was?

The first really useful thing I did was to download Process Explorer
http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx - Genius! With its help I began to understand more about the murky world of MS Services, because THAT is the place where all the trouble occurs.

Once I had witnessed the Service and Controller App (Services.exe) program completely hogging all the cpu, I knew I was getting closer, because the various services that this runs are viewable using this tool. I fooled around, adjusting priorities and suspending it, just to see what would happen.

Then I began to think about the services that it controls - could some of them be unnecessary? A bit of searching led me to the brilliant
http://www.blackviper.com/Articles/OS/OSguides.htm web site - check it out, guys. There are excellent guides to SAFE settings you can make to the Services in several different Windows versions. Hopefully, some of you will have your problem fixed after visiting this site!

I followed the guide for Win2k SP4 and Disabled or set to Manual several of the Services running under Services.exe - Unfortunately, the problem was still there! However, I knew I was close.

While trying to stop, start etc all these services, I remembered there is a tool called Event Viewer
(Start-Settings-Control Panel-Administrative Tools-Event Viewer). There are several Logs in there, all of which are worth looking at for revelations about what has been going on that you never knew about. In my case, the Event Log was the key. There were LOADS of Error entries from the Service Control Manager. With a Right-Click and View Properties, the following message was revealed:

Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.

The messages seemed to line up pretty well with the times that the system-hogging was happening. Best of all, the DNSCache service is controlled by SERVICES.EXE.

Back at Black Viper, I checked again and DNS Client (which is the name of the DNS Cache service) is only found in Windows 2000 Pro (although it may be in XP Pro too), and does not seem to be needed. I had left it alone because he advised that it was ok to do so, but it COULD be disabled - So I did. I rebooted my PC and the first thing I noticed was that the long delay on boot-up at the 'Preparing Network Connections...' screen had gone down to just a few seconds.

It booted up ok and the problem has not recurred since! (Well over 3 hours now!) :)

So that was half of the problem solved - the HOW

What about the WHY?

Well, please stay with me, dear readers, 'cos this bit is where I might be saying something useful for you who are suffering with this problem in XP (Usually in SVCHOSTS.EXE, I think). Please remember I am not a qualified techy and could be wrong!

Question: Do you have Spybot Search & Destroy installed, or have you ever had it installed? I think most of you will say Yes. Well, Spybot S&D allows you to protect your system from malicious web sites by stashing a list of them in your Hosts file, with their IP Address set to 127.0.0.1 (Tools-Hosts File-Add Spybot S&D hosts list) - Hmmm, I need to explain this a bit so it makes sense:

Everywhere on the Internet is reached by using its unique IP Address. We see the name, like www.bbc.co.uk, but the computer uses the IP address number to actually make the connection. This is what DNS Resolution means; resolving the address from the given name. One of the ways of doing this is provided by using a file called hosts (Located in C:\WINNT\system32\drivers\etc in Windows 2000) which contains a list of names of web sites, with their corresponding IP addresses. Any sensible DNS Resolution program would quickly check this file to see if it could locate the required address without having to send a query to the DNS servers on the internet.

The clever chaps at Spybot S&D realised that if they put in the names of all the nasty web sites they could find and make all of them resolve to the default address of 127.0.0.1, then links to those sites would fail to get there!
Here is an example of some hosts file entries:-

127.0.0.1 localhost # This needs to be here as the first entry. It refers to your own pc
212.58.224.138 www.bbc.co.uk # An example of a good safe site. A real address
127.0.0.1 nastystuffhere.com # Requests to go to Bad boys like this are pointed back to -
127.0.0.1 anothernastysite.com # - your own pc, so the links to these sites fail
etc...

There are THOUSANDS of entries in the file if you have added Spybot's hosts list to your hosts file and this seems to be the cause of the problem: The DNS Client Service gets bogged down in repeated calls that force it to go through the enlarged hosts file before it goes out to the internet. This is the WHY? part. :cool:

The only thing left now is to say that you could probably also solve this problem by editing out all the extra entries in hosts. However, it seemed to me that stopping the DNS Client sorted everything out and leaves me with the protection of the hosts file intact and one less process running!

I did a little more checking and found this http://accs-net.com/hosts/faq.html#19 which is excellent - Spybot S&D knew about this ages ago - I wish I had been able to find it earlier! There is also a link to it in their help system within the program itself - heh.

Hopefully, some of you guys will find this helpful. Sorry it was so long, but there is a lot here to take in. If BC wishes to use any part of it to help others, please feel free to do what you want with it.

Cheers

Domehead :thumbup2:
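
The hosts-file lookup that the post above describes, as an added example (not code from the thread, from Spybot S&D or from Windows): a parser for the "<ip> <name> # comment" format shown in the post, a top-to-bottom first-match resolver, an indexed equivalent, and a count of how many names are sent to a loopback sink versus a real address. The sample hosts content, its host names and the 212.58.224.138 address are constructed for illustration; point parse_hosts at the text of C:\WINNT\system32\drivers\etc\hosts to run it against a real file.

```python
"""Parse a Windows hosts file and resolve names against it the way the
post describes: first matching line wins, '#' starts a comment, one IP
may carry several names.  Added example; sample content is constructed."""
import ipaddress

# Constructed sample in the format shown in the post.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
212.58.224.138  www.bbc.co.uk           # constructed: a real site with a real address
127.0.0.1       nastystuffhere.com      # constructed: sinkholed to your own PC
127.0.0.1       anothernastysite.com    # constructed
127.0.0.1       ads.example   tracker.example   # several names on one line
0.0.0.0         blackhole.example       # another sink address some block lists use
"""

# Addresses that a block list uses to make a lookup fail on purpose.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return (ip, hostname) pairs in file order.

    Comments start at '#', blank lines are skipped, every name after the
    address on a line gets its own entry, and a line whose first field is
    not a valid IP address is ignored rather than guessed at."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        ip = fields[0]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((ip, name.lower()))
    return entries


def resolve_linear(entries, name):
    """Scan the list top to bottom; the first match wins and a miss costs
    one comparison per entry.  With thousands of block-list lines, every
    lookup pays for the whole file, which is the slowdown the post blames."""
    name = name.lower()
    for ip, host in entries:
        if host == name:
            return ip
    return None


def build_index(entries):
    """One pass over the file, then O(1) lookups.  The first entry for a
    name is kept so the answers match resolve_linear exactly."""
    index = {}
    for ip, host in entries:
        index.setdefault(host, ip)
    return index


def is_sinkholed(ip):
    """True when the address sends the request back to the local machine."""
    return ip in SINK_ADDRESSES


def summarize(entries):
    """Count sinkholed versus real entries; a Spybot-style list makes the
    sinkholed count run into the thousands."""
    counts = {"sinkholed": 0, "real": 0}
    for ip, _ in entries:
        counts["sinkholed" if is_sinkholed(ip) else "real"] += 1
    return counts


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    index = build_index(entries)
    for name in ("www.bbc.co.uk", "NastyStuffHere.com", "tracker.example", "missing.example"):
        ip = resolve_linear(entries, name)
        if ip is None:
            status = "not in hosts, query goes out to DNS"
        else:
            status = "sinkholed" if is_sinkholed(ip) else "real address"
        print(f"{name:22} -> {str(ip):16} {status}")
    print(summarize(entries))
```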

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:04:24 PM

Posted 19 August 2009 - 01:05 PM

Hey, glad to see that you have sorted out the services issue, domehead.

Thanks for the excellent read. Thanks also for the link to Black Viper - that looks a great site.

m0le
m0le is a proud member of UNITE

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:04:24 PM

Posted 23 August 2009 - 06:20 AM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :thumbup2:

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE
