Computer Running Slow - Trafficswarm


19 replies to this topic

#1 rapla

Posted 14 November 2005 - 07:32 PM

Hi,
I had a topic in Web Browsing, and it was suggested that I post a HijackThis log here as my computer is still running slow.


This was my last message from Leurgy:
If your computer is still slow your best option right now is to submit a HiJack This Log for our team to review. See Preparation Guide For Use Before Posting A Hijackthis Log, Instructions for receiving help in cleaning your computer.

Here is my log, and I confirm that I have deleted temp int. files etc. and done a scan with Adaware before getting the log.


Logfile of HijackThis v1.99.1
Scan saved at 00:29:14, on 15/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\twain_32\S6U12BX\WATCH.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Sean Senior\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trafficswarm.com/cgi-bin/swarm....5bff8770fc4c48a
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.netpede.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: dlexpertclick Class - {A6927151-F5B4-11D4-AE7A-00D00925CF52} - C:\PROGRA~1\DLExpert\dll\iehelper.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [SUPASTATUS] C:\Program Files\Internet Explorer\Connection Wizard\status.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\S6U12BX\WATCH.exe
O4 - Global Startup: abcHood Pager 1.0.lnk = C:\Program Files\Bridgewell\Page abc\abcpager\abcpager.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download by DLExpert (Faster) - C:\Program Files\DLExpert\get.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download &All by DLExpert (Faster) - C:\Program Files\DLExpert\getall.htm
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: DLExpert - {4AB89EA8-E2B8-11d4-AE71-00D00925CF52} - C:\Program Files\DLExpert\DLExpert.exe
O9 - Extra 'Tools' menuitem: &DLExpert - {4AB89EA8-E2B8-11d4-AE71-00D00925CF52} - C:\Program Files\DLExpert\DLExpert.exe
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.timesupport.com
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxresearch.com/Preloader.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1123799430603
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1123802204328
O17 - HKLM\System\CCS\Services\Tcpip\..\{30099643-13B0-4E6C-B9E5-7CAC7E439B6E}: NameServer = 159.134.237.6 159.134.248.17
O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe

Hope you can advise further
regards,
Rapla


#2 Guest_Cretemonster_*

Posted 19 November 2005 - 10:25 AM

Hi rapla and Welcome to the Bleeping Computer!


Download WinPFind:
http://www.bleepingcomputer.com/files/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet!

Reboot into SAFE MODE (tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

From the WinPFind folder -> double-click WinPFind.exe and click "Start Scan"

It will scan the entire System, so please be patient

Once you see "Scan Complete" -> a log (WinPFind.txt) will be automatically generated in the WinPFind folder


Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab

Make Sure "Normal Startup-load all device drivers and services" has a green tick by it

Click Apply>>Close>>Follow the Prompts to Restart


Restart back in Normal Mode and Please download Rootkit Revealer (link is at the very bottom of the page)
  • Unzip it to your desktop.
  • Open the rootkitrevealer folder and double-click rootkitrevealer.exe
  • Click the Scan button (bottom right)
  • It may take a while to scan (don't do anything while it's running)
  • When it's done, go up to File > Save. Choose to save it to your desktop.
  • Save it as RKR.log
  • Open RKR.log on your desktop and copy the entire contents and paste them here
Post back with a fresh HijackThis log and the reports from WinPFind and RootKitRevealer

#3 rapla

Posted 19 November 2005 - 08:13 PM

Hi and thanks for your help !!

First WinPfind report

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 21/12/1999 07:58:02 21312 C:\WINDOWS\choice.exe

Checking %System% folder...
PECompact2 02/11/2005 05:34:18 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 02/11/2005 05:34:18 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 23/09/2005 11:25:22 63224 C:\WINDOWS\SYSTEM32\vmplay.dll
PEC2 18/08/2001 13:00:00 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
Umonitor 04/08/2004 08:56:44 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
aspack 04/08/2004 08:56:36 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
winsync 18/08/2001 13:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
UPX! 12/11/2005 14:59:18 473600 C:\WINDOWS\SYSTEM32\aswBoot.exe
PTech 03/08/2005 10:33:42 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL

Checking %System%\Drivers folder and sub-folders...
PTech 04/08/2004 06:41:38 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
20/11/2005 00:31:32 S 2048 C:\WINDOWS\bootstat.dat
23/10/2005 14:45:20 H 4 C:\WINDOWS\a3kebook.ini
23/10/2005 14:45:20 H 20 C:\WINDOWS\akebook.ini
20/11/2005 00:30:28 H 1093632 C:\WINDOWS\system32\config\system.LOG
20/11/2005 00:30:28 H 61440 C:\WINDOWS\system32\config\software.LOG
20/11/2005 00:30:28 H 8192 C:\WINDOWS\system32\config\default.LOG
20/11/2005 00:31:42 H 1024 C:\WINDOWS\system32\config\SAM.LOG
20/11/2005 00:31:34 H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
10/11/2005 14:01:10 H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
13/11/2005 00:07:58 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
13/11/2005 00:07:58 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\0659dc07-36ce-42df-847c-2dbad45739d5
28/09/2005 11:53:30 S 17402 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB900725.cat
05/10/2005 02:17:40 S 21737 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896688.cat
05/10/2005 20:33:38 S 12849 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896424.cat
20/11/2005 00:30:26 H 6 C:\WINDOWS\Tasks\SA.DAT
18/10/2005 21:53:40 RH 0 C:\WINDOWS\ShellNew\MSCREATE.DIR
13/10/2005 13:18:54 H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\81830fade50434252c160da6e86e315c\BIT8.tmp

Checking for CPL files...
Microsoft Corporation 04/08/2004 08:56:58 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 04/08/2004 08:56:58 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 04/08/2004 08:56:58 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 04/08/2004 08:56:58 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 04/08/2004 08:56:58 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 04/08/2004 08:56:58 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 04/08/2004 08:56:58 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 18/08/2001 13:00:00 187904 C:\WINDOWS\SYSTEM32\main.cpl
09/12/1996 22528 C:\WINDOWS\SYSTEM32\FINDFAST.CPL
Microsoft Corporation 18/08/2001 13:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 04/08/2004 08:56:58 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 04/08/2004 08:56:58 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Sun Microsystems, Inc. 26/08/2005 18:14:42 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 18/08/2001 13:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 04/08/2004 08:56:58 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Realtek Semiconductor Corp. 01/04/2003 09:47:50 R 6652928 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 04/08/2004 08:56:58 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 04/08/2004 08:56:58 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 04/08/2004 08:56:58 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 04/08/2004 08:56:58 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 04/08/2004 08:56:58 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 04/08/2004 08:56:58 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 04/08/2004 08:56:58 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 04/08/2004 08:56:58 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 26/05/2005 04:16:30 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 18/08/2001 13:00:00 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 18/08/2001 13:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 18/08/2001 13:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
25/02/2005 17:30:18 877 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\abcHood Pager 1.0.lnk
03/11/2005 18:56:22 1668 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
18/04/2002 20:12:52 HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
30/08/2005 00:24:08 804 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check 2.lnk
18/02/2005 17:30:42 642 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Watch.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
18/04/2002 20:05:28 HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
18/04/2002 20:12:52 HS 84 C:\Documents and Settings\Sean Senior\Start Menu\Programs\Startup\desktop.ini
18/10/2005 22:09:42 647 C:\Documents and Settings\Sean Senior\Start Menu\Programs\Startup\Office Startup.lnk

Checking files in %USERPROFILE%\Application Data folder...
03/11/2005 16:12:52 875 C:\Documents and Settings\Sean Senior\Application Data\AdobeDLM.log
18/04/2002 20:05:28 HS 62 C:\Documents and Settings\Sean Senior\Application Data\desktop.ini
03/11/2005 16:12:52 0 C:\Documents and Settings\Sean Senior\Application Data\dm.ini
16/10/2005 21:41:12 39 C:\Documents and Settings\Sean Senior\Application Data\sversion.ini

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ASW
{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A} = C:\Program Files\Agnitum\Outpost Firewall\op_shell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\avast
{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ASW
{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A} = C:\Program Files\Agnitum\Outpost Firewall\op_shell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\avast
{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ASW
{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A} = C:\Program Files\Agnitum\Outpost Firewall\op_shell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{724d43a9-0d85-11d4-9908-00400523e39a}
= C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A6927151-F5B4-11D4-AE7A-00D00925CF52}
dlexpertclick Class = C:\PROGRA~1\DLExpert\dll\iehelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{724d43a0-0d85-11d4-9908-00400523e39a} = &RoboForm : C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{320AF880-6646-11D3-ABEE-C5DBF3571F46}
ButtonText = Fill Forms :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{320AF880-6646-11D3-ABEE-C5DBF3571F49}
ButtonText = Save :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{44627E97-789B-40d4-B5C2-58BD171129A1}
ButtonText = Outpost Firewall Pro Quick Tune :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{4AB89EA8-E2B8-11d4-AE71-00D00925CF52}
ButtonText = DLExpert : C:\Program Files\DLExpert\DLExpert.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{724d43aa-0d85-11d4-9908-00400523e39a}
ButtonText = RoboForm :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{724D43A0-0D85-11D4-9908-00400523E39A} = &RoboForm : C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SUPASTATUS C:\Program Files\Internet Explorer\Connection Wizard\status.exe
VTTimer VTTimer.exe
SoundMan SOUNDMAN.EXE
LXSUPMON C:\WINDOWS\System32\LXSUPMON.EXE RUN
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
Outpost Firewall C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
OutpostFeedBack C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
avast! C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
FinePrint Dispatcher v5 "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
RoboForm "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs C:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll


Scan Complete
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 20/11/2005 00:38:21



Second - HijackThis Log

Logfile of HijackThis v1.99.1
Scan saved at 00:52:45, on 20/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\twain_32\S6U12BX\WATCH.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Documents and Settings\Sean Senior\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trafficswarm.com/cgi-bin/swarm....5bff8770fc4c48a
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.netpede.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: dlexpertclick Class - {A6927151-F5B4-11D4-AE7A-00D00925CF52} - C:\PROGRA~1\DLExpert\dll\iehelper.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [SUPASTATUS] C:\Program Files\Internet Explorer\Connection Wizard\status.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\S6U12BX\WATCH.exe
O4 - Global Startup: abcHood Pager 1.0.lnk = C:\Program Files\Bridgewell\Page abc\abcpager\abcpager.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download by DLExpert (Faster) - C:\Program Files\DLExpert\get.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download &All by DLExpert (Faster) - C:\Program Files\DLExpert\getall.htm
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: DLExpert - {4AB89EA8-E2B8-11d4-AE71-00D00925CF52} - C:\Program Files\DLExpert\DLExpert.exe
O9 - Extra 'Tools' menuitem: &DLExpert - {4AB89EA8-E2B8-11d4-AE71-00D00925CF52} - C:\Program Files\DLExpert\DLExpert.exe
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.timesupport.com
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxresearch.com/Preloader.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1123799430603
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1123802204328
O17 - HKLM\System\CCS\Services\Tcpip\..\{30099643-13B0-4E6C-B9E5-7CAC7E439B6E}: NameServer = 159.134.237.6 159.134.248.17
O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe



Thirdly RkR report
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed 19/11/2005 23:53 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful 19/11/2005 23:53 4 bytes Data mismatch between Windows API and raw hive data.


I did have a problem saving the log details for RKR as follows:-

When I click on file-save the save window pops up with system32 selected in the window. When I click on the arrow to change this to "desktop"
the following warning window pops up :-

system32
X
C:\Documents and Settings\LocalService\Desktop refers to a location that is unavailable. It could be on a hard drive on this computer, or on a network.
Check to make sure that the disc is properly inserted, or that you have connected to the Internet or your network, and then try again. If it still cannot be
located, the information might have been moved to a different location.
OK
After I click OK the desktop window appears in the box but when I click SAVE and go to the desktop there is no evidence of the file.

Hope all this helps,
Rapla

#4 Guest_Cretemonster_*

Posted 20 November 2005 - 05:55 AM

Had to do a good bit of research on some of the entries from the WinPFind log.

Let me try to explain what I found.

C:\WINDOWS\SYSTEM32\vmplay.dll

This appears to be associated with a nasty sort of dialer, see the link below
http://securityresponse.symantec.com/avcen....adultchat.html


C:\WINDOWS\a3kebook.ini
and
C:\WINDOWS\akebook.ini

The akebook.ini file is installed and used by keylogger Probot.
http://logiguard.com/spyware/p/probot.htm

Some keyloggers are installed intentionally, so I need you to clarify whether you did or didn't install Probot.


O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\S6U12BX\WATCH.exe
and
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Watch.lnk

Seems this is associated with NetZip and isn't really clarified as to being good or bad, here is an interesting link
http://www3.ca.com/securityadvisor/pest/pe...px?id=453094110



So let's put our heads together and see what we want to keep and what should go?


The dialer I mentioned, unless you installed it, needs to go!

The Keylogger and Netzip are pending your reply!


Let me know what ya come up with and we will go from there.

#5 rapla

Posted 20 November 2005 - 11:10 AM

Hi again,
Taking things from the top

The nasty dialler thing needs to go.
The akebook file is unknown to me, as is Probot, so maybe this should also go.
Netzip is also unknown to me and should also go.

What is the worst scenario if all these problems are deleted?
If it is not going to have any major impact on the computer then I think they should all go.

Thanks for taking the trouble to look into these problems for me I do appreciate it.
Regards,
Rapla

#6 Guest_Cretemonster_*

Posted 20 November 2005 - 11:43 AM

OK, this will take some searching on your part.

Go to Add\Remove Programs and search for anything that would relate to

Netzip
Netscape Download Accelerator
Probot


Remove any traces found.


Make sure Windows is Showing Hidden Files
http://www.bleepingcomputer.com/tutorials/...al62.html#winxp


Locate and Delete any of these found

C:\WINDOWS\adult_chat.exe <- File

C:\WINDOWS\a3kebook.ini <- File

C:\WINDOWS\akebook.ini <- File

C:\WINDOWS\SYSTEM32\vmplay.dll <- File

C:\WINDOWS\SYSTEM32\npnzdad.exe <- File

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Watch.lnk

C:\WINDOWS\twain_32\S6U12BX <- Folder

C:\program files\pinfo <- Folder

C:\program files\hbt <- Folder

C:\program files\nog <- Folder

C:\program files\nethunter group <- Folder

C:\program files\common files\netzip download demon <- Folder


Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trafficswarm.com/cgi-bin/swarm....5bff8770fc4c48a

O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\S6U12BX\WATCH.exe

O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxresearch.com/Preloader.dll

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button


Last, let's get a hefty Reg Cleaner and move out all dead registry entries

RegSupreme Pro
http://majorgeeks.com/RegSupreme_Pro_d4256.html

Once downloaded and launched, Click Yes to Update the Cache -> Click "Registry Cleaner" -> Click "Aggressive" and "Start" -> Fix everything it finds -> Name the Backup it creates and Save it somewhere safe


After all this, have the PC scanned here
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work

Save the Report it generates

Post back with a fresh HijackThis log and the report from Panda
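
The entries and files named in the posts above can be picked out of a HijackThis log mechanically. The following is an added example, not part of the original thread and not HijackThis code: a small Python parser for the log format with a watchlist built only from the names the helper lists; the function names, the watchlist structure and the reason strings are assumptions for illustration.

```python
import re
from typing import NamedTuple

# Lines copied from the HijackThis log posted in this thread
# (the elided start-page URL is kept exactly as posted).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\twain_32\S6U12BX\WATCH.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trafficswarm.com/cgi-bin/swarm....5bff8770fc4c48a
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\S6U12BX\WATCH.exe
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxresearch.com/Preloader.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll
"""

# HijackThis entry lines look like "<section> - <detail>", e.g. "O4 - ...".
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2})\s+-\s+(.*)$")

# Watchlist (assumed structure): lowercase substrings taken from the helper's
# posts in this thread, each with the reason given there.
WATCHLIST = [
    ("trafficswarm.com", "start page entry listed for Fix Checked"),
    (r"\twain_32\s6u12bx", "Watch.lnk / WATCH.exe, associated with NetZip"),
    ("survey.otxresearch.com/preloader.dll", "DPF entry listed for Fix Checked"),
    ("vmplay.dll", "associated with a dialer"),
    ("adult_chat.exe", "file listed for deletion"),
    ("npnzdad.exe", "file listed for deletion"),
    ("a3kebook.ini", "file listed for deletion"),
    ("akebook.ini", "used by the Probot keylogger"),
]


class Entry(NamedTuple):
    section: str   # e.g. "R0", "O4", "O16"
    detail: str    # everything after "<section> - "


class Finding(NamedTuple):
    section: str   # log section, or "process" for a running process
    line: str
    reason: str


def parse_log(text):
    """Split a HijackThis log into running-process paths and section entries."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False
            entries.append(Entry(match.group(1), match.group(2)))
        elif line.lower().startswith("running processes"):
            in_processes = True
        elif in_processes and line:
            processes.append(line)
        elif not line:
            # A blank line ends the process list.
            in_processes = False
    return processes, entries


def triage(text):
    """Return every process or entry that matches the watchlist."""
    processes, entries = parse_log(text)
    candidates = [("process", p) for p in processes]
    candidates += [(e.section, e.detail) for e in entries]
    findings = []
    for section, detail in candidates:
        lowered = detail.lower()
        for needle, reason in WATCHLIST:
            if needle in lowered:
                findings.append(Finding(section, detail, reason))
                break
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding.section}] {finding.line}\n    -> {finding.reason}")
```

Running the same function over a fresh log after the Fix Checked step shows at a glance whether any of the listed entries came back.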

#7 rapla

Posted 20 November 2005 - 07:34 PM

Hello again,
1/ I did a thorough search as far as I knew how but could not find anything for the following
Netzip
Netscape Download Accelerator
Probot
2/ Carried out instructions to make sure windows show hidden files
3/ Located and deleted the following
C:\WINDOWS\a3kebook.ini <- File

C:\WINDOWS\akebook.ini <- File

C:\WINDOWS\SYSTEM32\vmplay.dll <- File

C:\WINDOWS\twain_32\S6U12BX <- Folder

I could not find any of the others listed

I then opened HijackThis but could not find the following:-

O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\S6U12BX\WATCH.exe

I fixed the remaining 2 items

I ran Reg Supreme and here is the report

Windows Registry Editor Version 5.00

; File created by TBackupTool
; Component version: 1.4
; Component used by: RegSupreme Pro
; Program version: 1.2
; File Description: First RegSupreme Backup
; Date: 20.11.2005
; Time: 22:21:53


[HKEY_CLASSES_ROOT\AcroAccess.AcroAccess\CLSID\]
@="{C523F39F-9C83-11D3-9094-00104BD0D535}"

[HKEY_CLASSES_ROOT\AcroAccess.AcroAccess\CurVer\]
@="AcroAccess.AcroAccess.1"

[HKEY_CLASSES_ROOT\AcroAccess.AcroAccess\]
@="AcroAccess Class"

[HKEY_CLASSES_ROOT\AcroAccess.AcroAccess.1\CLSID\]
@="{C523F39F-9C83-11D3-9094-00104BD0D535}"

[HKEY_CLASSES_ROOT\AcroAccess.AcroAccess.1\]
@="AcroAccess Class"

[HKEY_CLASSES_ROOT\AcroAccess.AcrobatAccess\CLSID\]
@="{C523F39F-9C83-11D3-9094-00104BD0D535}"

[HKEY_CLASSES_ROOT\AcroAccess.AcrobatAccess\CurVer\]
@="AcroAccess.AcrobatAccess.1"

[HKEY_CLASSES_ROOT\AcroAccess.AcrobatAccess\]
@="AcrobatAccess Class"

[HKEY_CLASSES_ROOT\AcroAccess.AcrobatAccess.1\CLSID\]
@="{C523F39F-9C83-11D3-9094-00104BD0D535}"

[HKEY_CLASSES_ROOT\AcroAccess.AcrobatAccess.1\]
@="AcrobatAccess Class"

[HKEY_CLASSES_ROOT\Applications\WINWORD.EXE\TaskbarExceptionsIcons\explorer.exe,16]
@="%ProgramFiles%\\Microsoft Office\\Office10\\OUTLOOK.EXE"

[HKEY_CLASSES_ROOT\CLSID\{6BC09692-0CE6-11D1-BAAE-00C04FC2E20D}\InprocServer32\]
@="C:\\WINDOWS\\System32\\iasrecst.dll"
"ThreadingModel"="Free"

[HKEY_CLASSES_ROOT\CLSID\{6BC09692-0CE6-11D1-BAAE-00C04FC2E20D}\]
@="IAS Attribute Dictionary"
"AppID"="{A5CEB593-CCC3-486B-AB91-9C5C5ED4C9E1}"

[HKEY_CLASSES_ROOT\CLSID\{6BC09693-0CE6-11D1-BAAE-00C04FC2E20D}\InprocServer32\]
@="C:\\WINDOWS\\System32\\iasrecst.dll"
"ThreadingModel"="Free"

[HKEY_CLASSES_ROOT\CLSID\{6BC09693-0CE6-11D1-BAAE-00C04FC2E20D}\]
@="IAS Netsh Jet Helper"
"AppID"="{A5CEB593-CCC3-486B-AB91-9C5C5ED4C9E1}"

[HKEY_CLASSES_ROOT\CLSID\{98D9A6F1-4696-4B5E-A2E8-36B3F9C1E12C}\LocalServer32\]
@="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AcroRd32Info.exe\" /PDFShell"

[HKEY_CLASSES_ROOT\CLSID\{98D9A6F1-4696-4B5E-A2E8-36B3F9C1E12C}\ProgID\]
@="PDFShellServer.PDFShellInfo.1"

[HKEY_CLASSES_ROOT\CLSID\{98D9A6F1-4696-4B5E-A2E8-36B3F9C1E12C}\TypeLib\]
@="{41C5FFFE-36DD-415D-9ED0-2976A342A1C8}"

[HKEY_CLASSES_ROOT\CLSID\{98D9A6F1-4696-4B5E-A2E8-36B3F9C1E12C}\VersionIndependentProgID\]
@="PDFShellServer.PDFShellInfo"

[HKEY_CLASSES_ROOT\CLSID\{98D9A6F1-4696-4B5E-A2E8-36B3F9C1E12C}\]
"AppID"="{A5090E95-F1E2-41C8-BDA1-5AEB6C321FDE}"
@="PDFShellInfo Class"

[HKEY_CLASSES_ROOT\CLSID\{B5DD9A64-5C4B-4a48-BE56-97C1A8F85708}\Control\]

[HKEY_CLASSES_ROOT\CLSID\{B5DD9A64-5C4B-4a48-BE56-97C1A8F85708}\InprocServer32\]
@="C:\\WINDOWS\\system32\\vmplay.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{B5DD9A64-5C4B-4a48-BE56-97C1A8F85708}\Insertable\]

[HKEY_CLASSES_ROOT\CLSID\{B5DD9A64-5C4B-4a48-BE56-97C1A8F85708}\MiscStatus\1\]
@="131473"

[HKEY_CLASSES_ROOT\CLSID\{B5DD9A64-5C4B-4a48-BE56-97C1A8F85708}\MiscStatus\]
@="0"

[HKEY_CLASSES_ROOT\CLSID\{B5DD9A64-5C4B-4a48-BE56-97C1A8F85708}\ProgID\]
@="FastVideoPlayerLite.FastVideoPlayerLiteCtrl.1"

[HKEY_CLASSES_ROOT\CLSID\{B5DD9A64-5C4B-4a48-BE56-97C1A8F85708}\Programmable\]

[HKEY_CLASSES_ROOT\CLSID\{B5DD9A64-5C4B-4a48-BE56-97C1A8F85708}\ToolboxBitmap32\]
@="C:\\WINDOWS\\system32\\vmplay.dll, 101"

[HKEY_CLASSES_ROOT\CLSID\{B5DD9A64-5C4B-4a48-BE56-97C1A8F85708}\TypeLib\]
@="{022850CB-74FD-486d-8B1C-573ECFD599AD}"

[HKEY_CLASSES_ROOT\CLSID\{B5DD9A64-5C4B-4a48-BE56-97C1A8F85708}\Version\]
@="1.0"

[HKEY_CLASSES_ROOT\CLSID\{B5DD9A64-5C4B-4a48-BE56-97C1A8F85708}\VersionIndependentProgID\]
@="FastVideoPlayerLite.FastVideoPlayerLiteCtrl"

[HKEY_CLASSES_ROOT\CLSID\{B5DD9A64-5C4B-4a48-BE56-97C1A8F85708}\]
@="FastVideoPlayerLiteCtrl Class"

[HKEY_CLASSES_ROOT\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32\]
@="C:\\WINDOWS\\System32\\oleacc.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\TypeLib\]
@="{54559DA5-7D94-42C6-B8F1-E3910737BBF1}"

[HKEY_CLASSES_ROOT\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\]
@="MSAA AccPropServices"
"AppID"="{667524BE-9EC0-4196-91C9-C6ED1F7A899D}"

[HKEY_CLASSES_ROOT\CLSID\{C523F39F-9C83-11D3-9094-00104BD0D535}\InprocServer32\]
@="C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\plug_ins\\Accessibility.api"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{C523F39F-9C83-11D3-9094-00104BD0D535}\LocalServer32\]
@="blank"

[HKEY_CLASSES_ROOT\CLSID\{C523F39F-9C83-11D3-9094-00104BD0D535}\ProgID\]
@="AcroAccess.AcrobatAccess.1"

[HKEY_CLASSES_ROOT\CLSID\{C523F39F-9C83-11D3-9094-00104BD0D535}\Programmable\]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C523F39F-9C83-11D3-9094-00104BD0D535}\TypeLib\]
@="{C523F390-9C83-11D3-9094-00104BD0D535}"

[HKEY_CLASSES_ROOT\CLSID\{C523F39F-9C83-11D3-9094-00104BD0D535}\VersionIndependentProgID\]
@="AcroAccess.AcrobatAccess"

[HKEY_CLASSES_ROOT\CLSID\{C523F39F-9C83-11D3-9094-00104BD0D535}\]
@="AcrobatAccess Class"
"AppID"="{8A523F4F-AB44-4477-BAB0-151E5936D144}"

[HKEY_CLASSES_ROOT\CLSID\{FFD709F0-AF39-11D2-B854-0000F81E8872}\Control\]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FFD709F0-AF39-11D2-B854-0000F81E8872}\Implemented Categories\{BE0975F0-BBDD-11CF-97DF-00AA001F73C1}\]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FFD709F0-AF39-11D2-B854-0000F81E8872}\Implemented Categories\]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FFD709F0-AF39-11D2-B854-0000F81E8872}\InprocServer32\]
@="msjava.dll"
"ThreadingModel"="Both"
"JavaClass"="com.ms.wfc.html.DhComponentWrapper$DhInnerSafeControl"

[HKEY_CLASSES_ROOT\CLSID\{FFD709F0-AF39-11D2-B854-0000F81E8872}\]
@="Java Class: com.ms.wfc.html.DhComponentWrapper$DhInnerSafeControl"
"AppID"="{FFD709F0-AF39-11D2-B854-0000F81E8872}"

[HKEY_CLASSES_ROOT\com.sun.star.ServiceManager\CLSID\]

[HKEY_CLASSES_ROOT\com.sun.star.ServiceManager\CurVer\]

[HKEY_CLASSES_ROOT\com.sun.star.ServiceManager\]

[HKEY_CLASSES_ROOT\com.sun.star.ServiceManager.1\CLSID\]

[HKEY_CLASSES_ROOT\com.sun.star.ServiceManager.1\]

[HKEY_CLASSES_ROOT\FastVideoPlayerLite.FastVideoPlayerLiteCtrl\CLSID\]
@="{B5DD9A64-5C4B-4a48-BE56-97C1A8F85708}"

[HKEY_CLASSES_ROOT\FastVideoPlayerLite.FastVideoPlayerLiteCtrl\CurVer\]
@="FastVideoPlayerLite.FastVideoPlayerLiteCtrl.1"

[HKEY_CLASSES_ROOT\FastVideoPlayerLite.FastVideoPlayerLiteCtrl\]
@="FastVideoPlayerLiteCtrl Class"

[HKEY_CLASSES_ROOT\FastVideoPlayerLite.FastVideoPlayerLiteCtrl.1\CLSID\]
@="{B5DD9A64-5C4B-4a48-BE56-97C1A8F85708}"

[HKEY_CLASSES_ROOT\FastVideoPlayerLite.FastVideoPlayerLiteCtrl.1\Insertable\]

[HKEY_CLASSES_ROOT\FastVideoPlayerLite.FastVideoPlayerLiteCtrl.1\]
@="FastVideoPlayerLiteCtrl Class"

[HKEY_CLASSES_ROOT\Installer\Products\9EC9653600AFC964FAC55E4D9DA3FC19\SourceList]
"LastUsedSource"="n;1;C:\\DOCUME~1\\SEANSE~1\\LOCALS~1\\Temp\\IXP000.TMP\\"

[HKEY_CLASSES_ROOT\Installer\Products\9EC9653600AFC964FAC55E4D9DA3FC19\SourceList\Net]
"1"="C:\\DOCUME~1\\SEANSE~1\\LOCALS~1\\Temp\\IXP000.TMP\\"

[HKEY_CLASSES_ROOT\Interface\{044E4D81-136A-101C-99A2-86B9AD896A58}\ProxyStubClsid\]
@="{00020420-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{044E4D81-136A-101C-99A2-86B9AD896A58}\ProxyStubClsid32\]
@="{00020420-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{044E4D81-136A-101C-99A2-86B9AD896A58}\TypeLib\]
@="{044E4D83-136A-101C-99A2-86B9AD896A58}"
"Version"="4.0"

[HKEY_CLASSES_ROOT\Interface\{044E4D81-136A-101C-99A2-86B9AD896A58}\]
@="_DFxsnd32"

[HKEY_CLASSES_ROOT\Interface\{044E4D82-136A-101C-99A2-86B9AD896A58}\ProxyStubClsid\]
@="{00020420-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{044E4D82-136A-101C-99A2-86B9AD896A58}\ProxyStubClsid32\]
@="{00020420-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{044E4D82-136A-101C-99A2-86B9AD896A58}\TypeLib\]
@="{044E4D83-136A-101C-99A2-86B9AD896A58}"
"Version"="4.0"

[HKEY_CLASSES_ROOT\Interface\{044E4D82-136A-101C-99A2-86B9AD896A58}\]
@="_DFxsnd32Events"

[HKEY_CLASSES_ROOT\Interface\{099944FB-BCDA-453E-8C41-E13DA2ADF7F3}\ProxyStubClsid\]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{099944FB-BCDA-453E-8C41-E13DA2ADF7F3}\ProxyStubClsid32\]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{099944FB-BCDA-453E-8C41-E13DA2ADF7F3}\TypeLib\]
@="{CD260094-DE10-4AEE-AC73-EF87F6E12683}"
"Version"="1.0"

[HKEY_CLASSES_ROOT\Interface\{099944FB-BCDA-453E-8C41-E13DA2ADF7F3}\]
@="IRTCMediaEvent"

[HKEY_CLASSES_ROOT\Interface\{09BCB597-F0FA-48F9-B420-468CEA7FDE04}\ProxyStubClsid\]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{09BCB597-F0FA-48F9-B420-468CEA7FDE04}\ProxyStubClsid32\]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{09BCB597-F0FA-48F9-B420-468CEA7FDE04}\TypeLib\]
@="{CD260094-DE10-4AEE-AC73-EF87F6E12683}"
"Version"="1.0"

[HKEY_CLASSES_ROOT\Interface\{09BCB597-F0FA-48F9-B420-468CEA7FDE04}\]
@="IRTCParticipantStateChangeEvent"

[HKEY_CLASSES_ROOT\Interface\{13FA24C7-5748-4B21-91F5-7397609CE747}\ProxyStubClsid\]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{13FA24C7-5748-4B21-91F5-7397609CE747}\ProxyStubClsid32\]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{13FA24C7-5748-4B21-91F5-7397609CE747}\TypeLib\]
@="{CD260094-DE10-4AEE-AC73-EF87F6E12683}"
"Version"="1.0"

[HKEY_CLASSES_ROOT\Interface\{13FA24C7-5748-4B21-91F5-7397609CE747}\]
@="IRTCEventNotification"

[HKEY_CLASSES_ROOT\Interface\{176DDFBE-FEC0-4D55-BC87-84CFF1EF7F91}\ProxyStubClsid\]
@="{00020420-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{176DDFBE-FEC0-4D55-BC87-84CFF1EF7F91}\ProxyStubClsid32\]
@="{00020420-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{176DDFBE-FEC0-4D55-BC87-84CFF1EF7F91}\TypeLib\]
@="{CD260094-DE10-4AEE-AC73-EF87F6E12683}"
"Version"="1.0"

[HKEY_CLASSES_ROOT\Interface\{176DDFBE-FEC0-4D55-BC87-84CFF1EF7F91}\]
@="IRTCDispatchEventNotification"

[HKEY_CLASSES_ROOT\Interface\{27395F86-0C0C-101B-A3C9-08002B2F49FB}\ProxyStubClsid\]
@="{00020420-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{27395F86-0C0C-101B-A3C9-08002B2F49FB}\ProxyStubClsid32\]
@="{00020420-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{27395F86-0C0C-101B-A3C9-08002B2F49FB}\TypeLib\]
@="{27395F88-0C0C-101B-A3C9-08002B2F49FB}"
"Version"="1.0"

[HKEY_CLASSES_ROOT\Interface\{27395F86-0C0C-101B-A3C9-08002B2F49FB}\]
@="IPicClipCtrl"

[HKEY_CLASSES_ROOT\Interface\{27395F87-0C0C-101B-A3C9-08002B2F49FB}\ProxyStubClsid\]
@="{00020420-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{27395F87-0C0C-101B-A3C9-08002B2F49FB}\ProxyStubClsid32\]
@="{00020420-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{27395F87-0C0C-101B-A3C9-08002B2F49FB}\TypeLib\]
@="{27395F88-0C0C-101B-A3C9-08002B2F49FB}"
"Version"="1.0"

[HKEY_CLASSES_ROOT\Interface\{27395F87-0C0C-101B-A3C9-08002B2F49FB}\]
@="PictureClipEvents"

[HKEY_CLASSES_ROOT\Interface\{2B493B7A-3CBA-4170-9C8B-76A9DACDD644}\ProxyStubClsid\]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{2B493B7A-3CBA-4170-9C8B-76A9DACDD644}\ProxyStubClsid32\]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{2B493B7A-3CBA-4170-9C8B-76A9DACDD644}\TypeLib\]
@="{CD260094-DE10-4AEE-AC73-EF87F6E12683}"
"Version"="1.0"

[HKEY_CLASSES_ROOT\Interface\{2B493B7A-3CBA-4170-9C8B-76A9DACDD644}\]
@="IRTCClientEvent"

[HKEY_CLASSES_ROOT\Interface\{4C23BF51-390C-4992-A41D-41EEC05B2A4B}\ProxyStubClsid\]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{4C23BF51-390C-4992-A41D-41EEC05B2A4B}\ProxyStubClsid32\]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{4C23BF51-390C-4992-A41D-41EEC05B2A4B}\TypeLib\]
@="{CD260094-DE10-4AEE-AC73-EF87F6E12683}"
"Version"="1.0"

[HKEY_CLASSES_ROOT\Interface\{4C23BF51-390C-4992-A41D-41EEC05B2A4B}\]
@="IRTCIntensityEvent"

[HKEY_CLASSES_ROOT\Interface\{4D789DE1-5734-11CF-901E-0020AF7543C2}\ProxyStubClsid\]
@="{00020420-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{4D789DE1-5734-11CF-901E-0020AF7543C2}\ProxyStubClsid32\]
@="{00020420-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{4D789DE1-5734-11CF-901E-0020AF7543C2}\TypeLib\]
@="{4D789DE3-5734-11CF-901E-0020AF7543C2}"
"Version"="4.0"

[HKEY_CLASSES_ROOT\Interface\{4D789DE1-5734-11CF-901E-0020AF7543C2}\]
@="_DFxlbl32"

[HKEY_CLASSES_ROOT\Interface\{4D789DE2-5734-11CF-901E-0020AF7543C2}\ProxyStubClsid\]
@="{00020420-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{4D789DE2-5734-11CF-901E-0020AF7543C2}\ProxyStubClsid32\]
@="{00020420-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{4D789DE2-5734-11CF-901E-0020AF7543C2}\TypeLib\]
@="{4D789DE3-5734-11CF-901E-0020AF7543C2}"
"Version"="4.0"

[HKEY_CLASSES_ROOT\Interface\{4D789DE2-5734-11CF-901E-0020AF7543C2}\]
@="_DFxlbl32Events"

[HKEY_CLASSES_ROOT\Interface\{5FC43926-557A-11CF-BF88-0040956003D8}\ProxyStubClsid\]
@="{00020420-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{5FC43926-557A-11CF-BF88-0040956003D8}\ProxyStubClsid32\]
@="{00020420-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{5FC43926-557A-11CF-BF88-0040956003D8}\TypeLib\]
@="{5FC43928-557A-11CF-BF88-0040956003D8}"
"Version"="4.0"

[HKEY_CLASSES_ROOT\Interface\{5FC43926-557A-11CF-BF88-0040956003D8}\]
@="_DFximg32"

[HKEY_CLASSES_ROOT\Interface\{5FC43927-557A-11CF-BF88-0040956003D8}\ProxyStubClsid\]
@="{00020420-0000-0000-C000-000000000046}"


#8 Guest_Cretemonster_*

Posted 22 November 2005 - 05:11 AM

Sorry about the delay!

Scan the System with WinPFind again in Safe Mode please

Post any results from Panda and a fresh HijackThis log and WinPFind Log

#9 rapla

Posted 22 November 2005 - 07:39 AM

Sorry about the delay!

Scan the System with WinPFind again in Safe Mode please

Post any results from Panda and a fresh HijackThis log and WinPFind Log



Hi Again,
When I ran the Panda download from your link I got a virus warning that the download had a worm, so I had to abort and therefore do not have a scan report.
Below, however, are the WinPFind and HJT logs.

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 21/12/1999 07:58:02 21312 C:\WINDOWS\choice.exe

Checking %System% folder...
PECompact2 02/11/2005 05:34:18 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 02/11/2005 05:34:18 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
PEC2 18/08/2001 13:00:00 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
Umonitor 04/08/2004 08:56:44 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
aspack 04/08/2004 08:56:36 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
winsync 18/08/2001 13:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
UPX! 12/11/2005 14:59:18 473600 C:\WINDOWS\SYSTEM32\aswBoot.exe
PTech 03/08/2005 10:33:42 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL

Checking %System%\Drivers folder and sub-folders...
PTech 04/08/2004 06:41:38 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
22/11/2005 11:38:54 S 2048 C:\WINDOWS\bootstat.dat
20/11/2005 22:05:24 HS 5 C:\WINDOWS\system32\AuxDrv32ds_d.ods
22/11/2005 11:37:56 H 1093632 C:\WINDOWS\system32\config\system.LOG
22/11/2005 11:37:56 H 61440 C:\WINDOWS\system32\config\software.LOG
22/11/2005 11:37:56 H 8192 C:\WINDOWS\system32\config\default.LOG
22/11/2005 11:39:04 H 1024 C:\WINDOWS\system32\config\SAM.LOG
22/11/2005 11:38:56 H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
10/11/2005 14:01:10 H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
13/11/2005 00:07:58 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
13/11/2005 00:07:58 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\0659dc07-36ce-42df-847c-2dbad45739d5
28/09/2005 11:53:30 S 17402 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB900725.cat
05/10/2005 02:17:40 S 21737 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896688.cat
05/10/2005 20:33:38 S 12849 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896424.cat
22/11/2005 11:37:54 H 6 C:\WINDOWS\Tasks\SA.DAT
18/10/2005 21:53:40 RH 0 C:\WINDOWS\ShellNew\MSCREATE.DIR
13/10/2005 13:18:54 H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\81830fade50434252c160da6e86e315c\BIT8.tmp

Checking for CPL files...
Microsoft Corporation 04/08/2004 08:56:58 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 04/08/2004 08:56:58 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 04/08/2004 08:56:58 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 04/08/2004 08:56:58 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 04/08/2004 08:56:58 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 04/08/2004 08:56:58 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 04/08/2004 08:56:58 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 18/08/2001 13:00:00 187904 C:\WINDOWS\SYSTEM32\main.cpl
09/12/1996 22528 C:\WINDOWS\SYSTEM32\FINDFAST.CPL
Microsoft Corporation 18/08/2001 13:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 04/08/2004 08:56:58 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 04/08/2004 08:56:58 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Sun Microsystems, Inc. 26/08/2005 18:14:42 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 18/08/2001 13:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 04/08/2004 08:56:58 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Realtek Semiconductor Corp. 01/04/2003 09:47:50 R 6652928 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 04/08/2004 08:56:58 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 04/08/2004 08:56:58 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 04/08/2004 08:56:58 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 04/08/2004 08:56:58 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 04/08/2004 08:56:58 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 04/08/2004 08:56:58 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 04/08/2004 08:56:58 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 04/08/2004 08:56:58 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 26/05/2005 04:16:30 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 18/08/2001 13:00:00 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 18/08/2001 13:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 18/08/2001 13:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
25/02/2005 17:30:18 877 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\abcHood Pager 1.0.lnk
03/11/2005 18:56:22 1668 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
18/04/2002 20:12:52 HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
30/08/2005 00:24:08 804 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check 2.lnk
21/11/2005 23:22:12 750 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
18/04/2002 20:05:28 HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
18/04/2002 20:12:52 HS 84 C:\Documents and Settings\Sean Senior\Start Menu\Programs\Startup\desktop.ini
21/11/2005 23:22:12 750 C:\Documents and Settings\Sean Senior\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
18/10/2005 22:09:42 647 C:\Documents and Settings\Sean Senior\Start Menu\Programs\Startup\Office Startup.lnk

Checking files in %USERPROFILE%\Application Data folder...
03/11/2005 16:12:52 875 C:\Documents and Settings\Sean Senior\Application Data\AdobeDLM.log
18/04/2002 20:05:28 HS 62 C:\Documents and Settings\Sean Senior\Application Data\desktop.ini
03/11/2005 16:12:52 0 C:\Documents and Settings\Sean Senior\Application Data\dm.ini
16/10/2005 21:41:12 39 C:\Documents and Settings\Sean Senior\Application Data\sversion.ini

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =
FunWebProducts =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ASW
{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A} = C:\Program Files\Agnitum\Outpost Firewall\op_shell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\avast
{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ASW
{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A} = C:\Program Files\Agnitum\Outpost Firewall\op_shell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\avast
{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ASW
{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A} = C:\Program Files\Agnitum\Outpost Firewall\op_shell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D}
MyWebSearch Search Assistant BHO = C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA}
mwsBar BHO = C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{724d43a9-0d85-11d4-9908-00400523e39a}
= C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A6927151-F5B4-11D4-AE7A-00D00925CF52}
dlexpertclick Class = C:\PROGRA~1\DLExpert\dll\iehelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{724d43a0-0d85-11d4-9908-00400523e39a} = &RoboForm : C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{320AF880-6646-11D3-ABEE-C5DBF3571F46}
ButtonText = Fill Forms :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{320AF880-6646-11D3-ABEE-C5DBF3571F49}
ButtonText = Save :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{44627E97-789B-40d4-B5C2-58BD171129A1}
ButtonText = Outpost Firewall Pro Quick Tune :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{4AB89EA8-E2B8-11d4-AE71-00D00925CF52}
ButtonText = DLExpert : C:\Program Files\DLExpert\DLExpert.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{724d43aa-0d85-11d4-9908-00400523e39a}
ButtonText = RoboForm :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{724D43A0-0D85-11D4-9908-00400523E39A} = &RoboForm : C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SUPASTATUS C:\Program Files\Internet Explorer\Connection Wizard\status.exe
VTTimer VTTimer.exe
SoundMan SOUNDMAN.EXE
LXSUPMON C:\WINDOWS\System32\LXSUPMON.EXE RUN
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
Outpost Firewall C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
OutpostFeedBack C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
avast! C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
FinePrint Dispatcher v5 "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
MyWebSearch Email Plugin C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
RoboForm "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
MyWebSearch Email Plugin C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs C:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll


Scan Complete
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 22/11/2005 11:45:45




Logfile of HijackThis v1.99.1
Scan saved at 11:53:35, on 22/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Documents and Settings\Sean Senior\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.netpede.com/
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: dlexpertclick Class - {A6927151-F5B4-11D4-AE7A-00D00925CF52} - C:\PROGRA~1\DLExpert\dll\iehelper.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [SUPASTATUS] C:\Program Files\Internet Explorer\Connection Wizard\status.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: abcHood Pager 1.0.lnk = C:\Program Files\Bridgewell\Page abc\abcpager\abcpager.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Download by DLExpert (Faster) - C:\Program Files\DLExpert\get.htm
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZUxdm020YYIE
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download &All by DLExpert (Faster) - C:\Program Files\DLExpert\getall.htm
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: DLExpert - {4AB89EA8-E2B8-11d4-AE71-00D00925CF52} - C:\Program Files\DLExpert\DLExpert.exe
O9 - Extra 'Tools' menuitem: &DLExpert - {4AB89EA8-E2B8-11d4-AE71-00D00925CF52} - C:\Program Files\DLExpert\DLExpert.exe
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.timesupport.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...tup1.0.0.15.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1123799430603
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1123802204328
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe

Hope you can manage without the panda scan,
Regards,
Rapla

#10 Guest_Cretemonster_*


Posted 23 November 2005 - 05:33 AM

Now that's a first, never heard of the Panda Scan doing anything like that.

Let's try another Online Scan that may be more user friendly.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#11 rapla


Posted 23 November 2005 - 10:10 AM

Hi again,
I have posted the report from Kaspersky below as requested
Thanks again,
Rapla

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, November 23, 2005 15:04:56
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 23/11/2005
Kaspersky Anti-Virus database records: 161198
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 51792
Number of viruses found: 17
Number of infected objects: 36
Number of suspicious objects: 0
Duration of the scan process: 1988 sec

Infected Object Name - Virus Name
C:\WINDOWS\system32\f3PSSavr.scr Infected: not-a-virus:AdWare.Win32.MyWebSearch
C:\Documents and Settings\Sean Senior\Local Settings\Temporary Internet Files\Content.IE5\QF7TC7ZO\MyFunCardsFWBInitialSetup1.0.0.15[1].exe Infected: not-a-virus:AdWare.Win32.FunWeb.e
C:\Documents and Settings\Sean Senior\Local Settings\Application Data\Identities\{93A6F33D-7CCF-4972-85DA-2D1B2B382956}\Microsoft\Outlook Express\Paypal.dbx/[From Paypal <accounts@email.paypal.com>][Date Thu, 18 Aug 2005 06:58:06 -0400]/html Infected: Trojan-Spy.HTML.Paylap.ca
C:\Documents and Settings\Sean Senior\Local Settings\Application Data\Identities\{93A6F33D-7CCF-4972-85DA-2D1B2B382956}\Microsoft\Outlook Express\Paypal.dbx Infected: Trojan-Spy.HTML.Paylap.ca
C:\Documents and Settings\Sean Senior\Desktop\AdBlaster files\AdBlaster\adblaster.exe Infected: not-a-virus:AdWare.Win32.Megap.a
C:\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL Infected: not-a-virus:AdWare.Win32.FunWeb.d
C:\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.z
C:\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch
C:\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch
C:\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.af
C:\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.af
C:\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR Infected: not-a-virus:AdWare.Win32.MyWebSearch
C:\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.v
C:\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch
C:\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE Infected: not-a-virus:AdWare.Win32.MyWebSearch
C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.l
C:\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch
C:\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.f
C:\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL Infected: not-a-virus:AdWare.Win32.IWon.a
C:\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch
C:\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.l
C:\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.ad
C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.p
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE Infected: not-a-virus:AdWare.Win32.MyWebSearch
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.ab
C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch
C:\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.i
C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.l
C:\System Volume Information\_restore{82B8AF80-9ABC-4FBD-AC5A-2CF4AD5767EA}\RP161\A0029340.exe Infected: not-a-virus:Dialer.Win32.gen
C:\System Volume Information\_restore{82B8AF80-9ABC-4FBD-AC5A-2CF4AD5767EA}\RP165\A0030477.dll Infected: Trojan-Downloader.Win32.Dyfuca.et
C:\System Volume Information\_restore{82B8AF80-9ABC-4FBD-AC5A-2CF4AD5767EA}\RP166\A0031521.dll Infected: Trojan-Downloader.Win32.Dyfuca.et
C:\System Volume Information\_restore{82B8AF80-9ABC-4FBD-AC5A-2CF4AD5767EA}\RP168\A0032989.dll Infected: Trojan-Downloader.Win32.Dyfuca.et
C:\System Volume Information\_restore{82B8AF80-9ABC-4FBD-AC5A-2CF4AD5767EA}\RP168\A0033311.exe Infected: not-a-virus:Dialer.Win32.gen
C:\System Volume Information\_restore{82B8AF80-9ABC-4FBD-AC5A-2CF4AD5767EA}\RP169\A0033849.dll Infected: Trojan-Downloader.Win32.Dyfuca.et
C:\System Volume Information\_restore{82B8AF80-9ABC-4FBD-AC5A-2CF4AD5767EA}\RP192\A0045212.DLL Infected: not-a-virus:AdWare.Win32.FunWeb.e
C:\Recycled\Dc3.dll Infected: Trojan-Downloader.Win32.Dyfuca.et

Scan process completed.
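
Added example, not part of any post in this thread: Python that cross-references HijackThis autostart entries with the files the Kaspersky report flags, to show which detections are still registered to load at startup or into Internet Explorer. The sample lines are excerpted from the two logs above; the function names are hypothetical, and the 8.3 short-name comparison (`PROGRA~1` for `Program Files`) is a heuristic assumption that only the live system can confirm.

```python
import ntpath
import re

# Excerpted from the HijackThis log posted in this thread (22/11/2005).
HIJACKTHIS_SAMPLE = r"""
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
"""

# Excerpted from the Kaspersky On-line Scanner report posted in this thread.
KASPERSKY_SAMPLE = r"""
C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.p
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE Infected: not-a-virus:AdWare.Win32.MyWebSearch
C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.l
C:\Recycled\Dc3.dll Infected: Trojan-Downloader.Win32.Dyfuca.et
"""

HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<rest>.+)$")
FILE_PATH = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|scr)\b', re.IGNORECASE)
KAV_LINE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\s+Infected:\s+(?P<name>\S+)\s*$")
SHORT_STEM = re.compile(r"^([^~]{1,6})~\d$")


def parse_hijackthis(text):
    """Return (section, file path) for every entry that points at a local file."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        path = FILE_PATH.search(m.group("rest"))
        if path:
            entries.append((m.group("section"), path.group(0)))
    return entries


def parse_kaspersky(text):
    """Return (file path, detection name) for every 'Infected:' line."""
    found = []
    for line in text.splitlines():
        m = KAV_LINE.match(line.strip())
        if m:
            found.append((m.group("path"), m.group("name")))
    return found


def component_matches(a, b):
    """Compare two path components case-insensitively, allowing one of them
    to be an 8.3 short name (heuristic: first six characters of the long
    name with spaces and dots removed, then ~digit)."""
    a, b = a.upper(), b.upper()
    if a == b:
        return True
    for short, long_ in ((a, b), (b, a)):
        s_stem, s_ext = ntpath.splitext(short)
        l_stem, l_ext = ntpath.splitext(long_)
        m = SHORT_STEM.match(s_stem)
        if m and s_ext == l_ext[:4]:
            if re.sub(r"[ .]", "", l_stem).startswith(m.group(1)):
                return True
    return False


def same_file(a, b):
    """True when two Windows paths name the same file, component by component."""
    pa, pb = a.split("\\"), b.split("\\")
    return len(pa) == len(pb) and all(
        component_matches(x, y) for x, y in zip(pa, pb))


def correlate(hjt_text, kav_text):
    """Return (hits, orphans): hits are (section, path, detection) for
    HijackThis entries that load a flagged file; orphans are flagged files
    that no HijackThis entry references."""
    detections = parse_kaspersky(kav_text)
    hits, referenced = [], set()
    for section, path in parse_hijackthis(hjt_text):
        for det_path, name in detections:
            if same_file(path, det_path):
                hits.append((section, path, name))
                referenced.add(det_path)
    orphans = [p for p, _ in detections if p not in referenced]
    return hits, orphans


if __name__ == "__main__":
    hits, orphans = correlate(HIJACKTHIS_SAMPLE, KASPERSKY_SAMPLE)
    for section, path, name in hits:
        print(f"{section}: {path} -> {name}")
    for path in orphans:
        print(f"flagged, no autostart entry in this excerpt: {path}")
```

Entries in the first list are still registered to load, so the registration has to be removed as well as the file; entries in the second list are files on disk only.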

#12 Guest_Cretemonster_*


Posted 24 November 2005 - 03:42 AM

Is this a Dell Computer?

Seems Kaspersky doesn't like MyWebSearch at all.

I thought Dell was shipping this software installed on most of their computers.

It will be your choice whether to keep it or not.

Let me know and we will go from there.

#13 rapla


Posted 24 November 2005 - 09:20 AM

Hi,
No, my computer is a TIME computer and actually I only downloaded MY WEB SEARCH a couple of days ago, from another program I was running.
I suggest we get rid of it, as it is showing up as a problem in the scan.
To be honest I am not keen on it anyway.
Thanks again,
Rapla

#14 Guest_Cretemonster_*


Posted 24 November 2005 - 03:28 PM

Go to Add\Remove Programs and Remove---> MyWebSearch

There may be more than one entry with varying names.


Let's clean out the old Mail.

Open Outlook Express and Click Tools-> Options-> Maintenance

Place a check by "Empty messages from the Deleted Items folder on exit"

Then click the tab labeled "Clean Up Now"

Close out Outlook Express.


Now, locate and delete these:

C:\WINDOWS\system32\f3PSSavr.scr <- File

C:\Program Files\MyWebSearch <- Folder

C:\Documents and Settings\Sean Senior\Desktop\AdBlaster files\AdBlaster


Download and Run CCleaner:
http://www.filehippo.com/download_ccleaner.html
This is to help keep those Temporary Files Cleaned Up

All you will want to use on this is the opening page (Windows tab). Just click Run Cleaner and let it do its thing!


Please Install these 2 to add to the Security of the PC!

SpywareBlaster:
http://www.javacoolsoftware.com/spywareblaster.html
Update immediately!

WinHelp2002 Hosts File
http://www.mvps.org/winhelp2002/hosts2.htm

Disable System Restore
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Go ahead and Reconfigure Msconfig the way you like the PC to Startup!

Go ahead and remove any of the tools downloaded that are of no use anymore!

Post back and let me know how things are?
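
Most of the Kaspersky detections quoted earlier in this thread sit under `System Volume Information\_restore{...}` or in `C:\Recycled`, which is why the steps above include disabling System Restore. The following Python is an added example, not part of the original posts: it groups scan-log lines by where the flagged file lives, using four lines copied from the log plus one constructed line (the `Example` path and verdict are made up); the function names and the `ACTION` notes are this example's own.

```python
import re
from collections import defaultdict

# Four lines copied from the scan results in this thread, plus one constructed
# line (the "Example" path and verdict are made up) to show a live file.
SAMPLE_LOG = r"""
C:\System Volume Information\_restore{82B8AF80-9ABC-4FBD-AC5A-2CF4AD5767EA}\RP165\A0030477.dll Infected: Trojan-Downloader.Win32.Dyfuca.et
C:\System Volume Information\_restore{82B8AF80-9ABC-4FBD-AC5A-2CF4AD5767EA}\RP168\A0033311.exe Infected: not-a-virus:Dialer.Win32.gen
C:\System Volume Information\_restore{82B8AF80-9ABC-4FBD-AC5A-2CF4AD5767EA}\RP192\A0045212.DLL Infected: not-a-virus:AdWare.Win32.FunWeb.e
C:\Recycled\Dc3.dll Infected: Trojan-Downloader.Win32.Dyfuca.et
C:\Program Files\Example\sample.dll Infected: not-a-virus:AdWare.Win32.Example.a
Scan process completed.
"""

# Paths contain spaces, so match lazily up to the " Infected:" marker.
DETECTION = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\s+Infected:\s+(?P<verdict>\S+)\s*$")
RESTORE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-F-]+\}\\(RP\d+)\\", re.I)
RECYCLE = re.compile(r"^[A-Za-z]:\\(?:Recycled|Recycler)\\", re.I)

# What clears each location on Windows XP (notes added for this example).
ACTION = {
    "restore_point": "turn System Restore off, then back on (discards all restore points)",
    "recycle_bin": "empty the Recycle Bin",
    "live_file": "still on disk in normal use: remove the program or file itself",
}

def classify(path):
    """Return (category, restore_point_or_None) for one detected path."""
    m = RESTORE.search(path)
    if m:
        return "restore_point", m.group(1).upper()
    if RECYCLE.match(path):
        return "recycle_bin", None
    return "live_file", None

def triage(log_text):
    """Group detections by location; lines that are not detections are ignored."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = DETECTION.match(line.strip())
        if m:
            category, rp = classify(m.group("path"))
            groups[category].append((m.group("path"), m.group("verdict"), rp))
    return dict(groups)

if __name__ == "__main__":
    for category, hits in triage(SAMPLE_LOG).items():
        print(f"{category}: {len(hits)} detection(s) -> {ACTION[category]}")
```

Detections in the `restore_point` and `recycle_bin` groups are inactive copies; anything left in `live_file` is what still needs removing by hand.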

#15 rapla

Posted 27 November 2005 - 10:52 AM

Hi Again,
Taking things step by step,
I deleted most of MY WEB SEARCH but could not delete the file in Windows Explorer.
The following message keeps coming up: "Cannot delete MWSOEMON.EXE access is denied.
Make sure the disc is not full or write protected and that the file is not currently in use."


OK, cleaned out the old mail.


Could not locate C:\WINDOWS\system32\f3PSSavr.scr so could not delete it.
Same problem with MYWEBSEARCH folder as described above.
I use the adblaster program so do you think I should remove it?


Download and Run CCleaner: Done ok

WinHelp2002 Hosts File
SpywareBlaster: both downloaded and run; however, I don't know what to do with the Hosts file.


I have disabled the System restore and reset the startup programs in msconfig.
Do you want me to reset System Restore to ON ?

Finally, where do I look for downloaded tools that I might not need?


Summary:
MyWEBSEARCH seems to be a problem to remove
C:\WINDOWS\system32\f3PSSavr.scr is also a problem
System restore - do I need to run again?
Hosts file - not sure how to use
Downloaded tools - where do I find?


Thanks for all the trouble you are taking on these problems
it is appreciated,
regards,
Rapla



