Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Don't Know What Is Infecting My Machine


  • Please log in to reply
23 replies to this topic

#1 memutt

memutt

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:05:03 PM

Posted 17 December 2005 - 02:08 AM

I have a cd/cdrw drive, a dvdrom drive and a dvd-rom burner. Sometime around the end of september my drives began having trouble reading the media I put in any of those drives. I can burn data disc from data on my hard drive, but can't watch a dvd. or listen to music etc... I don't have the first clue what could be causing my problem I happened on this site through a web search. If there is anything you can help me with I would really appreciate it. Thanks


Logfile of HijackThis v1.99.1
Scan saved at 10:49:06 PM, on 12/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kelly Davis\My Documents\downloads\hijackthis_sfx.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher 2006\Protector.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.mcafee.com/products/protected/mvt/mvt.cab
O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://aolsvc.aol.com/onlinegames/ghtumblebugs/axhost.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C7DA8351-83F5-48D7-BF53-832373BD511D}: NameServer = 205.188.146.145
O17 - HKLM\System\CCS\Services\Tcpip\..\{E6C4E684-E75F-4E8B-A11A-9CA8996C5B71}: NameServer = 205.188.146.145
O20 - AppInit_DLLs: interceptor.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

:thumbsup: :flowers:

BC AdBot (Login to Remove)

 


#2 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 20 December 2005 - 04:03 AM

Hi memutt and Welcome to the Bleeping Computer!

Im not seeing much in the HijackThis log,so lets look a little deeper!


Download WinPFind:
http://www.bleepingcomputer.com/files/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

From the WinPFind folder-> Doubleclick WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient

One you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder


Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab

Make Sure "Normal Startup-load all device drivers and services" has a green tick by it

Click Apply->Close->Follow the Prompts to Restart

Restart Normal and have the PC Scanned here:
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work

Save the Report it generates

Post back with a fresh HijackThis log and the reports from WinPFind and Panda

#3 memutt

memutt
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  

Posted 21 December 2005 - 08:02 AM

thanks so much for looking at my log. I did everything you have suggested here is the new hjt log the winp and the panda in that order.
THIS TOOK ALL DAY WOW. Tell me what you think : )


Logfile of HijackThis v1.99.1
Scan saved at 4:44:37 AM, on 12/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\WINDOWS\system32\cidaemon.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher 2006\Protector.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.mcafee.com/products/protected/mvt/mvt.cab
O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://aolsvc.aol.com/onlinegames/ghtumblebugs/axhost.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E6C4E684-E75F-4E8B-A11A-9CA8996C5B71}: NameServer = 205.188.146.145
O20 - AppInit_DLLs: interceptor.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


WINPFIND

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

Checking Selected Standard Folders

Checking %SystemDrive% folder...
PEC2 11/19/2005 5:34:22 PM HS 132763648 C:\hiberfil.sys
qoologic 12/20/2005 8:01:04 AM 204131 C:\WinPFind.zip

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 3/31/2003 12:00:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
aspack 8/4/2004 12:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
winsync 3/31/2003 12:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
UPX! 11/27/2005 9:02:16 PM 1980416 C:\WINDOWS\SYSTEM32\Butterfly Oasis Screensaver.scr
PEC2 11/27/2005 9:02:16 PM 1980416 C:\WINDOWS\SYSTEM32\Butterfly Oasis Screensaver.scr
Umonitor 8/4/2004 12:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
PECompact2 8/4/2005 10:01:54 AM 1449304 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2005 10:01:54 AM 1449304 C:\WINDOWS\SYSTEM32\MRT.exe

Checking %System%\Drivers folder and sub-folders...
PTech 8/3/2004 10:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
12/20/2005 12:04:42 PM S 2048 C:\WINDOWS\bootstat.dat
12/19/2005 8:18:18 AM H 54156 C:\WINDOWS\QTFont.qfn
12/19/2005 8:06:14 AM H 35874 C:\WINDOWS\system32\vsconfig.xml
12/1/2005 8:15:00 AM H 4212 C:\WINDOWS\system32\zllictbl.dat
12/20/2005 12:03:08 PM H 921600 C:\WINDOWS\system32\config\system.LOG
12/20/2005 12:03:08 PM H 122880 C:\WINDOWS\system32\config\software.LOG
12/20/2005 12:03:08 PM H 8192 C:\WINDOWS\system32\config\default.LOG
12/20/2005 12:05:08 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
12/20/2005 12:04:48 PM H 28672 C:\WINDOWS\system32\config\SECURITY.LOG
11/18/2005 2:57:00 PM HS 7680 C:\WINDOWS\system32\DirectX\Dinput\Thumbs.db
12/13/2005 2:18:04 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\RBVXRV1F\desktop.ini
12/13/2005 2:18:06 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\7Y4CQ77P\desktop.ini
12/13/2005 2:18:06 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\B1CQ4JE5\desktop.ini
12/13/2005 2:18:06 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\20V7V3AD\desktop.ini
12/20/2005 9:13:30 AM H 0 C:\WINDOWS\LastGood\INF\oem16.inf
12/20/2005 9:13:30 AM H 0 C:\WINDOWS\LastGood\INF\oem16.PNF
12/20/2005 12:02:56 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 12:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 3/31/2003 12:00:00 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 3/31/2003 12:00:00 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 3/31/2003 12:00:00 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Sun Microsystems, Inc. 6/3/2005 3:52:54 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
RealNetworks, Inc. 4/2/2005 5:42:14 PM 24576 C:\WINDOWS\SYSTEM32\prefscpl.cpl
Apple Computer, Inc. 7/27/2003 10:05:54 AM 295936 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 3/31/2003 12:00:00 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 3/31/2003 12:00:00 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 3/31/2003 12:00:00 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
4/2/2005 5:22:48 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
11/7/2005 6:45:06 AM 698 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SpyCatcher Protector.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
4/2/2005 5:01:30 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
8/10/2005 9:40:36 AM H 185 C:\Documents and Settings\All Users\Application Data\hpothb07.dat
8/10/2005 9:40:36 AM H 257 C:\Documents and Settings\All Users\Application Data\hpothb07.tif
4/4/2005 2:33:52 PM 188 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
4/2/2005 5:22:48 PM HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
4/2/2005 5:01:30 PM HS 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\CopyToCD
{2AA59FC0-31E8-42DA-9D3C-E9A52953853B} = C:\PROGRA~1\vso\COPYTO~1\CTCDSH~1.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\EasyZip
{1D9721CD-50B7-4AC3-99CB-BB1F05B52364} = C:\PROGRA~1\EASYOF~1\CONTEX~1.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\YAHOO!\COMMON\ymmapi20041123.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ZFAdd
{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = C:\Program Files\WinAce\arcext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
= c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\CopyToCD
{2AA59FC0-31E8-42DA-9D3C-E9A52953853B} = C:\PROGRA~1\vso\COPYTO~1\CTCDSH~1.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
= c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\CopyToCD
{2AA59FC0-31E8-42DA-9D3C-E9A52953853B} = C:\PROGRA~1\vso\COPYTO~1\CTCDSH~1.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EasyZip
{1D9721CD-50B7-4AC3-99CB-BB1F05B52364} = C:\PROGRA~1\EASYOF~1\CONTEX~1.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ZFAdd
{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = C:\Program Files\WinAce\arcext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0A87E45F-537A-40B4-B812-E2544C21A09F}
SpywareBlock Class = C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{BA52B914-B692-46c4-B683-905236F6F655} = McAfee VirusScan : c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{85d1f590-48f4-11d9-9669-0800200c9a66}
MenuText = Uninstall BitDefender Online Scanner v8 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MCUpdateExe c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
MCAgentExe c:\PROGRA~1\mcafee.com\agent\McAgent.exe
dvd43 C:\Program Files\dvd43\dvd43_tray.exe
SpyCatcher Reminder "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
Zone Labs Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandFrom

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandTo

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
ZESOFT 2
ERSvc 2
BITS 2
ImapiService 3


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE
item Adobe Gamma Loader
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE
item Adobe Gamma Loader

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE
item Adobe Reader Speed Launch
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE
item Adobe Reader Speed Launch

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\AMERIC~1.0A\aoltray.exe -check
item America Online 9.0 Tray Icon
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\AMERIC~1.0A\aoltray.exe -check
item America Online 9.0 Tray Icon

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpohmr08.exe
item hp psc 1000 series
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpohmr08.exe
item hp psc 1000 series

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpotdd01.exe
item hpoddt01.exe
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpotdd01.exe
item hpoddt01.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkCommon Startup
location Common Startup
command C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
item MyWebSearch Email Plugin
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkCommon Startup
location Common Startup
command C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
item MyWebSearch Email Plugin

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk
backup C:\WINDOWS\pss\SpySubtract.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\INTERM~1\SPYSUB~1\SpySub.exe -autostart
item SpySubtract
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk
backup C:\WINDOWS\pss\SpySubtract.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\INTERM~1\SPYSUB~1\SpySub.exe -autostart
item SpySubtract

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Kelly Davis^Start Menu^Programs^Startup^Corel Desktop Application Director.LNK
path C:\Documents and Settings\Kelly Davis\Start Menu\Programs\Startup\Corel Desktop Application Director.LNK
backup C:\WINDOWS\pss\Corel Desktop Application Director.LNKStartup
location Startup
command C:\Corel\Office7\Dad7\QUICK.EXE
item Corel Desktop Application Director
path C:\Documents and Settings\Kelly Davis\Start Menu\Programs\Startup\Corel Desktop Application Director.LNK
backup C:\WINDOWS\pss\Corel Desktop Application Director.LNKStartup
location Startup
command C:\Corel\Office7\Dad7\QUICK.EXE
item Corel Desktop Application Director

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Kelly Davis^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk
path C:\Documents and Settings\Kelly Davis\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup
location Startup
command C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
item MyWebSearch Email Plugin
path C:\Documents and Settings\Kelly Davis\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup
location Startup
command C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
item MyWebSearch Email Plugin

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Kelly Davis^Start Menu^Programs^Startup^PerfectPrint.LNK
path C:\Documents and Settings\Kelly Davis\Start Menu\Programs\Startup\PerfectPrint.LNK
backup C:\WINDOWS\pss\PerfectPrint.LNKStartup
location Startup
command C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE /l-US
item PerfectPrint
path C:\Documents and Settings\Kelly Davis\Start Menu\Programs\Startup\PerfectPrint.LNK
backup C:\WINDOWS\pss\PerfectPrint.LNKStartup
location Startup
command C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE /l-US
item PerfectPrint

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Cmp77W
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item pmbmlxka
hkey HKLM
command C:\WINDOWS\pmbmlxka.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item pmbmlxka
hkey HKLM
command C:\WINDOWS\pmbmlxka.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\InCD
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item InCD
hkey HKLM
command C:\Program Files\Ahead\InCD\InCD.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item InCD
hkey HKLM
command C:\Program Files\Ahead\InCD\InCD.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IST Service
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item istsvc
hkey HKLM
command C:\Program Files\ISTsvc\istsvc.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item istsvc
hkey HKLM
command C:\Program Files\ISTsvc\istsvc.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\jctgr
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item jctgr
hkey HKLM
command C:\WINDOWS\jctgr.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item jctgr
hkey HKLM
command C:\WINDOWS\jctgr.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MCAgentExe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item McAgent
hkey HKLM
command c:\PROGRA~1\mcafee.com\agent\McAgent.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item McAgent
hkey HKLM
command c:\PROGRA~1\mcafee.com\agent\McAgent.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MCUpdateExe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item McUpdate
hkey HKLM
command C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item McUpdate
hkey HKLM
command C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "C:\Program Files\Messenger\msmsgs.exe" /background
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "C:\Program Files\Messenger\msmsgs.exe" /background
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NeroFilterCheck
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NeroCheck
hkey HKLM
command C:\WINDOWS\system32\NeroCheck.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NeroCheck
hkey HKLM
command C:\WINDOWS\system32\NeroCheck.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\OASClnt
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item oasclnt
hkey HKLM
command C:\Program Files\McAfee.com\VSO\oasclnt.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item oasclnt
hkey HKLM
command C:\Program Files\McAfee.com\VSO\oasclnt.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PhotoShow Deluxe Media Manager
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mssysmgr
hkey HKCU
command C:\PROGRA~1\Nero\data\xtras\mssysmgr.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mssysmgr
hkey HKCU
command C:\PROGRA~1\Nero\data\xtras\mssysmgr.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickFinder Scheduler
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item QFSCHED
hkey HKLM
command c:\Corel\Office7\Shared\QFinder7\QFSCHED.EXE
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item QFSCHED
hkey HKLM
command c:\Corel\Office7\Shared\QFinder7\QFSCHED.EXE
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RealTray
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item RealPlay
hkey HKLM
command C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item RealPlay
hkey HKLM
command C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\sais
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item sais
hkey HKLM
command c:\program files\180solutions\sais.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item sais
hkey HKLM
command c:\program files\180solutions\sais.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SPSTEALT
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item TempToolbox
hkey HKCU
command "C:\Documents and Settings\Kelly Davis\Desktop\dvd squeeze\dvdsqeeze\TempToolbox.exe" /stealt
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item TempToolbox
hkey HKCU
command "C:\Documents and Settings\Kelly Davis\Desktop\dvd squeeze\dvdsqeeze\TempToolbox.exe" /stealt
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item jusched
hkey HKLM
command C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item jusched
hkey HKLM
command C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\USB Storage Toolbox
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Res
hkey HKLM
command C:\Program Files\USBToolbox\Res.EXE
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Res
hkey HKLM
command C:\Program Files\USBToolbox\Res.EXE
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\VirusScan Online
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mcvsshld
hkey HKLM
command C:\Program Files\McAfee.com\VSO\mcvsshld.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mcvsshld
hkey HKLM
command C:\Program Files\McAfee.com\VSO\mcvsshld.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\VSOCheckTask
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mcmnhdlr
hkey HKLM
command "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mcmnhdlr
hkey HKLM
command "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Yahoo! Pager
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ypager
hkey HKCU
command C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ypager
hkey HKCU
command C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\# L"h'9Ӝ3rWC:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\# L"h'9Ӝ3rWC:\Program Files

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 2
bootini 0
services 2
startup 2


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs interceptor.dll


Scan Complete
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 12/20/2005 2:23:57 PM





PANDA




Incident Status Location

Possible Virus. Not disinfected C:\Program Files\EasyOffice\EasyWord.exe

#4 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 21 December 2005 - 07:58 PM

I see pleanty of leftovers but not anything that appears active at the moment.

Open HijackThis and Click the "Open Misc Tools Section" tab

Select Generate StartUpList log and make sure that both Boxes beside it are checked:

Put a check by:
List all minor sections(Full)
and
List Empty Sections(Complete)

It will produce a NotePad Page,I need you to post the entire contents of that page to the next post

#5 memutt

memutt
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:05:03 PM

Posted 22 December 2005 - 08:04 AM

Thanks Cretemonster, here's the requested information. Hope it helps, it's all greek to me : )


StartupList report, 12/22/2005, 4:57:11 AM
StartupList version: 1.52.2
Started from : C:\Program Files\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\System32\svchost.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\SpyCatcher 2006\Protector.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\Common Files\AOL\ACS\acsd.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\PROGRA~1\McAfee.com\Agent\mcupdui.exe
C:\WINDOWS\TEMP\mcu114.tmp\mcappins.exe
c:\program files\mcafee.com\shared\mghtml.exe
C:\Program Files\HijackThis\HijackThis.exe
c:\PROGRA~1\mcafee.com\agent\mcupdate.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Kelly Davis\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher 2006\Protector.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

MCUpdateExe = c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
MCAgentExe = c:\PROGRA~1\mcafee.com\agent\mcagent.exe
dvd43 = C:\Program Files\dvd43\dvd43_tray.exe
SpyCatcher Reminder = "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
Zone Labs Client = C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
VSOCheckTask = "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
VirusScan Online = C:\Program Files\McAfee.com\VSO\mcvsshld.exe
OASClnt = C:\Program Files\McAfee.com\VSO\oasclnt.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{8b15971b-5355-4c82-8c07-7e181ea07608}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=interceptor.dll

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=
SCRNSAVE.EXE=C:\WINDOWS\system32\BUTTER~1.SCR
drivers=

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll - {0A87E45F-537A-40B4-B812-E2544C21A09F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

FRU Task #Hewlett-Packard#hp psc 1200 series#1112650644.job
McAfee.com Scan for Viruses - My Computer (PMJ-Kelly Davis).job
FRU Task #Hewlett-Packard#hp psc 1200 series#1135128887.job
WebReg 20051220174629.job

--------------------------------------------------

Enumerating Download Program Files:

[Musicnotes Viewer]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\mnviewer.dll
CODEBASE = http://www.musicnotes.com/download/mnviewer.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwa...director/sw.cab

[McAfee.com Operating System Class]
InProcServer32 = C:\WINDOWS\system32\mcinsctl.dll
CODEBASE = http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab

[BDSCANONLINE Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\oscan8.ocx
CODEBASE = http://download.bitdefender.com/resources/scan8/oscan8.cab

[McAfee Virtual Technician Control Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MVT.dll
CODEBASE = http://us-download.mcafee.com/products/protected/mvt/mvt.cab

[WildfireActiveXHost Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\axhost.dll
CODEBASE = http://aolsvc.aol.com/onlinegames/ghtumblebugs/axhost.cab

[Java Plug-in 1.5.0_04]
InProcServer32 = C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

[DwnldGroupMgr Class]
InProcServer32 = C:\WINDOWS\System32\mcgdmgr.dll
CODEBASE = http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab

[Java Plug-in 1.5.0_04]
InProcServer32 = C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash8.ocx
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
ESS Allegro Audio Driver (WDM): system32\drivers\es198x.sys (manual start)
AOL Connectivity Service: C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (autostart)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
ATWPKT2: \??\C:\PROGRA~1\COMMON~1\AOL\ACS\ATWPKT2.SYS (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (autostart)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
dvd43llh: System32\DRIVERS\dvd43llh.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Fax: %systemroot%\system32\fxssvc.exe (autostart)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
HCF_MSFT: System32\DRIVERS\HCF_MSFT.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft HID Class Driver: system32\DRIVERS\hidusb.sys (manual start)
IEEE-1284.4 Driver HPZid412: System32\DRIVERS\HPZid412.sys (manual start)
Print Class Driver for IEEE-1284.4 HPZipr12: System32\DRIVERS\HPZipr12.sys (manual start)
USB to IEEE-1284.4 Translation Driver HPZius12: System32\DRIVERS\HPZius12.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
i81x: System32\DRIVERS\i81xnt5.sys (manual start)
iAimFP0: System32\DRIVERS\wADV01nt.sys (manual start)
iAimFP1: System32\DRIVERS\wADV02NT.sys (manual start)
iAimFP2: System32\DRIVERS\wADV05NT.sys (manual start)
iAimFP3: System32\DRIVERS\wSiINTxx.sys (manual start)
iAimFP4: System32\DRIVERS\wVchNTxx.sys (manual start)
iAimFP5: system32\DRIVERS\wADV07nt.sys (manual start)
iAimFP6: system32\DRIVERS\wADV08nt.sys (manual start)
iAimFP7: system32\DRIVERS\wADV09nt.sys (manual start)
iAimTV0: System32\DRIVERS\wATV01nt.sys (manual start)
iAimTV1: System32\DRIVERS\wATV02NT.sys (manual start)
iAimTV2: System32\DRIVERS\wATV03nt.sys (manual start)
iAimTV3: System32\DRIVERS\wATV04nt.sys (manual start)
iAimTV4: System32\DRIVERS\wCh7xxNT.sys (manual start)
iAimTV5: system32\DRIVERS\wATV10nt.sys (manual start)
iAimTV6: system32\DRIVERS\wATV06nt.sys (manual start)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
InCDPass: System32\DRIVERS\InCDPass.sys (system)
InCD Helper: C:\Program Files\Ahead\InCD\InCDsrv.exe (autostart)
InCD Helper (read only): C:\Program Files\Ahead\InCD\InCDsrv.exe -r (autostart)
IntelIde: System32\DRIVERS\intelide.sys (system)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Keyboard HID Driver: system32\DRIVERS\kbdhid.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
McAfee WSC Integration: c:\program files\mcafee.com\agent\mcdetect.exe (autostart)
McAfee.com McShield: c:\PROGRA~1\mcafee.com\vso\mcshield.exe (autostart)
McAfee Task Scheduler: c:\PROGRA~1\mcafee.com\agent\mctskshd.exe (autostart)
McAfee SecurityCenter Update Manager: C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Microsoft MPU-401 MIDI UART Driver: system32\drivers\msmpu401.sys (manual start)
NaiAvFilter1: system32\drivers\naiavf5x.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Intel PentiumIII Processor Driver: System32\DRIVERS\p3.sys (system)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
Low level access layer for CD devices: System32\Drivers\Pcouffin.sys (manual start)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
Pml Driver HPZ12: C:\WINDOWS\System32\HPZipm12.exe (manual start)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{3A7C1B95-A69F-420B-A426-088F133DAA4D} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\System32\wdfmgr.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
vsdatant: System32\vsdatant.sys (system)
TrueVector Internet Monitor: C:\WINDOWS\system32\ZONELABS\vsmon.exe -service (autostart)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
WAN Miniport (ATW): System32\DRIVERS\wanatw4.sys (manual start)
WAN Miniport (ATW) Service: "C:\WINDOWS\wanmpsvc.exe" (autostart)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (disabled)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 33,908 bytes
Report generated in 11.006 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#6 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 22 December 2005 - 08:15 PM

Do me a favor,go into Safe Mode and see if your CD-Roms work correctly?

#7 memutt

memutt
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  

Posted 24 December 2005 - 03:30 AM

cretemonster,
Okay here what happened. I rebooted in safe mode - all three drives will read burned audio cds but will not play them. I recieved messages that there might be a device I/O problem, or corrupted disk. non of the drives were able to identify contents of original audio cds, however they atleast acknowledged there was some type of content which is an improvement. neither of the dvd drives could read content on original or burned dvds. I recieved the same I/O messages with the dvd attempt. I check the device manager and it claims there is nothing wrong with the drives. don't know if it matters but all burned material I used to test the drives were burned on this machine and it couldn'trecognize the formatting!?!!

Merry Christmas

Memutt

#8 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 28 December 2005 - 10:19 AM

OK,lets get some of the old stuff cleaned up and Im going to ask for some extra eyes over the next couple of days.

Copy the text below to a blank notepad page and save it to the desktop as Clr.reg but dont run it just yet.


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
"ZESOFT"

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Cmp77W]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IST Service]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\jctgr]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\sais]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\# L"h'9Ӝ3rWC]



Go back to Safe Mode and be sure Windows is Showing Hidden Files.
http://www.bleepingcomputer.com/tutorials/...al62.html#winxp

Search the system for any of the entries below and delete if found.

C:\WINDOWS\jctgr.exe<- File

C:\WINDOWS\pmbmlxka.exe<- File

C:\Program Files\ISTsvc<- Folder

C:\Program Files\180solutions<- Folder


Now,locate and double click Clr.reg and allow it to merge into the registry.

Click Start-> Run-> Type in Msconfig and click OK.

Click the Services tab and check that every entry has a checkmark by it.

If you have to make any changes-> Click Apply->Close->Follow the Prompts to Restart


Restart Normal and Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#9 memutt

memutt
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:05:03 PM

Posted 28 December 2005 - 04:38 PM

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, December 28, 2005 13:18:00
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 28/12/2005
Kaspersky Anti-Virus database records: 168037
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
I:\

Scan Statistics:
Total number of scanned objects: 53114
Number of viruses found: 9
Number of infected objects: 25
Number of suspicious objects: 0
Duration of the scan process: 11994 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Kelly Davis\My Documents\downloads\frepatwe.exe/doc\NH20040517.4a.yy.exe/NHInstall.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d
C:\Documents and Settings\Kelly Davis\My Documents\downloads\frepatwe.exe/doc\NH20040517.4a.yy.exe/v2.0.4a.cab/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel.b
C:\Documents and Settings\Kelly Davis\My Documents\downloads\frepatwe.exe/doc\NH20040517.4a.yy.exe/v2.0.4a.cab/NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel
C:\Documents and Settings\Kelly Davis\My Documents\downloads\frepatwe.exe/doc\NH20040517.4a.yy.exe/v2.0.4a.cab/NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b
C:\Documents and Settings\Kelly Davis\My Documents\downloads\frepatwe.exe/doc\NH20040517.4a.yy.exe/v2.0.4a.cab Infected: not-a-virus:AdWare.Win32.NavExcel.b
C:\Documents and Settings\Kelly Davis\My Documents\downloads\frepatwe.exe/doc\NH20040517.4a.yy.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b
C:\Documents and Settings\Kelly Davis\My Documents\downloads\frepatwe.exe/doc\STUNTB.exe Infected: not-a-virus:AdWare.Win32.NavExcel.i
C:\Documents and Settings\Kelly Davis\My Documents\downloads\frepatwe.exe/doc\whCC-2MGAMES.exe/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351
C:\Documents and Settings\Kelly Davis\My Documents\downloads\frepatwe.exe/doc\whCC-2MGAMES.exe/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer
C:\Documents and Settings\Kelly Davis\My Documents\downloads\frepatwe.exe/doc\whCC-2MGAMES.exe/whSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer
C:\Documents and Settings\Kelly Davis\My Documents\downloads\frepatwe.exe/doc\whCC-2MGAMES.exe/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer
C:\Documents and Settings\Kelly Davis\My Documents\downloads\frepatwe.exe/doc\whCC-2MGAMES.exe/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer
C:\Documents and Settings\Kelly Davis\My Documents\downloads\frepatwe.exe/doc\whCC-2MGAMES.exe Infected: not-a-virus:AdWare.Win32.WebHancer
C:\Documents and Settings\Kelly Davis\My Documents\downloads\frepatwe.exe Infected: not-a-virus:AdWare.Win32.WebHancer
C:\Documents and Settings\Kelly Davis\My Documents\downloads\2mfreesolwe.exe/doc\d10.exe Infected: Trojan-Downloader.Win32.Small.akj
C:\Documents and Settings\Kelly Davis\My Documents\downloads\2mfreesolwe.exe/doc\istinstall_153191.exe Infected: Trojan-Downloader.Win32.IstBar.er
C:\Documents and Settings\Kelly Davis\My Documents\downloads\2mfreesolwe.exe/doc\whCC-2MGAMES.exe/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351
C:\Documents and Settings\Kelly Davis\My Documents\downloads\2mfreesolwe.exe/doc\whCC-2MGAMES.exe/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer
C:\Documents and Settings\Kelly Davis\My Documents\downloads\2mfreesolwe.exe/doc\whCC-2MGAMES.exe/whSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer
C:\Documents and Settings\Kelly Davis\My Documents\downloads\2mfreesolwe.exe/doc\whCC-2MGAMES.exe/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer
C:\Documents and Settings\Kelly Davis\My Documents\downloads\2mfreesolwe.exe/doc\whCC-2MGAMES.exe/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer
C:\Documents and Settings\Kelly Davis\My Documents\downloads\2mfreesolwe.exe/doc\whCC-2MGAMES.exe Infected: not-a-virus:AdWare.Win32.WebHancer
C:\Documents and Settings\Kelly Davis\My Documents\downloads\2mfreesolwe.exe Infected: not-a-virus:AdWare.Win32.WebHancer
C:\Recycled\Dc3\sais.exe Infected: not-a-virus:AdWare.Win32.180Solutions
C:\Recycled\Dc3\saishook.dll Infected: not-a-virus:AdWare.Win32.180Solutions

Scan process completed.



thanks memutt

#10 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 28 December 2005 - 07:30 PM

Go back into Safe Mode-> Locate and Delete these 2 files

C:\Documents and Settings\Kelly Davis\My Documents\downloads\2mfreesolwe.exe

C:\Documents and Settings\Kelly Davis\My Documents\downloads\frepatwe.exe

Open the Search Assistant(Click Start>>Click Search)
Select All Files and Folders,
Select Advanced Options,
Make sure there is a check by every box under Advanced Options

Now under All Files and Folders,enter these into the text box:

NH20040517.4a.yy.exe
NHInstall.exe
v2.0.4a.cab
NHelper.dll
NHUninstaller.exe
NHUpdater.exe
STUNTB.exe
whCC-2MGAMES.exe
whAgent.exe
whInstaller.exe
whSurvey.exe
webhdll.dll
whiehlpr.dll
d10.exe
istinstall_153191.exe


If any are found that match exactly,please delete.


Still in Safe Mode-> Scan the System with WinPFind again.


Restart Normal and Copy & paste the text in bold below into notepad and save it as recyclerem.bat
(Set filetype to "All Files")


attrib -r -s -h %systemdrive%\Recycler
del %systemdrive%\Recycler
attrib -r -s -h %systemdrive%\Recycled
del %systemdrive%\Recycled
shutdown /r /t 0 /f


Close all programs and doubleclick recyclerem.bat

Your computer will reboot and you will have a shiny new (empty) recycle bin.


Post back with the WinPFind log and let me know if there is any improvement?

#11 memutt

memutt
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  

Posted 30 December 2005 - 10:12 AM

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

Checking Selected Standard Folders

Checking %SystemDrive% folder...
PEC2 11/19/2005 5:34:22 PM HS 132763648 C:\hiberfil.sys
qoologic 12/20/2005 8:01:04 AM 204131 C:\WinPFind.zip

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 3/31/2003 12:00:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
aspack 8/4/2004 12:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
winsync 3/31/2003 12:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
UPX! 11/27/2005 9:02:16 PM 1980416 C:\WINDOWS\SYSTEM32\Butterfly Oasis Screensaver.scr
PEC2 11/27/2005 9:02:16 PM 1980416 C:\WINDOWS\SYSTEM32\Butterfly Oasis Screensaver.scr
Umonitor 8/4/2004 12:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
PECompact2 12/7/2005 1:38:52 PM 2714976 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 12/7/2005 1:38:52 PM 2714976 C:\WINDOWS\SYSTEM32\MRT.exe
PTech 7/12/2005 6:04:22 PM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll

Checking %System%\Drivers folder and sub-folders...
PTech 8/3/2004 10:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
12/22/2005 11:28:54 AM H 331609 C:\WINDOWS\hpothb07.tif
12/22/2005 11:28:54 AM H 12979 C:\WINDOWS\hpothb07.dat
12/29/2005 8:28:16 AM S 2048 C:\WINDOWS\bootstat.dat
12/26/2005 6:35:46 PM H 54156 C:\WINDOWS\QTFont.qfn
12/28/2005 8:52:10 AM H 35874 C:\WINDOWS\system32\vsconfig.xml
12/1/2005 8:15:00 AM H 4212 C:\WINDOWS\system32\zllictbl.dat
12/29/2005 8:26:58 AM H 913408 C:\WINDOWS\system32\config\system.LOG
12/29/2005 8:26:58 AM H 77824 C:\WINDOWS\system32\config\software.LOG
12/29/2005 8:26:58 AM H 8192 C:\WINDOWS\system32\config\default.LOG
12/29/2005 8:28:32 AM H 1024 C:\WINDOWS\system32\config\SAM.LOG
12/29/2005 8:28:16 AM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
12/26/2005 9:43:48 PM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
11/18/2005 2:57:00 PM HS 7680 C:\WINDOWS\system32\DirectX\Dinput\Thumbs.db
12/27/2005 9:58:24 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
12/27/2005 9:58:24 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\fe943530-7c8e-40c8-b35e-a599f2884c12
12/21/2005 4:35:32 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\DZ2NPSO8\desktop.ini
12/21/2005 4:35:34 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\OPMBGPAB\desktop.ini
12/21/2005 4:35:34 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\14EFS8O2\desktop.ini
12/21/2005 4:35:36 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\C5EN4PYJ\desktop.ini
12/28/2005 9:08:32 AM H 0 C:\WINDOWS\LastGood\INF\oem16.inf
12/28/2005 9:08:34 AM H 0 C:\WINDOWS\LastGood\INF\oem16.PNF
12/29/2005 8:26:48 AM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 12:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 3/31/2003 12:00:00 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 3/31/2003 12:00:00 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 3/31/2003 12:00:00 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
RealNetworks, Inc. 12/24/2005 7:13:16 AM 24576 C:\WINDOWS\SYSTEM32\prefscpl.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Sun Microsystems, Inc. 6/3/2005 3:52:54 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
5/25/2004 7:06:58 AM 417792 C:\WINDOWS\SYSTEM32\ac3filter.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Apple Computer, Inc. 7/27/2003 10:05:54 AM 295936 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 3/31/2003 12:00:00 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 3/31/2003 12:00:00 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 3/31/2003 12:00:00 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
4/2/2005 5:22:48 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
11/7/2005 6:45:06 AM 698 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SpyCatcher Protector.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
4/2/2005 5:01:30 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
8/10/2005 9:40:36 AM H 185 C:\Documents and Settings\All Users\Application Data\hpothb07.dat
8/10/2005 9:40:36 AM H 257 C:\Documents and Settings\All Users\Application Data\hpothb07.tif
4/4/2005 2:33:52 PM 188 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
4/2/2005 5:22:48 PM HS 84 C:\Documents and Settings\Kelly Davis\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
7/25/2005 2:04:30 PM 18432 C:\Documents and Settings\Kelly Davis\Application Data\00000230_VTS_0.IFO
5/21/2005 11:00:38 AM 12288 C:\Documents and Settings\Kelly Davis\Application Data\00000EC4_VTS_0.IFO
4/4/2005 4:28:00 PM 1931 C:\Documents and Settings\Kelly Davis\Application Data\AdobeDLM.log
4/2/2005 5:01:30 PM HS 62 C:\Documents and Settings\Kelly Davis\Application Data\desktop.ini
4/4/2005 4:27:58 PM 0 C:\Documents and Settings\Kelly Davis\Application Data\dm.ini
11/29/2005 10:42:44 AM H 930 C:\Documents and Settings\Kelly Davis\Application Data\hpothb07.dat
11/22/2005 1:53:38 PM H 1253 C:\Documents and Settings\Kelly Davis\Application Data\hpothb07.tif
12/15/2005 2:51:46 PM 4480 C:\Documents and Settings\Kelly Davis\Application Data\wklnhst.dat

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\CopyToCD
{2AA59FC0-31E8-42DA-9D3C-E9A52953853B} = C:\PROGRA~1\vso\COPYTO~1\CTCDSH~1.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\EasyZip
{1D9721CD-50B7-4AC3-99CB-BB1F05B52364} = C:\PROGRA~1\EASYOF~1\CONTEX~1.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\YAHOO!\COMMON\ymmapi20041123.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ZFAdd
{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = C:\Program Files\WinAce\arcext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
= c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\CopyToCD
{2AA59FC0-31E8-42DA-9D3C-E9A52953853B} = C:\PROGRA~1\vso\COPYTO~1\CTCDSH~1.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
= c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\CopyToCD
{2AA59FC0-31E8-42DA-9D3C-E9A52953853B} = C:\PROGRA~1\vso\COPYTO~1\CTCDSH~1.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EasyZip
{1D9721CD-50B7-4AC3-99CB-BB1F05B52364} = C:\PROGRA~1\EASYOF~1\CONTEX~1.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ZFAdd
{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = C:\Program Files\WinAce\arcext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0A87E45F-537A-40B4-B812-E2544C21A09F}
SpywareBlock Class = C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\system32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{BA52B914-B692-46c4-B683-905236F6F655} = McAfee VirusScan : c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{85d1f590-48f4-11d9-9669-0800200c9a66}
MenuText = Uninstall BitDefender Online Scanner v8 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{40D41A8B-D79B-43D7-99A7-9EE0F344C385} = AIM Search : C:\Program Files\AIM Toolbar\AIMBar.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MCAgentExe c:\PROGRA~1\mcafee.com\agent\mcagent.exe
dvd43 C:\Program Files\dvd43\dvd43_tray.exe
SpyCatcher Reminder "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
Zone Labs Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
MSConfig C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
MCUpdateExe c:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandFrom

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandTo

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
ZESOFT 2


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE
item Adobe Gamma Loader
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE
item Adobe Gamma Loader

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~2.EXE
item Adobe Reader Speed Launch
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~2.EXE
item Adobe Reader Speed Launch

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\AMERIC~1.0A\aoltray.exe -check
item America Online 9.0 Tray Icon
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\AMERIC~1.0A\aoltray.exe -check
item America Online 9.0 Tray Icon

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online Tray Icon.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online Tray Icon.lnk
backup C:\WINDOWS\pss\America Online Tray Icon.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\AMERIC~2.0\aoltray.exe -check
item America Online Tray Icon
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online Tray Icon.lnk
backup C:\WINDOWS\pss\America Online Tray Icon.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\AMERIC~2.0\aoltray.exe -check
item America Online Tray Icon

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
backup C:\WINDOWS\pss\AOL Companion.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\AOLCOM~1\COMPAN~1.EXE /s
item AOL Companion
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
backup C:\WINDOWS\pss\AOL Companion.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\AOLCOM~1\COMPAN~1.EXE /s
item AOL Companion

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpohmr08.exe
item hp psc 1000 series
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpohmr08.exe
item hp psc 1000 series

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpotdd01.exe
item hpoddt01.exe
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpotdd01.exe
item hpoddt01.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkCommon Startup
location Common Startup
command C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
item MyWebSearch Email Plugin
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkCommon Startup
location Common Startup
command C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
item MyWebSearch Email Plugin

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Kelly Davis^Start Menu^Programs^Startup^Corel Desktop Application Director.LNK
path C:\Documents and Settings\Kelly Davis\Start Menu\Programs\Startup\Corel Desktop Application Director.LNK
backup C:\WINDOWS\pss\Corel Desktop Application Director.LNKStartup
location Startup
command C:\Corel\Office7\Dad7\QUICK.EXE
item Corel Desktop Application Director
path C:\Documents and Settings\Kelly Davis\Start Menu\Programs\Startup\Corel Desktop Application Director.LNK
backup C:\WINDOWS\pss\Corel Desktop Application Director.LNKStartup
location Startup
command C:\Corel\Office7\Dad7\QUICK.EXE
item Corel Desktop Application Director

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Kelly Davis^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk
path C:\Documents and Settings\Kelly Davis\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup
location Startup
command C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
item MyWebSearch Email Plugin
path C:\Documents and Settings\Kelly Davis\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup
location Startup
command C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
item MyWebSearch Email Plugin

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Kelly Davis^Start Menu^Programs^Startup^PerfectPrint.LNK
path C:\Documents and Settings\Kelly Davis\Start Menu\Programs\Startup\PerfectPrint.LNK
backup C:\WINDOWS\pss\PerfectPrint.LNKStartup
location Startup
command C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE /l-US
item PerfectPrint
path C:\Documents and Settings\Kelly Davis\Start Menu\Programs\Startup\PerfectPrint.LNK
backup C:\WINDOWS\pss\PerfectPrint.LNKStartup
location Startup
command C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE /l-US
item PerfectPrint

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Kelly Davis^Start Menu^Programs^Startup^Scheduler.lnk
path C:\Documents and Settings\Kelly Davis\Start Menu\Programs\Startup\Scheduler.lnk
backup C:\WINDOWS\pss\Scheduler.lnkStartup
location Startup
command C:\PROGRA~1\SPYCAT~1\SCHEDU~1.EXE
item Scheduler
path C:\Documents and Settings\Kelly Davis\Start Menu\Programs\Startup\Scheduler.lnk
backup C:\WINDOWS\pss\Scheduler.lnkStartup
location Startup
command C:\PROGRA~1\SPYCAT~1\SCHEDU~1.EXE
item Scheduler

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\InCD
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item InCD
hkey HKLM
command C:\Program Files\Ahead\InCD\InCD.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item InCD
hkey HKLM
command C:\Program Files\Ahead\InCD\InCD.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MCUpdateExe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item McUpdate
hkey HKLM
command C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item McUpdate
hkey HKLM
command C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NeroFilterCheck
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NeroCheck
hkey HKLM
command C:\WINDOWS\system32\NeroCheck.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NeroCheck
hkey HKLM
command C:\WINDOWS\system32\NeroCheck.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\OASClnt
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item oasclnt
hkey HKLM
command C:\Program Files\McAfee.com\VSO\oasclnt.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item oasclnt
hkey HKLM
command C:\Program Files\McAfee.com\VSO\oasclnt.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickFinder Scheduler
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item QFSCHED
hkey HKLM
command c:\Corel\Office7\Shared\QFinder7\QFSCHED.EXE
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item QFSCHED
hkey HKLM
command c:\Corel\Office7\Shared\QFinder7\QFSCHED.EXE
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RealTray
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item RealPlay
hkey HKLM
command C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item RealPlay
hkey HKLM
command C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item jusched
hkey HKLM
command C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item jusched
hkey HKLM
command C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\USB Storage Toolbox
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Res
hkey HKLM
command C:\Program Files\USBToolbox\Res.EXE
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Res
hkey HKLM
command C:\Program Files\USBToolbox\Res.EXE
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\VirusScan Online
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mcvsshld
hkey HKLM
command C:\Program Files\McAfee.com\VSO\mcvsshld.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mcvsshld
hkey HKLM
command C:\Program Files\McAfee.com\VSO\mcvsshld.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\VSOCheckTask
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mcmnhdlr
hkey HKLM
command "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mcmnhdlr
hkey HKLM
command "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\# L"h'9Ӝ3rWC:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\# L"h'9Ӝ3rWC:\Program Files

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 2


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoDriveAutoRun -1


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs interceptor.dll


Scan Complete
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 12/29/2005 12:43:18 PM

#12 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 31 December 2005 - 07:35 AM

OK,go to Add\Remove Programs and Remove "My Web Search" if you did not intentionally install it!


Click Start-> Run-> Type in Services.msc and Click OK

Scroll that list and locate this entry

Zesoft

Right Click that entry and Select Properties-> Click Stop-> Go up and change the Startup Type to Disabled

Click Apply-> OK and Exit the Services Page


Click Start-> Run-> Copy&Paste the bold text below into the Open Box and Click OK

sc delete zesoft


Download Reglite from here
http://www.resplendence.com/download/rrtri.exe

Install Reglite and Open it.

Copy&Paste the line below into the address bar

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

Look in the larger right hand window and locate ZESOFT<- Right Click and Delete if found.

Do the exact same for this entry as well

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

Look in the larger right hand window and locate # L"h'9Ӝ3rWC<- Right Click and Delete if found.


Now search for these files and delete if found

C:\Windows\zeta.exe

C:\Documents and Settings\Kelly Davis\Application Data\wklnhst.dat


Have you tried making some registry changes since the last post?

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

NoDriveAutoRun -1 :thumbsup:

#13 memutt

memutt
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:05:03 PM

Posted 31 December 2005 - 11:03 AM

Happy New Year Cretemonster,

Haven't performed the above actions because I can't find zesoft nor did the mysearch bar item appear in the add remove programs window. I didn't want to proceed in the wrong order in case that would cause unwanted results.

To answer your question about the registry. I have not intentionally made any changes. that doesn't mean I didn't, but am regrettablly to ignorant to know the difference. as it is I am at the mercy of your honesty and hoping you will not lead me into problems here I couldn't even dream of. That confession made I have just left my self wide open for trouble. :thumbsup: I am hoping all will be well. lol

Thanks for your help, I will proceed with the above instructions to the best of my ability once I know that skipping the steps which have not yeilded info is okay.

Memutt

Edited by memutt, 31 December 2005 - 11:07 AM.


#14 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 31 December 2005 - 12:47 PM

We are going to take this slowly with the understanding that I consult with many others about this particular issue before replying.

We have many trusted eyes looking in.

First thing,do you have the Windows Operating System CD

If so,what Service Pak Version is it?


Now,for the last instructions,go ahead and proceed as they will not affect a thing.

Also,Copy the text below into a blank notepad page and Save it to the desktop as Fix.reg

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveAutoRun"=0


Now double click Fix.reg and allow it to merge into the registry.


Next,Download and Save Blacklight to your desktop:

Double-click blbeta.exe then accept the agreement, leave [X]scan through Windows Explorer checked, click > scan then > next

You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe"


Also,Please download Rootkit Revealer (link is at the very bottom of the page)
  • Unzip it to your desktop.
  • Open the rootkitrevealer folder and double-click rootkitrevealer.exe
  • Click the Scan button (bottom right)
  • It may take a while to scan (don't do anything while it's running)
  • When it's done, go up to File > Save. Choose to save it to your desktop.
  • Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here
Go ahead with all my previous instructions and then run those 2 scans and lets see the results of those.

#15 memutt

memutt
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  

Posted 31 December 2005 - 02:58 PM

meant no offense, sorry.




12/31/05 10:46:07 [Info]: BlackLight Engine 1.0.30 initialized
12/31/05 10:46:07 [Info]: OS: 5.1 build 2600 (Service Pack 2)
12/31/05 10:46:08 [Note]: 7019 4
12/31/05 10:46:08 [Note]: 7005 0
12/31/05 10:46:38 [Note]: 7006 0
12/31/05 10:46:38 [Note]: 7011 1472
12/31/05 10:46:39 [Note]: 7018 1512
12/31/05 10:46:39 [Info]: Hidden process: C:\Program Files\SpyCatcher 2006\Protector.exe
12/31/05 10:46:41 [Note]: FSRAW library version 1.7.1014
12/31/05 10:47:48 [Note]: 7007 0



C:\Documents and Settings\All Users\Application Data\Tenebril\SpyCatcher\HiddenFiles.txt 12/30/2005 7:57 PM 129.24 KB Hidden from Windows API.
C:\Documents and Settings\All Users\Application Data\Tenebril\SpyCatcher\QuarantinedExecutables.txt 12/30/2005 7:57 PM 1.31 KB Hidden from Windows API.
C:\Documents and Settings\All Users\Application Data\Tenebril\SpyCatcher\QuarantinedLibraries.txt 12/30/2005 7:57 PM 937 bytes Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010007.ci 12/31/2005 11:19 AM 4.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010007.dir 12/31/2005 11:19 AM 340 bytes Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiFLfffc.000 12/31/2005 11:08 AM 240 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\CiFLfffc.001 12/31/2005 11:08 AM 64.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\CiFLfffc.002 12/31/2005 11:08 AM 64.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\CiFLfffd.000 12/31/2005 11:20 AM 240 bytes Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiFLfffd.001 12/31/2005 11:20 AM 64.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiFLfffd.002 12/31/2005 11:20 AM 64.00 KB Hidden from Windows API.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users