
Default Browser Keeps Changing Back To IE


14 replies to this topic

#1 applesauce1234

applesauce1234

  • Members
  • 188 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada
  • Local time:07:37 AM

Posted 29 May 2006 - 01:17 AM

Hey There

I have been having a browser problem, and no one in the general forum was able to help me out... TJ1911, a group moderator, suggested that I bring this problem to the HijackThis team... I recently downloaded and installed Mozilla FireFox... everything is working fine with FireFox, but I noticed that I am unable to set it as my default browser... the option comes up every time if I want it to be my default browser, I always click yes, but the message comes back every time I open FireFox...

some programs, such as WordPerfect recognize that FireFox is the default and will open URLs with it; others, however, such as MSN Messenger, still use IE6.0

I did all of the required steps, and here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:11:04 AM, on 29/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\AVG\avgcc.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Soulseek\slsk.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbc.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.ca/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://fcp.sympatico.ca/fcp.aspx?lang=en&at=sa
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVG\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://maps.city.peterborough.on.ca/MapGui...13/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124729924656
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1141870139125
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by114fd.bay114.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe



Any ideas would be greatly appreciated!! Thanks!


Colin Weadick



#2 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,595 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:37 AM

Posted 29 May 2006 - 11:43 AM

Hi colinweadick,

I don't see any malware in your log but let's try some things using HijackThis and some other deep scanners. tg1911 asked me to look at your other thread that is here: http://www.bleepingcomputer.com/forums/ind...topic=53789&hl=

Something fishy that could be malware related is this that you posted in that thread:

uninstalling an item called "Internet Explorer Default Browser" from Add/Remove Program

I've never heard of such a program and the name is so generic I can't get any results in Google to research what it might be. The more you can tell me about what you know about it would be most helpful to both of us. Do you remember when this started happening and when you saw that program in Add/Remove for the first time? Perhaps it happened to appear about the same time you started using BitTornado? I personally don't use bit torrents or other downloaders/file-sharing apps so am not very familiar with them, but on a hunch, it might be that Bit Tornado needs IE as default.

You have a few items that aren't malicious except for one bit of grayware, but that can be tidied up with HJT. Looking over your past threads, I see that you have now uninstalled Norton, so you should have no need for the O16's. It's doubtful that removing them will solve your default browser problem--but with computers and Norton sometimes you just never know.

So let's try the following and see what happens and I'll have some other ideas for you later if need be:

Scan again with HijackThis 1.99.1. Put a checkmark by the following entries, double-checking to be sure that only these entries are checked:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab



Close all other windows--you should only see HijackThis on your Desktop--and then click the "Fix checked" button.

If you don't still have ewido installed please download and install it again. It is a very effective scanner and remover even when the trial runs out and I suggest you keep it in your arsenal.

Download and install Ewido Security Suite.
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
- Launch Ewido by double-clicking the desktop icon.
- You may get a message that the database could not be found. This is normal-- click the OK button.
- The program will now go to the main screen.
- On the left hand side of the main screen click update.
- Click on Start update.
- The update will start and a progress bar will show the updates being installed.
Once the updates are installed close Ewido.

If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Reboot your computer into Safe Mode and do the following:
  • Open ewido and click on scanner
    • Click on scanner
    • Click on Complete System Scan and the scan will begin.
    • NOTE: During some scans with ewido it is finding cases of false positives.
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.

Run these two online scanners using IE. Panda will remove some true viruses/trojans, but only report "spyware" and KAV reports only. I mainly want to see the logs they produce.

Perform an online scan with Panda:
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a few minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report.

Since you've run ActiveScan before you may just need to do the following:

Click Scan Your PC.
A new window will pop up. (You may need to click on the Information Bar in IE to allow the popup.)
Click Check Now
Fill in details (email, etc.), accept agreement then click Scan Now.

Please perform this online scan: Kaspersky Webscan
1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
NOTE: If you are running XP SP2, you may need to click on the Information Bar to allow the ActiveX to install and may need to repeat step 1.
3. Select "Install" to download the ActiveX controls that allow ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. When the download is complete it will say ready, click "Next"
6. Click "Scan Settings" and check the option to use the EXTENDED DATABASE, then click "OK"
7. Select a target to scan: Click on "My Computer"
8. When the scan is complete choose to save the results as "Save as Text"
9. Post the Kaspersky scan results in your next reply.

Scan again with HijackThis and produce a new log to post along with the logs from the other scanners:

1. Ewido
2. Panda
3. Kaspersky

And let me know if anything has solved the problem.

The thing about people

is they change

when they walk away.--Mipso


#3 applesauce1234

applesauce1234
  • Topic Starter

  • Members
  • 188 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada
  • Local time:07:37 AM

Posted 29 May 2006 - 08:29 PM

Hey There Papakid

Thanks for the feedback!

First of all, with regards to the "Internet Explorer Default Browser" thing from Add/Remove Program... i dont know what to tell you... i just remembered seeing it there in my list, and since I didnt want to use it anymore, I uninstalled it...

I have been using BitTornado to download files for about 8 months, and just recently switched over to FireFox... I get the FireFox browser issue, even if BitTornado is not open. I could reinstall it, and see if it says anything about requiring IE, if you think it might help.

Second of all, those Symantec items... i noticed that in RegEdit, I am unable to delete any of the registry entries for Symantec... it just says that there is an error... i uninstalled symantec using the online removal tool from their website, and tried to

registry cleaners, such as Crap Cleaner, are unable to eliminate those Symantec entries... i dont know if its related to anything, but i thought i would let you know...

third, after following your steps, I still have the browser problem... so here are the results of the scans...

1 - Ewido

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 3:38:54 PM, 29/05/2006
+ Report-Checksum: EEED6950

+ Scan result:

:mozilla.8:C:\Documents and Settings\Colin\Application Data\Mozilla\Firefox\Profiles\p9hjvbi3.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20060529-142641-732.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup


::Report End

2 - Panda


Incident Status Location

Adware:adware/mediatickets Not disinfected Windows Registry
Adware:adware/wupd Not disinfected Windows Registry

3 - Kaspersky

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, May 29, 2006 9:10:37 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 30/05/2006
Kaspersky Anti-Virus database records: 197113
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 54798
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 00:42:07

Infected Object Name / Virus Name / Last Action
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP101\A0018872.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped

Scan process completed.

4 - Newest HJT scan

Logfile of HijackThis v1.99.1
Scan saved at 9:12:14 PM, on 29/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\AVG\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\AVG\avgamsvr.exe
C:\PROGRA~1\AVG\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido security suite\ewidoctrl.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.ca/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://fcp.sympatico.ca/fcp.aspx?lang=en&at=sa
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVG\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://maps.city.peterborough.on.ca/MapGui...13/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124729924656
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1141870139125
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by114fd.bay114.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

There you go... hope you can make something of it!

I cant think of anything to tell you... one thing that seems odd is that I am unable to tell if I am the administrator... the reason i say that is because if i log off windows in regular mode, there is only my login available... there is no "admin"... which leads me to believe that I am in fact the admin... but if i restart in safe mode, then there are two logins, mine and the admin... if i go to control panel/user accounts, it says that there exists only one login, and thats mine... it also says that I am the admin...

take care

Colin Weadick

Edited by colinweadick, 29 May 2006 - 08:30 PM.


#4 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,595 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:37 AM

Posted 30 May 2006 - 11:10 PM

Hi Colin, sorry for the delay.

Those logs look pretty clean. A couple of reg entries that may be harmless leftovers of previous infections, but Panda doesn't say exactly which reg entries are a problem. We'll look into this a little closer later.

Let's try something simple first. It may not help, but SpywareGuard has been known to prevent registry settings changes whether good or bad.

Right click the running icon of Spywareguard, it will open the program.
Then go to Menu, file, exit.
Then confirm the program is closed.

Now see if you can get the setting for Firefox as default to hold. Also fix the following line, as it didn't go away:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

i noticed that in RegEdit, I am unable to delete any of the registry entries for Symantec... it just says that there is an error... i uninstalled symantec using the online removal tool from their website, and tried to

registry cleaners, such as Crap Cleaner, are unable to eliminate those Symantec entries... i dont know if its related to anything, but i thought i would let you know...

You can try deleting those reg entries also if Ff being the default browser holds. But exactly which reg entries are you trying to delete? I don't see any leftovers in the HJT log. Norton is a bear to get rid of and don't know as I'd trust the online removal procedure. It's also fairly common for reg cleaners to delete the wrong thing in the registry and can do more harm than good. What did you use besides CCleaner?

As far as Bit torrent, best I can tell you is to open that program and see if there are any settings in there having to do with default browser.

one thing that seems odd is that I am unable to tell if I am the administrator... the reason i say that is because if i log off windows in regular mode, there is only my login available... there is no "admin"... which leads me to believe that I am in fact the admin... but if i restart in safe mode, then there are two logins, mine and the admin... if i go to control panel/user accounts, it says that there exists only one login, and thats mine... it also says that I am the admin...

That's normal for XP Home. You're confusing the name of the Admin account with accounts having administrative privileges. If, for example, your main login account is named Colin, and when you created the account you chose to be an administrator rather than Limited, then Administrator will appear by Colin on the login screen and in Control Panel Accounts. You can create as many accounts as you want with administrative privileges and name the account whatever you want--like Bob, Clarice, etc.

In XP Home there is an account that is named Administrator that can only be accessed in Safe Mode.

Please post a new HJT log and let me know if disabling SpywareGuard has helped.

The thing about people

is they change

when they walk away.--Mipso
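
Added example, not part of the original posts: a small Python sketch of the check done by eye above, comparing two HijackThis logs to see which "Fix checked" entries are still present and what appeared between scans. The function names are hypothetical, and the sample lines are a short excerpt constructed from the logs posted in this thread.

```python
import re

# A HijackThis entry line is "<section code> - <details>",
# e.g. "O16 - DPF: {...} (Name) - http://...". Header lines and the
# "Running processes" paths do not match this shape and are skipped.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")


def parse_entries(log_text):
    """Return the set of (section_code, details) entries found in a log."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            # Collapse runs of whitespace so copy/paste damage does not
            # make the same entry look different in two logs.
            body = " ".join(m.group("body").split())
            entries.add((m.group("code"), body))
    return entries


def diff_logs(before_text, after_text):
    """Entries removed, added and kept between an earlier and a later scan."""
    before, after = parse_entries(before_text), parse_entries(after_text)
    return {
        "removed": sorted(before - after),
        "added": sorted(after - before),
        "kept": sorted(before & after),
    }


def still_present(checked_text, after_text):
    """Entries that were ticked for fixing but show up again in the later scan."""
    return sorted(parse_entries(checked_text) & parse_entries(after_text))


# Constructed excerpt of the first log in the thread (2:11 AM scan).
BEFORE = r"""
Logfile of HijackThis v1.99.1
Scan saved at 2:11:04 AM, on 29/05/2006
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
"""

# Constructed excerpt of the second log in the thread (9:12 PM scan).
AFTER = r"""
Logfile of HijackThis v1.99.1
Scan saved at 9:12:14 PM, on 29/05/2006
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido security suite\ewidoctrl.exe
"""

# Constructed excerpt of the entries that were to be checked and fixed.
CHECKED = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
"""

if __name__ == "__main__":
    for code, body in still_present(CHECKED, AFTER):
        print("not fixed:", code, "-", body)
    changes = diff_logs(BEFORE, AFTER)
    for kind in ("removed", "added"):
        for code, body in changes[kind]:
            print(kind + ":", code, "-", body)
```

New entries are not automatically suspicious: in this excerpt both additions come from the scanners that were installed between the two scans.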


#5 applesauce1234

applesauce1234
  • Topic Starter

  • Members
  • 188 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada
  • Local time:07:37 AM

Posted 31 May 2006 - 12:08 AM

Hey Papakid

Thanks for the reply...

first off, thanks for the info on user accounts... i figured i was the admin, but i thought it was strange how i could see another one named administrator, but just in safe mode... thanks for clearing that up...

second, i couldnt find any settings in bittornado that had to do with a browser...

third, as for the registry entries, if i do a scan doing CCleaner, about twenty items come up that say ***CC***... something that has to do with symantec... i can see them all in RegEdit, but am unable to delete them... even if i click on them, an error message comes up...

fourth, FF still doesn't want to be the default browser... i click check now to see if it is the DB, then it says it's not and asks me if i want it to be... i click yes, and then click check now again, and it just keeps repeating...

fifth, disabling spyware guard didnt change anything re: FF...

Logfile of HijackThis v1.99.1
Scan saved at 1:06:09 AM, on 31/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\avgamsvr.exe
C:\PROGRA~1\AVG\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido security suite\ewidoctrl.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\AVG\avgcc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://fcp.sympatico.ca/fcp.aspx?lang=en&at=sa
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVG\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://maps.city.peterborough.on.ca/MapGui...13/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124729924656
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1141870139125
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by114fd.bay114.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe



Colin

#6 Papakid


Posted 01 June 2006 - 05:58 PM

Hey Colin, sorry for the delay.

I want to let you know I'll be out of town til late tomorrow. I've been experimenting with an idea of how to fix your problem but haven't reached a point with it that I think is safe for you to try yet.

Two other things I'm looking at. Either Norton messed something up in the registry so you can't make changes like you should, or one of your reg cleaners fixed something it shouldn't have.

Let's try this while I'm gone.

Go to the following page and follow those instructions for removing Norton exactly if those are the versions of Norton you had installed.
http://service1.symantec.com/SUPPORT/share...=&osv_lvl=&seg=

Disable AVG and Kerio before you run it and you may want to try uninstalling first. See if that helps.

The thing about people

is they change

when they walk away.--Mipso


#7 applesauce1234


Posted 01 June 2006 - 06:50 PM

hey papakid... thanks for the reply.....

so i uninstalled kerio, avg and spywareguard... ran the norton tool... then reinstalled just kerio and avg

still no luck... let me know when you get back!

you said: "I've been experimenting with an idea of how to fix your problem but haven't reached a point with it that I think is safe for you to try yet."

is that because it's really complicated? is there any way that we could do a remote computer fix? or is that more trouble than it's worth? whatever you think will work best is the way to go!

colin

#8 Papakid


Posted 04 June 2006 - 11:46 AM

Hey Colin,

Well, doing a remote fix isn't a bad idea in itself but there are several reasons why I can't do it. One is that I'm not enough of a registry guru to know exactly what to fix but if I did it could be done thru the use of a reg file that would make the remote session unnecessary.

I have an idea of what needs to be changed in the registry but have not been able to isolate it exactly. And I still don't know what might be causing it to not "hold".

To be honest, there is probably an easy fix for this problem. It could be that either Norton or one of those reg cleaners has corrupted your main user profile. This has happened to me before after switching AV's and firewall, etc.--couldn't really isolate which program exactly caused the problem. But I couldn't get IE to retain cookies and Windows Media player wouldn't work correctly. I went to Control Panel and created a new user account with Administrative privileges. Problem solved.

So you might try that. The drawback is if you want to make the new account your main one, it's a hassle to get the new profile set up like you want it if you've done much customization and some programs you'll have to reinstall. Just transferring all your files over so they are more readily accessible is pretty easy.

If what is causing the problem is global however (IOW not specific to your login), this won't work. But you might try it just to see, and if the problem is solved I'll help you with what else you need to do to get set up.

I can go over what I was doing in my experiment if you're interested in that, but let's try that later. I'd like to see if we can find anything else lying around in the form of malware and maybe find out where those reg entries are that Panda found. We might even find what's causing the default not to hold. Please do the following:

Download Silentrunners from this page:

http://www.silentrunners.org/sr_scriptuse.html

Read over the instructions on that page.

Run the SilentRunners.vbs file. If your antivirus has a script blocker, you will get a warning asking if you want to allow SilentRunners.vbs to run. It might say something like "Malicious Script Warning". This script is not malicious so you are safe in allowing it to run.

When it has finished it will produce a Startup Programs text file. Copy and paste that text file here in your next reply.

Download WinPFind from here: http://www.bleepingcomputer.com/files/winpfind.php

Follow the instructions on that page for setting up and running it. When the scans are complete, please post the logs for both Silent Runners and WinPFind.



#9 applesauce1234


Posted 04 June 2006 - 01:54 PM

Hey there Papakid

Thanks for the tips

I made a new User account, gave it admin privileges, and took away privileges for my former admin account... it still didn't work... so i switched back and deleted the new account...

I really don't understand anything about registry entries, but i am quite sure that i have errors with certain norton files... i shouldn't have any traces of Norton left, but in Regedit, there are a number of symantec files that cannot be deleted... do you think they could be connected to the problem?

Anyway, here are the logs, starting with WinPFind:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
SAHAgent 02/06/2006 2:25:06 PM 12704684 C:\AVG7QT.DAT
abetterinternet.com 02/06/2006 2:25:06 PM 12704684 C:\AVG7QT.DAT

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 22/08/2004 6:04:56 PM 69120 C:\WINDOWS\daemon.dll

Checking %System% folder...
aspack 18/03/2005 5:19:58 PM 2337488 C:\WINDOWS\SYSTEM32\d3dx9_25.dll
aspack 26/05/2005 4:34:52 PM 2297552 C:\WINDOWS\SYSTEM32\d3dx9_26.dll
aspack 22/07/2005 7:59:04 PM 2319568 C:\WINDOWS\SYSTEM32\d3dx9_27.dll
aspack 05/12/2005 6:09:18 PM 2323664 C:\WINDOWS\SYSTEM32\d3dx9_28.dll
aspack 03/02/2006 8:43:16 AM 2332368 C:\WINDOWS\SYSTEM32\d3dx9_29.dll
aspack 31/03/2006 12:40:58 PM 2388176 C:\WINDOWS\SYSTEM32\d3dx9_30.dll
PEC2 04/08/2004 6:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 06/02/2006 3:41:52 PM 574976 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 06/02/2006 3:41:52 PM 574976 C:\WINDOWS\SYSTEM32\DivX.dll
PTech 17/05/2006 11:23:38 AM 579888 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 04/05/2006 12:26:22 AM 5818784 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 04/05/2006 12:26:22 AM 5818784 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 04/08/2004 6:00:00 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 04/08/2004 6:00:00 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 06/02/2004 9:29:20 AM 23040 C:\WINDOWS\SYSTEM32\Shadow.ocx
winsync 04/08/2004 6:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 01/06/2006 7:24:46 PM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 01/06/2006 7:24:46 PM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 01/06/2006 7:24:46 PM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 01/06/2006 7:24:46 PM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts
127.0.0.1 abetterinternet.com #[Downloader.Stubby.A]
127.0.0.1 belt.abetterinternet.com
127.0.0.1 c.abetterinternet.com #[Adware-BetterInet application]
127.0.0.1 download.abetterinternet.com #[Adware.StopPopupAdsNow]
127.0.0.1 download2.abetterinternet.com #[Parasite.Transponder]
127.0.0.1 s.abetterinternet.com
127.0.0.1 thinstall.abetterinternet.com
127.0.0.1 www.abetterinternet.com
127.0.0.1 www.shopathomeselect.com #[Adware.SAHAgent]

SAHAgent 21/03/2006 4:10:02 AM 462696 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.20060324-020835.backup
abetterinternet.com 21/03/2006 4:10:02 AM 462696 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.20060324-020835.backup
SAHAgent 24/03/2006 3:08:36 AM R 462779 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.msn
abetterinternet.com 24/03/2006 3:08:36 AM R 462779 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.msn

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
01/06/2006 7:27:00 PM S 2048 C:\WINDOWS\bootstat.dat
04/06/2006 1:57:06 AM H 54156 C:\WINDOWS\QTFont.qfn
29/05/2006 3:42:02 PM HS 58880 C:\WINDOWS\Thumbs.db
06/04/2006 6:49:52 PM HS 848 C:\WINDOWS\system32\KGyGaAvL.sys
17/05/2006 11:24:42 AM S 7160 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WGA.cat
10/04/2006 1:01:22 PM S 7160 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WgaNotify.cat
04/06/2006 8:00:10 AM H 1024 C:\WINDOWS\system32\config\default.LOG
01/06/2006 7:27:02 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
04/06/2006 8:27:20 AM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
04/06/2006 2:13:28 PM H 1024 C:\WINDOWS\system32\config\software.LOG
04/06/2006 2:11:04 PM H 1024 C:\WINDOWS\system32\config\system.LOG
04/06/2006 2:19:08 AM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
12/04/2006 10:12:22 PM S 558 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\A44F4E7CB3133FF765C39A53AD8FCFDD
12/04/2006 10:12:22 PM S 146 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\A44F4E7CB3133FF765C39A53AD8FCFDD
26/04/2006 12:19:26 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\014c39c4-d16e-4fc7-bbb8-463947d148c2
26/04/2006 12:19:26 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
26/04/2006 12:18:48 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\09d5591c-ace9-4167-9774-a4347c4e635f
26/04/2006 12:18:48 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
04/06/2006 2:19:02 AM H 370 C:\WINDOWS\Tasks\MP Scheduled Scan.job
01/06/2006 7:27:02 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
25/05/2004 11:06:58 AM 417792 C:\WINDOWS\SYSTEM32\ac3filter.cpl
Microsoft Corporation 04/08/2004 6:00:00 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 04/08/2004 6:00:00 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Borland Software Corporation 07/10/2003 2:39:00 PM 184320 C:\WINDOWS\SYSTEM32\bdeadmin.cpl
Microsoft Corporation 04/08/2004 6:00:00 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 04/08/2004 6:00:00 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 04/08/2004 6:00:00 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 04/08/2004 6:00:00 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation 20/09/2005 9:35:12 AM 77824 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 04/08/2004 6:00:00 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 04/08/2004 6:00:00 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 04/08/2004 6:00:00 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 04/08/2004 6:00:00 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 10/11/2005 2:03:50 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 04/08/2004 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 04/08/2004 6:00:00 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 04/08/2004 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 04/08/2004 6:00:00 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 04/08/2004 6:00:00 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
09/03/2006 3:29:00 PM 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 04/08/2004 6:00:00 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 04/08/2004 6:00:00 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Intel® Corporation 09/12/2004 2:44:58 PM 77824 C:\WINDOWS\SYSTEM32\PRApplet.cpl
Microsoft Corporation 04/08/2004 6:00:00 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 04/08/2004 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 04/08/2004 6:00:00 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 04/08/2004 6:00:00 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 26/05/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 04/08/2004 6:00:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 04/08/2004 6:00:00 AM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 04/08/2004 6:00:00 AM 110592 C:\WINDOWS\SYSTEM32\dllcache\bthprops.cpl
Microsoft Corporation 04/08/2004 6:00:00 AM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 04/08/2004 6:00:00 AM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 04/08/2004 6:00:00 AM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 04/08/2004 6:00:00 AM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 04/08/2004 6:00:00 AM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 04/08/2004 6:00:00 AM 380416 C:\WINDOWS\SYSTEM32\dllcache\irprops.cpl
Microsoft Corporation 04/08/2004 6:00:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 04/08/2004 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 04/08/2004 6:00:00 AM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 04/08/2004 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 04/08/2004 6:00:00 AM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 04/08/2004 6:00:00 AM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 04/08/2004 6:00:00 AM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 04/08/2004 6:00:00 AM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 04/08/2004 6:00:00 AM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 04/08/2004 6:00:00 AM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 04/08/2004 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 04/08/2004 6:00:00 AM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 04/08/2004 6:00:00 AM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 26/05/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
Intel Corporation 23/01/2005 5:33:44 PM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0008\DriverFiles\igfxcpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...

Checking files in %ALLUSERSPROFILE%\Application Data folder...
10/08/2004 1:57:42 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
04/11/2005 2:24:04 PM 2627 C:\Documents and Settings\All Users\Application Data\hpzinstall.log
29/05/2006 9:39:50 PM 1755 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
10/08/2004 1:57:42 PM HS 62 C:\Documents and Settings\Colin\Application Data\desktop.ini
24/07/2005 11:10:46 PM 12358 C:\Documents and Settings\Colin\Application Data\PFP120JCM.{PB
24/07/2005 11:10:46 PM 61678 C:\Documents and Settings\Colin\Application Data\PFP120JPR.{PB

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BitDefender Antivirus v8
{D653647D-D607-4DF6-A5B8-48D2BA195F7B} =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\Spybot\SDHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{21569614-B795-46B1-85F4-E737A8DC09AD}
Shell Search Band = %SystemRoot%\system32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\system32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\system32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\system32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
IgfxTray C:\WINDOWS\system32\igfxtray.exe
HotKeysCmds C:\WINDOWS\system32\hkcmd.exe
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
nwiz nwiz.exe /install
NvMediaCenter RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
AVG7_CC C:\PROGRA~1\GRISOF~1\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CTFMON.EXE C:\WINDOWS\system32\ctfmon.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments
ScanWithAntiVirus 3


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoActiveDesktopChanges 0
NoCDBurning 0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID
{17492023-C23A-453E-A040-C7C580BBF700} 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} =
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
DisableTaskMgr 0


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
= WgaLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 04/06/2006 2:14:17 PM



"Silent Runners.vbs", revision 45, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"AVG7_CC" = "C:\PROGRA~1\GRISOF~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]
{8b15971b-5355-4c82-8c07-7e181ea07608}\(Default) = "Fax"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser" [MS]
{94de52c8-2d59-4f1b-883e-79663d2d9a8c}\(Default) = "Fax Provider"
\StubPath = "rundll32.exe C:\WINDOWS\system32\Setup\FxsOcm.dll,XP_UninstallProvider" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\Spybot\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"
-> {HKLM...CLSID} = "ShellLink for Application References"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"
-> {HKLM...CLSID} = "Shell Icon Handler for Application References"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\msohev.dll" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
-> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
\InProcServer32\(Default) = "C:\PROGRA~1\WIFD1F~1\MpShHook.dll" [MS]
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\ewido security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! WgaLogon\DLLName = "WgaLogon.dll" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Colin\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]


Enabled Scheduled Tasks:
------------------------

"MP Scheduled Scan" -> launches: "C:\Program Files\Windows Defender\MpCmdRun.exe Scan -ScanType config -Privileges restricted" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{21569614-B795-46B1-85F4-E737A8DC09AD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\GRISOF~1\avgemc.exe" ["GRISOFT, s.r.o."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\GRISOF~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\GRISOF~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido security suite\ewidoctrl.exe" ["ewido networks"]
HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\system32\HPZipm12.exe" ["HP"]
Windows Defender Service, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
PCL Language Monitor\Driver = "hpz3l3xu.dll" ["Hewlett-Packard Company"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 43 seconds, including 18 seconds for message boxes)


Colin

#10 Papakid

  • Malware Response Team

Posted 08 June 2006 - 12:31 PM

Hi Colin, sorry for taking so long to get back to you. There are several things I'm looking at in your last logs but it's taking some time to research and I'm pretty swamped.

I'll get back with you as soon as I can on some things that can be fixed, but for now there is some more information I need.

1. I see Windows Defender running, but you don't have a normal startup entry for it, which is rather strange. Did you uninstall this program? Or make some tweak so it doesn't run at startup? This is another program whose protection portion can prevent changes, so could be the source of the problem.

2. Have you been using Nvidia's Desktop Explorer, i.e., you have more than one desktop? Or the one you're using has been customized? Did you turn off ActiveDesktop yourself?

I'll need to know more about that before knowing what all to fix. I'd also like to see what all you have installed by making a list of programs in Add/Remove.

Open HijackThis.

If you still have the New Users Quickstart screen enabled, click Open Misc Tools Section.
If you just have the regular opening screen, click the Config... button then the Misc Tools button.

Now click the Open Uninstall Manager button, then the Save List button. Save the list somewhere convenient like My Documents and then the list will open in Notepad. Copy and Paste that list into your next reply to this post.

Also include a fresh HijackThis log.

As far as you being unable to remove Norton leftovers in the registry, yes that may be part of the problem. Norton uses some techniques to protect itself in order that it not be tampered with. That's one reason it takes a removal tool to uninstall it now. Plus the other two files in that last page I linked you to. That is why it is important to follow those uninstall instructions exactly. If you did, either that method of uninstalling just didn't work, or something else is restricting changes to the registry.

Some shell extensions related to Norton showed up in those last logs. In my next post we'll try fixing them to see if that helps.

The thing about people

is they change

when they walk away.--Mipso


#11 applesauce1234


Posted 08 June 2006 - 01:56 PM

Hey Papakid

Well, I just uninstalled Windows Defender... I can reinstall later.

Also, a few days ago I bought and installed an nVidia graphics card... but I had this FireFox problem before I installed the card, so I don't think it's related... desktop manager is DISABLED for nVidia... I'm afraid I don't know what you mean by "Did you turn off ActiveDesktop yourself?" I don't know if I did, nor do I know how to check...

Here's the add/remove programs list from HJT:

{403EF592-953B-4794-BCEF-ECAB835C2095}
{7585478E9D9B42108671C12F8714CEFE}
Ad-Aware SE Personal
Adobe Reader 7.0.7
AVG Free Edition
BitTornado 0.3.15
CCleaner (remove only)
DAEMON Tools
DeepBurner v1.8.0.224
Dell Driver Reset Tool
Dell Support 5.0.0 (630)
DivX
DivX Converter
DivX Player
EasyCleaner
ewido security suite
FruityLoops v3.56 Full
Google Earth
HijackThis 1.99.1
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB912475)
Hotfix for Windows XP (KB915865)
Intel® 537EP V9x DFV PCI Modem
Intel® Extreme Graphics 2 Driver
Intel® PRO Network Adapters and Drivers
Intel® PROSet for Wired Connections
J2SE Runtime Environment 5.0
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_03
Kaspersky On-line Scanner
K-Lite Mega Codec Pack 1.51
Macromedia Flash Player
Macromedia Flash Player 8
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Office PowerPoint Viewer 2003
Microsoft Windows XP Video Decoder Checkup Utility
Mozilla Firefox (1.5.0.4)
MSN Messenger 7.5
MultiRes (remove only)
NVDVD
NVIDIA Drivers
Nvidia Omega Drivers Setup Files
OpenOffice.org 2.0
Panda ActiveScan
PC Camera (6029 CIF)
Quake 4™
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
SiSoftware Sandra Lite 2007 (Win64/32/CE)
Sony USB Driver
SoulSeek Client 156c
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Sunbelt Kerio Personal Firewall
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB912945)
VideoLAN VLC media player 0.8.5
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer Clean Up
Windows Media Connect
Windows Media Player 10
Windows Media Player 10
Windows Support Tools
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB893086
WinRAR archiver
WinZip
YP-C1

And here's the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 2:49:37 PM, on 08/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\GRISOF~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\GRISOF~1\avgamsvr.exe
C:\PROGRA~1\GRISOF~1\avgupsvc.exe
C:\PROGRA~1\GRISOF~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido security suite\ewidoctrl.exe
C:\Program Files\Sunbelt Firewall\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Sunbelt Firewall\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sunbelt Firewall\Personal Firewall\kpf4gui.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://fcp.sympatico.ca/fcp.aspx?lang=en&at=sa
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOF~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://maps.city.peterborough.on.ca/MapGui...13/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124729924656
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1141870139125
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by114fd.bay114.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\GRISOF~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\GRISOF~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\GRISOF~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Firewall\Personal Firewall\kpf4ss.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (Omega 1.6693) (P) (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\RpcSandraSrv.exe


Thanks again

Colin

#12 Papakid


Posted 14 June 2006 - 10:21 PM

OK, I've gone over these other logs with a fine tooth comb and don't see any malware that is readily apparent. Neither is it readily apparent to me what could cause your default browser issue.

Although there are still some areas I'd like some more information on. One thing malware related to look at is your hosts files. You have abetterinternet and SAH blocked in your standard HOSTS file at C:\WINDOWS\SYSTEM32\drivers\etc\hosts. If you have modified the hosts file yourself to block certain sites, that's good, I just wonder why sites to just those two infections. More complete hosts files and more info can be found here: The Hosts File and what it can do for you

You also have a hosts.msn file and a backup. I can't see the contents of these files, I would think they block the same two malware sites. From what I can gather the msn one was put there by MSN Messenger, possibly because of connection problems. You can go to the folder C:\WINDOWS\SYSTEM32\drivers\etc\, open hosts.msn in Notepad. If the only IP address you see is 127.0.0.1, then you should be OK. If you want you can delete hosts.msn and the backup file hosts.20060324-020835.backup.

If you want to restore the main hosts file to its original state, do the following:

Download: Hoster
Unzip hoster to its own folder, e.g., C:\Hoster
Start Hoster.exe, click 'Restore Original Hosts' and click OK.

I don't see the reg entries that Panda was flagging, whatever they are they should be harmless.

I do see one key that has been damaged or modified. Run the attached reg file to return this to default. Save it to your desktop and then double-click on it and allow it to merge to your registry.

I'll post back in a bit with another reg file to get rid of some minor Norton leftovers and a stray orphan and have some other things for you to do.



#13 applesauce1234


Posted 14 June 2006 - 10:46 PM

Hey Papakid... thanks for the reply... first of all, I should let you know that I upgraded my memory and installed an nVIDIA graphics card... everything is running smoothly with them, but just to let you know, they are new... I also have a new Microsoft keyboard, and it starts a program that you will see in my HJT log... finally, I am using Diskeeper...

As for your concerns with the hosts file, I don't remember if I blocked abetterinternet or not... what if we deleted all of the blocked entries, and then I reblock them as required?

Second, I opened up the hosts.msn file... you said I should only see one IP address, but there are hundreds... the first number is the one you said... then there is a space, and then there are hundreds of other addresses like the following: 127.0.0.1 000freexxx.com

Third, I deleted the hosts.msn file and the backup...

Fourth, I downloaded and ran Hoster... are all of those blocked sites (e.g. 127.0.0.1 000freexxx.com) now gone?

Fifth, I merged the reg file, as you said.

I'm not sure if you need it, but here's a HJT log...

thanks!

Logfile of HijackThis v1.99.1
Scan saved at 11:42:44 PM, on 14/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\GRISOF~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\GRISOF~1\avgamsvr.exe
C:\PROGRA~1\GRISOF~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Diskeeper\DkService.exe
C:\Program Files\ewido security suite\ewidoctrl.exe
C:\Program Files\Sunbelt Firewall\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sunbelt Firewall\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Firewall\Personal Firewall\kpf4gui.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOF~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://maps.city.peterborough.on.ca/MapGui...13/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124729924656
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1141870139125
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by114fd.bay114.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\GRISOF~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\GRISOF~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\GRISOF~1\avgemc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Firewall\Personal Firewall\kpf4ss.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (Omega 1.6693) (P) (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\RpcSandraSrv.exe
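
The hosts-file check from post #12 ("if the only IP address you see is 127.0.0.1"), applied to a file with hundreds of lines like the one described in post #13, can be scripted instead of read by eye. This is an added example, not part of the original thread: the function names and the sample entries (apart from the one line quoted in the post) are constructed, and treating 0.0.0.0 and ::1 the same as 127.0.0.1 is an assumption that goes beyond what the post says.

```python
import ipaddress
from dataclasses import dataclass, field


def is_sink(addr):
    """True when a hosts entry sends the name to the local machine or nowhere.

    Assumption added here: 0.0.0.0 and ::1 count like 127.0.0.1.
    """
    return addr.is_loopback or addr.is_unspecified


@dataclass
class HostsAudit:
    blocked: list = field(default_factory=list)    # names mapped to a sink address
    redirects: list = field(default_factory=list)  # (line number, ip, name) to review
    malformed: list = field(default_factory=list)  # (line number, raw line)

    @property
    def only_sink_addresses(self):
        # The "you should be OK" condition: nothing points anywhere but the sink.
        return not self.redirects and not self.malformed


def audit_hosts(text):
    """Parse hosts-file text and separate block entries from redirects."""
    audit = HostsAudit()
    text = text.lstrip("\ufeff")  # Notepad may save the file with a BOM
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            audit.malformed.append((lineno, raw))
            continue
        names = [name.lower() for name in fields[1:]]
        if not names:
            audit.malformed.append((lineno, raw))
            continue
        for name in names:
            if is_sink(addr):
                if name != "localhost":  # the stock entry is not a block
                    audit.blocked.append(name)
            else:
                # A name pinned to a real address overrides DNS for that name,
                # so every such line needs an explanation.
                audit.redirects.append((lineno, str(addr), name))
    return audit


# Constructed sample: only the 000freexxx.com line comes from the thread.
SAMPLE_BLOCKLIST = """\
# constructed sample in the shape described in post #13
127.0.0.1       localhost
127.0.0.1 000freexxx.com
127.0.0.1 ads.example.test tracker.example.test  # two names on one line
0.0.0.0 popups.example.test
"""

# Same file with two constructed problem lines appended
# (203.0.113.7 is a documentation-only address).
SAMPLE_WITH_REDIRECT = (
    SAMPLE_BLOCKLIST
    + "203.0.113.7 update.example.test\n"
    + "not-an-ip broken.example.test\n"
)


def report(text):
    """Return a short human-readable verdict for one hosts file."""
    audit = audit_hosts(text)
    lines = [f"{len(audit.blocked)} blocked name(s)"]
    for lineno, ip, name in audit.redirects:
        lines.append(f"line {lineno}: {name} -> {ip} (not a block entry, review)")
    for lineno, raw in audit.malformed:
        lines.append(f"line {lineno}: cannot parse {raw!r}")
    lines.append("OK" if audit.only_sink_addresses else "NEEDS REVIEW")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_BLOCKLIST))
    print(report(SAMPLE_WITH_REDIRECT))
```

To check a real file, pass the text of `C:\WINDOWS\SYSTEM32\drivers\etc\hosts` (or `hosts.msn`) to `report()`.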

#14 Papakid


Posted 14 June 2006 - 11:16 PM

OK, here's the other reg file attached below. Treat it like you did the last and let me know if there are any errors or problems.

Then run Winpfind again and post a new log from it.

Also there are a couple of files I'd like you to check out, one is a legit file that can sometimes be a virus and the other there is not enough info on whether it is legit or not.

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the following files, then click Submit. You will only be able to have one file scanned at a time. Please post back the results of the scan in your next post.

C:\WINDOWS\SYSTEM32\Shadow.ocx
C:\WINDOWS\system32\ctfmon.exe


Regarding not being able to delete Norton/Symantec in regedit, do you get any kind of message saying you can't delete them? If so, please post back exactly the message you get.

I don't know if any of these fixes will solve your problem, or which reg entries you have tried to delete. Try this:

Download Registry Search.

- Create a new folder on your desktop named Regsearch
- Extract regsearch.zip file to the newly created folder.
- Open the Regsearch folder and double click regsearch.exe to start the program.
- Use copy and paste to enter the following bold text to search for and click OK.

Norton
Symantec
Live Update


- Notepad will be opened with text in it (the file will also be saved in the Regsearch folder as well).

Post this text in your next reply.

And one last scan for malware:

Download and Save Blacklight to your desktop.
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
*Double-click blbeta.exe then accept the agreement.
*Leave [X]scan through windows explorer checked,
*Click Scan then Next.
*When the scan is complete you'll see a list of all items found. Don't choose rename yet! I want to see the log first, because legit items such as "wbemtest.exe" can also be present.
*There will be also a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

Thanks for the info on what's new on your system. :thumbsup: And yes, if you are familiar with the hosts file you can block whatever you want or install one of the precompiled hosts files listed in the tutorial I linked you to.

Sorry for taking so long to answer.

Attached Files

  • Attached File  CFix.reg   279bytes   2 downloads



#15 applesauce1234


Posted 15 June 2006 - 11:59 AM

Hey there

The error message I get when opening those Symantec files is:

Cannot open CCListView.cListItem: Error while opening key.

It's the same for all CC files

File: Shadow.ocx
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
MD5: 3b1d316bc6d53d85fba186268e349142
Packers detected: UPX
Scanner results:
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
Fortinet: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
UNA: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing

File: ctfmon.exe
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 24232996a38c0b0cf151c2140ae29fc8
Packers detected: -
Scanner results:
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
Fortinet: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
UNA: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing



REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 15/06/2006 2:23:17 AM for strings:
; 'norton'
; 'symantec'
; 'live update'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2BC66F43-93A8-11D3-BEB6-00105AA9B6AE}\1.0]
@="Norton Internet Security AntiVirus Scan 1.0 Library"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\Compatibility\NortonSystemInfo]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\\Documents and Settings\\All Users\\Application Data\\Symantec\\"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Program Files/Common Files/Symantec Shared/ecmldr32.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Program Files/Common Files/Symantec Shared/SymAData.dll]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceGroupOrder]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\VirtualDeviceDrivers]
; Contents of value:
; C:\PROGRA~1\Symantec\S32EVNT1.DLL
;
"VDD"=hex(7):43,3a,5c,50,52,4f,47,52,41,7e,31,5c,53,79,6d,61,6e,74,65,63,5c,53,\
33,32,45,56,4e,54,31,2e,44,4c,4c,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\ServiceGroupOrder]
; UIGroup LocalValidation PlugPlay PNP_TDI NDIS TDI Symantec Services NetBIOSGroup ShellSvcGroup SchedulerGroup SpoolerGroup AudioGroup SmartCardGroup NetworkProvider RemoteValidation NetDDEGroup Parallel arbitrator Extended Base PCI Configuration MS Transactions
; LocalValidation PlugPlay PNP_TDI NDIS TDI Symantec Services NetBIOSGroup ShellSvcGroup SchedulerGroup SpoolerGroup AudioGroup SmartCardGroup NetworkProvider RemoteValidation NetDDEGroup Parallel arbitrator Extended Base PCI Configuration MS Transactions
; PlugPlay PNP_TDI NDIS TDI Symantec Services NetBIOSGroup ShellSvcGroup SchedulerGroup SpoolerGroup AudioGroup SmartCardGroup NetworkProvider RemoteValidation NetDDEGroup Parallel arbitrator Extended Base PCI Configuration MS Transactions
; PNP_TDI NDIS TDI Symantec Services NetBIOSGroup ShellSvcGroup SchedulerGroup SpoolerGroup AudioGroup SmartCardGroup NetworkProvider RemoteValidation NetDDEGroup Parallel arbitrator Extended Base PCI Configuration MS Transactions
; NDIS TDI Symantec Services NetBIOSGroup ShellSvcGroup SchedulerGroup SpoolerGroup AudioGroup SmartCardGroup NetworkProvider RemoteValidation NetDDEGroup Parallel arbitrator Extended Base PCI Configuration MS Transactions
; TDI Symantec Services NetBIOSGroup ShellSvcGroup SchedulerGroup SpoolerGroup AudioGroup SmartCardGroup NetworkProvider RemoteValidation NetDDEGroup Parallel arbitrator Extended Base PCI Configuration MS Transactions
; Symantec Services NetBIOSGroup ShellSvcGroup SchedulerGroup SpoolerGroup AudioGroup SmartCardGroup NetworkProvider RemoteValidation NetDDEGroup Parallel arbitrator Extended Base PCI Configuration MS Transactions
; NetBIOSGroup ShellSvcGroup SchedulerGroup SpoolerGroup AudioGroup SmartCardGroup NetworkProvider RemoteValidation NetDDEGroup Parallel arbitrator Extended Base PCI Configuration MS Transactions
; ShellSvcGroup SchedulerGroup SpoolerGroup AudioGroup SmartCardGroup NetworkProvider RemoteValidation NetDDEGroup Parallel arbitrator Extended Base PCI Configuration MS Transactions
; SchedulerGroup SpoolerGroup AudioGroup SmartCardGroup NetworkProvider RemoteValidation NetDDEGroup Parallel arbitrator Extended Base PCI Configuration MS Transactions
; SpoolerGroup AudioGroup SmartCardGroup NetworkProvider RemoteValidation NetDDEGroup Parallel arbitrator Extended Base PCI Configuration MS Transactions
; AudioGroup SmartCardGroup NetworkProvider RemoteValidation NetDDEGroup Parallel arbitrator Extended Base PCI Configuration MS Transactions
; SmartCardGroup NetworkProvider RemoteValidation NetDDEGroup Parallel arbitrator Extended Base PCI Configuration MS Transactions
; NetworkProvider RemoteValidation NetDDEGroup Parallel arbitrator Extended Base PCI Configuration MS Transactions
; RemoteValidation NetDDEGroup Parallel arbitrator Extended Base PCI Configuration MS Transactions
; NetDDEGroup Parallel arbitrator Extended Base PCI Configuration MS Transactions
; Parallel arbitrator Extended Base PCI Configuration MS Transactions
; Extended Base PCI Configuration MS Transactions
; PCI Configuration MS Transactions
; MS Transactions
;

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\VirtualDeviceDrivers]
; Contents of value:
; C:\PROGRA~1\Symantec\S32EVNT1.DLL
;
"VDD"=hex(7):43,3a,5c,50,52,4f,47,52,41,7e,31,5c,53,79,6d,61,6e,74,65,63,5c,53,\
33,32,45,56,4e,54,31,2e,44,4c,4c,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder]
; Contents of value:
; System Reserved
; Boot Bus Extender
; System Bus Extender
; SCSI miniport
; Port
; Primary Disk
; SCSI Class
; SCSI CDROM Class
; FSFilter Infrastructure
; FSFilter System
; FSFilter Bottom
; FSFilter Copy Protection
; FSFilter Security Enhancer
; FSFilter Open File
; FSFilter Physical Quota Management
; FSFilter Encryption
; FSFilter Compression
; FSFilter HSM
; FSFilter Cluster File System
; FSFilter System Recovery
; FSFilter Quota Management
; FSFilter Content Screener
; FSFilter Continuous Backup
; FSFilter Replication
; FSFilter Anti-Virus
; FSFilter Undelete
; FSFilter Activity Monitor
; FSFilter Top
; Filter
; Boot File System
; Base
; Pointer Port
; Keyboard Port
; Pointer Class
; Keyboard Class
; Video Init
; Video
; Video Save
; File System
; Event Log
; Streams Drivers
; NDIS Wrapper
; COM Infrastructure
; UIGroup
; LocalValidation
; PlugPlay
; PNP_TDI
; NDIS
; TDI
; Symantec Services
; NetBIOSGroup
; ShellSvcGroup
; SchedulerGroup
; SpoolerGroup
; AudioGroup
; SmartCardGroup
; NetworkProvider
; RemoteValidation
; NetDDEGroup
; Parallel arbitrator
; Extended Base
; PCI Configuration
; MS Transactions
;

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers]
; Contents of value:
; C:\PROGRA~1\Symantec\S32EVNT1.DLL
;
"VDD"=hex(7):43,3a,5c,50,52,4f,47,52,41,7e,31,5c,53,79,6d,61,6e,74,65,63,5c,53,\



