
Hijackthis Log - 13:26 - 15/7/06


  • This topic is locked
27 replies to this topic

#1 PrittStick

  • Members
  • 97 posts
  • Location: Wolverhampton, England

Posted 15 July 2006 - 07:37 AM

I have some sort of virus on my computer and after running a virus scan overnight in Safe Mode using AntiVir it found a few problems, all of which I either quarantined or deleted. I tried to get back onto my PC in normal mode and the virus continued to send stuff to my contacts on MSN and stop me from going on the internet. I then went into Safe Mode with Networking to try and get an update on my AntiVir which proved impossible. It won't let me get an update, it says:

"The following error is occured on trying to start the update:

Scheduler not loaded.."

I am now stuck so I have chosen to do a HijackThis log and see if anything can be done that way, thanks.


Logfile of HijackThis v1.99.1
Scan saved at 13:21:16, on 15/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avcenter.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Windows Recylinder Check] cbhxkjcnhf.exe
O4 - HKLM\..\RunServices: [Windows Recylinder Check] cbhxkjcnhf.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Update Service] "C:\Program Files\Common Files\Teknum Systems\update.exe" /startup
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: MemTurbo.lnk = C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3F0EECCE-E138-11D1-8712-0060083D83F5} (LPViewer Class) - http://www.mgisoft.com/ActiveX/LPControl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137776560328
O16 - DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} (EPSON Web Printer-SelfTest Control Class) - http://support.epson-europe.com/selftest/Prg/ESTPTest.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BC01A402-4730-11D2-B36C-0000E8DF722B} - http://www.digitalworkshop.co.uk/ilm450.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld-nt.exe (file missing)
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\Cheetah Burner\Cheetah DVD Burner\NMSAccess.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp WinStyler\WinStylerThemeSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#2 OldTimer

    Malware Expert

  • Members
  • 11,092 posts
  • Location: North Carolina

Posted 25 July 2006 - 05:42 PM

Hello PrittStick and welcome to the BC HijackThis forum. No, you wouldn't be able to get the AntiVir updates from Safe Mode because the services for AntiVir are not started when in Safe Mode. Let's start with this.

Please print these directions and then proceed with the following steps in order.

Step #1

Download CCleaner and install it but do not run it yet.

Step #2

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #3

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O4 - HKLM\..\Run: [Windows Recylinder Check] cbhxkjcnhf.exe
O4 - HKLM\..\RunServices: [Windows Recylinder Check] cbhxkjcnhf.exe
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #4

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):

C:\Program Files\ToolBar888\ <--folder
C:\Program Files\TClock\ <--folder

Now perform a search for these files and delete all instances. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

cbhxkjcnhf.exe

Step #5

Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #6

Reboot normally and run at least 2 of the following on-line virus scans:

Bitdefender <<<Add a check by 'Autoclean'.
eTrust <<<'Cure' whatever is found, then delete if unsuccessful
Housecall <<<Put on 'Autoclean' and delete what it can't clean.
Panda ActiveScan <<<Accept default settings
If there are any files that cannot be automatically disinfected or quarantined then you will need to delete them manually.

Step #7

If you do not already have Ad-Aware SE 1.06 then follow these download and setup instructions: Ad-Aware SE Setup. Otherwise, just check for updates.

Start Ad-aware SE, click the Start button and choose Perform Full System Scan. Click the Next button and wait for the scan to complete. If anything was found, right-click on the list and choose Select All and remove all it finds.

Step #8

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 PrittStick
  • Topic Starter

  • Members
  • 97 posts
  • Location: Wolverhampton, England

Posted 30 July 2006 - 10:13 AM

Hey OldTimer. I've had a couple of problems following your instructions. Step 4 was a slight problem: I only found a document with the same name but it was all in block capitals and had something written at the end of it, it was weird. Step 6 I could not do because something stops my internet access after about two minutes on it and I think it's to do with the virus, resulting in me not being able to complete any of the online scans; this problem continues when I am in Safe Mode with Networking. After creating this topic I have noticed that somehow, the virus has completely uninstalled my firewall (ZoneAlarm Pro) and it won't let me set up Windows Firewall. I have tried downloading the free version of ZoneAlarm Firewall but it blocks me from installing it.

Everything else that you told me to do I have completed. Step 7 found 20 critical problems and 4 other problems. However, after completing all of this, I have noticed nothing different, I am still getting viruses coming through and I am not getting onto the internet (I can however get onto programs that use the internet such as MSN, it just won't let me use an explorer).

This is the updated HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 16:05:25, on 30/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TuneUp WinStyler\WinStylerThemeSvc.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\dfndrfg_7.exe
C:\nwnmfg_7.exe
C:\kybrdfg_7.exe
C:\Program Files\Common Files\{14595C67-0A5F-1033-1022-02020916002c}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
C:\Program Files\Cheetah Burner\Cheetah DVD Burner\NMSAccess.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [defender] C:\\dfndrfg_7.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmfg_7.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [keyboard] C:\\kybrdfg_7.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Update Service] "C:\Program Files\Common Files\Teknum Systems\update.exe" /startup
O4 - HKCU\..\Run: [imuf] C:\stub_113_4_0_4_0newer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: MemTurbo.lnk = C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3F0EECCE-E138-11D1-8712-0060083D83F5} (LPViewer Class) - http://www.mgisoft.com/ActiveX/LPControl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137776560328
O16 - DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} (EPSON Web Printer-SelfTest Control Class) - http://support.epson-europe.com/selftest/Prg/ESTPTest.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BC01A402-4730-11D2-B36C-0000E8DF722B} - http://www.digitalworkshop.co.uk/ilm450.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld-nt.exe (file missing)
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\Cheetah Burner\Cheetah DVD Burner\NMSAccess.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp WinStyler\WinStylerThemeSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

P.S. - To post this reply I have had to type it up, save it in Notepad, restart my computer and quickly post it before the virus makes my internet go off again.

#4 OldTimer

    Malware Expert

  • Members
  • 11,092 posts
  • Location: North Carolina

Posted 31 July 2006 - 03:17 PM

Hi PrittStick. Yes, you still have quite an infection there. Let's try this.

First download ewido anti-spyware from HERE and save that file to your desktop. If you cannot download it then download it to a different computer and burn it to a CD to bring to this computer.
  • Once you have downloaded ewido anti-spyware, locate the icon on the desktop (or use the CD) and double-click it to launch the set up program.
  • Once the setup is complete you will need to run ewido and update the definition files. If you cannot update it then we will just run it without an update for now.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
    IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process:
  • Launch ewido-anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan.
I will review the information when it comes in.

Cheers.

OT

#5 PrittStick
  • Topic Starter

  • Members
  • 97 posts
  • Location: Wolverhampton, England

Posted 06 August 2006 - 09:52 AM

Okay I have been able to complete successfully all of the steps except for steps two and three, the updating process.

When starting my PC up after completing the tasks ewido repeatedly sent me the same message asking me what to do with the location: C:\WINDOWS\System32\sstqn.dll

I chose the option Clean and Quarantine every time and eventually it stopped. I then went into 'Run' and went to the System32 folder. I found a file called Sexual.ocx which seemed a bit dodgy as well...

One other thing, when I loaded the PC ewido told me that it had just completed an automatic update.

Here is the log:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 00:02:18 05/08/2006

+ Scan result:



C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Cleaned with backup (quarantined).
C:\ucmoreiex.exe/IUCMORE.DLL -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\ucmoreiex.exe/UCMTSAIE.DLL -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\ucmoreiex.exe/empty_00000001 -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ssqqopq.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ssqropn.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\sstqn.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\kybrded_7.exe -> Downloader.Adload.cu : Cleaned with backup (quarantined).
C:\nwnmed_7.exe -> Downloader.Adload.cy : Cleaned with backup (quarantined).
C:\drsmartload1.exe -> Downloader.Adload.de : Cleaned with backup (quarantined).
C:\kybrdac_6.exe -> Downloader.VB.ada : Cleaned with backup (quarantined).
C:\nwnmac_6.exe -> Downloader.VB.ada : Cleaned with backup (quarantined).
C:\kybrdaca_6.exe -> Downloader.VB.agi : Cleaned with backup (quarantined).
C:\kybrddd_6.exe -> Downloader.VB.aid : Cleaned with backup (quarantined).
C:\drsmartload422a.exe -> Hijacker.VB.fg : Cleaned with backup (quarantined).
C:\drsmartload45a4.exe -> Hijacker.VB.fg : Cleaned with backup (quarantined).
C:\drsmartload45a7c.exe -> Hijacker.VB.fg : Cleaned with backup (quarantined).
C:\drsmartload45a7d.exe -> Hijacker.VB.fg : Cleaned with backup (quarantined).
C:\drsmartload46a4.exe -> Hijacker.VB.fg : Cleaned with backup (quarantined).
C:\drsmartload46a7c.exe -> Hijacker.VB.fg : Cleaned with backup (quarantined).
C:\drsmartload46a7d.exe -> Hijacker.VB.fg : Cleaned with backup (quarantined).
C:\drsmartload46a7i.exe -> Hijacker.VB.fg : Cleaned with backup (quarantined).
C:\drsmartload849a.exe -> Hijacker.VB.fg : Cleaned with backup (quarantined).
C:\drsmartload849a4.exe -> Hijacker.VB.fg : Cleaned with backup (quarantined).
C:\drsmartload849a7c.exe -> Hijacker.VB.fg : Cleaned with backup (quarantined).
C:\drsmartload849a7d.exe -> Hijacker.VB.fg : Cleaned with backup (quarantined).
C:\drsmartload849a7i.exe -> Hijacker.VB.fg : Cleaned with backup (quarantined).
C:\dfndrac_6.exe -> Hijacker.VB.nh : Cleaned with backup (quarantined).
C:\dfndrdd_6.exe -> Hijacker.VB.nh : Cleaned with backup (quarantined).
C:\dfndred_7.exe -> Hijacker.VB.nh : Cleaned with backup (quarantined).
C:\WINDOWS\system32\XMLEXT\tmserv.dll -> Not-A-Virus.Monitor.Win32.HandyKeylogger.a : Cleaned with backup (quarantined).
C:\WINDOWS\system32\XMLEXT\splash.exe -> Not-A-Virus.Monitor.Win32.QuickKeyLogger.e : Cleaned with backup (quarantined).
:mozilla.100:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-10.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.101:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-10.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.102:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-10.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.103:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-10.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.104:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-10.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.105:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-10.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.31:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-19.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.45:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-9.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.46:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-9.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.47:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-9.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.48:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-9.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.49:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-9.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.50:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-9.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.63:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-15.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.66:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-9.txt -> TrackingCookie.Realcastmedia : Cleaned with backup (quarantined).
:mozilla.67:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-9.txt -> TrackingCookie.Realcastmedia : Cleaned with backup (quarantined).
:mozilla.152:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-15.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
:mozilla.153:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-15.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
:mozilla.154:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-15.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
:mozilla.155:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-15.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
:mozilla.156:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-15.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
:mozilla.166:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-16.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
:mozilla.167:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-16.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
:mozilla.167:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-17.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
:mozilla.168:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-16.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
:mozilla.168:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-17.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
:mozilla.169:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-16.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
:mozilla.169:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-17.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
:mozilla.170:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-16.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
:mozilla.170:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-17.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
:mozilla.171:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-17.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
:mozilla.193:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-18.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
:mozilla.194:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-18.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
:mozilla.195:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-18.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
:mozilla.196:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-18.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
:mozilla.197:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-18.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
:mozilla.108:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-15.txt -> TrackingCookie.Web-stat : Cleaned with backup (quarantined).
:mozilla.109:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-15.txt -> TrackingCookie.Web-stat : Cleaned with backup (quarantined).
:mozilla.110:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-15.txt -> TrackingCookie.Web-stat : Cleaned with backup (quarantined).
:mozilla.126:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-16.txt -> TrackingCookie.Web-stat : Cleaned with backup (quarantined).
:mozilla.127:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-16.txt -> TrackingCookie.Web-stat : Cleaned with backup (quarantined).
:mozilla.127:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-17.txt -> TrackingCookie.Web-stat : Cleaned with backup (quarantined).
:mozilla.128:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-16.txt -> TrackingCookie.Web-stat : Cleaned with backup (quarantined).
:mozilla.128:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-17.txt -> TrackingCookie.Web-stat : Cleaned with backup (quarantined).
:mozilla.129:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-17.txt -> TrackingCookie.Web-stat : Cleaned with backup (quarantined).
:mozilla.153:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-18.txt -> TrackingCookie.Web-stat : Cleaned with backup (quarantined).
:mozilla.154:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-18.txt -> TrackingCookie.Web-stat : Cleaned with backup (quarantined).
:mozilla.155:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-18.txt -> TrackingCookie.Web-stat : Cleaned with backup (quarantined).
:mozilla.110:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-6.txt -> TrackingCookie.Yadro : Cleaned with backup (quarantined).
:mozilla.112:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-9.txt -> TrackingCookie.Yadro : Cleaned with backup (quarantined).
:mozilla.146:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-10.txt -> TrackingCookie.Yadro : Cleaned with backup (quarantined).
:mozilla.177:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-7.txt -> TrackingCookie.Yadro : Cleaned with backup (quarantined).
:mozilla.22:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-2.txt -> TrackingCookie.Yadro : Cleaned with backup (quarantined).
:mozilla.24:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-3.txt -> TrackingCookie.Yadro : Cleaned with backup (quarantined).
:mozilla.45:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-8.txt -> TrackingCookie.Yadro : Cleaned with backup (quarantined).
:mozilla.82:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-4.txt -> TrackingCookie.Yadro : Cleaned with backup (quarantined).
:mozilla.82:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-5.txt -> TrackingCookie.Yadro : Cleaned with backup (quarantined).
:mozilla.106:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-10.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.107:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-10.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.109:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-10.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.172:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-15.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.173:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-15.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.174:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-15.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.29:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-13.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.30:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-13.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.31:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-13.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.37:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\uq97pcr3.Default User\cookies-2.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.38:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\uq97pcr3.Default User\cookies-2.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.39:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\uq97pcr3.Default User\cookies-2.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.40:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\uq97pcr3.Default User\cookies-2.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.41:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\uq97pcr3.Default User\cookies-2.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.43:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-1.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.44:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-1.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.45:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-1.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.51:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-9.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.52:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-9.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.54:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-9.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.55:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-14.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.56:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-14.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.57:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-14.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.60:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-16.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.62:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-16.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.62:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-17.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.63:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-16.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.64:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-17.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.65:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-17.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.77:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-7.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.78:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-7.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.80:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-7.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.89:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-18.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.91:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-18.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.92:C:\Documents and Settings\FAMILEY\Application Data\Mozilla\Firefox\Profiles\default.94p\cookies-18.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{14595C67-0A5F-1033-1022-02020916002c}\__delete_on_reboot__U_p_d_a_t_e_._e_x_e_ -> Trojan.Starter.65 : Cleaned with backup (quarantined).


::Report end

Edited by PrittStick, 06 August 2006 - 09:52 AM.


#6 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 08 August 2006 - 08:01 PM

Hi PrittStick. Ok, let's see what HijackThis shows us now.

Boot normally, start HijackThis and click the Do a system scan and save a log button to perform a scan and create a log file. When the scan is complete, Notepad will open up with the log file in it. While in Notepad, press Ctrl-A to select all text and then Ctrl-C to copy the text to the clipboard.

POST the log in this thread using the Add Reply button. Click in the data-entry window and press Ctrl-V to paste the log into the window. Add any other comments which you believe might be helpful in our analysis, and click the Add Reply button.

I will review your log when it comes in.


DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL I CHECK THE LOG, AS SOME OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#7 PrittStick

PrittStick
  • Topic Starter

  • Members
  • 97 posts
  • Location:Wolverhampton, England

Posted 10 August 2006 - 10:16 AM

Only a couple of new symptoms: the first one is that ewido goes off after starting up when I load the PC and a box comes up saying some reason for it. The other problem is that the internet doesn't work AT ALL anymore, not even for the first 5 minutes like it used to; it still works for 5 minutes in safe mode though. By the way, MSN still works at all times and the same goes for any program which needs internet access but doesn't involve 'surfing the web'.

Thanks and here's the log...




Logfile of HijackThis v1.99.1
Scan saved at 16:13:39, on 10/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: MemTurbo.lnk = C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3F0EECCE-E138-11D1-8712-0060083D83F5} (LPViewer Class) - http://www.mgisoft.com/ActiveX/LPControl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137776560328
O16 - DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} (EPSON Web Printer-SelfTest Control Class) - http://support.epson-europe.com/selftest/Prg/ESTPTest.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BC01A402-4730-11D2-B36C-0000E8DF722B} - http://www.digitalworkshop.co.uk/ilm450.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld-nt.exe (file missing)
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\Cheetah Burner\Cheetah DVD Burner\NMSAccess.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp WinStyler\WinStylerThemeSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
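An added example, not from this thread, from HijackThis or from any tool named here: a small Python triage pass over the HijackThis log format posted above, fed a constructed subset of the same lines. It flags the three things a log reviewer looks for first: several IE start/search values pointing at one third-party domain (the findthewebsiteyouneed.com pattern in the log), entries marked "(file missing)", and O23 services with no publisher name. The default-domain allowlist and the two-or-more-values threshold are assumptions, not HijackThis rules.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis v1.99.1 log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld-nt.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Every HijackThis entry starts with a section tag (R0, R1, O4, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")

# Assumed allowlist: domains Internet Explorer points at out of the box. Anything else
# referenced by several IE registry values at once is treated as a hijack candidate.
DEFAULT_IE_DOMAINS = {"microsoft.com", "msn.com", "live.com"}


def parse_entries(log_text):
    """Return (section, body) pairs for every HijackThis entry line in the log."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group("section"), match.group("body")))
    return entries


def base_domain(host):
    """Collapse a hostname to its last two labels (no public-suffix list; fine for .com)."""
    return ".".join(host.lower().split(".")[-2:])


def triage(log_text):
    """Apply three first-pass checks a reviewer otherwise does by eye:
    1. R0/R1 lines: which non-default domain do the IE start/search values point at?
    2. Any entry ending in "(file missing)" is an orphaned registry reference.
    3. O23 services whose binary carries no publisher name ("Unknown owner")."""
    findings = {"hijacked_domains": {}, "file_missing": [], "unknown_owner_services": []}
    ie_values_by_domain = defaultdict(list)

    for section, body in parse_entries(log_text):
        if section in ("R0", "R1"):
            reg_value, _, url = body.partition(" = ")
            host = urlparse(url.strip()).hostname
            if host and base_domain(host) not in DEFAULT_IE_DOMAINS:
                ie_values_by_domain[base_domain(host)].append(reg_value)
        if body.endswith("(file missing)"):
            findings["file_missing"].append((section, body))
        if section == "O23" and " - Unknown owner - " in body:
            service_name = body.split(" - ")[0].replace("Service: ", "", 1)
            findings["unknown_owner_services"].append(service_name)

    for domain, reg_values in ie_values_by_domain.items():
        # A single value may be the user's chosen home page; several values (or both
        # hives) pointing at the same third-party domain is the hijack pattern above.
        hives = sorted({value.split("\\")[0] for value in reg_values})
        if len(reg_values) >= 2 or len(hives) == 2:
            findings["hijacked_domains"][domain] = {"values": len(reg_values), "hives": hives}
    return findings


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for domain, info in result["hijacked_domains"].items():
        print(f"IE hijack: {info['values']} values in {'/'.join(info['hives'])} point at {domain}")
    for section, body in result["file_missing"]:
        print(f"orphaned entry ({section}): {body}")
    for name in result["unknown_owner_services"]:
        print(f"service without publisher: {name}")
```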

#8 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 10 August 2006 - 07:11 PM

Hi PrittStick. Let's try a different scanner and see what it shows us.

Download WinPFind2.zip and unzip it to your Desktop. It will create a folder named WinPFind2. Do NOT run the program directly from the zip file.

From a normal boot do the following:
  • Open the folder and double-click on winpfind2.exe to start the program.
  • Click the Show All checkboxes after these items:
    • Winsock2 Catalogs
    • Protocol Handlers
    • Protocol Filters
  • In the AddOn-Options box click the checkboxes for:
    • HKCU_IEDesktop.def
    • Policies.def
    to select them.
  • Now click the Run All Scans button on the toolbar.
  • When the scans are complete click the Simple Report button in the lower right-hand corner to create a report file. Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button to post the information back here and I will review it when it comes in.

Cheers.

OT

#9 PrittStick

PrittStick
  • Topic Starter

  • Members
  • 97 posts
  • Location:Wolverhampton, England

Posted 12 August 2006 - 02:46 PM

Logfile created on: 08/12/2006 20:40
WinPFind2 by OldTimer - Version 1.0.3 Folder = C:\Documents and Settings\FAMILEY\Desktop\WinPFind2\
Microsoft Windows XP (Version = Service Pack 2)
Internet Explorer (Version - 6.0.2900.2180)


<Processes>
ati2evxx.exe - c:\windows\system32\ati2evxx.exe - (ATI Technologies Inc. )
ati2evxx.exe - c:\windows\system32\ati2evxx.exe - (ATI Technologies Inc. )
avguard.exe - c:\program files\antivir personaledition classic\avguard.exe - (AVIRA GmbH )
crypserv.exe - c:\windows\system32\crypserv.exe - (Kenonic Controls Ltd. )
ctfmon.exe - c:\windows\system32\ctfmon.exe - (Microsoft Corporation )
explorer.exe - c:\windows\explorer.exe - (Microsoft Corporation )
fbguard.exe - c:\program files\firebird\firebird_1_5\bin\fbguard.exe - (The Firebird Project )
fbserver.exe - c:\program files\firebird\firebird_1_5\bin\fbserver.exe - (The Firebird Project )
firefox.exe - c:\program files\mozilla firefox\firefox.exe - (Mozilla Corporation )
guard.exe - c:\program files\ewido anti-spyware 4.0\guard.exe - (Anti-Malware Development a.s. )
jusched.exe - c:\program files\java\jre1.5.0_06\bin\jusched.exe - (Sun Microsystems, Inc. )
lsass.exe - c:\windows\system32\lsass.exe - (Microsoft Corporation )
memturbo.exe - c:\program files\silicon prairie software\memturbo\memturbo.exe - (SharewareOnline.com, Inc. )
msascui.exe - c:\program files\windows defender\msascui.exe - (Microsoft Corporation )
msgplus.exe - c:\program files\messengerplus! 3\msgplus.exe - (Patchou )
msmpeng.exe - c:\program files\windows defender\msmpeng.exe - (Microsoft Corporation )
nmsaccess.exe - c:\program files\cheetah burner\cheetah dvd burner\nmsaccess.exe - ( )
pdsched.exe - c:\program files\raxco\perfectdisk\pdsched.exe - (Raxco Software, Inc. )
sagent2.exe - c:\program files\common files\epson\ebapi\sagent2.exe - (SEIKO EPSON CORPORATION )
sched.exe - c:\program files\antivir personaledition classic\sched.exe - (Avira GmbH )
services.exe - c:\windows\system32\services.exe - (Microsoft Corporation )
skype.exe - c:\program files\skype\phone\skype.exe - ( )
slserv.exe - c:\windows\system32\slserv.exe - (Smart Link )
smss.exe - \systemroot\system32\smss.exe - (Microsoft Corporation )
spoolsv.exe - c:\windows\system32\spoolsv.exe - (Microsoft Corporation )
svchost.exe - c:\windows\system32\svchost.exe - (Microsoft Corporation )
svchost.exe - c:\windows\system32\svchost.exe - (Microsoft Corporation )
svchost.exe - c:\windows\system32\svchost.exe - (Microsoft Corporation )
ulcdrsvr.exe - c:\program files\common files\ulead systems\dvd\ulcdrsvr.exe - (Ulead Systems, Inc. )
vcssecs.exe - c:\program files\virtual cd v4 sdk\system\vcssecs.exe - (H+H Software GmbH )
winlogon.exe - \??\c:\windows\system32\winlogon.exe - (Microsoft Corporation )
winpfind2.exe - c:\documents and settings\familey\desktop\winpfind2\winpfind2.exe - (OldTimer Tools )
winstylerthemesvc.exe - c:\program files\tuneup winstyler\winstylerthemesvc.exe - (TuneUp Software GmbH )
wscntfy.exe - c:\windows\system32\wscntfy.exe - (Microsoft Corporation )
wuauclt.exe - c:\windows\system32\wuauclt.exe - (Microsoft Corporation )

<Registry Entries>

Version Info
WinPFind2 by OldTimer - Version 1.0.3 -
Microsoft Windows XP Version = Service Pack 2 -
Internet Explorer Version = 6.0.2900.2180 -

Internet Explorer Settings
HKLM->Main\\Start Page - about:blank
HKLM->Main\\Search Page - http://searchbar.findthewebsiteyouneed.com
HKLM->Main\\Default Page -
HKLM->Main\\Default Search -
HKLM->Main\\Local Page - C:\WINDOWS\system32\blank.htm
HKCU->Main\\Start Page - http://www.findthewebsiteyouneed.com
HKCU->Main\\Search Page - http://searchbar.findthewebsiteyouneed.com
HKCU->Main\\Local Page - C:\WINDOWS\system32\blank.htm
HKCU->Internet Settings\\ProxyEnable - 0
HKCU->Internet Settings\\ProxyOverride -

BHO's
HKLM->Browser Helper Objects\{617D95B6-D1B0-425A-AD40-D6D966AC9D6C} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
HKLM->Browser Helper Objects\{72C1BB09-D2AF-401C-BA68-99863B5BF324} - = C:\WINDOWS\system32\sstqn.dll ( )
HKLM->Browser Helper Objects\{7BFCC1EB-D72A-446F-9127-B1D9C37A292E} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))

Internet Explorer Bars, Toolbars and Extensions
HKCU->Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
HKCU->Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1} - File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
HKCU->Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E} - Favorites Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation )
HKCU->Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E} - Explorer Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation )
HKLM->Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
HKLM->Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation )
HKLM->Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - Real.com = C:\WINDOWS\System32\Shdocvw.dll (Microsoft Corporation )
HKCU->Toolbar\ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
HKCU->Toolbar\WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
HKCU->Toolbar\WebBrowser\\{0CA29372-ED37-DBDA-B112-F235F398C0F1} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
HKCU->Toolbar\WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
HKCU->Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
HKCU->Toolbar\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
HKCU->Toolbar\WebBrowser\\{CBCC61FA-0221-4CCC-B409-CEE865CACA3A} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
HKCU->Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
HKCU->Extensions\CmdMapping\\{072F3B8A-2DA2-40e2-B841-88899F240200} - 8192 - Reg Data missing or invalid
HKCU->Extensions\CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - 8193 - Sun Java Console
HKCU->Extensions\CmdMapping\\{1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - 8194 -
HKCU->Extensions\CmdMapping\\{2499216C-4BA5-11D5-BD9C-000103C116D5} - 8195 - Reg Data missing or invalid
HKCU->Extensions\CmdMapping\\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - 8196 - Reg Data missing or invalid
HKCU->Extensions\CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} - 8200 -
HKCU->Extensions\CmdMapping\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - 8197 - Reg Data missing or invalid
HKCU->Extensions\CmdMapping\\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - 8198 - Reg Data missing or invalid
HKCU->Extensions\CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} - 8199 - Windows Messenger
HKCU->Extensions\CmdMapping\\NextId - 8201
HKLM->Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll (Sun Microsystems, Inc. )
HKLM->Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} (HKCU CLSID) - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc. )
HKLM->Extensions\{1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - ButtonText: Packard Bell = C:\Apps\IECustom\script.htm (File not found))
HKLM->Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263} - ButtonText: Research = (File not found))
HKLM->Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683} - ButtonText: Messenger = C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation )
HKCU->MenuExt\E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 (Microsoft Corporation )

Approved Shell Extensions (Non-Microsoft only)
HKLM->Shell Extensions\Approved\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Taskbar and Start Menu = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{10970560-332E-4042-96C9-02AB2FDDD088} - HandyBits Zip&Go Menu = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{32683183-48a0-441b-a342-7c2a440a9478} - Media Band = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{357BE06B-49FE-43F6-9165-DBBF878B5E6A} - = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{45AC2688-0253-4ED8-97DE-B5370FA7D48A} - Shell Extension for Malware scanning = C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll (H+BEDV Datentechnik GmbH )
HKLM->Shell Extensions\Approved\{661825E5-B9A4-4D3E-8B74-3B6B63C32A80} - Shell Extensions for Font Creator = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{6EE51AA0-77A0-11D7-B4E1-000347126E46} - Window Washer Shell Shredding Utility = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{7A9D77BD-5403-11d2-8785-2E0420524153} - User Accounts = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINDOWS\System32\hticons.dll (Hilgraeve, Inc. )
HKLM->Shell Extensions\Approved\{89614271-D5D4-453F-BE13-E7A6E05BB7D6} - = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{A0752120-6D75-D111-B5B1-0800095A2318} - HandyBits EasyCrypto Shell Extensions = C:\WINDOWS\System32\tsseCryp.dll ( )
HKLM->Shell Extensions\Approved\{A0752130-6D75-D111-B5B1-0800095A2318} - HandyBits File Shredder Virtual Folder = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{B41DB860-8EE4-11D2-9906-E49FADC173CA} - WinRAR shell extension = C:\Program Files\WinRAR\rarext.dll ( )
HKLM->Shell Extensions\Approved\{B5FB6487-7E79-4816-B73B-8A65E41971DA} - BullGuard Antivirus v4 = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{B8323370-FF27-11D2-97B6-204C4F4F5020} - SmartFTP Shell Extension DLL = C:\Program Files\SmartFTP\smarthook.dll (SmartFTP )
HKLM->Shell Extensions\Approved\{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} - iTunes = C:\Program Files\iTunes\iTunesMiniPlayer.dll (Apple Computer, Inc. )
HKLM->Shell Extensions\Approved\{D8A8853A-DB04-45D4-8732-A5CC49CE6107} - deskMenu2 Shell Extension = C:\WINDOWS\system32\deskMenu2.dll ( )
HKLM->Shell Extensions\Approved\{E0D79304-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
HKLM->Shell Extensions\Approved\{E0D79305-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
HKLM->Shell Extensions\Approved\{E0D79306-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
HKLM->Shell Extensions\Approved\{E0D79307-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
HKLM->Shell Extensions\Approved\{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} - Shell Extensions for RealOne Player = C:\Program Files\Real\RealPlayer\rpshell.dll (RealNetworks, Inc. )
HKCU->Shell Extensions\Approved\{BDEADF00-C265-11d0-BCED-00A0C90AB50F} - Web Folders = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL (Microsoft Corporation )

ContextMenuHandlers (Non-Microsoft only)
HKLM->* - deskMenu2 - {D8A8853A-DB04-45D4-8732-A5CC49CE6107} = C:\WINDOWS\system32\deskMenu2.dll ( )
HKLM->* - EasyCryptoMenu - {A0752120-6D75-D111-B5B1-0800095A2318} = C:\WINDOWS\System32\tsseCryp.dll ( )
HKLM->* - EncodeDivXExt - {E9F5B111-CACC-4FD4-81FD-4EB4FD6765A3} = C:\Program Files\DivX\Dr.DivX\EncodeDivXExt.dll ( )
HKLM->* - ewido anti-spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll (Anti-Malware Development a.s. )
HKLM->* - SharedMenuHandler - {916F1ADF-2F02-46C2-B7D2-310468390750} = C:\WINDOWS\SYSTEM32\ssmenu.dll (Teknum Systems AS )
HKLM->* - Shell Extension for Malware scanning - {45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll (H+BEDV Datentechnik GmbH )
HKLM->* - WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ( )
HKLM->* - WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
HKLM->Directory - EasyCryptoMenu - {A0752120-6D75-D111-B5B1-0800095A2318} = C:\WINDOWS\System32\tsseCryp.dll ( )
HKLM->Directory - ewido anti-spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll (Anti-Malware Development a.s. )
HKLM->Directory - SharedMenuHandler - {916F1ADF-2F02-46C2-B7D2-310468390750} = C:\WINDOWS\SYSTEM32\ssmenu.dll (Teknum Systems AS )
HKLM->Directory - WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ( )
HKLM->Directory - WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
HKLM->Folder - BullGuard Antivirus v4 - {B5FB6487-7E79-4816-B73B-8A65E41971DA} = Reg Data missing or invalid (File not found))
HKLM->Folder - Shell Extension for Malware scanning - {45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll (H+BEDV Datentechnik GmbH )
HKLM->Folder - WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ( )
HKLM->Folder - WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )

ColumnHandlers (Non-Microsoft only)
HKLM->Folder - {F9DB5320-233E-11D1-9F84-707F02C10627} - PDF Shell Extension = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll (Adobe Systems, Inc. )

Registry Run Keys
HKLM->Run\\MessengerPlus3 - "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" (Patchou )
HKLM->Run\\SunJavaUpdateSched - C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe (Sun Microsystems, Inc. )
HKLM->Run\\UserFaultCheck - %systemroot%\system32\dumprep 0 -u (File not found))
HKLM->Run\\Windows Defender - "C:\Program Files\Windows Defender\MSASCui.exe" -hide (Microsoft Corporation )
HKLM->Run\OptionalComponents\IMAIL - Installed = 1
HKLM->Run\OptionalComponents\MAPI - Installed = 1
HKLM->Run\OptionalComponents\MSFS - Installed = 1
HKCU->Run\\ctfmon.exe - C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation )
HKCU->Run\\Skype - "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized ( )
HKCU->Run\\Update Service - "C:\Program Files\Common Files\Teknum Systems\update.exe" /startup (File not found))

Startup Lnks
HKCU->Startup - desktop.ini - C:\Documents and Settings\FAMILEY\Start Menu\Programs\Startup\desktop.ini ( )
HKCU->Startup - MemTurbo.lnk - C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe (SharewareOnline.com, Inc. )

Disabled MSConfig Items
HKLM->StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk - Adobe Gamma Loader = C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE (Adobe Systems, Inc. )
HKLM->StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^blueyonder Instant Support Tool.lnk - blueyonder Instant Support Tool = C:\PROGRA~1\BLUEYO~1\bin\matcli.exe -boot (Motive Communications, Inc. )
HKLM->StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MemTurbo.lnk - MemTurbo = C:\PROGRA~1\SILICO~1\MemTurbo\memturbo.exe /starthidden (SharewareOnline.com, Inc. )
HKLM->StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk - Microsoft Office = C:\PROGRA~1\MICROS~4\Office10\OSA.EXE -b -l (File not found))
HKLM->StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ulead Photo Express 3.0 SE Calendar Checker.lnk - Ulead Photo Express 3.0 SE Calendar Checker = C:\PROGRA~1\ULEADS~1\ULEADP~1.0SE\CalCheck.exe (Ulead Systems, Inc. )
HKLM->StartUpFolder\C:^Documents and Settings^FAMILEY^Start Menu^Programs^Startup^DNSKong.lnk - DNSKong = C:\PROGRA~1\Pyrenean\DNSKong\DNSKong.exe (Pyrenean )
HKLM->StartUpFolder\C:^Documents and Settings^FAMILEY^Start Menu^Programs^Startup^ShortKeys Lite.lnk - ShortKeys Lite = C:\PROGRA~1\shortkey\SHORTKEY.EXE ( )
HKLM->StartUpReg\3Degrees - threedegrees = C:\Program Files\threedegrees\threedegrees.exe (File not found))
HKLM->StartUpReg\Adobe Photo Downloader - apdproxy = "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" (Adobe Systems Incorporated )
HKLM->StartUpReg\Advanced Tools Check - ADVCHK = C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE (File not found))
HKLM->StartUpReg\AIM - aim = C:\PROGRA~1\AIM\aim.exe -cnetwait.odl (File not found))
HKLM->StartUpReg\ATIPTA - atiptaxx = C:\ATI Technologies\ATI Control Panel\atiptaxx.exe (File not found))
HKLM->StartUpReg\avnort - msmbw = C:\WINDOWS\msmbw.exe (File not found))
HKLM->StartUpReg\BigDogPath - VM_STI = C:\WINDOWS\VM_STI.EXE Pro Cam (VM. )
HKLM->StartUpReg\Configuration Loading - svchos1 = svchos1.exe (File not found))
HKLM->StartUpReg\EPSON Stylus Photo RX600 - E_S4I0M2 = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0M2.EXE /P24 "EPSON Stylus Photo RX600" /O6 "USB002" /M "Stylus Photo RX600" (SEIKO EPSON CORPORATION )
HKLM->StartUpReg\htmthunk - site byte cast = C:\PROGRA~1\ObjEq\site byte cast.exe (File not found))
HKLM->StartUpReg\iTunesHelper - iTunesHelper = C:\Program Files\iTunes\iTunesHelper.exe (Apple Computer, Inc. )
HKLM->StartUpReg\kdx - KHost = C:\WINDOWS\kdx\KHost.exe (File not found))
HKLM->StartUpReg\lpr - lpr123 = C:\windows\mmkt\lpr123.exe (File not found))
HKLM->StartUpReg\ltwob - formatsys = C:\WINDOWS\System32\formatsys.exe (File not found))
HKLM->StartUpReg\Microsoft Works Update Detection - WkUFind = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe (Microsoft® Corporation )
HKLM->StartUpReg\Mixer - wincrt32 = wincrt32.exe (File not found))
HKLM->StartUpReg\MOD - muamgr = C:\Program Files\Microangelo\muamgr.exe (File not found))
HKLM->StartUpReg\NeroCheck - NeroCheck = C:\WINDOWS\System32\\NeroCheck.exe (Ahead Software Gmbh )
HKLM->StartUpReg\NeroFilterCheck - NeroCheck = C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh )
HKLM->StartUpReg\New.net Startup - NEWDOT~2 = rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup (File not found))
HKLM->StartUpReg\Open Site - opnste = C:\Program Files\Open Site\opnste.exe (File not found))
HKLM->StartUpReg\QuickTime Task - qttask = "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Computer, Inc. )
HKLM->StartUpReg\RealTray - RealPlay = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER (RealNetworks, Inc. )
HKLM->StartUpReg\saap - saap = "C:\Program Files\Rosoft\Audio Tools\saap.exe" /did=154 (File not found))
HKLM->StartUpReg\ScrabbleSetup.exe - worms = C:\DOCUME~1\FAMILEY\Desktop\JAMES'~1\worms.exe /r (File not found))
HKLM->StartUpReg\serpe - formatsys = C:\WINDOWS\System32\formatsys.exe (File not found))
HKLM->StartUpReg\Skype - Skype = "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized ( )
HKLM->StartUpReg\SUService - SUService = C:\WINDOWS\system32\SUService.exe (File not found))
HKLM->StartUpReg\Synchronization Agent - syncagent = "C:\Program Files\Sync Manager Demo\agent\syncagent.exe" (File not found))
HKLM->StartUpReg\TimeSink Ad Client - TsAdBot = "C:\Program Files\TimeSink\AdGateway\TsAdBot.exe" (File not found))
HKLM->StartUpReg\TkBellExe - realsched = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (RealNetworks, Inc. )
HKLM->StartUpReg\Update Service - update = "C:\Program Files\Common Files\Teknum Systems\update.exe" /startup (File not found))
HKLM->StartUpReg\VCSPlayer - vcsplay = "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe" (H+H Software GmbH )
HKLM->StartUpReg\WebSavingsfromEbates - WebSavingsfromEbates" = wjview /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates" (File not found))
HKLM->StartUpReg\win_spool2 - win_spool2 = C:\WINDOWS\System32\win_spool2.exe (File not found))
HKLM->StartUpReg\WinampAgent - winampa = C:\Program Files\Winamp\winampa.exe ( )
HKLM->StartUpReg\Windows update - explore = explore.exe (File not found))
HKLM->StartUpReg\Yahoo! Pager - ypager = C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet ( )
HKLM->StartUpReg\Zone Labs Client - zlclient = C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe (File not found))

User Agent Post Platform
HKLM->Post Platform\\{46456B93-16B8-38F1-0656-60273043BD68} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))

AppInit DLLs
HKLM->Windows\\AppInit_DLLs - (File not found))

Image File Execution Options
HKLM->Image File Execution Options\Your Image File Name Here without a path - Debugger = ntsd -d

Shell Service Object Delay Load
HKLM->ShellServiceObjectDelayLoad\\CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
HKLM->ShellServiceObjectDelayLoad\\PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
HKLM->ShellServiceObjectDelayLoad\\SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll (Microsoft Corporation )
HKLM->ShellServiceObjectDelayLoad\\WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll (Microsoft Corporation )

Shell Execute Hooks
HKLM->ShellExecuteHooks\\{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - Microsoft AntiMalware ShellExecuteHook = C:\PROGRA~1\WIFD1F~1\MpShHook.dll (Microsoft Corporation )
HKLM->ShellExecuteHooks\\{57B86673-276A-48B2-BAE7-C6DBB3020EB8} - CShellExecuteHookImpl Object = C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll (Anti-Malware Development a.s. )
HKLM->ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation )

Shared Task Scheduler
HKLM->SharedTaskScheduler\\{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
HKLM->SharedTaskScheduler\\{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )

Winlogon
HKLM->Winlogon\\UserInit - C:\WINDOWS\system32\userinit.exe, (Microsoft Corporation )
HKLM->Winlogon\\Shell - Explorer.exe (Microsoft Corporation )
HKLM->Winlogon\\System - (File not found))
HKLM->Winlogon\Notify\AtiExtEvent - Ati2evxx.dll (ATI Technologies Inc. )
HKLM->Winlogon\Notify\crypt32chain - crypt32.dll (Microsoft Corporation )
HKLM->Winlogon\Notify\cryptnet - cryptnet.dll (Microsoft Corporation )
HKLM->Winlogon\Notify\cscdll - cscdll.dll (Microsoft Corporation )
HKLM->Winlogon\Notify\ScCertProp - wlnotify.dll (Microsoft Corporation )
HKLM->Winlogon\Notify\Schedule - wlnotify.dll (Microsoft Corporation )
HKLM->Winlogon\Notify\sclgntfy - sclgntfy.dll (Microsoft Corporation )
HKLM->Winlogon\Notify\SensLogn - WlNotify.dll (Microsoft Corporation )
HKLM->Winlogon\Notify\sstqn - C:\WINDOWS\system32\sstqn.dll ( )
HKLM->Winlogon\Notify\termsrv - wlnotify.dll (Microsoft Corporation )
HKLM->Winlogon\Notify\wlballoon - wlnotify.dll (Microsoft Corporation )

DNS Name Servers
HKLM->Interfaces\{7886A85E-35DA-4DC2-AFFB-B384A8B4079E} - (1394 Net Adapter)
HKLM->Interfaces\{BAF61F22-0FB1-401E-9A68-8FDB074C5189} - ()
HKLM->Interfaces\{D9DAE42C-B7C0-472B-8C95-3FC5DC370D1F} - (Realtek RTL8139/810x Family Fast Ethernet NIC)

All Winsock2 Catalogs
HKLM->WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation )
HKLM->WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation )
HKLM->WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation )
HKLM->WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004 - %SystemRoot%\System32\nwprovau.dll (Microsoft Corporation )
HKLM->WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
HKLM->WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
HKLM->WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
HKLM->WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation )
HKLM->WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation )
HKLM->WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
HKLM->WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
HKLM->WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
HKLM->WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
HKLM->WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
HKLM->WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
HKLM->WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
HKLM->WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
HKLM->WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
HKLM->WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
HKLM->WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
HKLM->WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
HKLM->WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )

All Protocol Handlers
HKLM->PROTOCOLS\Handler\about - %SystemRoot%\System32\mshtml.dll (Microsoft Corporation )
HKLM->PROTOCOLS\Handler\about (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\cdl - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation )
HKLM->PROTOCOLS\Handler\cdl (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\cdo - (File not found))
HKLM->PROTOCOLS\Handler\cdo (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\dvd - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation )
HKLM->PROTOCOLS\Handler\dvd (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\file - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation )
HKLM->PROTOCOLS\Handler\file (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\ftp - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation )
HKLM->PROTOCOLS\Handler\ftp (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\gopher - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation )
HKLM->PROTOCOLS\Handler\gopher (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\http - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation )
HKLM->PROTOCOLS\Handler\http\0x00000001 - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation )
HKLM->PROTOCOLS\Handler\http\0x00000001 (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\http\oledb - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation )
HKLM->PROTOCOLS\Handler\http\oledb (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\http (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\http\0x00000001 - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation )
HKLM->PROTOCOLS\Handler\http\0x00000001 (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\http\oledb - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation )
HKLM->PROTOCOLS\Handler\http\oledb (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\https - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation )
HKLM->PROTOCOLS\Handler\https\0x00000001 - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation )
HKLM->PROTOCOLS\Handler\https\0x00000001 (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\https\oledb - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation )
HKLM->PROTOCOLS\Handler\https\oledb (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\https (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\https\0x00000001 - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation )
HKLM->PROTOCOLS\Handler\https\0x00000001 (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\https\oledb - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation )
HKLM->PROTOCOLS\Handler\https\oledb (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\ipp - (File not found))
HKLM->PROTOCOLS\Handler\ipp\0x00000001 - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation )
HKLM->PROTOCOLS\Handler\ipp\0x00000001 (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\ipp (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\ipp\0x00000001 - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation )
HKLM->PROTOCOLS\Handler\ipp\0x00000001 (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\its - C:\WINDOWS\System32\itss.dll (Microsoft Corporation )
HKLM->PROTOCOLS\Handler\its (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\javascript - %SystemRoot%\System32\mshtml.dll (Microsoft Corporation )
HKLM->PROTOCOLS\Handler\javascript (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\lid - C:\WINDOWS\System32\msvidctl.dll (Microsoft Corporation )
HKLM->PROTOCOLS\Handler\lid (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\local - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation )
HKLM->PROTOCOLS\Handler\local (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\mailto - %SystemRoot%\System32\mshtml.dll (Microsoft Corporation )
HKLM->PROTOCOLS\Handler\mailto (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\mhtml - %SystemRoot%\System32\inetcomm.dll (Microsoft Corporation )
HKLM->PROTOCOLS\Handler\mhtml (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\mk - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation )
HKLM->PROTOCOLS\Handler\mk (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\msdaipp - (File not found))
HKLM->PROTOCOLS\Handler\msdaipp\0x00000001 - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation )
HKLM->PROTOCOLS\Handler\msdaipp\0x00000001 (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\msdaipp\oledb - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation )
HKLM->PROTOCOLS\Handler\msdaipp\oledb (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\msdaipp (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\msdaipp\0x00000001 - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation )
HKLM->PROTOCOLS\Handler\msdaipp\0x00000001 (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\msdaipp\oledb - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation )
HKLM->PROTOCOLS\Handler\msdaipp\oledb (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\ms-its - C:\WINDOWS\System32\itss.dll (Microsoft Corporation )
HKLM->PROTOCOLS\Handler\ms-its (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\ms-itss - (File not found))
HKLM->PROTOCOLS\Handler\ms-itss (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\msnim - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (Microsoft Corporation )
HKLM->PROTOCOLS\Handler\msnim (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\mso-offdap - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL (Microsoft Corporation )
HKLM->PROTOCOLS\Handler\mso-offdap (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\mso-offdap11 - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL (Microsoft Corporation )
HKLM->PROTOCOLS\Handler\mso-offdap11 (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\res - %SystemRoot%\System32\mshtml.dll (Microsoft Corporation )
HKLM->PROTOCOLS\Handler\res (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\sysimage - %SystemRoot%\System32\mshtml.dll (Microsoft Corporation )
HKLM->PROTOCOLS\Handler\sysimage (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\tv - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation )
HKLM->PROTOCOLS\Handler\tv (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\vbscript - %SystemRoot%\System32\mshtml.dll (Microsoft Corporation )
HKLM->PROTOCOLS\Handler\vbscript (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\wia - C:\WINDOWS\System32\wiascr.dll (Microsoft Corporation )
HKLM->PROTOCOLS\Handler\wia (HKCU CLSID) - (File not found))

All Protocol Filters
HKLM->PROTOCOLS\Filter\application/octet-stream - mscoree.dll (Microsoft Corporation )
HKLM->PROTOCOLS\Filter\application/octet-stream (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Filter\application/x-complus - mscoree.dll (Microsoft Corporation )
HKLM->PROTOCOLS\Filter\application/x-complus (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Filter\application/x-msdownload - mscoree.dll (Microsoft Corporation )
HKLM->PROTOCOLS\Filter\application/x-msdownload (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Filter\Class Install Handler - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation )
HKLM->PROTOCOLS\Filter\Class Install Handler (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Filter\deflate - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation )
HKLM->PROTOCOLS\Filter\deflate (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Filter\gzip - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation )
HKLM->PROTOCOLS\Filter\gzip (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Filter\lzdhtml - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation )
HKLM->PROTOCOLS\Filter\lzdhtml (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Filter\text/webviewhtml - %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
HKLM->PROTOCOLS\Filter\text/webviewhtml (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Filter\text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation )
HKLM->PROTOCOLS\Filter\text/xml (HKCU CLSID) - (File not found))

<Services>
AntiVir PersonalEdition Classic Scheduler - AntiVirScheduler - Automatic - Running - Win32, running in it's own process - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe (Avira GmbH )
AntiVir PersonalEdition Classic Guard - AntiVirService - Automatic - Running - Win32, running in it's own process - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe (AVIRA GmbH )
Ati HotKey Poller - Ati HotKey Poller - Automatic - Running - Win32, running in it's own process - C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc. )
Crypkey License - Crypkey License - Automatic - Running - Win32, running in it's own process - crypserv.exe (Kenonic Controls Ltd. )
DCOM Server Process Launcher - DcomLaunch - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\system32\svchost -k DcomLaunch (Microsoft Corporation )
DNS Client - Dnscache - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k NetworkService (Microsoft Corporation )
EPSON Printer Status Agent2 - EPSONStatusAgent2 - Automatic - Running - Win32, running in it's own process - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe (SEIKO EPSON CORPORATION )
Event Log - Eventlog - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\system32\services.exe (Microsoft Corporation )
COM+ Event System - EventSystem - On Demand - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
ewido anti-spyware 4.0 guard - ewido anti-spyware 4.0 guard - Automatic - Running - Win32, running in it's own process - C:\Program Files\ewido anti-spyware 4.0\guard.exe (Anti-Malware Development a.s. )
Firebird Guardian - DefaultInstance - FirebirdGuardianDefaultInstance - Automatic - Running - Win32, running in it's own process - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe -s (The Firebird Project )
Firebird Server - DefaultInstance - FirebirdServerDefaultInstance - On Demand - Running - Win32, running in it's own process - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe -s (The Firebird Project )
Help and Support - helpsvc - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
TCP/IP NetBIOS Helper - LmHosts - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k LocalService (Microsoft Corporation )
Network Connections - Netman - On Demand - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Network Location Awareness (NLA) - Nla - On Demand - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
NMSAccess - NMSAccess - Automatic - Running - Win32, running in it's own process - C:\Program Files\Cheetah Burner\Cheetah DVD Burner\NMSAccess.exe ( )
PDScheduler - PDSched - Automatic - Running - Win32, running in it's own process - "C:\Program Files\Raxco\PerfectDisk\PDSched.exe" (Raxco Software, Inc. )
Plug and Play - PlugPlay - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\system32\services.exe (Microsoft Corporation )
IPSEC Services - PolicyAgent - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\System32\lsass.exe (Microsoft Corporation )
Protected Storage - ProtectedStorage - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\system32\lsass.exe (Microsoft Corporation )
Remote Access Connection Manager - RasMan - On Demand - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Remote Procedure Call (RPC) - RpcSs - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\system32\svchost -k rpcss (Microsoft Corporation )
Security Accounts Manager - SamSs - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\system32\lsass.exe (Microsoft Corporation )
System Event Notification - SENS - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation )
SmartLinkService - SLService - Automatic - Running - Win32, running in it's own process - slserv.exe (Smart Link )
Print Spooler - Spooler - Automatic - Running - Win32, running in it's own process - C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation )
SSDP Discovery Service - SSDPSRV - On Demand - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k LocalService (Microsoft Corporation )
Windows Image Acquisition (WIA) - stisvc - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k imgsvc (Microsoft Corporation )
Telephony - TapiSrv - On Demand - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Terminal Services - TermService - On Demand - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost -k DComLaunch (Microsoft Corporation )
Themes - Themes - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
TuneUp WinStyler Theme Service - TUWinStylerThemeSvc - Automatic - Running - Win32, running in it's own process - "C:\Program Files\TuneUp WinStyler\WinStylerThemeSvc.exe" (TuneUp Software GmbH )
Ulead Burning Helper - UleadBurningHelper - Automatic - Running - Win32, running in it's own process - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (Ulead Systems, Inc. )
Windows User Mode Driver Framework - UMWdf - Automatic - Running - Win32, running in it's own process - C:\WINDOWS\system32\wdfmgr.exe (Microsoft Corporation )
Virtual CD v4 Security service (SDK - Version) - VCSSecS - Automatic - Running - Win32, running in it's own process - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe (H+H Software GmbH )
Windows Time - W32Time - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
WebClient - WebClient - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k LocalService (Microsoft Corporation )
Windows Defender Service - WinDefend - Automatic - Running - Win32, running in it's own process - "C:\Program Files\Windows Defender\MsMpEng.exe" (Microsoft Corporation )
Windows Management Instrumentation - winmgmt - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation )

<Files>

AllUsers ApplicationData Folder
C:\Documents and Settings\All Users\Application Data\addr_file.html - ( [Ver = | Size = 305 bytes | Date = 04/11/2006 09:33 | Attr = ])
C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache - ( [Ver = | Size = 1747 bytes | Date = 04/16/2006 18:40 | Attr = ])

CurrentUser ApplicationData Folder
C:\Documents and Settings\FAMILEY\Application Data\AdobeDLM.log - ( [Ver = | Size = 1765 bytes | Date = 05/11/2006 18:11 | Attr = ])
C:\Documents and Settings\FAMILEY\Application Data\desktop.ini - ( [Ver = | Size = 62 bytes | Date = 08/27/2002 12:51 | Attr = HS])
C:\Documents and Settings\FAMILEY\Application Data\dm.ini - ( [Ver = | Size = 0 bytes | Date = 05/11/2006 18:11 | Attr = ])
C:\Documents and Settings\FAMILEY\Application Data\GDIPFONTCACHEV1.DAT - ( [Ver = | Size = 178312 bytes | Date = 07/09/2004 22:35 | Attr = ])

DPF files
{00000075-9980-0010-8000-00AA00389B71} - - CodeBase = http://codecs.microsoft.com/codecs/i386/voxacm.CAB
{00B71CFB-6864-4346-A978-C0A14556272C} - Checkers Class - CodeBase = http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - QuickTime Object - CodeBase = http://www.apple.com/qtactivex/qtplugin.cab
{14B87622-7E19-4EA8-93B3-97215F77A6BC} - MessengerStatsClient Class - CodeBase = http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
{166B1BCA-3F9C-11CF-8075-444553540000} - Shockwave ActiveX Control - CodeBase = http://download.macromedia.com/pub/shockwa...director/sw.cab
{17492023-C23A-453E-A040-C7C580BBF700} - Windows Genuine Advantage Validation Tool - CodeBase = http://go.microsoft.com/fwlink/?linkid=39204
{2917297F-F02B-4B9D-81DF-494B6333150B} - Minesweeper Flags Class - CodeBase = http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - - CodeBase = http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
{30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - YInstStarter Class - CodeBase = C:\Program Files\Yahoo!\Common\yinsthelper.dll
{3F0EECCE-E138-11D1-8712-0060083D83F5} - LPViewer Class - CodeBase = http://www.mgisoft.com/ActiveX/LPControl.cab
{4F1E5B1A-2A80-42CA-8532-2D05CB959537} - MSN Photo Upload Tool - CodeBase = http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
{644E432F-49D3-41A1-8DD5-E099162EEEC5} - - CodeBase = http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
{665585FD-2068-4C5E-A6D3-53AC3270ECD4} - - CodeBase = http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - MUWebControl Class - CodeBase = http://update.microsoft.com/microsoftupdat...b?1137776560328
{79E0C1C0-316D-11D5-A72A-006097BFA1AC} - EPSON Web Printer-SelfTest Control Class - CodeBase = http://support.epson-europe.com/selftest/Prg/ESTPTest.cab
{8AD9C840-044E-11D1-B3E9-00805F499D93} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
{8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - MessengerStatsClient Class - CodeBase = http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
{9122D757-5A4F-4768-82C5-B4171D8556A7} - PhotoPickConvert Class - CodeBase = http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - ActiveScan Installer Class - CodeBase = http://acs.pandasoftware.com/activescan/as5free/asinst.cab
{B8BE5E93-A60C-4D26-A2DC-220313175592} - ZoneIntro Class - CodeBase = http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
{BC01A402-4730-11D2-B36C-0000E8DF722B} - - CodeBase = http://www.digitalworkshop.co.uk/ilm450.cab
{CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - Java Plug-in 1.4.2_05 - CodeBase = http://java.sun.com/products/plugin/autodl...indows-i586.cab
{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - Java Plug-in 1.5.0_04 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - Java Plug-in 1.5.0_05 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} - Shockwave Flash Object - CodeBase = http://download.macromedia.com/pub/shockwa...ash/swflash.cab
{D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - iTunesDetector Class - CodeBase = http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
{E6187999-9FEC-46A1-A20F-F4CA977D5643} - ZoneChess Object - CodeBase = http://messenger.zone.msn.com/binary/Chess.cab31267.cab
{F6BF0D00-0B2A-4A75-BF7B-F385591623AF} - Solitaire Showdown Class - CodeBase = http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
{FA3662C3-B8E8-11D6-A667-0010B556D978} - IWinAmpActiveX Class - CodeBase = http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
Microsoft XML Parser for Java - - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab

Hosts file = 734 bytes. Reading all entries. C:\WINDOWS\System32\drivers\etc\Hosts
# Copyright © 1993-1999 Microsoft Corp. -
# -
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows. -
# -
# This file contains the mappings of IP addresses to host names. Each -
# entry should be kept on an individual line. The IP address should -
# be placed in the first column followed by the corresponding host name. -
# The IP address and the host name should be separated by at least one -
# space. -
# -
# Additionally, comments (such as these) may be inserted on individual -
# lines or following the machine name denoted by a '#' symbol. -
# -
# For example: -
# -
# 102.54.94.97 rhino.acme.com # source server -
# 38.25.63.10 x.acme.com # x client host -
-
127.0.0.1 localhost -

<Add On's>

>>>>Output for AddOn file HKCU_IEDesktop.def<<<<

KEY - HKCU\Software\Microsoft\Internet Explorer\Desktop - Include SUBKEYS
HKCU\Software\Microsoft\Internet Explorer\Desktop -
Desktop\Components -
Desktop\Components\\DeskHtmlVersion - 272
Desktop\Components\\DeskHtmlMinorVersion - 5
Desktop\Components\\Settings - 1
Desktop\Components\\GeneralFlags - 1
Desktop\Components\0 -
Desktop\Components\0\\Source - About:Home
Desktop\Components\0\\SubscribedURL - About:Home
Desktop\Components\0\\FriendlyName - My Current Home Page
Desktop\Components\0\\Flags - 2
Desktop\Components\0\\Position - 2C 00 00 00 CC 00 00 00 00 00 00 00 34 03 00 00 E2 02 00 00 00 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00
Desktop\Components\0\\CurrentState - 04 00 00 40
Desktop\Components\0\\OriginalStateInfo - 18 00 00 00 CC 00 00 00 00 00 00 00 34 03 00 00 DE 02 00 00 04 00 00 C0
Desktop\Components\0\\RestoredStateInfo - 18 00 00 00 CC 00 00 00 00 00 00 00 34 03 00 00 DE 02 00 00 01 00 00 00
Desktop\General -
Desktop\General\\BackupWallpaper - %USERPROFILE%\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
Desktop\General\\WallpaperFileTime - 38 EE 1A 2C B0 92 C6 01
Desktop\General\\WallpaperLocalFileTime - 38 56 DF 8D B8 92 C6 01
Desktop\General\\TileWallpaper - 0
Desktop\General\\WallpaperStyle -
Desktop\General\\Wallpaper - %USERPROFILE%\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
Desktop\General\\ComponentsPositioned - 1
Desktop\Old WorkAreas -
Desktop\Old WorkAreas\\NoOfOldWorkAreas - 1
Desktop\Old WorkAreas\\OldWorkAreaRects - 00 00 00 00 00 00 00 00 20 03 00 00 3A 02 00 00
Desktop\SafeMode -
Desktop\SafeMode\Components -
Desktop\SafeMode\Components\\DeskHtmlVersion - 272
Desktop\SafeMode\Components\\DeskHtmlMinorVersion - 5
Desktop\SafeMode\Components\\Settings - 1
Desktop\SafeMode\Components\\GeneralFlags - 4
Desktop\SafeMode\General -
Desktop\SafeMode\General\\Wallpaper - %SystemRoot%\Web\SafeMode.htt
Desktop\SafeMode\General\\VisitGallery - 0
Desktop\Scheme -
Desktop\Scheme\\Edit -
Desktop\Scheme\\Display -

>>>>Output for AddOn file Policies.def<<<<

KEY - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
HKLM\SOFTWARE\Microsoft\W

#10 OldTimer
Malware Expert

Posted 13 August 2006 - 06:10 PM

Hi PrittStick. Ok, that shows us what we were looking for.

Download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK.
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES.
  • Once you click YES, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shut down your computer, click OK.
  • Turn your computer back on.
Now run a new WinPFind2 report.
  • Open the WinPFind2 folder and double-click on winpfind2.exe to start the program.
  • Keep the standard settings and then in the AddOn-Options box click the checkboxes for
    • HKCU_IEDesktop.def
    • Policies.def
    to select them.
  • Now click the Run All Scans button on the toolbar.
  • When the scans are complete click the Simple Report button in the lower right-hand corner to create a report file. Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button to post the WinPFind2 report along with the log file from VundoFix and details of any problems you encountered performing the above steps and I will review the information when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

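OldTimer is asking for a fresh WinPFind2 report to read through by hand. As an added example, not part of this thread or of WinPFind2 itself, here is a small Python triage script that parses the report's Registry Entries lines (the `KEY - NAME = PATH (COMPANY )` layout seen in the logs above) and lists the items a reviewer checks first: modules whose version info carries no vendor, entries whose file no longer exists, and IE start/search pages that are not the defaults. The sample input is copied from the reports posted in this thread; the set of "default" IE pages and hosts is an assumption, not something WinPFind2 defines.

```python
"""Triage helper for WinPFind2 'Registry Entries' report text (added example)."""
import re
from dataclasses import dataclass

# Sample input: lines copied from the WinPFind2 reports posted in this thread.
SAMPLE_REPORT = r"""
Internet Explorer Settings
HKLM->Main\\Start Page - about:blank
HKLM->Main\\Local Page - C:\WINDOWS\system32\blank.htm
HKCU->Main\\Start Page - http://www.findthewebsiteyouneed.com
HKCU->Main\\Search Page - http://searchbar.findthewebsiteyouneed.com

BHO's
HKLM->Browser Helper Objects\{5307A12C-FAA6-4850-8BB8-24014785B594} - = C:\WINDOWS\system32\sstqn.dll ( )
HKLM->Browser Helper Objects\{617D95B6-D1B0-425A-AD40-D6D966AC9D6C} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))

Registry Run Keys
HKLM->Run\\SunJavaUpdateSched - C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe (Sun Microsystems, Inc. )
HKLM->Run\\UserFaultCheck - %systemroot%\system32\dumprep 0 -u (File not found))
HKLM->Run\\Windows Defender - "C:\Program Files\Windows Defender\MSASCui.exe" -hide (Microsoft Corporation )
HKLM->Run\OptionalComponents\IMAIL - Installed = 1
"""


@dataclass(frozen=True)
class Finding:
    section: str
    key: str
    target: str
    reason: str


# WinPFind2 closes each file entry with "(Company )" or "(File not found))".
TRAILER_RE = re.compile(r"\s\(([^()]*)\)\)?\s*$")

# Assumed baseline (not from WinPFind2): what IE points at before anyone changes it.
DEFAULT_PAGES = {"about:blank", "about:home"}
DEFAULT_HOSTS = {"www.microsoft.com", "go.microsoft.com"}


def parse_entry(line):
    """Split 'KEY - NAME = TARGET (COMPANY )' into (key, name, target, company).

    Returns None for lines without ' - ', which the report uses as section headings.
    company is None when the line carries no trailing '(...)' group at all.
    """
    key, sep, rest = line.partition(" - ")
    if not sep:
        return None
    if rest.startswith("= "):            # nameless entry, e.g. a BHO with no display name
        name, target = "", rest[2:]
    else:
        name, eq, target = rest.partition(" = ")
        if not eq:
            name, target = "", rest
    company = None
    m = TRAILER_RE.search(target)
    if m:
        company = m.group(1).strip()
        target = target[:m.start()].strip()
    return key, name, target, company


def page_is_default(value):
    """True if an IE start/search page value matches the assumed factory baseline."""
    v = value.strip().lower()
    if v == "" or v in DEFAULT_PAGES:
        return True
    m = re.match(r"https?://([^/]+)", v)
    return bool(m) and m.group(1) in DEFAULT_HOSTS


def triage(report):
    """Walk a report and return the entries a reviewer should look at first."""
    findings = []
    section = ""
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        parsed = parse_entry(line)
        if parsed is None:
            section = line                 # heading such as "BHO's" or "Registry Run Keys"
            continue
        key, _name, target, company = parsed
        leaf = key.rsplit("\\", 1)[-1]
        if section == "Internet Explorer Settings" and leaf in ("Start Page", "Search Page"):
            if not page_is_default(target):
                findings.append(Finding(section, key, target, "non-default start/search page"))
            continue
        if company is None:                # plain value, e.g. "Installed = 1"
            continue
        if company == "File not found":
            findings.append(Finding(section, key, target, "entry points at a file that no longer exists"))
        elif company == "":
            findings.append(Finding(section, key, target, "loaded module carries no vendor in its version info"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.section}] {f.key}\n    {f.target}\n    -> {f.reason}")
```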

#11 PrittStick
Topic Starter

Posted 15 August 2006 - 09:51 AM

Hey, I had a problem using VundoFix at the beginning. After clicking the checkbox a prompt appeared as you said. I clicked OK, and after about five minutes it still hadn't loaded, so I tried another couple of times with no success. In the end I simply clicked the Scan for Vundo button without clicking the checkbox. After it had finished, three files appeared; I recognised only one, C:\WINDOWS\system32\sstqn.dll. It turned out that that was the only one that Vundo couldn't delete. It said it would attempt to delete it after reboot, but I'm not sure whether it did or not. I have checked in the folder to see if the file is still there and it is.

Thanks again...
P.S. I could not find where the VundoFix log file is, so I only posted the WinPFind2 one.

Logfile created on: 15/08/2006 15:50:38
WinPFind2 by OldTimer - Version 1.0.3 Folder = C:\Documents and Settings\FAMILEY\Desktop\WinPFind2\
Microsoft Windows XP (Version = Service Pack 2)
Internet Explorer (Version - 6.0.2900.2180)


<Processes>
ati2evxx.exe - c:\windows\system32\ati2evxx.exe - (ATI Technologies Inc. )
ati2evxx.exe - c:\windows\system32\ati2evxx.exe - (ATI Technologies Inc. )
avguard.exe - c:\program files\antivir personaledition classic\avguard.exe - (AVIRA GmbH )
crypserv.exe - c:\windows\system32\crypserv.exe - (Kenonic Controls Ltd. )
ctfmon.exe - c:\windows\system32\ctfmon.exe - (Microsoft Corporation )
explorer.exe - c:\windows\explorer.exe - (Microsoft Corporation )
fbguard.exe - c:\program files\firebird\firebird_1_5\bin\fbguard.exe - (The Firebird Project )
fbserver.exe - c:\program files\firebird\firebird_1_5\bin\fbserver.exe - (The Firebird Project )
firefox.exe - c:\program files\mozilla firefox\firefox.exe - (Mozilla Corporation )
guard.exe - c:\program files\ewido anti-spyware 4.0\guard.exe - (Anti-Malware Development a.s. )
jusched.exe - c:\program files\java\jre1.5.0_06\bin\jusched.exe - (Sun Microsystems, Inc. )
lsass.exe - c:\windows\system32\lsass.exe - (Microsoft Corporation )
memturbo.exe - c:\program files\silicon prairie software\memturbo\memturbo.exe - (SharewareOnline.com, Inc. )
msascui.exe - c:\program files\windows defender\msascui.exe - (Microsoft Corporation )
msgplus.exe - c:\program files\messengerplus! 3\msgplus.exe - (Patchou )
msmpeng.exe - c:\program files\windows defender\msmpeng.exe - (Microsoft Corporation )
msmsgs.exe - c:\program files\messenger\msmsgs.exe - (Microsoft Corporation )
msnmsgr.exe - c:\program files\msn messenger\msnmsgr.exe - (Microsoft Corporation )
nmsaccess.exe - c:\program files\cheetah burner\cheetah dvd burner\nmsaccess.exe - ( )
pdsched.exe - c:\program files\raxco\perfectdisk\pdsched.exe - (Raxco Software, Inc. )
sagent2.exe - c:\program files\common files\epson\ebapi\sagent2.exe - (SEIKO EPSON CORPORATION )
sched.exe - c:\program files\antivir personaledition classic\sched.exe - (Avira GmbH )
services.exe - c:\windows\system32\services.exe - (Microsoft Corporation )
slserv.exe - c:\windows\system32\slserv.exe - (Smart Link )
smss.exe - \systemroot\system32\smss.exe - (Microsoft Corporation )
spoolsv.exe - c:\windows\system32\spoolsv.exe - (Microsoft Corporation )
svchost.exe - c:\windows\system32\svchost.exe - (Microsoft Corporation )
svchost.exe - c:\windows\system32\svchost.exe - (Microsoft Corporation )
svchost.exe - c:\windows\system32\svchost.exe - (Microsoft Corporation )
ulcdrsvr.exe - c:\program files\common files\ulead systems\dvd\ulcdrsvr.exe - (Ulead Systems, Inc. )
vcssecs.exe - c:\program files\virtual cd v4 sdk\system\vcssecs.exe - (H+H Software GmbH )
winlogon.exe - \??\c:\windows\system32\winlogon.exe - (Microsoft Corporation )
winpfind2.exe - c:\documents and settings\familey\desktop\winpfind2\winpfind2.exe - (OldTimer Tools )
winstylerthemesvc.exe - c:\program files\tuneup winstyler\winstylerthemesvc.exe - (TuneUp Software GmbH )
wscntfy.exe - c:\windows\system32\wscntfy.exe - (Microsoft Corporation )
wuauclt.exe - c:\windows\system32\wuauclt.exe - (Microsoft Corporation )

<Registry Entries>

Version Info
WinPFind2 by OldTimer - Version 1.0.3 -
Microsoft Windows XP Version = Service Pack 2 -
Internet Explorer Version = 6.0.2900.2180 -

Internet Explorer Settings
HKLM->Main\\Start Page - about:blank
HKLM->Main\\Search Page - http://searchbar.findthewebsiteyouneed.com
HKLM->Main\\Default Page -
HKLM->Main\\Default Search -
HKLM->Main\\Local Page - C:\WINDOWS\system32\blank.htm
HKCU->Main\\Start Page - http://www.findthewebsiteyouneed.com
HKCU->Main\\Search Page - http://searchbar.findthewebsiteyouneed.com
HKCU->Main\\Local Page - C:\WINDOWS\system32\blank.htm
HKCU->Internet Settings\\ProxyEnable - 0
HKCU->Internet Settings\\ProxyOverride -

BHO's
HKLM->Browser Helper Objects\{5307A12C-FAA6-4850-8BB8-24014785B594} - = C:\WINDOWS\system32\sstqn.dll ( )
HKLM->Browser Helper Objects\{617D95B6-D1B0-425A-AD40-D6D966AC9D6C} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
HKLM->Browser Helper Objects\{7BFCC1EB-D72A-446F-9127-B1D9C37A292E} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))

Internet Explorer Bars, Toolbars and Extensions
HKCU->Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
HKCU->Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1} - File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
HKCU->Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E} - Favorites Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation )
HKCU->Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E} - Explorer Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation )
HKLM->Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
HKLM->Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation )
HKLM->Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - Real.com = C:\WINDOWS\System32\Shdocvw.dll (Microsoft Corporation )
HKCU->Toolbar\ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
HKCU->Toolbar\WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
HKCU->Toolbar\WebBrowser\\{0CA29372-ED37-DBDA-B112-F235F398C0F1} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
HKCU->Toolbar\WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
HKCU->Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
HKCU->Toolbar\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
HKCU->Toolbar\WebBrowser\\{CBCC61FA-0221-4CCC-B409-CEE865CACA3A} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
HKCU->Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
HKCU->Extensions\CmdMapping\\{072F3B8A-2DA2-40e2-B841-88899F240200} - 8192 - Reg Data missing or invalid
HKCU->Extensions\CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - 8193 - Sun Java Console
HKCU->Extensions\CmdMapping\\{1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - 8194 -
HKCU->Extensions\CmdMapping\\{2499216C-4BA5-11D5-BD9C-000103C116D5} - 8195 - Reg Data missing or invalid
HKCU->Extensions\CmdMapping\\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - 8196 - Reg Data missing or invalid
HKCU->Extensions\CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} - 8200 -
HKCU->Extensions\CmdMapping\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - 8197 - Reg Data missing or invalid
HKCU->Extensions\CmdMapping\\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - 8198 - Reg Data missing or invalid
HKCU->Extensions\CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} - 8199 - Windows Messenger
HKCU->Extensions\CmdMapping\\NextId - 8201
HKLM->Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll (Sun Microsystems, Inc. )
HKLM->Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} (HKCU CLSID) - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc. )
HKLM->Extensions\{1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - ButtonText: Packard Bell = C:\Apps\IECustom\script.htm (File not found))
HKLM->Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263} - ButtonText: Research = (File not found))
HKLM->Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683} - ButtonText: Messenger = C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation )
HKCU->MenuExt\E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 (Microsoft Corporation )

Approved Shell Extensions (Non-Microsoft only)
HKLM->Shell Extensions\Approved\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Taskbar and Start Menu = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{10970560-332E-4042-96C9-02AB2FDDD088} - HandyBits Zip&Go Menu = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{32683183-48a0-441b-a342-7c2a440a9478} - Media Band = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{357BE06B-49FE-43F6-9165-DBBF878B5E6A} - = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{45AC2688-0253-4ED8-97DE-B5370FA7D48A} - Shell Extension for Malware scanning = C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll (H+BEDV Datentechnik GmbH )
HKLM->Shell Extensions\Approved\{661825E5-B9A4-4D3E-8B74-3B6B63C32A80} - Shell Extensions for Font Creator = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{6EE51AA0-77A0-11D7-B4E1-000347126E46} - Window Washer Shell Shredding Utility = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{7A9D77BD-5403-11d2-8785-2E0420524153} - User Accounts = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINDOWS\System32\hticons.dll (Hilgraeve, Inc. )
HKLM->Shell Extensions\Approved\{89614271-D5D4-453F-BE13-E7A6E05BB7D6} - = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{A0752120-6D75-D111-B5B1-0800095A2318} - HandyBits EasyCrypto Shell Extensions = C:\WINDOWS\System32\tsseCryp.dll ( )
HKLM->Shell Extensions\Approved\{A0752130-6D75-D111-B5B1-0800095A2318} - HandyBits File Shredder Virtual Folder = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{B41DB860-8EE4-11D2-9906-E49FADC173CA} - WinRAR shell extension = C:\Program Files\WinRAR\rarext.dll ( )
HKLM->Shell Extensions\Approved\{B5FB6487-7E79-4816-B73B-8A65E41971DA} - BullGuard Antivirus v4 = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{B8323370-FF27-11D2-97B6-204C4F4F5020} - SmartFTP Shell Extension DLL = C:\Program Files\SmartFTP\smarthook.dll (SmartFTP )
HKLM->Shell Extensions\Approved\{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} - iTunes = C:\Program Files\iTunes\iTunesMiniPlayer.dll (Apple Computer, Inc. )
HKLM->Shell Extensions\Approved\{D8A8853A-DB04-45D4-8732-A5CC49CE6107} - deskMenu2 Shell Extension = C:\WINDOWS\system32\deskMenu2.dll ( )
HKLM->Shell Extensions\Approved\{E0D79304-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
HKLM->Shell Extensions\Approved\{E0D79305-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
HKLM->Shell Extensions\Approved\{E0D79306-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
HKLM->Shell Extensions\Approved\{E0D79307-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
HKLM->Shell Extensions\Approved\{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} - Shell Extensions for RealOne Player = C:\Program Files\Real\RealPlayer\rpshell.dll (RealNetworks, Inc. )
HKCU->Shell Extensions\Approved\{BDEADF00-C265-11d0-BCED-00A0C90AB50F} - Web Folders = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL (Microsoft Corporation )

ContextMenuHandlers (Non-Microsoft only)
HKLM->* - deskMenu2 - {D8A8853A-DB04-45D4-8732-A5CC49CE6107} = C:\WINDOWS\system32\deskMenu2.dll ( )
HKLM->* - EasyCryptoMenu - {A0752120-6D75-D111-B5B1-0800095A2318} = C:\WINDOWS\System32\tsseCryp.dll ( )
HKLM->* - EncodeDivXExt - {E9F5B111-CACC-4FD4-81FD-4EB4FD6765A3} = C:\Program Files\DivX\Dr.DivX\EncodeDivXExt.dll ( )
HKLM->* - ewido anti-spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll (Anti-Malware Development a.s. )
HKLM->* - SharedMenuHandler - {916F1ADF-2F02-46C2-B7D2-310468390750} = C:\WINDOWS\SYSTEM32\ssmenu.dll (Teknum Systems AS )
HKLM->* - Shell Extension for Malware scanning - {45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll (H+BEDV Datentechnik GmbH )
HKLM->* - WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ( )
HKLM->* - WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
HKLM->Directory - EasyCryptoMenu - {A0752120-6D75-D111-B5B1-0800095A2318} = C:\WINDOWS\System32\tsseCryp.dll ( )
HKLM->Directory - ewido anti-spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll (Anti-Malware Development a.s. )
HKLM->Directory - SharedMenuHandler - {916F1ADF-2F02-46C2-B7D2-310468390750} = C:\WINDOWS\SYSTEM32\ssmenu.dll (Teknum Systems AS )
HKLM->Directory - WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ( )
HKLM->Directory - WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
HKLM->Folder - BullGuard Antivirus v4 - {B5FB6487-7E79-4816-B73B-8A65E41971DA} = Reg Data missing or invalid (File not found))
HKLM->Folder - Shell Extension for Malware scanning - {45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll (H+BEDV Datentechnik GmbH )
HKLM->Folder - WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ( )
HKLM->Folder - WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )

ColumnHandlers (Non-Microsoft only)
HKLM->Folder - {F9DB5320-233E-11D1-9F84-707F02C10627} - PDF Shell Extension = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll (Adobe Systems, Inc. )

Registry Run Keys
HKLM->Run\\MessengerPlus3 - "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" (Patchou )
HKLM->Run\\QuickTime Task - "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Computer, Inc. )
HKLM->Run\\SunJavaUpdateSched - C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe (Sun Microsystems, Inc. )
HKLM->Run\\UserFaultCheck - %systemroot%\system32\dumprep 0 -u (File not found))
HKLM->Run\\Windows Defender - "C:\Program Files\Windows Defender\MSASCui.exe" -hide (Microsoft Corporation )
HKLM->Run\OptionalComponents\IMAIL - Installed = 1
HKLM->Run\OptionalComponents\MAPI - Installed = 1
HKLM->Run\OptionalComponents\MSFS - Installed = 1
HKCU->Run\\ctfmon.exe - C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation )
HKCU->Run\\MessengerPlus3 - "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart (Patchou )
HKCU->Run\\msnmsgr - "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (Microsoft Corporation )
HKCU->Run\\Skype - "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized ( )
HKCU->Run\\Update Service - "C:\Program Files\Common Files\Teknum Systems\update.exe" /startup (File not found))

Startup Lnks
HKCU->Startup - desktop.ini - C:\Documents and Settings\FAMILEY\Start Menu\Programs\Startup\desktop.ini ( )
HKCU->Startup - MemTurbo.lnk - C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe (SharewareOnline.com, Inc. )

Disabled MSConfig Items
HKLM->StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk - Adobe Gamma Loader = C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE (Adobe Systems, Inc. )
HKLM->StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^blueyonder Instant Support Tool.lnk - blueyonder Instant Support Tool = C:\PROGRA~1\BLUEYO~1\bin\matcli.exe -boot (Motive Communications, Inc. )
HKLM->StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MemTurbo.lnk - MemTurbo = C:\PROGRA~1\SILICO~1\MemTurbo\memturbo.exe /starthidden (SharewareOnline.com, Inc. )
HKLM->StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk - Microsoft Office = C:\PROGRA~1\MICROS~4\Office10\OSA.EXE -b -l (File not found))
HKLM->StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ulead Photo Express 3.0 SE Calendar Checker.lnk - Ulead Photo Express 3.0 SE Calendar Checker = C:\PROGRA~1\ULEADS~1\ULEADP~1.0SE\CalCheck.exe (Ulead Systems, Inc. )
HKLM->StartUpFolder\C:^Documents and Settings^FAMILEY^Start Menu^Programs^Startup^DNSKong.lnk - DNSKong = C:\PROGRA~1\Pyrenean\DNSKong\DNSKong.exe (Pyrenean )
HKLM->StartUpFolder\C:^Documents and Settings^FAMILEY^Start Menu^Programs^Startup^ShortKeys Lite.lnk - ShortKeys Lite = C:\PROGRA~1\shortkey\SHORTKEY.EXE ( )
HKLM->StartUpReg\3Degrees - threedegrees = C:\Program Files\threedegrees\threedegrees.exe (File not found))
HKLM->StartUpReg\Adobe Photo Downloader - apdproxy = "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" (Adobe Systems Incorporated )
HKLM->StartUpReg\Advanced Tools Check - ADVCHK = C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE (File not found))
HKLM->StartUpReg\AIM - aim = C:\PROGRA~1\AIM\aim.exe -cnetwait.odl (File not found))
HKLM->StartUpReg\ATIPTA - atiptaxx = C:\ATI Technologies\ATI Control Panel\atiptaxx.exe (File not found))
HKLM->StartUpReg\avnort - msmbw = C:\WINDOWS\msmbw.exe (File not found))
HKLM->StartUpReg\BigDogPath - VM_STI = C:\WINDOWS\VM_STI.EXE Pro Cam (VM. )
HKLM->StartUpReg\Configuration Loading - svchos1 = svchos1.exe (File not found))
HKLM->StartUpReg\EPSON Stylus Photo RX600 - E_S4I0M2 = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0M2.EXE /P24 "EPSON Stylus Photo RX600" /O6 "USB002" /M "Stylus Photo RX600" (SEIKO EPSON CORPORATION )
HKLM->StartUpReg\htmthunk - site byte cast = C:\PROGRA~1\ObjEq\site byte cast.exe (File not found))
HKLM->StartUpReg\iTunesHelper - iTunesHelper = C:\Program Files\iTunes\iTunesHelper.exe (Apple Computer, Inc. )
HKLM->StartUpReg\kdx - KHost = C:\WINDOWS\kdx\KHost.exe (File not found))
HKLM->StartUpReg\lpr - lpr123 = C:\windows\mmkt\lpr123.exe (File not found))
HKLM->StartUpReg\ltwob - formatsys = C:\WINDOWS\System32\formatsys.exe (File not found))
HKLM->StartUpReg\Microsoft Works Update Detection - WkUFind = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe (Microsoft® Corporation )
HKLM->StartUpReg\Mixer - wincrt32 = wincrt32.exe (File not found))
HKLM->StartUpReg\MOD - muamgr = C:\Program Files\Microangelo\muamgr.exe (File not found))
HKLM->StartUpReg\NeroCheck - NeroCheck = C:\WINDOWS\System32\\NeroCheck.exe (Ahead Software Gmbh )
HKLM->StartUpReg\NeroFilterCheck - NeroCheck = C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh )
HKLM->StartUpReg\New.net Startup - NEWDOT~2 = rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup (File not found))
HKLM->StartUpReg\Open Site - opnste = C:\Program Files\Open Site\opnste.exe (File not found))
HKLM->StartUpReg\QuickTime Task - qttask = "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Computer, Inc. )
HKLM->StartUpReg\RealTray - RealPlay = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER (RealNetworks, Inc. )
HKLM->StartUpReg\saap - saap = "C:\Program Files\Rosoft\Audio Tools\saap.exe" /did=154 (File not found))
HKLM->StartUpReg\ScrabbleSetup.exe - worms = C:\DOCUME~1\FAMILEY\Desktop\JAMES'~1\worms.exe /r (File not found))
HKLM->StartUpReg\serpe - formatsys = C:\WINDOWS\System32\formatsys.exe (File not found))
HKLM->StartUpReg\Skype - Skype = "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized ( )
HKLM->StartUpReg\SUService - SUService = C:\WINDOWS\system32\SUService.exe (File not found))
HKLM->StartUpReg\Synchronization Agent - syncagent = "C:\Program Files\Sync Manager Demo\agent\syncagent.exe" (File not found))
HKLM->StartUpReg\TimeSink Ad Client - TsAdBot = "C:\Program Files\TimeSink\AdGateway\TsAdBot.exe" (File not found))
HKLM->StartUpReg\TkBellExe - realsched = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (RealNetworks, Inc. )
HKLM->StartUpReg\Update Service - update = "C:\Program Files\Common Files\Teknum Systems\update.exe" /startup (File not found))
HKLM->StartUpReg\VCSPlayer - vcsplay = "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe" (H+H Software GmbH )
HKLM->StartUpReg\WebSavingsfromEbates - WebSavingsfromEbates" = wjview /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates" (File not found))
HKLM->StartUpReg\win_spool2 - win_spool2 = C:\WINDOWS\System32\win_spool2.exe (File not found))
HKLM->StartUpReg\WinampAgent - winampa = C:\Program Files\Winamp\winampa.exe ( )
HKLM->StartUpReg\Windows update - explore = explore.exe (File not found))
HKLM->StartUpReg\Yahoo! Pager - ypager = C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet ( )
HKLM->StartUpReg\Zone Labs Client - zlclient = C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe (File not found))

User Agent Post Platform
HKLM->Post Platform\\{46456B93-16B8-38F1-0656-60273043BD68} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))

AppInit DLLs
HKLM->Windows\\AppInit_DLLs - (File not found))

Image File Execution Options
HKLM->Image File Execution Options\Your Image File Name Here without a path - Debugger = ntsd -d

Shell Service Object Delay Load
HKLM->ShellServiceObjectDelayLoad\\CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
HKLM->ShellServiceObjectDelayLoad\\PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
HKLM->ShellServiceObjectDelayLoad\\SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll (Microsoft Corporation )
HKLM->ShellServiceObjectDelayLoad\\WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll (Microsoft Corporation )

Shell Execute Hooks
HKLM->ShellExecuteHooks\\{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - Microsoft AntiMalware ShellExecuteHook = C:\PROGRA~1\WIFD1F~1\MpShHook.dll (Microsoft Corporation )
HKLM->ShellExecuteHooks\\{57B86673-276A-48B2-BAE7-C6DBB3020EB8} - CShellExecuteHookImpl Object = C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll (Anti-Malware Development a.s. )
HKLM->ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation )

Shared Task Scheduler
HKLM->SharedTaskScheduler\\{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
HKLM->SharedTaskScheduler\\{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )

Winlogon
HKLM->Winlogon\\UserInit - C:\WINDOWS\system32\userinit.exe, (Microsoft Corporation )
HKLM->Winlogon\\Shell - Explorer.exe (Microsoft Corporation )
HKLM->Winlogon\\System - (File not found))
HKLM->Winlogon\Notify\AtiExtEvent - Ati2evxx.dll (ATI Technologies Inc. )
HKLM->Winlogon\Notify\crypt32chain - crypt32.dll (Microsoft Corporation )
HKLM->Winlogon\Notify\cryptnet - cryptnet.dll (Microsoft Corporation )
HKLM->Winlogon\Notify\cscdll - cscdll.dll (Microsoft Corporation )
HKLM->Winlogon\Notify\ScCertProp - wlnotify.dll (Microsoft Corporation )
HKLM->Winlogon\Notify\Schedule - wlnotify.dll (Microsoft Corporation )
HKLM->Winlogon\Notify\sclgntfy - sclgntfy.dll (Microsoft Corporation )
HKLM->Winlogon\Notify\SensLogn - WlNotify.dll (Microsoft Corporation )
HKLM->Winlogon\Notify\sstqn - C:\WINDOWS\system32\sstqn.dll ( )
HKLM->Winlogon\Notify\termsrv - wlnotify.dll (Microsoft Corporation )
HKLM->Winlogon\Notify\wlballoon - wlnotify.dll (Microsoft Corporation )

DNS Name Servers
HKLM->Interfaces\{7886A85E-35DA-4DC2-AFFB-B384A8B4079E} - (1394 Net Adapter)
HKLM->Interfaces\{BAF61F22-0FB1-401E-9A68-8FDB074C5189} - ()
HKLM->Interfaces\{D9DAE42C-B7C0-472B-8C95-3FC5DC370D1F} - (Realtek RTL8139/810x Family Fast Ethernet NIC)

Winsock2 Catalogs (Non-Microsoft only)

Protocol Handlers (Non-Microsoft only)
HKLM->PROTOCOLS\Handler\cdo - (File not found))
HKLM->PROTOCOLS\Handler\cdo (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\ipp - (File not found))
HKLM->PROTOCOLS\Handler\ipp (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\msdaipp - (File not found))
HKLM->PROTOCOLS\Handler\msdaipp (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\ms-itss - (File not found))
HKLM->PROTOCOLS\Handler\ms-itss (HKCU CLSID) - (File not found))

Protocol Filters (Non-Microsoft only)

<Services>
AntiVir PersonalEdition Classic Scheduler - AntiVirScheduler - Automatic - Running - Win32, running in it's own process - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe (Avira GmbH )
AntiVir PersonalEdition Classic Guard - AntiVirService - Automatic - Running - Win32, running in it's own process - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe (AVIRA GmbH )
Ati HotKey Poller - Ati HotKey Poller - Automatic - Running - Win32, running in it's own process - C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc. )
Crypkey License - Crypkey License - Automatic - Running - Win32, running in it's own process - crypserv.exe (Kenonic Controls Ltd. )
DCOM Server Process Launcher - DcomLaunch - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\system32\svchost -k DcomLaunch (Microsoft Corporation )
DNS Client - Dnscache - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k NetworkService (Microsoft Corporation )
EPSON Printer Status Agent2 - EPSONStatusAgent2 - Automatic - Running - Win32, running in it's own process - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe (SEIKO EPSON CORPORATION )
Event Log - Eventlog - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\system32\services.exe (Microsoft Corporation )
COM+ Event System - EventSystem - On Demand - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
ewido anti-spyware 4.0 guard - ewido anti-spyware 4.0 guard - Automatic - Running - Win32, running in it's own process - C:\Program Files\ewido anti-spyware 4.0\guard.exe (Anti-Malware Development a.s. )
Firebird Guardian - DefaultInstance - FirebirdGuardianDefaultInstance - Automatic - Running - Win32, running in it's own process - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe -s (The Firebird Project )
Firebird Server - DefaultInstance - FirebirdServerDefaultInstance - On Demand - Running - Win32, running in it's own process - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe -s (The Firebird Project )
Help and Support - helpsvc - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
TCP/IP NetBIOS Helper - LmHosts - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k LocalService (Microsoft Corporation )
Network Connections - Netman - On Demand - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Network Location Awareness (NLA) - Nla - On Demand - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
NMSAccess - NMSAccess - Automatic - Running - Win32, running in it's own process - C:\Program Files\Cheetah Burner\Cheetah DVD Burner\NMSAccess.exe ( )
PDScheduler - PDSched - Automatic - Running - Win32, running in it's own process - "C:\Program Files\Raxco\PerfectDisk\PDSched.exe" (Raxco Software, Inc. )
Plug and Play - PlugPlay - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\system32\services.exe (Microsoft Corporation )
IPSEC Services - PolicyAgent - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\System32\lsass.exe (Microsoft Corporation )
Protected Storage - ProtectedStorage - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\system32\lsass.exe (Microsoft Corporation )
Remote Access Connection Manager - RasMan - On Demand - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Remote Procedure Call (RPC) - RpcSs - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\system32\svchost -k rpcss (Microsoft Corporation )
Security Accounts Manager - SamSs - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\system32\lsass.exe (Microsoft Corporation )
System Event Notification - SENS - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation )
SmartLinkService - SLService - Automatic - Running - Win32, running in it's own process - slserv.exe (Smart Link )
Print Spooler - Spooler - Automatic - Running - Win32, running in it's own process - C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation )
SSDP Discovery Service - SSDPSRV - On Demand - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k LocalService (Microsoft Corporation )
Windows Image Acquisition (WIA) - stisvc - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k imgsvc (Microsoft Corporation )
Telephony - TapiSrv - On Demand - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Terminal Services - TermService - On Demand - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost -k DComLaunch (Microsoft Corporation )
Themes - Themes - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
TuneUp WinStyler Theme Service - TUWinStylerThemeSvc - Automatic - Running - Win32, running in it's own process - "C:\Program Files\TuneUp WinStyler\WinStylerThemeSvc.exe" (TuneUp Software GmbH )
Ulead Burning Helper - UleadBurningHelper - Automatic - Running - Win32, running in it's own process - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (Ulead Systems, Inc. )
Windows User Mode Driver Framework - UMWdf - Automatic - Running - Win32, running in it's own process - C:\WINDOWS\system32\wdfmgr.exe (Microsoft Corporation )
Virtual CD v4 Security service (SDK - Version) - VCSSecS - Automatic - Running - Win32, running in it's own process - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe (H+H Software GmbH )
Windows Time - W32Time - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
WebClient - WebClient - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k LocalService (Microsoft Corporation )
Windows Defender Service - WinDefend - Automatic - Running - Win32, running in it's own process - "C:\Program Files\Windows Defender\MsMpEng.exe" (Microsoft Corporation )
Windows Management Instrumentation - winmgmt - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation )

<Files>

AllUsers ApplicationData Folder
C:\Documents and Settings\All Users\Application Data\addr_file.html - ( [Ver = | Size = 305 bytes | Date = 11/04/2006 09:33:04 | Attr = ])
C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache - ( [Ver = | Size = 1747 bytes | Date = 16/04/2006 18:40:04 | Attr = ])

CurrentUser ApplicationData Folder
C:\Documents and Settings\FAMILEY\Application Data\AdobeDLM.log - ( [Ver = | Size = 1765 bytes | Date = 11/05/2006 18:11:48 | Attr = ])
C:\Documents and Settings\FAMILEY\Application Data\desktop.ini - ( [Ver = | Size = 62 bytes | Date = 27/08/2002 12:51:48 | Attr = HS])
C:\Documents and Settings\FAMILEY\Application Data\dm.ini - ( [Ver = | Size = 0 bytes | Date = 11/05/2006 18:11:48 | Attr = ])
C:\Documents and Settings\FAMILEY\Application Data\GDIPFONTCACHEV1.DAT - ( [Ver = | Size = 178312 bytes | Date = 09/07/2004 22:35:36 | Attr = ])

DPF files
{00000075-9980-0010-8000-00AA00389B71} - - CodeBase = http://codecs.microsoft.com/codecs/i386/voxacm.CAB
{00B71CFB-6864-4346-A978-C0A14556272C} - Checkers Class - CodeBase = http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - QuickTime Object - CodeBase = http://www.apple.com/qtactivex/qtplugin.cab
{14B87622-7E19-4EA8-93B3-97215F77A6BC} - MessengerStatsClient Class - CodeBase = http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
{166B1BCA-3F9C-11CF-8075-444553540000} - Shockwave ActiveX Control - CodeBase = http://download.macromedia.com/pub/shockwa...director/sw.cab
{17492023-C23A-453E-A040-C7C580BBF700} - Windows Genuine Advantage Validation Tool - CodeBase = http://go.microsoft.com/fwlink/?linkid=39204
{2917297F-F02B-4B9D-81DF-494B6333150B} - Minesweeper Flags Class - CodeBase = http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - - CodeBase = http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
{30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - YInstStarter Class - CodeBase = C:\Program Files\Yahoo!\Common\yinsthelper.dll
{3F0EECCE-E138-11D1-8712-0060083D83F5} - LPViewer Class - CodeBase = http://www.mgisoft.com/ActiveX/LPControl.cab
{4F1E5B1A-2A80-42CA-8532-2D05CB959537} - MSN Photo Upload Tool - CodeBase = http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
{644E432F-49D3-41A1-8DD5-E099162EEEC5} - - CodeBase = http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
{665585FD-2068-4C5E-A6D3-53AC3270ECD4} - - CodeBase = http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - MUWebControl Class - CodeBase = http://update.microsoft.com/microsoftupdat...b?1137776560328
{79E0C1C0-316D-11D5-A72A-006097BFA1AC} - EPSON Web Printer-SelfTest Control Class - CodeBase = http://support.epson-europe.com/selftest/Prg/ESTPTest.cab
{8AD9C840-044E-11D1-B3E9-00805F499D93} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
{8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - MessengerStatsClient Class - CodeBase = http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
{9122D757-5A4F-4768-82C5-B4171D8556A7} - PhotoPickConvert Class - CodeBase = http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - ActiveScan Installer Class - CodeBase = http://acs.pandasoftware.com/activescan/as5free/asinst.cab
{B8BE5E93-A60C-4D26-A2DC-220313175592} - ZoneIntro Class - CodeBase = http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
{BC01A402-4730-11D2-B36C-0000E8DF722B} - - CodeBase = http://www.digitalworkshop.co.uk/ilm450.cab
{CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - Java Plug-in 1.4.2_05 - CodeBase = http://java.sun.com/products/plugin/autodl...indows-i586.cab
{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - Java Plug-in 1.5.0_04 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - Java Plug-in 1.5.0_05 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} - Shockwave Flash Object - CodeBase = http://download.macromedia.com/pub/shockwa...ash/swflash.cab
{D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - iTunesDetector Class - CodeBase = http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
{E6187999-9FEC-46A1-A20F-F4CA977D5643} - ZoneChess Object - CodeBase = http://messenger.zone.msn.com/binary/Chess.cab31267.cab
{F6BF0D00-0B2A-4A75-BF7B-F385591623AF} - Solitaire Showdown Class - CodeBase = http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
{FA3662C3-B8E8-11D6-A667-0010B556D978} - IWinAmpActiveX Class - CodeBase = http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
Microsoft XML Parser for Java - - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab

Hosts file = 734 bytes. Reading all entries. C:\WINDOWS\System32\drivers\etc\Hosts
# Copyright © 1993-1999 Microsoft Corp. -
# -
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows. -
# -
# This file contains the mappings of IP addresses to host names. Each -
# entry should be kept on an individual line. The IP address should -
# be placed in the first column followed by the corresponding host name. -
# The IP address and the host name should be separated by at least one -
# space. -
# -
# Additionally, comments (such as these) may be inserted on individual -
# lines or following the machine name denoted by a '#' symbol. -
# -
# For example: -
# -
# 102.54.94.97 rhino.acme.com # source server -
# 38.25.63.10 x.acme.com # x client host -
-
127.0.0.1 localhost -

<Add On's>

>>>>Output for AddOn file HKCU_IEDesktop.def<<<<

KEY - HKCU\Software\Microsoft\Internet Explorer\Desktop - Include SUBKEYS
HKCU\Software\Microsoft\Internet Explorer\Desktop -
Desktop\Components -
Desktop\Components\\DeskHtmlVersion - 272
Desktop\Components\\DeskHtmlMinorVersion - 5
Desktop\Components\\Settings - 1
Desktop\Components\\GeneralFlags - 1
Desktop\Components\0 -
Desktop\Components\0\\Source - About:Home
Desktop\Components\0\\SubscribedURL - About:Home
Desktop\Components\0\\FriendlyName - My Current Home Page
Desktop\Components\0\\Flags - 2
Desktop\Components\0\\Position - 2C 00 00 00 00 02 00 00 00 00 00 00 00 02 00 00 E2 02 00 00 00 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00
Desktop\Components\0\\CurrentState - 04 00 00 40
Desktop\Components\0\\OriginalStateInfo - 18 00 00 00 CC 00 00 00 00 00 00 00 34 03 00 00 DE 02 00 00 04 00 00 C0
Desktop\Components\0\\RestoredStateInfo - 18 00 00 00 CC 00 00 00 00 00 00 00 34 03 00 00 DE 02 00 00 01 00 00 00
Desktop\General -
Desktop\General\\BackupWallpaper - %USERPROFILE%\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
Desktop\General\\WallpaperFileTime - 38 EE 1A 2C B0 92 C6 01
Desktop\General\\WallpaperLocalFileTime - 38 56 DF 8D B8 92 C6 01
Desktop\General\\TileWallpaper - 0
Desktop\General\\WallpaperStyle -
Desktop\General\\Wallpaper - %USERPROFILE%\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
Desktop\General\\ComponentsPositioned - 1
Desktop\Old WorkAreas -
Desktop\Old WorkAreas\\NoOfOldWorkAreas - 1
Desktop\Old WorkAreas\\OldWorkAreaRects - 00 00 00 00 00 00 00 00 20 03 00 00 3A 02 00 00
Desktop\SafeMode -
Desktop\SafeMode\Components -
Desktop\SafeMode\Components\\DeskHtmlVersion - 272
Desktop\SafeMode\Components\\DeskHtmlMinorVersion - 5
Desktop\SafeMode\Components\\Settings - 1
Desktop\SafeMode\Components\\GeneralFlags - 4
Desktop\SafeMode\General -
Desktop\SafeMode\General\\Wallpaper - %SystemRoot%\Web\SafeMode.htt
Desktop\SafeMode\General\\VisitGallery - 0
Desktop\Scheme -
Desktop\Scheme\\Edit -
Desktop\Scheme\\Display -

>>>>Output for AddOn file Policies.def<<<<

KEY - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies -
policies\Attachments -
policies\Attachments\\ScanWithAntiVirus - 2
policies\Explorer -
policies\Explorer\\NoDrives - 57344
policies\Explorer\\NoDriveAutoRun - 57344
policies\Explorer\\NoCDBurning - 0
policies\Explorer\Run -
policies\Explorer\Run\\ltwob - C:\WINDOWS\System32\formatsys.exe
policies\Explorer\Run\\avnort - C:\WINDOWS\msmbw.exe
policies\Explorer\Run\\serpe - C:\WINDOWS\System32\formatsys.exe
policies\NonEnum -
policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} - 1
policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} - 1073741857
policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - 32
policies\Ratings -
policies\Ratings\PICSRules -
policies\Ratings\PICSRules\.Default -
policies\Ratings\PICSRules\.Default\\NumSys - 0
policies\Ratings\PICSRules\.Default\0 -
policies\Ratings\PICSRules\.Default\0\\dwFlags - 0
policies\Ratings\PICSRules\.Default\0\\errLine - 0
policies\Ratings\PICSRules\.Default\0\PRPolicy -
policies\Ratings\PICSRules\.Default\0\PRPolicy\\PRNumPolicy - 3
policies\Ratings\PICSRules\.Default\0\PRPolicy\0 -
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\\PRPPolicyAttribute - 2
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\PRPPolicySub -
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\PRPPolicySub\\PRNumURLExpressions - 1
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\PRPPolicySub\0 -
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\PRPPolicySub\0\\PRBUInternetPattern - 1
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\PRPPolicySub\0\\PRBUNonWild - 12
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\PRPPolicySub\0\\PRBUSpecified - 31
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\PRPPolicySub\0\\PRBUHost - www.habbohotel.co.uk
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\PRPPolicySub\0\\PRBUPort - 80
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\PRPPolicySub\0\\PRBUUrl - www.habbohotel.co.uk
policies\Ratings\PICSRules\.Default\0\PRPolicy\1 -
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\\PRPPolicyAttribute - 2
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\PRPPolicySub -
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\PRPPolicySub\\PRNumURLExpressions - 1
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\PRPPolicySub\0 -
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\PRPPolicySub\0\\PRBUInternetPattern - 1
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\PRPPolicySub\0\\PRBUNonWild - 12
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\PRPPolicySub\0\\PRBUSpecified - 31
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\PRPPolicySub\0\\PRBUHost - www.google.com
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\PRPPolicySub\0\\PRBUPort - 80
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\PRPPolicySub\0\\PRBUUrl - www.google.com
policies\Ratings\PICSRules\.Default\0\PRPolicy\2 -
policies\Ratings\PICSRules\.Default\0\PRPolicy\2\\PRPPolicyAttribute - 2
policies\Ratings\PICSRules\.Default\0\PRPolicy\2\PRPPolicySub -
policies\Ratings\PICSRules\.Default\0\PRPolicy\2\PRPPolicySub\\PRNumURLExpressions - 1
policies\Ratings\PICSRules\.Default\0\PRPolicy\2\PRPPolicySub\0 -
policies\Ratings\PICSRules\.Default\0\PRPolicy\2\PRPPolicySub\0\\PRBUInternetPattern - 1
policies\Ratings\PICSRules\.Default\0\PRPolicy\2\PRPPolicySub\0\\PRBUNonWild - 12
policies\Ratings\PICSRules\.Default\0\PRPolicy\2\PRPPolicySub\0\\PRBUSpecified - 31
policies\Ratings\PICSRules\.Default\0\PRPolicy\2\PRPPolicySub\0\\PRBUHost - www.google.co.uk
policies\Ratings\PICSRules\.Default\0\PRPolicy\2\PRPPolicySub\0\\PRBUPort - 80
policies\Ratings\PICSRules\.Default\0\PRPolicy\2\PRPPolicySub\0\\PRBUUrl - www.google.co.uk
policies\system -
policies\system\\dontdisplaylastusername - 0
policies\system\\legalnoticecaption -
policies\system\\legalnoticetext -
policies\system\\shutdownwithoutlogon - 1
policies\system\\undockwithoutlogon - 1

KEY - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies -
policies\Explorer -
policies\Explorer\\NoDriveTypeAutoRun - 145
policies\Explorer\\ForceActiveDesktopOn - 0
policies\Explorer\Run -
policies\Explorer\Run\\ltwob - C:\WINDOWS\System32\formatsys.exe
policies\Explorer\Run\\avnort - C:\WINDOWS\msmbw.exe
policies\Explorer\Run\\serpe - C:\WINDOWS\System32\formatsys.exe
policies\Explorer\Run\\{14595C67-0A5F-1033-1022-02020916002c} - "C:\Program Files\Common Files\{14595C67-0A5F-1033-1022-02020916002c}\Update.exe" mc-110-12-0000193
policies\System -
policies\System\\DisableTaskMgr - 0
policies\System\\DisableRegistryTools - 0

Edited by PrittStick, 15 August 2006 - 10:01 AM.
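The log above is a list of autostart locations (Run keys, StartUpReg, Winlogon\Notify, Policies\Explorer\Run, Image File Execution Options) where the tool has appended either the publisher of each image or "(File not found)". The script below is an added example for readers of this thread; it is not part of the original post, of WinPFind2, or of the reply that follows. It parses a handful of lines copied from this log (a constructed sample set) and applies triage heuristics of my own choosing: image missing on disk, no publisher recorded, a policy-driven Run location, an IFEO Debugger value, and a filename that resembles a core Windows binary. The output is a set of review flags, not a verdict: the UserFaultCheck entry is Windows XP's standard dumprep error-reporting hook, and Skype is flagged only because the tool recorded no publisher for it, the same reason sstqn.dll is flagged.

```python
"""Triage heuristics over WinPFind2-style autostart log lines.

Added example for this thread, not the tool's code or either poster's.
Heuristics and thresholds are the example author's choices; a flag means
"look at this", not "this is malware".
"""
import difflib
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Lines copied from the posted log (constructed sample set for the example).
SAMPLE_LINES = [
    r"HKLM->Run\\UserFaultCheck - %systemroot%\system32\dumprep 0 -u (File not found))",
    r"HKCU->Run\\ctfmon.exe - C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation )",
    r'HKCU->Run\\Skype - "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized ( )',
    r"HKLM->StartUpReg\Configuration Loading - svchos1 = svchos1.exe (File not found))",
    r"HKLM->StartUpReg\ltwob - formatsys = C:\WINDOWS\System32\formatsys.exe (File not found))",
    r"HKLM->StartUpReg\Windows update - explore = explore.exe (File not found))",
    r"HKLM->Winlogon\Notify\sstqn - C:\WINDOWS\system32\sstqn.dll ( )",
    r"HKLM->Winlogon\Notify\crypt32chain - crypt32.dll (Microsoft Corporation )",
    r"policies\Explorer\Run\\avnort - C:\WINDOWS\msmbw.exe",
    r"HKLM->Image File Execution Options\Your Image File Name Here without a path - Debugger = ntsd -d",
]

# Trailing "(Publisher )" or "(File not found))" as the tool prints it.
PUBLISHER_RE = re.compile(r"\s*\(([^()]*)\)\)?\s*$")
# Placeholder IFEO key that Windows XP ships by default; not an indicator.
IFEO_PLACEHOLDER = "Your Image File Name Here without a path"
# Core binaries whose names malware tends to imitate with one-character edits.
KNOWN_SYSTEM_IMAGES = ("svchost.exe", "explorer.exe", "spoolsv.exe", "winlogon.exe",
                       "lsass.exe", "services.exe", "csrss.exe", "smss.exe")


@dataclass
class Entry:
    location: str
    command: str
    image: str                       # lowercased basename of the first token
    publisher: Optional[str]         # None when the line carries no publisher field
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Entry:
    """Split '<location> - [<name> = ]<command> (<publisher>)' into its parts."""
    m = PUBLISHER_RE.search(line)
    publisher = m.group(1).strip() if m else None
    body = line[: m.start()] if m else line
    location, _, value = body.partition(" - ")
    # StartUpReg and shell-extension rows read "name = command"; Run rows are bare.
    command = value.split(" = ", 1)[1] if " = " in value else value
    command = command.strip()
    if command.startswith('"'):
        image_path = command[1:].split('"', 1)[0]      # quoted path, then arguments
    else:
        image_path = command.split(" ", 1)[0]           # first token is the image
    image = image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return Entry(location, command, image, publisher)


def triage(line: str) -> Entry:
    """Attach review reasons to one parsed entry."""
    e = parse_line(line)
    if "Image File Execution Options" in e.location:
        target = e.location.rsplit("\\", 1)[-1]
        if target != IFEO_PLACEHOLDER:
            e.reasons.append(f"Debugger value hijacks launches of {target}")
        return e
    if e.publisher == "File not found":
        e.reasons.append("image not found on disk")
    elif e.publisher == "":
        e.reasons.append("no publisher information")
    if "policies\\Explorer\\Run" in e.location:
        e.reasons.append("policy-driven autostart (Policies\\Explorer\\Run)")
    if e.image not in KNOWN_SYSTEM_IMAGES:
        close = difflib.get_close_matches(e.image, KNOWN_SYSTEM_IMAGES, n=1, cutoff=0.8)
        if close:
            e.reasons.append(f"name resembles {close[0]}")
    return e


def flagged(lines) -> List[Entry]:
    """Return only the entries that collected at least one reason."""
    return [e for e in map(triage, lines) if e.reasons]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LINES):
        print(f"{e.image:<16} {e.location}\n    " + "; ".join(e.reasons))
```

The lookalike check is deliberately conservative (ratio cutoff 0.8), so it catches svchos1.exe and explore.exe but not win_spool2.exe, and the missing-file check flags the benign dumprep entry: both behaviours show why a helper still walks the flagged list by hand instead of deleting it wholesale.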


#12 OldTimer

OldTimer
Malware Expert
  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 16 August 2006 - 04:37 AM

Hey PrittStick. Ok, let's try this.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
  • Open the WinPFind2 folder and double-click on winpfind2.exe to start the program.
  • Keep the standard settings and then in the AddOn-Options box click the checkbox for Policies.def to select it.
  • Now click the Run All Scans button on the toolbar.
  • Click the Registry tab and locate the following items. Click the checkbox in front of each item to select it:
    HKCU->Toolbar\WebBrowser\\{0CA29372-ED37-DBDA-B112-F235F398C0F1} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
    HKLM->Browser Helper Objects\{5307A12C-FAA6-4850-8BB8-24014785B594} - = C:\WINDOWS\system32\sstqn.dll ( )
    HKLM->Browser Helper Objects\{617D95B6-D1B0-425A-AD40-D6D966AC9D6C} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
    HKLM->Browser Helper Objects\{7BFCC1EB-D72A-446F-9127-B1D9C37A292E} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
    HKCU->Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
    HKLM->Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
    HKCU->Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
    HKCU->Toolbar\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
    HKCU->Toolbar\WebBrowser\\{CBCC61FA-0221-4CCC-B409-CEE865CACA3A} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
    HKCU->Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
    HKCU->Extensions\CmdMapping\\{072F3B8A-2DA2-40e2-B841-88899F240200} - 8192 - Reg Data missing or invalid
    HKCU->Extensions\CmdMapping\\{2499216C-4BA5-11D5-BD9C-000103C116D5} - 8195 - Reg Data missing or invalid
    HKCU->Extensions\CmdMapping\\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - 8196 - Reg Data missing or invalid
    HKCU->Extensions\CmdMapping\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - 8197 - Reg Data missing or invalid
    HKCU->Extensions\CmdMapping\\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - 8198 - Reg Data missing or invalid
    HKLM->Shell Extensions\Approved\{357BE06B-49FE-43F6-9165-DBBF878B5E6A} - = Reg Data missing or invalid (File not found))
    HKLM->Shell Extensions\Approved\{89614271-D5D4-453F-BE13-E7A6E05BB7D6} - = Reg Data missing or invalid (File not found))
    HKLM->Post Platform\\{46456B93-16B8-38F1-0656-60273043BD68} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
    HKLM->Winlogon\Notify\sstqn - C:\WINDOWS\system32\sstqn.dll ( )

    When finished click the Delete Entries button in the top right-hand corner.
  • Now click the AddOn's tab and locate the following items. Click the checkbox in front of each item listed below to select it:
    policies\Explorer\Run\\ltwob - C:\WINDOWS\System32\formatsys.exe
    policies\Explorer\Run\\avnort - C:\WINDOWS\msmbw.exe
    policies\Explorer\Run\\serpe - C:\WINDOWS\System32\formatsys.exe
    policies\Explorer\Run\\ltwob - C:\WINDOWS\System32\formatsys.exe
    policies\Explorer\Run\\avnort - C:\WINDOWS\msmbw.exe
    policies\Explorer\Run\\serpe - C:\WINDOWS\System32\formatsys.exe
    policies\Explorer\Run\\{14595C67-0A5F-1033-1022-02020916002c} - "C:\Program Files\Common Files\{14595C67-0A5F-1033-1022-02020916002c}\Update.exe" mc-110-12-0000193

    When finished click the Delete Items button in the top right-hand corner.
  • Close WinPFind2 and reboot normally.
Now run VundoFix again.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK.
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES.
  • Once you click YES, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on and boot normally.
Run a new WinPFind2 report.
  • Open the WinPFind2 folder and double-click on winpfind2.exe to start the program.
  • Keep the standard settings and then in the AddOn-Options box click the checkboxes for
    • Policies.def
    to select it.
  • Now click the Run All Scans button on the toolbar.
  • When the scans are complete click the Simple Report button in the lower right-hand corner to create a report file. Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button to post the information back here and I will review it when it comes in.

Edited by OldTimer, 16 August 2006 - 07:11 AM.

I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

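The entries OldTimer singles out above share a small set of traits a responder can check mechanically: a DLL loaded from system32 with no company name, sitting in a Winlogon\Notify or Browser Helper Object slot; policies\Explorer\Run values pointing into C:\WINDOWS; and "File not found" orphans left behind by earlier removals. The script below is an added example written for this page, not part of WinPFind2 or of anything posted in the thread. It parses lines in the format WinPFind2 prints here and scores each one; the HIGH_VALUE location list, the point values, and the expansion of `%SystemRoot%` to C:\WINDOWS are my own assumptions, and the sample lines are constructed in the thread's format.

```python
"""Score WinPFind2-style autostart lines so the entries worth a closer look
surface first. Added example for this thread; the heuristics are my own,
not WinPFind2's."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the line format WinPFind2 prints in the thread:
# "HIVE->key - data (Company )", "(File not found))" for missing targets,
# "( )" when the file carries no company info, and AddOn-tab policy lines
# that have neither hive nor company.
SAMPLE_LOG = r"""
HKLM->Browser Helper Objects\{7D7E9F53-5CD1-4934-8A47-5C201325C710} - = C:\WINDOWS\system32\sstqn.dll ( )
HKLM->Winlogon\Notify\sstqn - C:\WINDOWS\system32\sstqn.dll ( )
HKLM->Winlogon\Notify\crypt32chain - crypt32.dll (Microsoft Corporation )
HKLM->Run\\Windows Defender - "C:\Program Files\Windows Defender\MSASCui.exe" -hide (Microsoft Corporation )
HKLM->StartUpReg\ltwob - formatsys = C:\WINDOWS\System32\formatsys.exe (File not found))
HKCU->Run\\Update Service - "C:\Program Files\Common Files\Teknum Systems\update.exe" /startup (File not found))
HKLM->Shell Extensions\Approved\{357BE06B-49FE-43F6-9165-DBBF878B5E6A} - = Reg Data missing or invalid (File not found))
policies\Explorer\Run\\ltwob - C:\WINDOWS\System32\formatsys.exe
policies\Explorer\Run\\avnort - C:\WINDOWS\msmbw.exe
"""

# hive->key - data (publisher); the publisher group is the last "(...)".
LINE_RE = re.compile(
    r"^(?:(?P<hive>HK\w+)->)?(?P<key>.+?) - (?P<data>.*?)"
    r"(?:\s*\((?P<publisher>[^()]*)\)\)?)?\s*$"
)
# A drive or %SystemRoot% path ending in .exe/.dll, else a bare module name.
PATH_RE = re.compile(
    r'(?i)(?:[a-z]:|%systemroot%)\\[^"]*?\.(?:exe|dll)|\b[\w.-]+\.(?:exe|dll)\b'
)
# Locations that load code into every logon or browser session.
# Assumption: my own list, chosen from keys that appear in this thread.
HIGH_VALUE = ("winlogon\\notify", "browser helper objects",
              "policies\\explorer\\run", "appinit_dlls", "shellexecutehooks")


@dataclass
class Entry:
    hive: Optional[str]
    key: str
    data: str
    publisher: Optional[str]  # None: not on this line; "": reported empty
    path: Optional[str]


@dataclass
class Finding:
    severity: str
    reasons: List[str]
    entry: Entry


def parse_line(line: str) -> Optional[Entry]:
    line = line.strip()
    m = LINE_RE.match(line) if line else None
    if not m:
        return None
    pub = m.group("publisher")
    pm = PATH_RE.search(m.group("data"))
    return Entry(m.group("hive"), m.group("key"), m.group("data"),
                 pub.strip() if pub is not None else None,
                 pm.group(0) if pm else None)


def in_windows_dir(path: str) -> bool:
    # Assumption: %SystemRoot% is C:\WINDOWS, as on the machine in the thread.
    p = path.lower().replace("%systemroot%", "c:\\windows")
    return p.startswith("c:\\windows\\")


def triage(entry: Entry) -> Finding:
    score, reasons = 0, []
    if entry.publisher == "File not found":
        score += 1
        reasons.append("autostart points at a file that no longer exists (orphan)")
    if entry.path and in_windows_dir(entry.path):
        if entry.publisher == "":
            score += 2
            reasons.append("module under C:\\WINDOWS with no company/version info")
        elif entry.publisher is None:
            score += 1
            reasons.append("module under C:\\WINDOWS, company not reported on this line")
    # Location only raises an entry that already has another indicator.
    if score and any(loc in entry.key.lower() for loc in HIGH_VALUE):
        score += 1
        reasons.append("high-value persistence location")
    severity = ("high" if score >= 3 else "medium" if score == 2
                else "low" if score == 1 else "info")
    return Finding(severity, reasons, entry)


def triage_log(text: str) -> List[Finding]:
    entries = (parse_line(ln) for ln in text.splitlines())
    return [triage(e) for e in entries if e is not None]


def summarize(text: str) -> dict:
    counts = {"high": 0, "medium": 0, "low": 0, "info": 0}
    for f in triage_log(text):
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        if f.severity != "info":
            print(f"[{f.severity:6}] {f.entry.key} -> {f.entry.path}: "
                  f"{'; '.join(f.reasons)}")
    print(summarize(SAMPLE_LOG))
```

Run as-is, it lists the two sstqn.dll loaders as high, the two policies\Explorer\Run values as medium, and the three orphans as low, while the Microsoft-signed Winlogon and Run entries stay at info. The score is a triage aid, not a verdict: the same log shows deskMenu2.dll in system32 with an empty company field, so a legitimate but unsigned module would score the same as sstqn.dll and still needs a file check before anything is deleted.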

#13 PrittStick

PrittStick
  • Topic Starter

  • Members
  • 97 posts
  • OFFLINE
  • Location:Wolverhampton, England
  • Local time:06:08 AM

Posted 21 August 2006 - 07:56 AM

Hi OldTimer. I have attempted everything with a few problems. Firstly, when I was removing various files using WinPFind2 I could not find the file HKLM->Browser Helper Objects\{5307A12C-FAA6-4850-8BB8-2401485B594} = C:\WINDOWS\system32\sstqn.dll. However, I thought I should note that the only Browser Helper Object left in that section was HKLM->Browser Helper Objects\{C39D2A8D-D6E3-4370-B15-02F9898B17CF}. I will note that I did this in Safe Mode with Networking because I can use the internet for longer because it doesn't take as long to load up the PC.

After restarting the PC into normal mode I ran VundoFix and ticked the box. VundoFix closed but did not reopen after about five minutes so I opened it manually and clicked Scan for Vundo without having ticked the box beforehand. VundoFix found three files, one of which was C:\WINDOWS\system32\sstqn.dll. All three of the files were found in C:\WINDOWS\system32 but I only noted the one down because of what happened after I clicked Remove Vundo. When the scan was finished and I clicked Remove Vundo it did what was expected except when it finished it gave me a prompt saying "C:\WINDOWS\system32\sstqn.dll could not be deleted, VundoFix will attempt to delete it on reboot." My PC was then restarted, once again into normal mode. I think that I should note on reboot a blue screen appeared with a pale blue bar at the top and at the bottom (saying Windows XP) and it noted in the dark blue screen in white writing a file name then said SKIPPING AUTO HECK. The computer then continued to load up as normal. Once the PC had successfully loaded I quickly checked C:\WINDOWS\system32\sstqn.dll to see if it had been deleted or not and unsurprisingly, it hadn't. I then continued with your tutorial. I then ran the WinPFind2 report as asked and that worked successfully.

As you know none of my three browsers have been able to connect to the internet for more than five minutes at the start of every PC session so I have written this up in Notepad and intend to restart my PC into Safe Mode with Networking and quickly post it into the topic.


Thank you,
Ben



Logfile created on: 08/21/2006 13:28
WinPFind2 by OldTimer - Version 1.0.3 Folder = C:\Documents and Settings\FAMILEY\Desktop\WinPFind2\
Microsoft Windows XP (Version = Service Pack 2)
Internet Explorer (Version - 6.0.2900.2180)


<Processes>
ati2evxx.exe - c:\windows\system32\ati2evxx.exe - (ATI Technologies Inc. )
ati2evxx.exe - c:\windows\system32\ati2evxx.exe - (ATI Technologies Inc. )
avguard.exe - c:\program files\antivir personaledition classic\avguard.exe - (AVIRA GmbH )
crypserv.exe - c:\windows\system32\crypserv.exe - (Kenonic Controls Ltd. )
ctfmon.exe - c:\windows\system32\ctfmon.exe - (Microsoft Corporation )
explorer.exe - c:\windows\explorer.exe - (Microsoft Corporation )
fbguard.exe - c:\program files\firebird\firebird_1_5\bin\fbguard.exe - (The Firebird Project )
fbserver.exe - c:\program files\firebird\firebird_1_5\bin\fbserver.exe - (The Firebird Project )
guard.exe - c:\program files\ewido anti-spyware 4.0\guard.exe - (Anti-Malware Development a.s. )
jusched.exe - c:\program files\java\jre1.5.0_06\bin\jusched.exe - (Sun Microsystems, Inc. )
lsass.exe - c:\windows\system32\lsass.exe - (Microsoft Corporation )
memturbo.exe - c:\program files\silicon prairie software\memturbo\memturbo.exe - (SharewareOnline.com, Inc. )
msascui.exe - c:\program files\windows defender\msascui.exe - (Microsoft Corporation )
msgplus.exe - c:\program files\messengerplus! 3\msgplus.exe - (Patchou )
msmpeng.exe - c:\program files\windows defender\msmpeng.exe - (Microsoft Corporation )
msmsgs.exe - c:\program files\messenger\msmsgs.exe - (Microsoft Corporation )
msnmsgr.exe - c:\program files\msn messenger\msnmsgr.exe - (Microsoft Corporation )
nmsaccess.exe - c:\program files\cheetah burner\cheetah dvd burner\nmsaccess.exe - ( )
pdsched.exe - c:\program files\raxco\perfectdisk\pdsched.exe - (Raxco Software, Inc. )
sagent2.exe - c:\program files\common files\epson\ebapi\sagent2.exe - (SEIKO EPSON CORPORATION )
sched.exe - c:\program files\antivir personaledition classic\sched.exe - (Avira GmbH )
services.exe - c:\windows\system32\services.exe - (Microsoft Corporation )
skype.exe - c:\program files\skype\phone\skype.exe - ( )
slserv.exe - c:\windows\system32\slserv.exe - (Smart Link )
smss.exe - \systemroot\system32\smss.exe - (Microsoft Corporation )
spoolsv.exe - c:\windows\system32\spoolsv.exe - (Microsoft Corporation )
svchost.exe - c:\windows\system32\svchost.exe - (Microsoft Corporation )
svchost.exe - c:\windows\system32\svchost.exe - (Microsoft Corporation )
ulcdrsvr.exe - c:\program files\common files\ulead systems\dvd\ulcdrsvr.exe - (Ulead Systems, Inc. )
winlogon.exe - \??\c:\windows\system32\winlogon.exe - (Microsoft Corporation )
winpfind2.exe - c:\documents and settings\familey\desktop\winpfind2\winpfind2.exe - (OldTimer Tools )
winstylerthemesvc.exe - c:\program files\tuneup winstyler\winstylerthemesvc.exe - (TuneUp Software GmbH )
wscntfy.exe - c:\windows\system32\wscntfy.exe - (Microsoft Corporation )

<Registry Entries>

Version Info
WinPFind2 by OldTimer - Version 1.0.3 -
Microsoft Windows XP Version = Service Pack 2 -
Internet Explorer Version = 6.0.2900.2180 -

Internet Explorer Settings
HKLM->Main\\Start Page - about:blank
HKLM->Main\\Search Page - http://searchbar.findthewebsiteyouneed.com
HKLM->Main\\Default Page -
HKLM->Main\\Default Search -
HKLM->Main\\Local Page - C:\WINDOWS\system32\blank.htm
HKCU->Main\\Start Page - http://www.findthewebsiteyouneed.com
HKCU->Main\\Search Page - http://searchbar.findthewebsiteyouneed.com
HKCU->Main\\Local Page - C:\WINDOWS\system32\blank.htm
HKCU->Internet Settings\\ProxyEnable - 0
HKCU->Internet Settings\\ProxyOverride -

BHO's
HKLM->Browser Helper Objects\{7D7E9F53-5CD1-4934-8A47-5C201325C710} - = C:\WINDOWS\system32\sstqn.dll ( )

Internet Explorer Bars, Toolbars and Extensions
HKCU->Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1} - File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
HKCU->Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E} - Favorites Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation )
HKCU->Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E} - Explorer Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation )
HKLM->Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation )
HKLM->Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - Real.com = C:\WINDOWS\System32\Shdocvw.dll (Microsoft Corporation )
HKCU->Toolbar\ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
HKCU->Toolbar\WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
HKCU->Toolbar\WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
HKCU->Extensions\CmdMapping\\{072F3B8A-2DA2-40e2-B841-88899F240200} - 8201 - Reg Data missing or invalid
HKCU->Extensions\CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - 8193 - Sun Java Console
HKCU->Extensions\CmdMapping\\{1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - 8194 -
HKCU->Extensions\CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} - 8200 -
HKCU->Extensions\CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} - 8199 - Windows Messenger
HKCU->Extensions\CmdMapping\\NextId - 8202
HKLM->Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll (Sun Microsystems, Inc. )
HKLM->Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} (HKCU CLSID) - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc. )
HKLM->Extensions\{1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - ButtonText: Packard Bell = C:\Apps\IECustom\script.htm (File not found))
HKLM->Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263} - ButtonText: Research = (File not found))
HKLM->Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683} - ButtonText: Messenger = C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation )
HKCU->MenuExt\E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 (Microsoft Corporation )

Approved Shell Extensions (Non-Microsoft only)
HKLM->Shell Extensions\Approved\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Taskbar and Start Menu = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{10970560-332E-4042-96C9-02AB2FDDD088} - HandyBits Zip&Go Menu = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{32683183-48a0-441b-a342-7c2a440a9478} - Media Band = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{357BE06B-49FE-43F6-9165-DBBF878B5E6A} - = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{45AC2688-0253-4ED8-97DE-B5370FA7D48A} - Shell Extension for Malware scanning = C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll (H+BEDV Datentechnik GmbH )
HKLM->Shell Extensions\Approved\{661825E5-B9A4-4D3E-8B74-3B6B63C32A80} - Shell Extensions for Font Creator = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{6EE51AA0-77A0-11D7-B4E1-000347126E46} - Window Washer Shell Shredding Utility = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{7A9D77BD-5403-11d2-8785-2E0420524153} - User Accounts = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINDOWS\System32\hticons.dll (Hilgraeve, Inc. )
HKLM->Shell Extensions\Approved\{89614271-D5D4-453F-BE13-E7A6E05BB7D6} - = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{A0752120-6D75-D111-B5B1-0800095A2318} - HandyBits EasyCrypto Shell Extensions = C:\WINDOWS\System32\tsseCryp.dll ( )
HKLM->Shell Extensions\Approved\{A0752130-6D75-D111-B5B1-0800095A2318} - HandyBits File Shredder Virtual Folder = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{B41DB860-8EE4-11D2-9906-E49FADC173CA} - WinRAR shell extension = C:\Program Files\WinRAR\rarext.dll ( )
HKLM->Shell Extensions\Approved\{B5FB6487-7E79-4816-B73B-8A65E41971DA} - BullGuard Antivirus v4 = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{B8323370-FF27-11D2-97B6-204C4F4F5020} - SmartFTP Shell Extension DLL = C:\Program Files\SmartFTP\smarthook.dll (SmartFTP )
HKLM->Shell Extensions\Approved\{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} - iTunes = C:\Program Files\iTunes\iTunesMiniPlayer.dll (Apple Computer, Inc. )
HKLM->Shell Extensions\Approved\{D8A8853A-DB04-45D4-8732-A5CC49CE6107} - deskMenu2 Shell Extension = C:\WINDOWS\system32\deskMenu2.dll ( )
HKLM->Shell Extensions\Approved\{E0D79304-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
HKLM->Shell Extensions\Approved\{E0D79305-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
HKLM->Shell Extensions\Approved\{E0D79306-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
HKLM->Shell Extensions\Approved\{E0D79307-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
HKLM->Shell Extensions\Approved\{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} - Shell Extensions for RealOne Player = C:\Program Files\Real\RealPlayer\rpshell.dll (RealNetworks, Inc. )
HKCU->Shell Extensions\Approved\{BDEADF00-C265-11d0-BCED-00A0C90AB50F} - Web Folders = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL (Microsoft Corporation )

ContextMenuHandlers (Non-Microsoft only)
HKLM->* - deskMenu2 - {D8A8853A-DB04-45D4-8732-A5CC49CE6107} = C:\WINDOWS\system32\deskMenu2.dll ( )
HKLM->* - EasyCryptoMenu - {A0752120-6D75-D111-B5B1-0800095A2318} = C:\WINDOWS\System32\tsseCryp.dll ( )
HKLM->* - EncodeDivXExt - {E9F5B111-CACC-4FD4-81FD-4EB4FD6765A3} = C:\Program Files\DivX\Dr.DivX\EncodeDivXExt.dll ( )
HKLM->* - ewido anti-spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll (Anti-Malware Development a.s. )
HKLM->* - SharedMenuHandler - {916F1ADF-2F02-46C2-B7D2-310468390750} = C:\WINDOWS\SYSTEM32\ssmenu.dll (Teknum Systems AS )
HKLM->* - Shell Extension for Malware scanning - {45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll (H+BEDV Datentechnik GmbH )
HKLM->* - WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ( )
HKLM->* - WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
HKLM->Directory - EasyCryptoMenu - {A0752120-6D75-D111-B5B1-0800095A2318} = C:\WINDOWS\System32\tsseCryp.dll ( )
HKLM->Directory - ewido anti-spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll (Anti-Malware Development a.s. )
HKLM->Directory - SharedMenuHandler - {916F1ADF-2F02-46C2-B7D2-310468390750} = C:\WINDOWS\SYSTEM32\ssmenu.dll (Teknum Systems AS )
HKLM->Directory - WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ( )
HKLM->Directory - WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
HKLM->Folder - BullGuard Antivirus v4 - {B5FB6487-7E79-4816-B73B-8A65E41971DA} = Reg Data missing or invalid (File not found))
HKLM->Folder - Shell Extension for Malware scanning - {45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll (H+BEDV Datentechnik GmbH )
HKLM->Folder - WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ( )
HKLM->Folder - WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )

ColumnHandlers (Non-Microsoft only)
HKLM->Folder - {F9DB5320-233E-11D1-9F84-707F02C10627} - PDF Shell Extension = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll (Adobe Systems, Inc. )

Registry Run Keys
HKLM->Run\\MessengerPlus3 - "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" (Patchou )
HKLM->Run\\QuickTime Task - "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Computer, Inc. )
HKLM->Run\\SunJavaUpdateSched - C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe (Sun Microsystems, Inc. )
HKLM->Run\\UserFaultCheck - %systemroot%\system32\dumprep 0 -u (File not found))
HKLM->Run\\Windows Defender - "C:\Program Files\Windows Defender\MSASCui.exe" -hide (Microsoft Corporation )
HKLM->Run\OptionalComponents\IMAIL - Installed = 1
HKLM->Run\OptionalComponents\MAPI - Installed = 1
HKLM->Run\OptionalComponents\MSFS - Installed = 1
HKCU->Run\\ctfmon.exe - C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation )
HKCU->Run\\MessengerPlus3 - "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart (Patchou )
HKCU->Run\\msnmsgr - "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (Microsoft Corporation )
HKCU->Run\\Skype - "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized ( )
HKCU->Run\\Update Service - "C:\Program Files\Common Files\Teknum Systems\update.exe" /startup (File not found))

Startup Lnks
HKCU->Startup - desktop.ini - C:\Documents and Settings\FAMILEY\Start Menu\Programs\Startup\desktop.ini ( )
HKCU->Startup - MemTurbo.lnk - C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe (SharewareOnline.com, Inc. )

Disabled MSConfig Items
HKLM->StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk - Adobe Gamma Loader = C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE (Adobe Systems, Inc. )
HKLM->StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^blueyonder Instant Support Tool.lnk - blueyonder Instant Support Tool = C:\PROGRA~1\BLUEYO~1\bin\matcli.exe -boot (Motive Communications, Inc. )
HKLM->StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MemTurbo.lnk - MemTurbo = C:\PROGRA~1\SILICO~1\MemTurbo\memturbo.exe /starthidden (SharewareOnline.com, Inc. )
HKLM->StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk - Microsoft Office = C:\PROGRA~1\MICROS~4\Office10\OSA.EXE -b -l (File not found))
HKLM->StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ulead Photo Express 3.0 SE Calendar Checker.lnk - Ulead Photo Express 3.0 SE Calendar Checker = C:\PROGRA~1\ULEADS~1\ULEADP~1.0SE\CalCheck.exe (Ulead Systems, Inc. )
HKLM->StartUpFolder\C:^Documents and Settings^FAMILEY^Start Menu^Programs^Startup^DNSKong.lnk - DNSKong = C:\PROGRA~1\Pyrenean\DNSKong\DNSKong.exe (Pyrenean )
HKLM->StartUpFolder\C:^Documents and Settings^FAMILEY^Start Menu^Programs^Startup^ShortKeys Lite.lnk - ShortKeys Lite = C:\PROGRA~1\shortkey\SHORTKEY.EXE ( )
HKLM->StartUpReg\3Degrees - threedegrees = C:\Program Files\threedegrees\threedegrees.exe (File not found))
HKLM->StartUpReg\Adobe Photo Downloader - apdproxy = "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" (Adobe Systems Incorporated )
HKLM->StartUpReg\Advanced Tools Check - ADVCHK = C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE (File not found))
HKLM->StartUpReg\AIM - aim = C:\PROGRA~1\AIM\aim.exe -cnetwait.odl (File not found))
HKLM->StartUpReg\ATIPTA - atiptaxx = C:\ATI Technologies\ATI Control Panel\atiptaxx.exe (File not found))
HKLM->StartUpReg\avnort - msmbw = C:\WINDOWS\msmbw.exe (File not found))
HKLM->StartUpReg\BigDogPath - VM_STI = C:\WINDOWS\VM_STI.EXE Pro Cam (VM. )
HKLM->StartUpReg\Configuration Loading - svchos1 = svchos1.exe (File not found))
HKLM->StartUpReg\EPSON Stylus Photo RX600 - E_S4I0M2 = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0M2.EXE /P24 "EPSON Stylus Photo RX600" /O6 "USB002" /M "Stylus Photo RX600" (SEIKO EPSON CORPORATION )
HKLM->StartUpReg\htmthunk - site byte cast = C:\PROGRA~1\ObjEq\site byte cast.exe (File not found))
HKLM->StartUpReg\iTunesHelper - iTunesHelper = C:\Program Files\iTunes\iTunesHelper.exe (Apple Computer, Inc. )
HKLM->StartUpReg\kdx - KHost = C:\WINDOWS\kdx\KHost.exe (File not found))
HKLM->StartUpReg\lpr - lpr123 = C:\windows\mmkt\lpr123.exe (File not found))
HKLM->StartUpReg\ltwob - formatsys = C:\WINDOWS\System32\formatsys.exe (File not found))
HKLM->StartUpReg\Microsoft Works Update Detection - WkUFind = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe (Microsoft® Corporation )
HKLM->StartUpReg\Mixer - wincrt32 = wincrt32.exe (File not found))
HKLM->StartUpReg\MOD - muamgr = C:\Program Files\Microangelo\muamgr.exe (File not found))
HKLM->StartUpReg\NeroCheck - NeroCheck = C:\WINDOWS\System32\\NeroCheck.exe (Ahead Software Gmbh )
HKLM->StartUpReg\NeroFilterCheck - NeroCheck = C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh )
HKLM->StartUpReg\New.net Startup - NEWDOT~2 = rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup (File not found))
HKLM->StartUpReg\Open Site - opnste = C:\Program Files\Open Site\opnste.exe (File not found))
HKLM->StartUpReg\QuickTime Task - qttask = "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Computer, Inc. )
HKLM->StartUpReg\RealTray - RealPlay = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER (RealNetworks, Inc. )
HKLM->StartUpReg\saap - saap = "C:\Program Files\Rosoft\Audio Tools\saap.exe" /did=154 (File not found))
HKLM->StartUpReg\ScrabbleSetup.exe - worms = C:\DOCUME~1\FAMILEY\Desktop\JAMES'~1\worms.exe /r (File not found))
HKLM->StartUpReg\serpe - formatsys = C:\WINDOWS\System32\formatsys.exe (File not found))
HKLM->StartUpReg\Skype - Skype = "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized ( )
HKLM->StartUpReg\SUService - SUService = C:\WINDOWS\system32\SUService.exe (File not found))
HKLM->StartUpReg\Synchronization Agent - syncagent = "C:\Program Files\Sync Manager Demo\agent\syncagent.exe" (File not found))
HKLM->StartUpReg\TimeSink Ad Client - TsAdBot = "C:\Program Files\TimeSink\AdGateway\TsAdBot.exe" (File not found))
HKLM->StartUpReg\TkBellExe - realsched = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (RealNetworks, Inc. )
HKLM->StartUpReg\Update Service - update = "C:\Program Files\Common Files\Teknum Systems\update.exe" /startup (File not found))
HKLM->StartUpReg\VCSPlayer - vcsplay = "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe" (H+H Software GmbH )
HKLM->StartUpReg\WebSavingsfromEbates - WebSavingsfromEbates" = wjview /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates" (File not found))
HKLM->StartUpReg\win_spool2 - win_spool2 = C:\WINDOWS\System32\win_spool2.exe (File not found))
HKLM->StartUpReg\WinampAgent - winampa = C:\Program Files\Winamp\winampa.exe ( )
HKLM->StartUpReg\Windows update - explore = explore.exe (File not found))
HKLM->StartUpReg\Yahoo! Pager - ypager = C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet ( )
HKLM->StartUpReg\Zone Labs Client - zlclient = C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe (File not found))

User Agent Post Platform

AppInit DLLs
HKLM->Windows\\AppInit_DLLs - (File not found))

Image File Execution Options
HKLM->Image File Execution Options\Your Image File Name Here without a path - Debugger = ntsd -d

Shell Service Object Delay Load
HKLM->ShellServiceObjectDelayLoad\\CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
HKLM->ShellServiceObjectDelayLoad\\PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
HKLM->ShellServiceObjectDelayLoad\\SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll (Microsoft Corporation )
HKLM->ShellServiceObjectDelayLoad\\WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll (Microsoft Corporation )

Shell Execute Hooks
HKLM->ShellExecuteHooks\\{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - Microsoft AntiMalware ShellExecuteHook = C:\PROGRA~1\WIFD1F~1\MpShHook.dll (Microsoft Corporation )
HKLM->ShellExecuteHooks\\{57B86673-276A-48B2-BAE7-C6DBB3020EB8} - CShellExecuteHookImpl Object = C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll (Anti-Malware Development a.s. )
HKLM->ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation )

Shared Task Scheduler
HKLM->SharedTaskScheduler\\{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
HKLM->SharedTaskScheduler\\{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )

Winlogon
HKLM->Winlogon\\UserInit - C:\WINDOWS\system32\userinit.exe, (Microsoft Corporation )
HKLM->Winlogon\\Shell - Explorer.exe (Microsoft Corporation )
HKLM->Winlogon\\System - (File not found))
HKLM->Winlogon\Notify\AtiExtEvent - Ati2evxx.dll (ATI Technologies Inc. )
HKLM->Winlogon\Notify\crypt32chain - crypt32.dll (Microsoft Corporation )
HKLM->Winlogon\Notify\cryptnet - cryptnet.dll (Microsoft Corporation )
HKLM->Winlogon\Notify\cscdll - cscdll.dll (Microsoft Corporation )
HKLM->Winlogon\Notify\ScCertProp - wlnotify.dll (Microsoft Corporation )
HKLM->Winlogon\Notify\Schedule - wlnotify.dll (Microsoft Corporation )
HKLM->Winlogon\Notify\sclgntfy - sclgntfy.dll (Microsoft Corporation )
HKLM->Winlogon\Notify\SensLogn - WlNotify.dll (Microsoft Corporation )
HKLM->Winlogon\Notify\sstqn - C:\WINDOWS\system32\sstqn.dll ( )
HKLM->Winlogon\Notify\termsrv - wlnotify.dll (Microsoft Corporation )
HKLM->Winlogon\Notify\wlballoon - wlnotify.dll (Microsoft Corporation )

DNS Name Servers
HKLM->Interfaces\{7886A85E-35DA-4DC2-AFFB-B384A8B4079E} - (1394 Net Adapter)
HKLM->Interfaces\{BAF61F22-0FB1-401E-9A68-8FDB074C5189} - ()
HKLM->Interfaces\{D9DAE42C-B7C0-472B-8C95-3FC5DC370D1F} - (Realtek RTL8139/810x Family Fast Ethernet NIC)

Winsock2 Catalogs (Non-Microsoft only)

Protocol Handlers (Non-Microsoft only)
HKLM->PROTOCOLS\Handler\cdo - (File not found))
HKLM->PROTOCOLS\Handler\cdo (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\ipp - (File not found))
HKLM->PROTOCOLS\Handler\ipp (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\msdaipp - (File not found))
HKLM->PROTOCOLS\Handler\msdaipp (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\ms-itss - (File not found))
HKLM->PROTOCOLS\Handler\ms-itss (HKCU CLSID) - (File not found))

Protocol Filters (Non-Microsoft only)

<Services>
AntiVir PersonalEdition Classic Scheduler - AntiVirScheduler - Automatic - Running - Win32, running in it's own process - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe (Avira GmbH )
AntiVir PersonalEdition Classic Guard - AntiVirService - Automatic - Running - Win32, running in it's own process - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe (AVIRA GmbH )
Ati HotKey Poller - Ati HotKey Poller - Automatic - Running - Win32, running in it's own process - C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc. )
Crypkey License - Crypkey License - Automatic - Running - Win32, running in it's own process - crypserv.exe (Kenonic Controls Ltd. )
DCOM Server Process Launcher - DcomLaunch - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\system32\svchost -k DcomLaunch (Microsoft Corporation )
DNS Client - Dnscache - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k NetworkService (Microsoft Corporation )
EPSON Printer Status Agent2 - EPSONStatusAgent2 - Automatic - Running - Win32, running in it's own process - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe (SEIKO EPSON CORPORATION )
Event Log - Eventlog - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\system32\services.exe (Microsoft Corporation )
COM+ Event System - EventSystem - On Demand - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
ewido anti-spyware 4.0 guard - ewido anti-spyware 4.0 guard - Automatic - Running - Win32, running in it's own process - C:\Program Files\ewido anti-spyware 4.0\guard.exe (Anti-Malware Development a.s. )
Firebird Guardian - DefaultInstance - FirebirdGuardianDefaultInstance - Automatic - Running - Win32, running in it's own process - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe -s (The Firebird Project )
Firebird Server - DefaultInstance - FirebirdServerDefaultInstance - On Demand - Running - Win32, running in it's own process - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe -s (The Firebird Project )
Help and Support - helpsvc - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
TCP/IP NetBIOS Helper - LmHosts - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k LocalService (Microsoft Corporation )
Network Connections - Netman - On Demand - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Network Location Awareness (NLA) - Nla - On Demand - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
NMSAccess - NMSAccess - Automatic - Running - Win32, running in it's own process - C:\Program Files\Cheetah Burner\Cheetah DVD Burner\NMSAccess.exe ( )
PDScheduler - PDSched - Automatic - Running - Win32, running in it's own process - "C:\Program Files\Raxco\PerfectDisk\PDSched.exe" (Raxco Software, Inc. )
Plug and Play - PlugPlay - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\system32\services.exe (Microsoft Corporation )
IPSEC Services - PolicyAgent - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\System32\lsass.exe (Microsoft Corporation )
Protected Storage - ProtectedStorage - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\system32\lsass.exe (Microsoft Corporation )
Remote Procedure Call (RPC) - RpcSs - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\system32\svchost -k rpcss (Microsoft Corporation )
Security Accounts Manager - SamSs - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\system32\lsass.exe (Microsoft Corporation )
System Event Notification - SENS - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation )
SmartLinkService - SLService - Automatic - Running - Win32, running in it's own process - slserv.exe (Smart Link )
Print Spooler - Spooler - Automatic - Running - Win32, running in it's own process - C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation )
SSDP Discovery Service - SSDPSRV - On Demand - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k LocalService (Microsoft Corporation )
Terminal Services - TermService - On Demand - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost -k DComLaunch (Microsoft Corporation )
TuneUp WinStyler Theme Service - TUWinStylerThemeSvc - Automatic - Running - Win32, running in it's own process - "C:\Program Files\TuneUp WinStyler\WinStylerThemeSvc.exe" (TuneUp Software GmbH )
Ulead Burning Helper - UleadBurningHelper - Automatic - Running - Win32, running in it's own process - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (Ulead Systems, Inc. )
Windows User Mode Driver Framework - UMWdf - Automatic - Running - Win32, running in it's own process - C:\WINDOWS\system32\wdfmgr.exe (Microsoft Corporation )
WebClient - WebClient - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k LocalService (Microsoft Corporation )
Windows Defender Service - WinDefend - Automatic - Running - Win32, running in it's own process - "C:\Program Files\Windows Defender\MsMpEng.exe" (Microsoft Corporation )

<Files>

AllUsers ApplicationData Folder
C:\Documents and Settings\All Users\Application Data\addr_file.html - ( [Ver = | Size = 305 bytes | Date = 04/11/2006 09:33 | Attr = ])
C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache - ( [Ver = | Size = 1747 bytes | Date = 04/16/2006 18:40 | Attr = ])

CurrentUser ApplicationData Folder
C:\Documents and Settings\FAMILEY\Application Data\AdobeDLM.log - ( [Ver = | Size = 1765 bytes | Date = 05/11/2006 18:11 | Attr = ])
C:\Documents and Settings\FAMILEY\Application Data\desktop.ini - ( [Ver = | Size = 62 bytes | Date = 08/27/2002 12:51 | Attr = HS])
C:\Documents and Settings\FAMILEY\Application Data\dm.ini - ( [Ver = | Size = 0 bytes | Date = 05/11/2006 18:11 | Attr = ])
C:\Documents and Settings\FAMILEY\Application Data\GDIPFONTCACHEV1.DAT - ( [Ver = | Size = 178312 bytes | Date = 07/09/2004 22:35 | Attr = ])

DPF files
{00000075-9980-0010-8000-00AA00389B71} - - CodeBase = http://codecs.microsoft.com/codecs/i386/voxacm.CAB
{00B71CFB-6864-4346-A978-C0A14556272C} - Checkers Class - CodeBase = http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - QuickTime Object - CodeBase = http://www.apple.com/qtactivex/qtplugin.cab
{14B87622-7E19-4EA8-93B3-97215F77A6BC} - MessengerStatsClient Class - CodeBase = http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
{166B1BCA-3F9C-11CF-8075-444553540000} - Shockwave ActiveX Control - CodeBase = http://download.macromedia.com/pub/shockwa...director/sw.cab
{17492023-C23A-453E-A040-C7C580BBF700} - Windows Genuine Advantage Validation Tool - CodeBase = http://go.microsoft.com/fwlink/?linkid=39204
{2917297F-F02B-4B9D-81DF-494B6333150B} - Minesweeper Flags Class - CodeBase = http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - - CodeBase = http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
{30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - YInstStarter Class - CodeBase = C:\Program Files\Yahoo!\Common\yinsthelper.dll
{3F0EECCE-E138-11D1-8712-0060083D83F5} - LPViewer Class - CodeBase = http://www.mgisoft.com/ActiveX/LPControl.cab
{4F1E5B1A-2A80-42CA-8532-2D05CB959537} - MSN Photo Upload Tool - CodeBase = http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
{644E432F-49D3-41A1-8DD5-E099162EEEC5} - - CodeBase = http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
{665585FD-2068-4C5E-A6D3-53AC3270ECD4} - - CodeBase = http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - MUWebControl Class - CodeBase = http://update.microsoft.com/microsoftupdat...b?1137776560328
{79E0C1C0-316D-11D5-A72A-006097BFA1AC} - EPSON Web Printer-SelfTest Control Class - CodeBase = http://support.epson-europe.com/selftest/Prg/ESTPTest.cab
{8AD9C840-044E-11D1-B3E9-00805F499D93} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
{8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - MessengerStatsClient Class - CodeBase = http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
{9122D757-5A4F-4768-82C5-B4171D8556A7} - PhotoPickConvert Class - CodeBase = http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - ActiveScan Installer Class - CodeBase = http://acs.pandasoftware.com/activescan/as5free/asinst.cab
{B8BE5E93-A60C-4D26-A2DC-220313175592} - ZoneIntro Class - CodeBase = http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
{BC01A402-4730-11D2-B36C-0000E8DF722B} - - CodeBase = http://www.digitalworkshop.co.uk/ilm450.cab
{CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - Java Plug-in 1.4.2_05 - CodeBase = http://java.sun.com/products/plugin/autodl...indows-i586.cab
{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - Java Plug-in 1.5.0_04 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - Java Plug-in 1.5.0_05 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} - Shockwave Flash Object - CodeBase = http://download.macromedia.com/pub/shockwa...ash/swflash.cab
{D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - iTunesDetector Class - CodeBase = http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
{E6187999-9FEC-46A1-A20F-F4CA977D5643} - ZoneChess Object - CodeBase = http://messenger.zone.msn.com/binary/Chess.cab31267.cab
{F6BF0D00-0B2A-4A75-BF7B-F385591623AF} - Solitaire Showdown Class - CodeBase = http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
{FA3662C3-B8E8-11D6-A667-0010B556D978} - IWinAmpActiveX Class - CodeBase = http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
Microsoft XML Parser for Java - - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab

Hosts file = 734 bytes. Reading all entries. C:\WINDOWS\System32\drivers\etc\Hosts
# Copyright © 1993-1999 Microsoft Corp. -
# -
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows. -
# -
# This file contains the mappings of IP addresses to host names. Each -
# entry should be kept on an individual line. The IP address should -
# be placed in the first column followed by the corresponding host name. -
# The IP address and the host name should be separated by at least one -
# space. -
# -
# Additionally, comments (such as these) may be inserted on individual -
# lines or following the machine name denoted by a '#' symbol. -
# -
# For example: -
# -
# 102.54.94.97 rhino.acme.com # source server -
# 38.25.63.10 x.acme.com # x client host -
-
127.0.0.1 localhost -

<Add On's>

>>>>Output for AddOn file Policies.def<<<<

KEY - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies -
policies\Attachments -
policies\Attachments\\ScanWithAntiVirus - 2
policies\Explorer -
policies\Explorer\\NoDrives - 57344
policies\Explorer\\NoDriveAutoRun - 57344
policies\Explorer\\NoCDBurning - 0
policies\Explorer\Run -
policies\NonEnum -
policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} - 1
policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} - 1073741857
policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - 32
policies\Ratings -
policies\Ratings\PICSRules -
policies\Ratings\PICSRules\.Default -
policies\Ratings\PICSRules\.Default\\NumSys - 0
policies\Ratings\PICSRules\.Default\0 -
policies\Ratings\PICSRules\.Default\0\\dwFlags - 0
policies\Ratings\PICSRules\.Default\0\\errLine - 0
policies\Ratings\PICSRules\.Default\0\PRPolicy -
policies\Ratings\PICSRules\.Default\0\PRPolicy\\PRNumPolicy - 3
policies\Ratings\PICSRules\.Default\0\PRPolicy\0 -
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\\PRPPolicyAttribute - 2
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\PRPPolicySub -
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\PRPPolicySub\\PRNumURLExpressions - 1
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\PRPPolicySub\0 -
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\PRPPolicySub\0\\PRBUInternetPattern - 1
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\PRPPolicySub\0\\PRBUNonWild - 12
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\PRPPolicySub\0\\PRBUSpecified - 31
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\PRPPolicySub\0\\PRBUHost - www.habbohotel.co.uk
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\PRPPolicySub\0\\PRBUPort - 80
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\PRPPolicySub\0\\PRBUUrl - www.habbohotel.co.uk
policies\Ratings\PICSRules\.Default\0\PRPolicy\1 -
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\\PRPPolicyAttribute - 2
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\PRPPolicySub -
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\PRPPolicySub\\PRNumURLExpressions - 1
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\PRPPolicySub\0 -
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\PRPPolicySub\0\\PRBUInternetPattern - 1
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\PRPPolicySub\0\\PRBUNonWild - 12
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\PRPPolicySub\0\\PRBUSpecified - 31
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\PRPPolicySub\0\\PRBUHost - www.google.com
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\PRPPolicySub\0\\PRBUPort - 80
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\PRPPolicySub\0\\PRBUUrl - www.google.com
policies\Ratings\PICSRules\.Default\0\PRPolicy\2 -
policies\Ratings\PICSRules\.Default\0\PRPolicy\2\\PRPPolicyAttribute - 2
policies\Ratings\PICSRules\.Default\0\PRPolicy\2\PRPPolicySub -
policies\Ratings\PICSRules\.Default\0\PRPolicy\2\PRPPolicySub\\PRNumURLExpressions - 1
policies\Ratings\PICSRules\.Default\0\PRPolicy\2\PRPPolicySub\0 -
policies\Ratings\PICSRules\.Default\0\PRPolicy\2\PRPPolicySub\0\\PRBUInternetPattern - 1
policies\Ratings\PICSRules\.Default\0\PRPolicy\2\PRPPolicySub\0\\PRBUNonWild - 12
policies\Ratings\PICSRules\.Default\0\PRPolicy\2\PRPPolicySub\0\\PRBUSpecified - 31
policies\Ratings\PICSRules\.Default\0\PRPolicy\2\PRPPolicySub\0\\PRBUHost - www.google.co.uk
policies\Ratings\PICSRules\.Default\0\PRPolicy\2\PRPPolicySub\0\\PRBUPort - 80
policies\Ratings\PICSRules\.Default\0\PRPolicy\2\PRPPolicySub\0\\PRBUUrl - www.google.co.uk
policies\system -
policies\system\\dontdisplaylastusername - 0
policies\system\\legalnoticecaption -
policies\system\\legalnoticetext -
policies\system\\shutdownwithoutlogon - 1
policies\system\\undockwithoutlogon - 1

KEY - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies -
policies\Explorer -
policies\Explorer\\NoDriveTypeAutoRun - 145
policies\Explorer\\ForceActiveDesktopOn - 0
policies\Explorer\Run -
policies\System -
policies\System\\DisableTaskMgr - 0
policies\System\\DisableRegistryTools - 0

#14 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 23 August 2006 - 03:51 AM

Ok, let's get rid of this thing.

Please print these instructions out, or write them down, as you can't read them during the fix.
1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract Avenger.exe to your desktop.
2. Copy all the text in bold contained in the quotebox below to a blank notepad file:

Files to delete:
C:\WINDOWS\system32\sstqn.dll
C:\WINDOWS\system32\nqtss.dll



Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to the notepad file into this window
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
  • Restarts your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it briefly opens a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste all the contents of avenger.txt into your reply along with a fresh WinPFind2 log by using Add Reply.
Cheers.

OT
I do not respond to PMs requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

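The Avenger script in the post above is a plain list of paths under a "Files to delete:" header, and the avenger.txt it writes reports one outcome per path. A path that was already gone (quarantined or deleted earlier, as AntiVir did here) comes back as "not found" with Status: 0xc0000034, which is STATUS_OBJECT_NAME_NOT_FOUND, and is not a refused deletion. The Python below is an added example, not Avenger's own code and not anything the posters wrote: it parses an avenger.txt in that layout, separates "already gone" from genuine failures, and then checks a later WinPFind2 log for registry entries that still name a file Avenger handled (the BHO CLSID pointing at a deleted DLL is the usual leftover). The sample logs are constructed in the same layout as the logs posted in this thread; the third file and its 0xc0000022 (STATUS_ACCESS_DENIED) status are invented to illustrate the other branch.

```python
"""Reading an avenger.txt result log (added example, not The Avenger's own
code nor anything posted in this thread). 'not found' + 0xc0000034 means the
file was already gone; any other failure status is a deletion that did not
happen and needs a second pass."""
import re

STATUS_OBJECT_NAME_NOT_FOUND = 0xC0000034   # NTSTATUS: no such file

DELETED = re.compile(r"^File (.+?) deleted successfully\.$")
NOT_FOUND = re.compile(r"^File (.+?) not found!$")
FAILED = re.compile(r"^Deletion of file (.+?) failed!$")
STATUS = re.compile(r"^Status: (0x[0-9A-Fa-f]{8})$")

def parse_avenger_log(text):
    """Map each path named in the log to {'outcome': ..., 'status': int or None}."""
    results = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = DELETED.match(line)
        if m:
            current = m.group(1)
            results[current] = {"outcome": "deleted", "status": None}
            continue
        m = NOT_FOUND.match(line)
        if m:
            current = m.group(1)
            results[current] = {"outcome": "not_found", "status": None}
            continue
        m = FAILED.match(line)
        if m:
            current = m.group(1)
            # keep 'not_found' if Avenger already said so; otherwise it is a refusal
            results.setdefault(current, {"outcome": "failed", "status": None})
            continue
        m = STATUS.match(line)
        if m and current is not None:
            results[current]["status"] = int(m.group(1), 16)
    return results

def needs_attention(results):
    """Paths that were neither deleted nor already absent."""
    return sorted(p for p, r in results.items()
                  if r["outcome"] != "deleted"
                  and r["status"] != STATUS_OBJECT_NAME_NOT_FOUND)

def still_referenced(results, winpfind_text):
    """Lines of a later WinPFind2 log that still name a file Avenger handled
    (orphaned registry entries such as a BHO CLSID left behind by a deleted DLL)."""
    names = {p.rsplit("\\", 1)[-1].lower() for p in results}
    return [l.strip() for l in winpfind_text.splitlines()
            if any(n in l.lower() for n in names)]

# Constructed sample in the layout of the avenger.txt posted in this thread;
# the third file and its access-denied status are made up for illustration.
SAMPLE_AVENGER_LOG = r"""
Beginning to process script file:

File C:\WINDOWS\system32\sstqn.dll deleted successfully.


File C:\WINDOWS\system32\nqtss.dll not found!
Deletion of file C:\WINDOWS\system32\nqtss.dll failed!

Could not process line:
C:\WINDOWS\system32\nqtss.dll
Status: 0xc0000034


Deletion of file C:\WINDOWS\system32\locked.dll failed!

Could not process line:
C:\WINDOWS\system32\locked.dll
Status: 0xc0000022

Completed script processing.
"""

# Constructed WinPFind2 lines in the format used in this thread: the BHO
# entry still points at the DLL after Avenger removed it.
SAMPLE_WINPFIND = r"""
BHO's
HKLM->Browser Helper Objects\{8F4465FC-0866-4A61-A4E9-93A4B892B489} - = C:\WINDOWS\system32\sstqn.dll (File not found))
"""

if __name__ == "__main__":
    res = parse_avenger_log(SAMPLE_AVENGER_LOG)
    for path, r in res.items():
        print(f"{r['outcome']:>9}  {path}  status={r['status']}")
    print("needs attention:", needs_attention(res))
    print("still referenced:", still_referenced(res, SAMPLE_WINPFIND))
```

The point of the split is triage: a "not found" result closes the item, while a refusal with another status means the file is still on disk (locked, protected, or renamed) and the next step has to deal with it rather than moving on. The leftover registry reference is why a fresh WinPFind2 log is requested after the run.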

#15 PrittStick

PrittStick
  • Topic Starter

  • Members
  • 97 posts
  • Location:Wolverhampton, England

Posted 07 September 2006 - 01:27 PM

Hey OldTimer, I am using the internet in normal mode to post this reply so all seems to be going well so far. Here are the two logs that you asked for:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\tmeixtlh

*******************

Script file located at: \??\C:\Program Files\qfexjryu.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\sstqn.dll deleted successfully.


File C:\WINDOWS\system32\nqtss.dll not found!
Deletion of file C:\WINDOWS\system32\nqtss.dll failed!

Could not process line:
C:\WINDOWS\system32\nqtss.dll
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.


Logfile created on: 09/07/2006 19:25
WinPFind2 by OldTimer - Version 1.0.3 Folder = C:\Documents and Settings\FAMILEY\Desktop\WinPFind2\
Microsoft Windows XP (Version = Service Pack 2)
Internet Explorer (Version - 6.0.2900.2180)


<Processes>
ati2evxx.exe - c:\windows\system32\ati2evxx.exe - (ATI Technologies Inc. )
ati2evxx.exe - c:\windows\system32\ati2evxx.exe - (ATI Technologies Inc. )
avguard.exe - c:\program files\antivir personaledition classic\avguard.exe - (AVIRA GmbH )
crypserv.exe - c:\windows\system32\crypserv.exe - (Kenonic Controls Ltd. )
ctfmon.exe - c:\windows\system32\ctfmon.exe - (Microsoft Corporation )
explorer.exe - c:\windows\explorer.exe - (Microsoft Corporation )
fbguard.exe - c:\program files\firebird\firebird_1_5\bin\fbguard.exe - (The Firebird Project )
fbserver.exe - c:\program files\firebird\firebird_1_5\bin\fbserver.exe - (The Firebird Project )
firefox.exe - c:\program files\mozilla firefox\firefox.exe - (Mozilla Corporation )
guard.exe - c:\program files\ewido anti-spyware 4.0\guard.exe - (Anti-Malware Development a.s. )
jusched.exe - c:\program files\java\jre1.5.0_06\bin\jusched.exe - (Sun Microsystems, Inc. )
lsass.exe - c:\windows\system32\lsass.exe - (Microsoft Corporation )
memturbo.exe - c:\program files\silicon prairie software\memturbo\memturbo.exe - (SharewareOnline.com, Inc. )
msascui.exe - c:\program files\windows defender\msascui.exe - (Microsoft Corporation )
msgplus.exe - c:\program files\messengerplus! 3\msgplus.exe - (Patchou )
msmpeng.exe - c:\program files\windows defender\msmpeng.exe - (Microsoft Corporation )
msnmsgr.exe - c:\program files\msn messenger\msnmsgr.exe - (Microsoft Corporation )
nmsaccess.exe - c:\program files\cheetah burner\cheetah dvd burner\nmsaccess.exe - ( )
notepad.exe - c:\windows\system32\notepad.exe - (Microsoft Corporation )
pdsched.exe - c:\program files\raxco\perfectdisk\pdsched.exe - (Raxco Software, Inc. )
qttask.exe - c:\program files\quicktime\qttask.exe - (Apple Computer, Inc. )
sagent2.exe - c:\program files\common files\epson\ebapi\sagent2.exe - (SEIKO EPSON CORPORATION )
sched.exe - c:\program files\antivir personaledition classic\sched.exe - (Avira GmbH )
services.exe - c:\windows\system32\services.exe - (Microsoft Corporation )
skype.exe - c:\program files\skype\phone\skype.exe - ( )
slserv.exe - c:\windows\system32\slserv.exe - (Smart Link )
smss.exe - \systemroot\system32\smss.exe - (Microsoft Corporation )
spoolsv.exe - c:\windows\system32\spoolsv.exe - (Microsoft Corporation )
svchost.exe - c:\windows\system32\svchost.exe - (Microsoft Corporation )
svchost.exe - c:\windows\system32\svchost.exe - (Microsoft Corporation )
svchost.exe - c:\windows\system32\svchost.exe - (Microsoft Corporation )
ulcdrsvr.exe - c:\program files\common files\ulead systems\dvd\ulcdrsvr.exe - (Ulead Systems, Inc. )
vcssecs.exe - c:\program files\virtual cd v4 sdk\system\vcssecs.exe - (H+H Software GmbH )
winlogon.exe - \??\c:\windows\system32\winlogon.exe - (Microsoft Corporation )
winpfind2.exe - c:\documents and settings\familey\desktop\winpfind2\winpfind2.exe - (OldTimer Tools )
winstylerthemesvc.exe - c:\program files\tuneup winstyler\winstylerthemesvc.exe - (TuneUp Software GmbH )
wuauclt.exe - c:\windows\system32\wuauclt.exe - (Microsoft Corporation )

<Registry Entries>

Version Info
WinPFind2 by OldTimer - Version 1.0.3 -
Microsoft Windows XP Version = Service Pack 2 -
Internet Explorer Version = 6.0.2900.2180 -

Internet Explorer Settings
HKLM->Main\\Start Page - about:blank
HKLM->Main\\Search Page - http://searchbar.findthewebsiteyouneed.com
HKLM->Main\\Default Page -
HKLM->Main\\Default Search -
HKLM->Main\\Local Page - C:\WINDOWS\system32\blank.htm
HKCU->Main\\Start Page - http://www.findthewebsiteyouneed.com
HKCU->Main\\Search Page - http://searchbar.findthewebsiteyouneed.com
HKCU->Main\\Local Page - C:\WINDOWS\system32\blank.htm
HKCU->Internet Settings\\ProxyEnable - 0
HKCU->Internet Settings\\ProxyOverride -

BHO's
HKLM->Browser Helper Objects\{8F4465FC-0866-4A61-A4E9-93A4B892B489} - = C:\WINDOWS\system32\sstqn.dll (File not found))

Internet Explorer Bars, Toolbars and Extensions
HKCU->Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1} - File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
HKCU->Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E} - Favorites Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation )
HKCU->Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E} - Explorer Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation )
HKLM->Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation )
HKLM->Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - Real.com = C:\WINDOWS\System32\Shdocvw.dll (Microsoft Corporation )
HKCU->Toolbar\ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
HKCU->Toolbar\WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
HKCU->Toolbar\WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
HKCU->Extensions\CmdMapping\\{072F3B8A-2DA2-40e2-B841-88899F240200} - 8201 - Reg Data missing or invalid
HKCU->Extensions\CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - 8193 - Sun Java Console
HKCU->Extensions\CmdMapping\\{1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - 8194 -
HKCU->Extensions\CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} - 8200 -
HKCU->Extensions\CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} - 8199 - Windows Messenger
HKCU->Extensions\CmdMapping\\NextId - 8202
HKLM->Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll (Sun Microsystems, Inc. )
HKLM->Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} (HKCU CLSID) - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc. )
HKLM->Extensions\{1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - ButtonText: Packard Bell = C:\Apps\IECustom\script.htm (File not found))
HKLM->Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263} - ButtonText: Research = (File not found))
HKLM->Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683} - ButtonText: Messenger = C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation )
HKCU->MenuExt\E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 (Microsoft Corporation )

Approved Shell Extensions (Non-Microsoft only)
HKLM->Shell Extensions\Approved\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Taskbar and Start Menu = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{10970560-332E-4042-96C9-02AB2FDDD088} - HandyBits Zip&Go Menu = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{32683183-48a0-441b-a342-7c2a440a9478} - Media Band = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{357BE06B-49FE-43F6-9165-DBBF878B5E6A} - = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{45AC2688-0253-4ED8-97DE-B5370FA7D48A} - Shell Extension for Malware scanning = C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll (H+BEDV Datentechnik GmbH )
HKLM->Shell Extensions\Approved\{661825E5-B9A4-4D3E-8B74-3B6B63C32A80} - Shell Extensions for Font Creator = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{6EE51AA0-77A0-11D7-B4E1-000347126E46} - Window Washer Shell Shredding Utility = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{7A9D77BD-5403-11d2-8785-2E0420524153} - User Accounts = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINDOWS\System32\hticons.dll (Hilgraeve, Inc. )
HKLM->Shell Extensions\Approved\{89614271-D5D4-453F-BE13-E7A6E05BB7D6} - = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{A0752120-6D75-D111-B5B1-0800095A2318} - HandyBits EasyCrypto Shell Extensions = C:\WINDOWS\System32\tsseCryp.dll ( )
HKLM->Shell Extensions\Approved\{A0752130-6D75-D111-B5B1-0800095A2318} - HandyBits File Shredder Virtual Folder = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{B41DB860-8EE4-11D2-9906-E49FADC173CA} - WinRAR shell extension = C:\Program Files\WinRAR\rarext.dll ( )
HKLM->Shell Extensions\Approved\{B5FB6487-7E79-4816-B73B-8A65E41971DA} - BullGuard Antivirus v4 = Reg Data missing or invalid (File not found))
HKLM->Shell Extensions\Approved\{B8323370-FF27-11D2-97B6-204C4F4F5020} - SmartFTP Shell Extension DLL = C:\Program Files\SmartFTP\smarthook.dll (SmartFTP )
HKLM->Shell Extensions\Approved\{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} - iTunes = C:\Program Files\iTunes\iTunesMiniPlayer.dll (Apple Computer, Inc. )
HKLM->Shell Extensions\Approved\{D8A8853A-DB04-45D4-8732-A5CC49CE6107} - deskMenu2 Shell Extension = C:\WINDOWS\system32\deskMenu2.dll ( )
HKLM->Shell Extensions\Approved\{E0D79304-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
HKLM->Shell Extensions\Approved\{E0D79305-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
HKLM->Shell Extensions\Approved\{E0D79306-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
HKLM->Shell Extensions\Approved\{E0D79307-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
HKLM->Shell Extensions\Approved\{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} - Shell Extensions for RealOne Player = C:\Program Files\Real\RealPlayer\rpshell.dll (RealNetworks, Inc. )
HKCU->Shell Extensions\Approved\{BDEADF00-C265-11d0-BCED-00A0C90AB50F} - Web Folders = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL (Microsoft Corporation )

ContextMenuHandlers (Non-Microsoft only)
HKLM->* - deskMenu2 - {D8A8853A-DB04-45D4-8732-A5CC49CE6107} = C:\WINDOWS\system32\deskMenu2.dll ( )
HKLM->* - EasyCryptoMenu - {A0752120-6D75-D111-B5B1-0800095A2318} = C:\WINDOWS\System32\tsseCryp.dll ( )
HKLM->* - EncodeDivXExt - {E9F5B111-CACC-4FD4-81FD-4EB4FD6765A3} = C:\Program Files\DivX\Dr.DivX\EncodeDivXExt.dll ( )
HKLM->* - ewido anti-spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll (Anti-Malware Development a.s. )
HKLM->* - SharedMenuHandler - {916F1ADF-2F02-46C2-B7D2-310468390750} = C:\WINDOWS\SYSTEM32\ssmenu.dll (Teknum Systems AS )
HKLM->* - Shell Extension for Malware scanning - {45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll (H+BEDV Datentechnik GmbH )
HKLM->* - WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ( )
HKLM->* - WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
HKLM->Directory - EasyCryptoMenu - {A0752120-6D75-D111-B5B1-0800095A2318} = C:\WINDOWS\System32\tsseCryp.dll ( )
HKLM->Directory - ewido anti-spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll (Anti-Malware Development a.s. )
HKLM->Directory - SharedMenuHandler - {916F1ADF-2F02-46C2-B7D2-310468390750} = C:\WINDOWS\SYSTEM32\ssmenu.dll (Teknum Systems AS )
HKLM->Directory - WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ( )
HKLM->Directory - WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
HKLM->Folder - BullGuard Antivirus v4 - {B5FB6487-7E79-4816-B73B-8A65E41971DA} = Reg Data missing or invalid (File not found))
HKLM->Folder - Shell Extension for Malware scanning - {45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll (H+BEDV Datentechnik GmbH )
HKLM->Folder - WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ( )
HKLM->Folder - WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )

ColumnHandlers (Non-Microsoft only)
HKLM->Folder - {F9DB5320-233E-11D1-9F84-707F02C10627} - PDF Shell Extension = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll (Adobe Systems, Inc. )

Registry Run Keys
HKLM->Run\\MessengerPlus3 - "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" (Patchou )
HKLM->Run\\QuickTime Task - "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Computer, Inc. )
HKLM->Run\\SunJavaUpdateSched - C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe (Sun Microsystems, Inc. )
HKLM->Run\\UserFaultCheck - %systemroot%\system32\dumprep 0 -u (File not found))
HKLM->Run\\Windows Defender - "C:\Program Files\Windows Defender\MSASCui.exe" -hide (Microsoft Corporation )
HKLM->Run\OptionalComponents\IMAIL - Installed = 1
HKLM->Run\OptionalComponents\MAPI - Installed = 1
HKLM->Run\OptionalComponents\MSFS - Installed = 1
HKCU->Run\\ctfmon.exe - C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation )
HKCU->Run\\MessengerPlus3 - "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart (Patchou )
HKCU->Run\\msnmsgr - "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (Microsoft Corporation )
HKCU->Run\\Skype - "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized ( )
HKCU->Run\\Update Service - "C:\Program Files\Common Files\Teknum Systems\update.exe" /startup (File not found))

Startup Lnks
HKCU->Startup - desktop.ini - C:\Documents and Settings\FAMILEY\Start Menu\Programs\Startup\desktop.ini ( )
HKCU->Startup - MemTurbo.lnk - C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe (SharewareOnline.com, Inc. )

Disabled MSConfig Items
HKLM->StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk - Adobe Gamma Loader = C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE (Adobe Systems, Inc. )
HKLM->StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^blueyonder Instant Support Tool.lnk - blueyonder Instant Support Tool = C:\PROGRA~1\BLUEYO~1\bin\matcli.exe -boot (Motive Communications, Inc. )
HKLM->StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MemTurbo.lnk - MemTurbo = C:\PROGRA~1\SILICO~1\MemTurbo\memturbo.exe /starthidden (SharewareOnline.com, Inc. )
HKLM->StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk - Microsoft Office = C:\PROGRA~1\MICROS~4\Office10\OSA.EXE -b -l (File not found))
HKLM->StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ulead Photo Express 3.0 SE Calendar Checker.lnk - Ulead Photo Express 3.0 SE Calendar Checker = C:\PROGRA~1\ULEADS~1\ULEADP~1.0SE\CalCheck.exe (Ulead Systems, Inc. )
HKLM->StartUpFolder\C:^Documents and Settings^FAMILEY^Start Menu^Programs^Startup^DNSKong.lnk - DNSKong = C:\PROGRA~1\Pyrenean\DNSKong\DNSKong.exe (Pyrenean )
HKLM->StartUpFolder\C:^Documents and Settings^FAMILEY^Start Menu^Programs^Startup^ShortKeys Lite.lnk - ShortKeys Lite = C:\PROGRA~1\shortkey\SHORTKEY.EXE ( )
HKLM->StartUpReg\3Degrees - threedegrees = C:\Program Files\threedegrees\threedegrees.exe (File not found))
HKLM->StartUpReg\Adobe Photo Downloader - apdproxy = "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" (Adobe Systems Incorporated )
HKLM->StartUpReg\Advanced Tools Check - ADVCHK = C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE (File not found))
HKLM->StartUpReg\AIM - aim = C:\PROGRA~1\AIM\aim.exe -cnetwait.odl (File not found))
HKLM->StartUpReg\ATIPTA - atiptaxx = C:\ATI Technologies\ATI Control Panel\atiptaxx.exe (File not found))
HKLM->StartUpReg\avnort - msmbw = C:\WINDOWS\msmbw.exe (File not found))
HKLM->StartUpReg\BigDogPath - VM_STI = C:\WINDOWS\VM_STI.EXE Pro Cam (VM. )
HKLM->StartUpReg\Configuration Loading - svchos1 = svchos1.exe (File not found))
HKLM->StartUpReg\EPSON Stylus Photo RX600 - E_S4I0M2 = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0M2.EXE /P24 "EPSON Stylus Photo RX600" /O6 "USB002" /M "Stylus Photo RX600" (SEIKO EPSON CORPORATION )
HKLM->StartUpReg\htmthunk - site byte cast = C:\PROGRA~1\ObjEq\site byte cast.exe (File not found))
HKLM->StartUpReg\iTunesHelper - iTunesHelper = C:\Program Files\iTunes\iTunesHelper.exe (Apple Computer, Inc. )
HKLM->StartUpReg\kdx - KHost = C:\WINDOWS\kdx\KHost.exe (File not found))
HKLM->StartUpReg\lpr - lpr123 = C:\windows\mmkt\lpr123.exe (File not found))
HKLM->StartUpReg\ltwob - formatsys = C:\WINDOWS\System32\formatsys.exe (File not found))
HKLM->StartUpReg\Microsoft Works Update Detection - WkUFind = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe (Microsoft® Corporation )
HKLM->StartUpReg\Mixer - wincrt32 = wincrt32.exe (File not found))
HKLM->StartUpReg\MOD - muamgr = C:\Program Files\Microangelo\muamgr.exe (File not found))
HKLM->StartUpReg\NeroCheck - NeroCheck = C:\WINDOWS\System32\\NeroCheck.exe (Ahead Software Gmbh )
HKLM->StartUpReg\NeroFilterCheck - NeroCheck = C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh )
HKLM->StartUpReg\New.net Startup - NEWDOT~2 = rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup (File not found))
HKLM->StartUpReg\Open Site - opnste = C:\Program Files\Open Site\opnste.exe (File not found))
HKLM->StartUpReg\QuickTime Task - qttask = "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Computer, Inc. )
HKLM->StartUpReg\RealTray - RealPlay = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER (RealNetworks, Inc. )
HKLM->StartUpReg\saap - saap = "C:\Program Files\Rosoft\Audio Tools\saap.exe" /did=154 (File not found))
HKLM->StartUpReg\ScrabbleSetup.exe - worms = C:\DOCUME~1\FAMILEY\Desktop\JAMES'~1\worms.exe /r (File not found))
HKLM->StartUpReg\serpe - formatsys = C:\WINDOWS\System32\formatsys.exe (File not found))
HKLM->StartUpReg\Skype - Skype = "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized ( )
HKLM->StartUpReg\SUService - SUService = C:\WINDOWS\system32\SUService.exe (File not found))
HKLM->StartUpReg\Synchronization Agent - syncagent = "C:\Program Files\Sync Manager Demo\agent\syncagent.exe" (File not found))
HKLM->StartUpReg\TimeSink Ad Client - TsAdBot = "C:\Program Files\TimeSink\AdGateway\TsAdBot.exe" (File not found))
HKLM->StartUpReg\TkBellExe - realsched = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (RealNetworks, Inc. )
HKLM->StartUpReg\Update Service - update = "C:\Program Files\Common Files\Teknum Systems\update.exe" /startup (File not found))
HKLM->StartUpReg\VCSPlayer - vcsplay = "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe" (H+H Software GmbH )
HKLM->StartUpReg\WebSavingsfromEbates - WebSavingsfromEbates" = wjview /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates" (File not found))
HKLM->StartUpReg\win_spool2 - win_spool2 = C:\WINDOWS\System32\win_spool2.exe (File not found))
HKLM->StartUpReg\WinampAgent - winampa = C:\Program Files\Winamp\winampa.exe ( )
HKLM->StartUpReg\Windows update - explore = explore.exe (File not found))
HKLM->StartUpReg\Yahoo! Pager - ypager = C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet ( )
HKLM->StartUpReg\Zone Labs Client - zlclient = C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe (File not found))

User Agent Post Platform

AppInit DLLs
HKLM->Windows\\AppInit_DLLs - (File not found))

Image File Execution Options
HKLM->Image File Execution Options\Your Image File Name Here without a path - Debugger = ntsd -d

Shell Service Object Delay Load
HKLM->ShellServiceObjectDelayLoad\\CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
HKLM->ShellServiceObjectDelayLoad\\PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
HKLM->ShellServiceObjectDelayLoad\\SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll (Microsoft Corporation )
HKLM->ShellServiceObjectDelayLoad\\WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll (Microsoft Corporation )

Shell Execute Hooks
HKLM->ShellExecuteHooks\\{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - Microsoft AntiMalware ShellExecuteHook = C:\PROGRA~1\WIFD1F~1\MpShHook.dll (Microsoft Corporation )
HKLM->ShellExecuteHooks\\{57B86673-276A-48B2-BAE7-C6DBB3020EB8} - CShellExecuteHookImpl Object = C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll (Anti-Malware Development a.s. )
HKLM->ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation )

Shared Task Scheduler
HKLM->SharedTaskScheduler\\{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
HKLM->SharedTaskScheduler\\{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )

Winlogon
HKLM->Winlogon\\UserInit - C:\WINDOWS\system32\userinit.exe, (Microsoft Corporation )
HKLM->Winlogon\\Shell - Explorer.exe (Microsoft Corporation )
HKLM->Winlogon\\System - (File not found))
HKLM->Winlogon\Notify\AtiExtEvent - Ati2evxx.dll (ATI Technologies Inc. )
HKLM->Winlogon\Notify\crypt32chain - crypt32.dll (Microsoft Corporation )
HKLM->Winlogon\Notify\cryptnet - cryptnet.dll (Microsoft Corporation )
HKLM->Winlogon\Notify\cscdll - cscdll.dll (Microsoft Corporation )
HKLM->Winlogon\Notify\ScCertProp - wlnotify.dll (Microsoft Corporation )
HKLM->Winlogon\Notify\Schedule - wlnotify.dll (Microsoft Corporation )
HKLM->Winlogon\Notify\sclgntfy - sclgntfy.dll (Microsoft Corporation )
HKLM->Winlogon\Notify\SensLogn - WlNotify.dll (Microsoft Corporation )
HKLM->Winlogon\Notify\sstqn - C:\WINDOWS\system32\sstqn.dll (File not found))
HKLM->Winlogon\Notify\termsrv - wlnotify.dll (Microsoft Corporation )
HKLM->Winlogon\Notify\wlballoon - wlnotify.dll (Microsoft Corporation )

DNS Name Servers
HKLM->Interfaces\{7886A85E-35DA-4DC2-AFFB-B384A8B4079E} - (1394 Net Adapter)
HKLM->Interfaces\{BAF61F22-0FB1-401E-9A68-8FDB074C5189} - ()
HKLM->Interfaces\{D9DAE42C-B7C0-472B-8C95-3FC5DC370D1F} - (Realtek RTL8139/810x Family Fast Ethernet NIC)

Winsock2 Catalogs (Non-Microsoft only)

Protocol Handlers (Non-Microsoft only)
HKLM->PROTOCOLS\Handler\cdo - (File not found))
HKLM->PROTOCOLS\Handler\cdo (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\ipp - (File not found))
HKLM->PROTOCOLS\Handler\ipp (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\msdaipp - (File not found))
HKLM->PROTOCOLS\Handler\msdaipp (HKCU CLSID) - (File not found))
HKLM->PROTOCOLS\Handler\ms-itss - (File not found))
HKLM->PROTOCOLS\Handler\ms-itss (HKCU CLSID) - (File not found))

Protocol Filters (Non-Microsoft only)

<Services>
IPv6 Helper Service - 6to4 - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
AntiVir PersonalEdition Classic Scheduler - AntiVirScheduler - Automatic - Running - Win32, running in it's own process - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe (Avira GmbH )
AntiVir PersonalEdition Classic Guard - AntiVirService - Automatic - Running - Win32, running in it's own process - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe (AVIRA GmbH )
Ati HotKey Poller - Ati HotKey Poller - Automatic - Running - Win32, running in it's own process - C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc. )
Windows Audio - AudioSrv - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Crypkey License - Crypkey License - Automatic - Running - Win32, running in it's own process - crypserv.exe (Kenonic Controls Ltd. )
Cryptographic Services - CryptSvc - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation )
DCOM Server Process Launcher - DcomLaunch - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\system32\svchost -k DcomLaunch (Microsoft Corporation )
DHCP Client - Dhcp - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
DNS Client - Dnscache - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k NetworkService (Microsoft Corporation )
EPSON Printer Status Agent2 - EPSONStatusAgent2 - Automatic - Running - Win32, running in it's own process - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe (SEIKO EPSON CORPORATION )
Error Reporting Service - ERSvc - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Event Log - Eventlog - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\system32\services.exe (Microsoft Corporation )
COM+ Event System - EventSystem - On Demand - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
ewido anti-spyware 4.0 guard - ewido anti-spyware 4.0 guard - Automatic - Running - Win32, running in it's own process - C:\Program Files\ewido anti-spyware 4.0\guard.exe (Anti-Malware Development a.s. )
Fast User Switching Compatibility - FastUserSwitchingCompatibility - On Demand - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Firebird Guardian - DefaultInstance - FirebirdGuardianDefaultInstance - Automatic - Running - Win32, running in it's own process - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe -s (The Firebird Project )
Firebird Server - DefaultInstance - FirebirdServerDefaultInstance - On Demand - Running - Win32, running in it's own process - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe -s (The Firebird Project )
Help and Support - helpsvc - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Server - lanmanserver - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Workstation - lanmanworkstation - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
TCP/IP NetBIOS Helper - LmHosts - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k LocalService (Microsoft Corporation )
Network Connections - Netman - On Demand - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Network Location Awareness (NLA) - Nla - On Demand - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
NMSAccess - NMSAccess - Automatic - Running - Win32, running in it's own process - C:\Program Files\Cheetah Burner\Cheetah DVD Burner\NMSAccess.exe ( )
PDScheduler - PDSched - Automatic - Running - Win32, running in it's own process - "C:\Program Files\Raxco\PerfectDisk\PDSched.exe" (Raxco Software, Inc. )
Plug and Play - PlugPlay - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\system32\services.exe (Microsoft Corporation )
IPSEC Services - PolicyAgent - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\System32\lsass.exe (Microsoft Corporation )
Protected Storage - ProtectedStorage - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\system32\lsass.exe (Microsoft Corporation )
Remote Access Connection Manager - RasMan - On Demand - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Remote Procedure Call (RPC) - RpcSs - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\system32\svchost -k rpcss (Microsoft Corporation )
Security Accounts Manager - SamSs - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\system32\lsass.exe (Microsoft Corporation )
Task Scheduler - Schedule - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Secondary Logon - seclogon - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
System Event Notification - SENS - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation )
Shell Hardware Detection - ShellHWDetection - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
SmartLinkService - SLService - Automatic - Running - Win32, running in it's own process - slserv.exe (Smart Link )
Print Spooler - Spooler - Automatic - Running - Win32, running in it's own process - C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation )
System Restore Service - srservice - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
SSDP Discovery Service - SSDPSRV - On Demand - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k LocalService (Microsoft Corporation )
Windows Image Acquisition (WIA) - stisvc - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k imgsvc (Microsoft Corporation )
Telephony - TapiSrv - On Demand - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Terminal Services - TermService - On Demand - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost -k DComLaunch (Microsoft Corporation )
Themes - Themes - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Distributed Link Tracking Client - TrkWks - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation )
TuneUp WinStyler Theme Service - TUWinStylerThemeSvc - Automatic - Running - Win32, running in it's own process - "C:\Program Files\TuneUp WinStyler\WinStylerThemeSvc.exe" (TuneUp Software GmbH )
Ulead Burning Helper - UleadBurningHelper - Automatic - Running - Win32, running in it's own process - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (Ulead Systems, Inc. )
Windows User Mode Driver Framework - UMWdf - Automatic - Running - Win32, running in it's own process - C:\WINDOWS\system32\wdfmgr.exe (Microsoft Corporation )
Virtual CD v4 Security service (SDK - Version) - VCSSecS - Automatic - Running - Win32, running in it's own process - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe (H+H Software GmbH )
Windows Time - W32Time - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
WebClient - WebClient - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k LocalService (Microsoft Corporation )
Windows Defender Service - WinDefend - Automatic - Running - Win32, running in it's own process - "C:\Program Files\Windows Defender\MsMpEng.exe" (Microsoft Corporation )
Windows Management Instrumentation - winmgmt - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation )
Security Center - wscsvc - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )
Automatic Updates - wuauserv - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation )
Wireless Zero Configuration - WZCSVC - Automatic - Running - Win32, running in a shared process - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation )

<Files>

AllUsers ApplicationData Folder
C:\Documents and Settings\All Users\Application Data\addr_file.html - ( [Ver = | Size = 305 bytes | Date = 04/11/2006 09:33 | Attr = ])
C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache - ( [Ver = | Size = 1747 bytes | Date = 04/16/2006 18:40 | Attr = ])

CurrentUser ApplicationData Folder
C:\Documents and Settings\FAMILEY\Application Data\AdobeDLM.log - ( [Ver = | Size = 1765 bytes | Date = 05/11/2006 18:11 | Attr = ])
C:\Documents and Settings\FAMILEY\Application Data\desktop.ini - ( [Ver = | Size = 62 bytes | Date = 08/27/2002 12:51 | Attr = HS])
C:\Documents and Settings\FAMILEY\Application Data\dm.ini - ( [Ver = | Size = 0 bytes | Date = 05/11/2006 18:11 | Attr = ])
C:\Documents and Settings\FAMILEY\Application Data\GDIPFONTCACHEV1.DAT - ( [Ver = | Size = 178312 bytes | Date = 07/09/2004 22:35 | Attr = ])

DPF files
{00000075-9980-0010-8000-00AA00389B71} - - CodeBase = http://codecs.microsoft.com/codecs/i386/voxacm.CAB
{00B71CFB-6864-4346-A978-C0A14556272C} - Checkers Class - CodeBase = http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - QuickTime Object - CodeBase = http://www.apple.com/qtactivex/qtplugin.cab
{14B87622-7E19-4EA8-93B3-97215F77A6BC} - MessengerStatsClient Class - CodeBase = http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
{166B1BCA-3F9C-11CF-8075-444553540000} - Shockwave ActiveX Control - CodeBase = http://download.macromedia.com/pub/shockwa...director/sw.cab
{17492023-C23A-453E-A040-C7C580BBF700} - Windows Genuine Advantage Validation Tool - CodeBase = http://go.microsoft.com/fwlink/?linkid=39204
{2917297F-F02B-4B9D-81DF-494B6333150B} - Minesweeper Flags Class - CodeBase = http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - - CodeBase = http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
{30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - YInstStarter Class - CodeBase = C:\Program Files\Yahoo!\Common\yinsthelper.dll
{3F0EECCE-E138-11D1-8712-0060083D83F5} - LPViewer Class - CodeBase = http://www.mgisoft.com/ActiveX/LPControl.cab
{4F1E5B1A-2A80-42CA-8532-2D05CB959537} - MSN Photo Upload Tool - CodeBase = http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
{644E432F-49D3-41A1-8DD5-E099162EEEC5} - - CodeBase = http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
{665585FD-2068-4C5E-A6D3-53AC3270ECD4} - - CodeBase = http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - MUWebControl Class - CodeBase = http://update.microsoft.com/microsoftupdat...b?1137776560328
{79E0C1C0-316D-11D5-A72A-006097BFA1AC} - EPSON Web Printer-SelfTest Control Class - CodeBase = http://support.epson-europe.com/selftest/Prg/ESTPTest.cab
{8AD9C840-044E-11D1-B3E9-00805F499D93} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
{8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - MessengerStatsClient Class - CodeBase = http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
{9122D757-5A4F-4768-82C5-B4171D8556A7} - PhotoPickConvert Class - CodeBase = http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - ActiveScan Installer Class - CodeBase = http://acs.pandasoftware.com/activescan/as5free/asinst.cab
{B8BE5E93-A60C-4D26-A2DC-220313175592} - ZoneIntro Class - CodeBase = http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
{BC01A402-4730-11D2-B36C-0000E8DF722B} - - CodeBase = http://www.digitalworkshop.co.uk/ilm450.cab
{CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - Java Plug-in 1.4.2_05 - CodeBase = http://java.sun.com/products/plugin/autodl...indows-i586.cab
{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - Java Plug-in 1.5.0_04 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - Java Plug-in 1.5.0_05 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} - Shockwave Flash Object - CodeBase = http://download.macromedia.com/pub/shockwa...ash/swflash.cab
{D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - iTunesDetector Class - CodeBase = http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
{E6187999-9FEC-46A1-A20F-F4CA977D5643} - ZoneChess Object - CodeBase = http://messenger.zone.msn.com/binary/Chess.cab31267.cab
{F6BF0D00-0B2A-4A75-BF7B-F385591623AF} - Solitaire Showdown Class - CodeBase = http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
{FA3662C3-B8E8-11D6-A667-0010B556D978} - IWinAmpActiveX Class - CodeBase = http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
Microsoft XML Parser for Java - - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab

Hosts file = 734 bytes. Reading all entries. C:\WINDOWS\System32\drivers\etc\Hosts
# Copyright © 1993-1999 Microsoft Corp. -
# -
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows. -
# -
# This file contains the mappings of IP addresses to host names. Each -
# entry should be kept on an individual line. The IP address should -
# be placed in the first column followed by the corresponding host name. -
# The IP address and the host name should be separated by at least one -
# space. -
# -
# Additionally, comments (such as these) may be inserted on individual -
# lines or following the machine name denoted by a '#' symbol. -
# -
# For example: -
# -
# 102.54.94.97 rhino.acme.com # source server -
# 38.25.63.10 x.acme.com # x client host -
-
127.0.0.1 localhost -

<Add On's>

>>>>Output for AddOn file Policies.def<<<<

KEY - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies -
policies\Attachments -
policies\Attachments\\ScanWithAntiVirus - 2
policies\Explorer -
policies\Explorer\\NoDrives - 57344
policies\Explorer\\NoDriveAutoRun - 57344
policies\Explorer\\NoCDBurning - 0
policies\Explorer\Run -
policies\NonEnum -
policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} - 1
policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} - 1073741857
policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - 32
policies\Ratings -
policies\Ratings\PICSRules -
policies\Ratings\PICSRules\.Default -
policies\Ratings\PICSRules\.Default\\NumSys - 0
policies\Ratings\PICSRules\.Default\0 -
policies\Ratings\PICSRules\.Default\0\\dwFlags - 0
policies\Ratings\PICSRules\.Default\0\\errLine - 0
policies\Ratings\PICSRules\.Default\0\PRPolicy -
policies\Ratings\PICSRules\.Default\0\PRPolicy\\PRNumPolicy - 3
policies\Ratings\PICSRules\.Default\0\PRPolicy\0 -
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\\PRPPolicyAttribute - 2
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\PRPPolicySub -
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\PRPPolicySub\\PRNumURLExpressions - 1
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\PRPPolicySub\0 -
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\PRPPolicySub\0\\PRBUInternetPattern - 1
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\PRPPolicySub\0\\PRBUNonWild - 12
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\PRPPolicySub\0\\PRBUSpecified - 31
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\PRPPolicySub\0\\PRBUHost - www.habbohotel.co.uk
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\PRPPolicySub\0\\PRBUPort - 80
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\PRPPolicySub\0\\PRBUUrl - www.habbohotel.co.uk
policies\Ratings\PICSRules\.Default\0\PRPolicy\1 -
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\\PRPPolicyAttribute - 2
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\PRPPolicySub -
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\PRPPolicySub\\PRNumURLExpressions - 1
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\PRPPolicySub\0 -
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\PRPPolicySub\0\\PRBUInternetPattern - 1
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\PRPPolicySub\0\\PRBUNonWild - 12
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\PRPPolicySub\0\\PRBUSpecified - 31
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\PRPPolicySub\0\\PRBUHost - www.google.com
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\PRPPolicySub\0\\PRBUPort - 80
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\PRPPolicySub\0\\PRBUUrl - www.google.com
policies\Ratings\PICSRules\.Default\0\PRPolicy\2 -
policies\Ratings\PICSRules\.Default\0\PRPolicy\2\\PRPPolicyAttribute - 2
policies\Ratings\PICSRules\.Default\0\PRPolicy\2\PRPPolicySub -
policies\Ratings\PICSRules\.Default\0\PRPolicy\2\PRPPolicySub\\PRNumURLExpressions - 1
policies\Ratings\PICSRules\.Default\0\PRPolicy\2\PRPPolicySub\0 -
policies\Ratings\PICSRules\.Default\0\PRPolicy\2\PRPPolicySub\0\\PRBUInternetPattern - 1
policies\Ratings\PICSRules\.Default\0\PRPolicy\2\PRPPolicySub\0\\PRBUNonWild - 12
policies\Ratings\PICSRules\.Default\0\PRPolicy\2\PRPPolicySub\0\\PRBUSpecified - 31
policies\Ratings\PICSRules\.Default\0\PRPolicy\2\PRPPolicySub\0\\PRBUHost - www.google.co.uk
policies\Ratings\PICSRules\.Default\0\PRPolicy\2\PRPPolicySub\0\\PRBUPort - 80
policies\Ratings\PICSRules\.Default\0\PRPolicy\2\PRPPolicySub\0\\PRBUUrl - www.google.co.uk
policies\system -
policies\system\\dontdisplaylastusername - 0
policies\system\\legalnoticecaption -
policies\system\\legalnoticetext -
policies\system\\shutdownwithoutlogon - 1
policies\system\\undockwithoutlogon - 1

KEY - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies -
policies\Explorer -
policies\Explorer\\NoDriveTypeAutoRun - 145
policies\Explorer\\ForceActiveDesktopOn - 0
policies\Explorer\Run -
policies\System -
policies\System\\DisableTaskMgr - 0
policies\System\\DisableRegistryTools - 0



