We'd like to remind Forumites to please avoid political debate on the Forum... Read More »
We're aware that some users are experiencing technical issues which the team are working to resolve. See the Community Noticeboard for more info. Thank you for your patience.
📨 Have you signed up to the Forum's new Email Digest yet? Get a selection of trending threads sent straight to your inbox daily, weekly or monthly!
Real hassle from virus/spyware
Options
Comments
-
Both of those user accounts above are clean as far as what HJT shows.
Just a few beasties to go on Ros' account from the Panda scan.
Double-click killbox.exe
Click Tools > Delete Temp Files.
Click the drop down menu in the middle and select C:\Documents and Settings\Ros from the list.
Now check/tick the boxes beside the following options above the drop down menu:
[x] Temporary Internet Files
[x] Temp Files
[x] Cookies
[x] XP Prefetch
[x] Recent
[x] History
Then click the Delete Selected Temp Files button.
Back on the main Killbox menu now, select the option "Delete on reboot" and then click the All Files button.
Now highlight and 'copy' (Ctrl + C) the entire list of filepaths below:
c:\windows\hh.ico
c:\windows\180Solutions
C:\Documents and Settings\All Users\Application Data\Four Book Grim Noun
Click 'File' on the killbox menu at the top and choose 'Paste from clipboard'.
Then press the red button with a white X in it.
Killbox will tell you that all listed files will be deleted on next reboot and ask if you wish to reboot now, click Yes.
If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.
==========
WinPFind2 does not need to be run in Safe Mode.
0 -
Thanks, will do this and the windows thing and post right back. Will this remove the Virus Burst fromMichael's too?0
-
This won't touch anything on Michael's account but let's get this one cleaned up first. Adding other user accounts at this stage will only confuse matters.0
-
Hello,
I have used the killbox on the four book noun - the other two files were not there ( I thnk they may have been deleted by ewido ). After this I can run another Panda scan to check. Here's the win find2 report ( it is too long so I will post in bits )
Logfile created on: 09/24/2006 17:49
WinPFind2 by OldTimer - Version 1.0.10 Folder = C:\Documents and Settings\Ros\Desktop\winpfind2\WinPFind2\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)
< All Processes >
\systemroot\system32\smss.exe - (Microsoft Corporation )
\??\c:\windows\system32\csrss.exe - (Microsoft Corporation )
\??\c:\windows\system32\winlogon.exe - (Microsoft Corporation )
c:\windows\system32\services.exe - (Microsoft Corporation )
c:\windows\system32\lsass.exe - (Microsoft Corporation )
c:\windows\system32\ati2evxx.exe - (ATI Technologies Inc. )
c:\windows\system32\svchost.exe [C:\WINDOWS\SYSTEM32\SVCHOST -K DCOMLAUNCH] - (Microsoft Corporation )
(DcomLaunch) C:\WINDOWS\system32\rpcss.dll - (Microsoft Corporation )
(TermService) C:\WINDOWS\System32\termsrv.dll - (Microsoft Corporation )
(TermService) C:\WINDOWS\System32\termsrv.dll - (Microsoft Corporation )
(TermService) C:\WINDOWS\System32\termsrv.dll - (Microsoft Corporation )
(Wmi) - (File not found))
c:\windows\system32\svchost.exe [C:\WINDOWS\SYSTEM32\SVCHOST -K RPCSS] - (Microsoft Corporation )
(RpcSs) C:\WINDOWS\system32\rpcss.dll - (Microsoft Corporation )
(Wmi) - (File not found))
c:\windows\system32\svchost.exe [C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS] - (Microsoft Corporation )
(AppMgmt) C:\WINDOWS\System32\appmgmts.dll - (File not found))
(AudioSrv) C:\WINDOWS\System32\audiosrv.dll - (Microsoft Corporation )
(BITS) C:\WINDOWS\System32\qmgr.dll - (Microsoft Corporation )
(Browser) C:\WINDOWS\System32\browser.dll - (Microsoft Corporation )
(CryptSvc) C:\WINDOWS\System32\cryptsvc.dll - (Microsoft Corporation )
(Dhcp) C:\WINDOWS\System32\dhcpcsvc.dll - (Microsoft Corporation )
(dmserver) C:\WINDOWS\System32\dmserver.dll - (Microsoft Corp. )
(ERSvc) C:\WINDOWS\System32\ersvc.dll - (Microsoft Corporation )
(EventSystem) C:\WINDOWS\System32\es.dll - (Microsoft Corporation )
(FastUserSwitchingCompatibility) C:\WINDOWS\System32\shsvcs.dll - (Microsoft Corporation )
(helpsvc) %WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll - (File not found))
(HidServ) C:\WINDOWS\System32\hidserv.dll - (Microsoft Corporation )
(lanmanserver) C:\WINDOWS\System32\srvsvc.dll - (Microsoft Corporation )
(lanmanworkstation) C:\WINDOWS\System32\wkssvc.dll - (Microsoft Corporation )
(Messenger) C:\WINDOWS\System32\msgsvc.dll - (Microsoft Corporation )
(Netman) C:\WINDOWS\System32\netman.dll - (Microsoft Corporation )
(Nla) C:\WINDOWS\System32\mswsock.dll - (Microsoft Corporation )
(NtmsSvc) C:\WINDOWS\system32\ntmssvc.dll - (Microsoft Corporation )
(RasAuto) C:\WINDOWS\System32\rasauto.dll - (Microsoft Corporation )
(RasMan) C:\WINDOWS\System32\rasmans.dll - (Microsoft Corporation )
(RemoteAccess) C:\WINDOWS\System32\mprdim.dll - (Microsoft Corporation )
(Schedule) C:\WINDOWS\system32\schedsvc.dll - (Microsoft Corporation )
(seclogon) C:\WINDOWS\System32\seclogon.dll - (Microsoft Corporation )
(SENS) C:\WINDOWS\system32\sens.dll - (Microsoft Corporation )
(SharedAccess) C:\WINDOWS\System32\ipnathlp.dll - (Microsoft Corporation )
(ShellHWDetection) C:\WINDOWS\System32\shsvcs.dll - (Microsoft Corporation )
(srservice) C:\WINDOWS\System32\srsvc.dll - (Microsoft Corporation )
(TapiSrv) C:\WINDOWS\System32\tapisrv.dll - (Microsoft Corporation )
(Themes) C:\WINDOWS\System32\shsvcs.dll - (Microsoft Corporation )
(TrkWks) C:\WINDOWS\system32\trkwks.dll - (Microsoft Corporation )
(W32Time) C:\WINDOWS\System32\w32time.dll - (Microsoft Corporation )
(winmgmt) C:\WINDOWS\system32\wbem\WMIsvc.dll - (Microsoft Corporation )
(WmdmPmSN) C:\WINDOWS\system32\MsPMSNSv.dll - (Microsoft Corporation )
(wscsvc) C:\WINDOWS\system32\wscsvc.dll - (Microsoft Corporation )
(wuauserv) C:\WINDOWS\system32\wuauserv.dll - (Microsoft Corporation )
(WZCSVC) C:\WINDOWS\System32\wzcsvc.dll - (Microsoft Corporation )
(xmlprov) C:\WINDOWS\System32\xmlprov.dll - (Microsoft Corporation )
(Wmi) - (File not found))
c:\windows\system32\svchost.exe [C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETWORKSERVICE] - (Microsoft Corporation )
(Dnscache) C:\WINDOWS\System32\dnsrslvr.dll - (Microsoft Corporation )
(Wmi) - (File not found))
c:\windows\system32\svchost.exe [C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K LOCALSERVICE] - (Microsoft Corporation )
(Alerter) C:\WINDOWS\system32\alrsvc.dll - (Microsoft Corporation )
(LmHosts) C:\WINDOWS\System32\lmhsvc.dll - (Microsoft Corporation )
(SSDPSRV) C:\WINDOWS\System32\ssdpsrv.dll - (Microsoft Corporation )
(upnphost) C:\WINDOWS\System32\upnphost.dll - (Microsoft Corporation )
(WebClient) C:\WINDOWS\System32\webclnt.dll - (Microsoft Corporation )
(Wmi) - (File not found))
c:\windows\system32\spoolsv.exe - (Microsoft Corporation )
c:\windows\system32\scardsvr.exe - (Microsoft Corporation )
c:\program files\common files\aol\acs\aolacsd.exe - (America Online, Inc. )
c:\progra~1\grisoft\avgfre~1\avgamsvr.exe - (GRISOFT, s.r.o. )
c:\progra~1\grisoft\avgfre~1\avgupsvc.exe - (GRISOFT, s.r.o. )
c:\windows\system32\svchost.exe [C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K BTHSVCS] - (Microsoft Corporation )
(BthServ) C:\WINDOWS\System32\bthserv.dll - (Microsoft Corporation )
(Wmi) - (File not found))
c:\program files\ewido anti-spyware 4.0\guard.exe - (Anti-Malware Development a.s. )
c:\program files\common files\microsoft shared\vs7debug\mdm.exe - (Microsoft Corporation )
c:\progra~1\mcafee.com\person~1\mpfservice.exe - (McAfee Corporation )
c:\windows\system32\wdfmgr.exe - (Microsoft Corporation )
c:\windows\wanmpsvc.exe - (America Online, Inc. )
c:\windows\system32\ati2evxx.exe - (ATI Technologies Inc. )
c:\windows\explorer.exe - (Microsoft Corporation )
c:\windows\system32\alg.exe - (Microsoft Corporation )
c:\progra~1\mcafee.com\person~1\mpfagent.exe - (McAfee Security )
c:\program files\common files\aol\acs\aoldial.exe - (America Online, Inc )
c:\progra~1\grisoft\avgfre~1\avgcc.exe - (GRISOFT, s.r.o. )
c:\progra~1\grisoft\avgfre~1\avgemc.exe - (GRISOFT, s.r.o. )
c:\windows\sointgr.exe - ( )
c:\program files\quicktime\qttask.exe - (Apple Computer, Inc. )
c:\program files\common files\real\update_ob\realsched.exe - (RealNetworks, Inc. )
c:\windows\system32\spool\drivers\w32x86\3\e_s4i0s2.exe - (SEIKO EPSON CORPORATION )
c:\windows\system32\rundll32.exe - (Microsoft Corporation )
c:\program files\voyagertest\fts.exe - (Friendly Technologies )
c:\program files\bt voyager 105 adsl modem\dslstat.exe - (GlobespanVirata, Inc. )
c:\program files\bt voyager 105 adsl modem\dslagent.exe - ( )
c:\program files\common files\microsoft shared\works shared\wkufind.exe - (Microsoft® Corporation )
c:\windows\twain_32\slimu2ta\hotkey.exe - (Pmx. Electronics Ltd. )
c:\windows\system32\wbem\wmiprvse.exe - (Microsoft Corporation )
c:\windows\system32\wuauclt.exe - (Microsoft Corporation )
c:\program files\ewido anti-spyware 4.0\ewido.exe - (Anti-Malware Development a.s. )
c:\program files\home cinema\powercinema\pcmservice.exe - ( )
c:\progra~1\mcafee.com\person~1\mpftray.exe - (McAfee Security )
c:\program files\musicmatch\musicmatch jukebox\mmtask.exe - (TODO: <Company name> )
c:\progra~1\common~1\x10\common\x10nets.exe - (X10 )
c:\windows\cnyhkey.exe - (Chicony )
c:\windows\system32\spool\drivers\w32x86\3\e_s10ic2.exe - (SEIKO EPSON CORPORATION )
c:\windows\dit.exe - (ICSI Technology Ltd. )
c:\windows\system32\rundll32.exe - (Microsoft Corporation )
c:\windows\mhotkey.exe - (Chicony )
c:\windows\system32\ctfmon.exe - (Microsoft Corporation )
c:\program files\skype\phone\skype.exe - ( )
c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe - (Adobe Systems Incorporated )
c:\program files\aol 9.0\aoltray.exe - (America Online, Inc. )
c:\program files\aol\broadband checkup\bin\mpbtn.exe - ( )
c:\documents and settings\ros\desktop\winpfind2\winpfind2\winpfind2.exe - (OldTimer Tools )
< Registry Entries >
[>> Internet Explorer Settings <<]
HKLM->Main\\Start Page - http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKLM->Main\\Search Page - http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM->Main\\Default_Page_URL - http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKLM->Main\\Default_Search_URL - http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM->Main\\Local Page - C:\windows\system32\blank.htm
HKCU->Main\\Start Page - http://www.google.co.uk/
HKCU->Main\\Search Page - http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU->Main\\Default_Search_URL - http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU->Main\\Local Page - C:\windows\system32\blank.htm
HKLM->Search\\CustomizeSearch - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
HKLM->Search\\SearchAssistant - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKCU->URLSearchHooks\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Microsoft Url Search Hook = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation )
HKCU->Internet Settings\\ProxyEnable - 0
HKCU->Internet Settings\\ProxyOverride - 127.0.0.1
[>> BHO's <<]
!!02478D38-C3F9-4efb-9B51-7695ECA05670} - Yahoo! Companion BHO = C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (Yahoo! Inc. )
!!06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - Adobe PDF Reader Link Helper = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated )
!!53707962-6F74-2D53-2644-206D7942484F} - = C:\PROGRA~1\SPYBOT~1\SDHelper.dll (Safer Networking Limited )
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - MSN Search Toolbar Helper = C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll (Microsoft Corporation )
{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - EpsonToolBandKicker Class = C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION )
[>> Internet Explorer Bars, Toolbars and Extensions <<]
[HKLM-> Internet Explorer Bars]
!!4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation )
[HKCU-> Internet Explorer Bars]
!!32683183-48a0-441b-a342-7c2a440a9478} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
{EFA24E61-B078-11D0-89E4-00C04FC9E26E} - Favorites Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation )
{EFA24E64-B078-11D0-89E4-00C04FC9E26E} - Explorer Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation )
[HKLM-> Internet Explorer ToolBars]
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - MSN Search Toolbar = C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll (Microsoft Corporation )
{EE5D279F-081B-4404-994D-C6B60AAEBA6D} - EPSON Web-To-Page = C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION )
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Companion = C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (Yahoo! Inc. )
[HKCU-> Internet Explorer ToolBars]
ShellBrowser\\!!01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
ShellBrowser\\{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - MSN Search Toolbar = C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll (Microsoft Corporation )
WebBrowser\\!!01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
WebBrowser\\!!0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
WebBrowser\\{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - MSN Search Toolbar = C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll (Microsoft Corporation )
WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Companion = C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (Yahoo! Inc. )
[HKCU-> Internet Explorer CmdMapping]
{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - 8193 - Reg Data missing or invalid
{FB5F1910-F110-11d2-BB9E-00C04F795683} - 8194 - Windows Messenger
NextId - 8195
[HKLM-> Internet Explorer Extensions]
{FB5F1910-F110-11d2-BB9E-00C04F795683} - ButtonText: Messenger = C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation )
[HKCU-> Internet Explorer Menu Extensions]
&MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll/search.htm (File not found))
Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/229?baf4cc0bf14f4849937c1031a101 (Microsoft Corporation )
Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/230?baf4cc0bf14f4849937c1031a101 (Microsoft Corporation )
[HKLM-> Internet Explorer Plugins]
.spop - Reg Data missing or invalid = C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll (InterTrust Technologies Corporation, Inc. )
[>> Approved Shell Extensions (Non-Microsoft only) <<]
[HKLM-> Approved Shell Extensions]
!!0DF44EAA-FF21-4412-828E-260A8728E7F1} - Taskbar and Start Menu = Reg Data missing or invalid (File not found))
!!32683183-48a0-441b-a342-7c2a440a9478} - Media Band = Reg Data missing or invalid (File not found))
!!42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = deskpan.dll (File not found))
!!764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = Reg Data missing or invalid (File not found))
!!7A9D77BD-5403-11d2-8785-2E0420524153} - User Accounts = Reg Data missing or invalid (File not found))
!!853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = Reg Data missing or invalid (File not found))
!!88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINDOWS\System32\hticons.dll (Hilgraeve, Inc. )
!!8FF88D21-7BD0-11D1-BFB7-00AA00262A11} - WinAce Archiver 2.61 Context Menu Shell Extension = Reg Data missing or invalid (File not found))
!!8FF88D23-7BD0-11D1-BFB7-00AA00262A11} - WinAce Archiver 2.61 Property Sheet Shell Extension = Reg Data missing or invalid (File not found))
!!8FF88D25-7BD0-11D1-BFB7-00AA00262A11} - WinAce Archiver 2.61 DragDrop Shell Extension = Reg Data missing or invalid (File not found))
!!8FF88D27-7BD0-11D1-BFB7-00AA00262A11} - WinAce Archiver 2.61 Context Menu Shell Extension = Reg Data missing or invalid (File not found))
!!9F97547E-4609-42C5-AE0C-81C61FFAEBC3} - AVG7 Shell Extension = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o. )
!!9F97547E-460A-42C5-AE0C-81C61FFAEBC3} - AVG7 Find Extension = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o. )
{DCED20BE-3645-11D4-BC95-00C04F0E0588} - InoShell = C:\Program Files\CA\eTrust Antivirus\InoShell.dll (Computer Associates International, Inc. )
{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} - Shell Extensions for RealOne Player = C:\Program Files\Real\RealPlayer\rpshellext.dll (RealNetworks )
[HKCU-> Approved Shell Extensions]
{BDEADF00-C265-11d0-BCED-00A0C90AB50F} - Web Folders = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL (Microsoft Corporation )
[>> ContextMenuHandlers (Non-Microsoft only) <<]
[HKLM-> ContextMenuHandlers]
* - AVG7 Shell Extension - !!9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o. )
* - ewido anti-spyware - !!8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll (Anti-Malware Development a.s. )
* - InoShell - {DCED20BE-3645-11D4-BC95-00C04F0E0588} = C:\Program Files\CA\eTrust Antivirus\InoShell.dll (Computer Associates International, Inc. )
* - WinRAR - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
* - ZONERMenu - !!7B793D33-DB64-11D0-8720-0020AF158EA5} = C:\Program Files\Zoner\Draw 3\Program\FShEx30.dll (ZONER software, Ltd. )
Directory - ewido anti-spyware - !!8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll (Anti-Malware Development a.s. )
Directory - InoShell - {DCED20BE-3645-11D4-BC95-00C04F0E0588} = C:\Program Files\CA\eTrust Antivirus\InoShell.dll (Computer Associates International, Inc. )
Directory - WinRAR - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
Directory - ZONERMenu - !!7B793D33-DB64-11D0-8720-0020AF158EA5} = C:\Program Files\Zoner\Draw 3\Program\FShEx30.dll (ZONER software, Ltd. )
Folder - AVG7 Shell Extension - !!9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o. )
Folder - WinRAR - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
Folder - ZONERMenu - !!7B793D33-DB64-11D0-8720-0020AF158EA5} = C:\Program Files\Zoner\Draw 3\Program\FShEx30.dll (ZONER software, Ltd. )
[>> ColumnHandlers (Non-Microsoft only) <<]
[HKLM-> ColumnHandlers]
Folder - {F9DB5320-233E-11D1-9F84-707F02C10627} - PDF Shell Extension = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll (Adobe Systems, Inc. )
[>> File Associations Keys <<]
HKLM->SOFTWARE\Classes\.bat\\'' - batfile
HKLM->SOFTWARE\Classes\batfile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.cmd\\'' - cmdfile
HKLM->SOFTWARE\Classes\cmdfile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.com\\'' - comfile
HKLM->SOFTWARE\Classes\comfile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.exe\\'' - exefile
HKLM->SOFTWARE\Classes\exefile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.hta\\'' - htafile
HKLM->SOFTWARE\Classes\htafile\shell\open\command\\'' - C:\WINDOWS\System32\mshta.exe "%1" %*
HKLM->SOFTWARE\Classes\.js\\'' - JSFile
HKLM->SOFTWARE\Classes\jsfile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.jse\\'' - JSEFile
HKLM->SOFTWARE\Classes\jsefile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.scr\\'' - scrfile
HKLM->SOFTWARE\Classes\scrfile\shell\open\command\\'' - "%1" /S
HKLM->SOFTWARE\Classes\.vbe\\'' - VBEFile
HKLM->SOFTWARE\Classes\vbefile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.vbs\\'' - VBSFile
HKLM->SOFTWARE\Classes\vbsfile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.wsf\\'' - WSFFile
HKLM->SOFTWARE\Classes\wsffile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.wsh\\'' - WSHFile
HKLM->SOFTWARE\Classes\wshfile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.txt\\'' - txtfile
HKLM->SOFTWARE\Classes\txtfile\shell\open\command\\'' - %SystemRoot%\system32\NOTEPAD.EXE %1
[>> Registry Run Keys <<]
HKLM->Run\\!ewido - "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized (Anti-Malware Development a.s. )
HKLM->Run\\%FP%Friendly fts.exe - "C:\Program Files\VoyagerTest\fts.exe" (Friendly Technologies )
HKLM->Run\\AOLDialer - C:\Program Files\Common Files\AOL\ACS\AOLDial.exe (America Online, Inc )
HKLM->Run\\ATIPTA - C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe (ATI Technologies, Inc. )
HKLM->Run\\AVG7_CC - C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP (GRISOFT, s.r.o. )
HKLM->Run\\AVG7_EMC - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe (GRISOFT, s.r.o. )
HKLM->Run\\BluetoothAuthenticationAgent - rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent (Microsoft Corporation )
HKLM->Run\\CHotkey - mHotkey.exe (Chicony )
HKLM->Run\\Cmaudio - RunDll32 cmicnfg.cpl,CMICtrlWnd (File not found))
HKLM->Run\\Dit - Dit.exe (ICSI Technology Ltd. )
HKLM->Run\\DSLAGENTEXE - C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe ( )
HKLM->Run\\DSLSTATEXE - C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon (GlobespanVirata, Inc. )
HKLM->Run\\EPSON Stylus C64 Series - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64" (SEIKO EPSON CORPORATION )
HKLM->Run\\EPSON Stylus C66 Series - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0S2.EXE /P23 "EPSON Stylus C66 Series" /O6 "USB002" /M "Stylus C66" (SEIKO EPSON CORPORATION )
HKLM->Run\\HotKey - C:\WINDOWS\Twain_32\SlimU2TA\HotKey.exe (Pmx. Electronics Ltd. )
HKLM->Run\\ledpointer - CNYHKey.exe (Chicony )
HKLM->Run\\Microsoft Works Update Detection - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe (Microsoft® Corporation )
HKLM->Run\\mmtask - C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe (TODO: <Company name> )
HKLM->Run\\MPFExe - C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe (McAfee Security )
HKLM->Run\\NeroFilterCheck - C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh )
HKLM->Run\\PCMService - "C:\Program Files\Home Cinema\PowerCinema\PCMService.exe" ( )
HKLM->Run\\QuickTime Task - "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Computer, Inc. )
HKLM->Run\\SO5 Integrator Pass Two - C:\WINDOWS\SOINTGR.EXE ( )
HKLM->Run\\TkBellExe - "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (RealNetworks, Inc. )
HKLM->Run\OptionalComponents\IMAIL - Installed = 1
HKLM->Run\OptionalComponents\MAPI - Installed = 1
HKLM->Run\OptionalComponents\MSFS - Installed = 1
HKCU->Run\\ctfmon.exe - C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation )
HKCU->Run\\MoneyAgent - "C:\Program Files\Microsoft Money\System\mnyexpr.exe" (Microsoft Corp. )
HKCU->Run\\Skype - "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized ( )0 -
[>> Miscellaneous Startup Keys <<]
[AppInit DLLs]
AppInit_DLL - (File not found))
[Image File Execution Options]
Your Image File Name Here without a path - De!!!!!! = ntsd -d
[Shell Service Object Delay Load]
CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
PostBootReminder - !!7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
SysTray - !!35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll (Microsoft Corporation )
WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll (Microsoft Corporation )
[Shell Execute Hooks]
!!57B86673-276A-48B2-BAE7-C6DBB3020EB8} - CShellExecuteHookImpl Object = C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll (Anti-Malware Development a.s. )
{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation )
[Shared Task Scheduler]
!!438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
!!8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
[SafeBoot Option]
[HKLM Command Processor AutoRun]
HKLM->Command Processor\\AutoRun -
[HKCU Command Processor AutoRun]
[Security Providers]
SecurityProviders\\SecurityProviders - msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
[BootExecute]
Session Manager\\BootExecute - autocheck autochk *;
[PendingFileRenameOperations]
[FileRenameOperations]
[ExcludeFromKnownDlls]
Session Manager\\ExcludeFromKnownDlls -
[>> Disabled MSConfig Items <<]
[>> User Agent Post Platform <<]
SV1 -
[>> Winlogon <<]
HMLM->UserInit - C:\WINDOWS\system32\userinit.exe, (Microsoft Corporation )
HKLM->Shell - Explorer.exe (Microsoft Corporation )
HKLM->System - (File not found))
HKLM->VMApplet - rundll32 shell32,Control_RunDLL "sysdm.cpl"
Notify\AtiExtEvent - Ati2evxx.dll (ATI Technologies Inc. )
Notify\crypt32chain - crypt32.dll (Microsoft Corporation )
Notify\cryptnet - cryptnet.dll (Microsoft Corporation )
Notify\cscdll - cscdll.dll (Microsoft Corporation )
Notify\ScCertProp - wlnotify.dll (Microsoft Corporation )
Notify\Schedule - wlnotify.dll (Microsoft Corporation )
Notify\sclgntfy - sclgntfy.dll (Microsoft Corporation )
Notify\SensLogn - WlNotify.dll (Microsoft Corporation )
Notify\termsrv - wlnotify.dll (Microsoft Corporation )
Notify\WgaLogon - WgaLogon.dll (Microsoft Corporation )
Notify\wlballoon - wlnotify.dll (Microsoft Corporation )
[>> DNS Name Servers <<]
!!0450D048-DBFB-47F8-B03B-7F4E0A7D9EBC} - (PRISM 802.11g Wireless Adapter)
!!39323544-2667-4BEB-BD7B-6BBF285BFC78} - (VIA VT6105 Rhine III Fast Ethernet Adapter)
!!584633EB-3C3F-4E95-9DEE-CDD68BB89B4D} - (GlobeSpan USB ADSL LAN Modem)
{BB0E1D11-3E23-40B8-9510-A8AEADFA946A} - (1394 Net Adapter)
{D202B4AB-4CA1-41A3-8636-D13D283FEE5E} - ()
{D3C8B693-89BE-4B0E-8591-C73DDEBAB50D} - ()
{E5B01D0B-CC0F-4B33-921B-AB9C28F7489B} - (1394 Net Adapter)
[>> All Winsock2 Catalogs <<]
NameSpace_Catalog5\Catalog_Entries\000000000001 - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation )
NameSpace_Catalog5\Catalog_Entries\000000000002 - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation )
NameSpace_Catalog5\Catalog_Entries\000000000003 - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation )
NameSpace_Catalog5\Catalog_Entries\000000000004 - %SystemRoot%\system32\wshbth.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000002 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000003 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000004 - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000005 - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000006 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000007 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000008 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000009 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000010 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000011 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000012 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000013 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000014 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000015 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000016 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000017 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000018 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000019 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000020 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000021 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000022 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000023 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000024 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000025 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000026 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
[>> Protocol Handlers (Non-Microsoft only) <<]
ipp - (File not found))
msdaipp - (File not found))
[>> Protocol Filters (Non-Microsoft only) <<]
< All Services >
Application Layer Gateway Service (ALG) - C:\WINDOWS\System32\alg.exe (Microsoft Corporation ) [On Demand - Running - Win32, running in it's own process]
AOL Connectivity Service (AOL ACS) - "C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe" (America Online, Inc. ) [Automatic - Running - Win32, running in it's own process]
Ati HotKey Poller (Ati HotKey Poller) - C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc. ) [Automatic - Running - Win32, running in it's own process]
Windows Audio (AudioSrv) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
AVG7 Alert Manager Server (Avg7Alrt) - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (GRISOFT, s.r.o. ) [Automatic - Running - Win32, running in it's own process]
AVG7 Update Service (Avg7UpdSvc) - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (GRISOFT, s.r.o. ) [Automatic - Running - Win32, running in it's own process]
Background Intelligent Transfer Service (BITS) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Bluetooth Support Service (BthServ) - C:\WINDOWS\system32\svchost.exe -k bthsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Cryptographic Services (CryptSvc) - C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
DCOM Server Process Launcher (DcomLaunch) - C:\WINDOWS\system32\svchost -k DcomLaunch (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
DHCP Client (Dhcp) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
DNS Client (Dnscache) - C:\WINDOWS\System32\svchost.exe -k NetworkService (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Error Reporting Service (ERSvc) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Event Log (Eventlog) - C:\WINDOWS\system32\services.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
COM+ Event System (EventSystem) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [On Demand - Running - Win32, running in a shared process]
ewido anti-spyware 4.0 guard (ewido anti-spyware 4.0 guard) - C:\Program Files\ewido anti-spyware 4.0\guard.exe (Anti-Malware Development a.s. ) [Automatic - Running - Win32, running in it's own process]
Fast User Switching Compatibility (FastUserSwitchingCompatibility) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [On Demand - Running - Win32, running in a shared process]
Help and Support (helpsvc) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
HID Input Service (HidServ) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Server (lanmanserver) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Workstation (lanmanworkstation) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
TCP/IP NetBIOS Helper (LmHosts) - C:\WINDOWS\System32\svchost.exe -k LocalService (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Machine Debug Manager (MDM) - "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" (Microsoft Corporation ) [Automatic - Running - Win32, running in it's own process]
McAfee Personal Firewall Service (MpfService) - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe (McAfee Corporation ) [Automatic - Running - Win32, running in it's own process]
Network Connections (Netman) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [On Demand - Running - Win32, running in a shared process]
Network Location Awareness (NLA) (Nla) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [On Demand - Running - Win32, running in a shared process]
Plug and Play (PlugPlay) - C:\WINDOWS\system32\services.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
IPSEC Services (PolicyAgent) - C:\WINDOWS\System32\lsass.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Protected Storage (ProtectedStorage) - C:\WINDOWS\system32\lsass.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Remote Access Connection Manager (RasMan) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [On Demand - Running - Win32, running in a shared process]
Remote Procedure Call (RPC) (RpcSs) - C:\WINDOWS\system32\svchost -k rpcss (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Security Accounts Manager (SamSs) - C:\WINDOWS\system32\lsass.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Smart Card (SCardSvr) - C:\WINDOWS\System32\SCardSvr.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Task Scheduler (Schedule) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Secondary Logon (seclogon) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
System Event Notification (SENS) - C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Shell Hardware Detection (ShellHWDetection) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Print Spooler (Spooler) - C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in it's own process]
System Restore Service (srservice) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
SSDP Discovery Service (SSDPSRV) - C:\WINDOWS\System32\svchost.exe -k LocalService (Microsoft Corporation ) [On Demand - Running - Win32, running in a shared process]
Telephony (TapiSrv) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [On Demand - Running - Win32, running in a shared process]
Terminal Services (TermService) - C:\WINDOWS\System32\svchost -k DComLaunch (Microsoft Corporation ) [On Demand - Running - Win32, running in a shared process]
Themes (Themes) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Distributed Link Tracking Client (TrkWks) - C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Windows User Mode Driver Framework (UMWdf) - C:\WINDOWS\system32\wdfmgr.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in it's own process]
Windows Time (W32Time) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
WAN Miniport (ATW) Service (WANMiniportService) - "C:\WINDOWS\wanmpsvc.exe" (America Online, Inc. ) [Automatic - Running - Win32, running in it's own process]
WebClient (WebClient) - C:\WINDOWS\System32\svchost.exe -k LocalService (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Windows Management Instrumentation (winmgmt) - C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Security Center (wscsvc) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Automatic Updates (wuauserv) - C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Wireless Zero Configuration (WZCSVC) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
X10 Device Network Service (x10nets) - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe (X10 ) [On Demand - Running - Win32, running in it's own process]
< Files >
%SystemDrive%
%ProgramFilesDir%
%WinDir%
C:\WINDOWS\spoolsvt.exe - UPX! ( [Ver = 1, 0, 0, 1 | Size = 7681 bytes | Date = 01/06/2005 01:13 | Attr = ])
%System%
C:\WINDOWS\SYSTEM32\dfrg.msc - PEC2 ( [Ver = | Size = 41397 bytes | Date = 08/29/2002 13:00 | Attr = ])
C:\WINDOWS\SYSTEM32\divxdec.ax - FSG! (DivXNetworks, Inc. [Ver = 5.1.1.1031 | Size = 236544 bytes | Date = 12/10/2003 16:36 | Attr = ])
C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL - PTech (Microsoft Corporation [Ver = 1.5.0708.0 | Size = 1484592 bytes | Date = 08/07/2006 09:50 | Attr = ])
C:\WINDOWS\SYSTEM32\MRT.exe - PECompact2 (Microsoft Corporation [Ver = 1.20.1625.0 | Size = 8960936 bytes | Date = 09/11/2006 18:37 | Attr = ])
C:\WINDOWS\SYSTEM32\MRT.exe - aspack (Microsoft Corporation [Ver = 1.20.1625.0 | Size = 8960936 bytes | Date = 09/11/2006 18:37 | Attr = ])
C:\WINDOWS\SYSTEM32\ntbackup.exe - WSUD (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 1135616 bytes | Date = 08/18/2001 07:36 | Attr = ])
C:\WINDOWS\SYSTEM32\ntdll.dll - aspack (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 708096 bytes | Date = 08/04/2004 08:56 | Attr = ])
C:\WINDOWS\SYSTEM32\nusrmgr.cpl - WSUD (Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 257024 bytes | Date = 08/04/2004 08:56 | Attr = ])
C:\WINDOWS\SYSTEM32\rasdlg.dll - Umonitor (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 657920 bytes | Date = 08/04/2004 08:56 | Attr = ])
C:\WINDOWS\SYSTEM32\SrchSTS.exe - UPX! (S!Ri [Ver = | Size = 288417 bytes | Date = 09/24/2006 11:20 | Attr = ])
C:\WINDOWS\SYSTEM32\swreg.exe - UPX! (SteelWerX [Ver = 2.0.1.0 | Size = 135168 bytes | Date = 09/24/2006 11:20 | Attr = ])
C:\WINDOWS\SYSTEM32\swsc.exe - UPX! ( [Ver = | Size = 40960 bytes | Date = 09/24/2006 11:20 | Attr = ])
C:\WINDOWS\SYSTEM32\wbdbase.deu - winsync ( [Ver = | Size = 1309184 bytes | Date = 08/29/2002 13:00 | Attr = ])
C:\WINDOWS\SYSTEM32\WgaTray.exe - PTech (Microsoft Corporation [Ver = 1.5.0540.0 | Size = 304944 bytes | Date = 06/19/2006 16:19 | Attr = ])
%System%\Drivers folder and sub-folders
C:\WINDOWS\SYSTEM32\drivers\avg7core.sys - UPX! (GRISOFT, s.r.o. [Ver = 7,1,0,402 | Size = 777472 bytes | Date = 08/09/2006 09:44 | Attr = ])
C:\WINDOWS\SYSTEM32\drivers\avg7core.sys - FSG! (GRISOFT, s.r.o. [Ver = 7,1,0,402 | Size = 777472 bytes | Date = 08/09/2006 09:44 | Attr = ])
C:\WINDOWS\SYSTEM32\drivers\avg7core.sys - PEC2 (GRISOFT, s.r.o. [Ver = 7,1,0,402 | Size = 777472 bytes | Date = 08/09/2006 09:44 | Attr = ])
C:\WINDOWS\SYSTEM32\drivers\avg7core.sys - aspack (GRISOFT, s.r.o. [Ver = 7,1,0,402 | Size = 777472 bytes | Date = 08/09/2006 09:44 | Attr = ])
C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys - PTech (Smart Link [Ver = 3.80.01MC15 | Size = 1309184 bytes | Date = 08/04/2004 06:41 | Attr = ])0 -
%windir% + sub-dirs for System or Hidden files less than 60 days old
C:\WINDOWS\bootstat.dat - ( [Ver = | Size = 2048 bytes | Date = 09/24/2006 17:42 | Attr = S])
C:\WINDOWS\QTFont.qfn - ( [Ver = | Size = 54156 bytes | Date = 09/20/2006 10:17 | Attr = H ])
C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918899.cat - ( [Ver = | Size = 23751 bytes | Date = 07/28/2006 13:16 | Attr = S])
C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB920214.cat - ( [Ver = | Size = 10337 bytes | Date = 07/27/2006 15:00 | Attr = S])
C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB922582.cat - ( [Ver = | Size = 11749 bytes | Date = 08/21/2006 14:00 | Attr = S])
C:\WINDOWS\system32\config\default.LOG - ( [Ver = | Size = 1024 bytes | Date = 09/24/2006 17:43 | Attr = H ])
C:\WINDOWS\system32\config\SAM.LOG - ( [Ver = | Size = 1024 bytes | Date = 09/24/2006 17:42 | Attr = H ])
C:\WINDOWS\system32\config\SECURITY.LOG - ( [Ver = | Size = 1024 bytes | Date = 09/24/2006 17:43 | Attr = H ])
C:\WINDOWS\system32\config\software.LOG - ( [Ver = | Size = 1024 bytes | Date = 09/24/2006 17:45 | Attr = H ])
C:\WINDOWS\system32\config\system.LOG - ( [Ver = | Size = 1024 bytes | Date = 09/24/2006 17:44 | Attr = H ])
C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG - ( [Ver = | Size = 1024 bytes | Date = 09/12/2006 23:31 | Attr = H ])
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - ( [Ver = | Size = 1024 bytes | Date = 09/22/2006 23:33 | Attr = H ])
C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\9e0a17b5-b14c-44c8-8e58-8d192d36658b - ( [Ver = | Size = 388 bytes | Date = 08/17/2006 21:47 | Attr = HS])
C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred - ( [Ver = | Size = 24 bytes | Date = 08/17/2006 21:47 | Attr = HS])
C:\WINDOWS\Tasks\SA.DAT - ( [Ver = | Size = 6 bytes | Date = 09/24/2006 17:42 | Attr = H ])
CPL files -
C:\WINDOWS\SYSTEM32\access.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 68608 bytes | Date = 08/04/2004 08:56 | Attr = ])
C:\WINDOWS\SYSTEM32\appwiz.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 549888 bytes | Date = 08/04/2004 08:56 | Attr = ])
C:\WINDOWS\SYSTEM32\bdeadmin.cpl - ( [Ver = | Size = 183808 bytes | Date = 11/12/1999 06:11 | Attr = ])
C:\WINDOWS\SYSTEM32\bthprops.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 110592 bytes | Date = 08/04/2004 08:56 | Attr = ])
C:\WINDOWS\SYSTEM32\desk.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 135168 bytes | Date = 08/04/2004 08:56 | Attr = ])
C:\WINDOWS\SYSTEM32\firewall.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 80384 bytes | Date = 08/04/2004 08:56 | Attr = ])
C:\WINDOWS\SYSTEM32\hdwwiz.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 155136 bytes | Date = 08/04/2004 08:56 | Attr = ])
C:\WINDOWS\SYSTEM32\inetcpl.cpl - (Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 358400 bytes | Date = 08/04/2004 08:56 | Attr = ])
C:\WINDOWS\SYSTEM32\intl.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 129536 bytes | Date = 08/04/2004 08:56 | Attr = ])
C:\WINDOWS\SYSTEM32\irprops.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 380416 bytes | Date = 08/04/2004 08:56 | Attr = ])
C:\WINDOWS\SYSTEM32\joy.cpl - (Microsoft Corporation [Ver = 5.03.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 68608 bytes | Date = 08/04/2004 08:56 | Attr = ])
C:\WINDOWS\SYSTEM32\main.cpl - (Microsoft Corporation [Ver = 5.1.2403.1 | Size = 187904 bytes | Date = 08/29/2002 13:00 | Attr = ])
C:\WINDOWS\SYSTEM32\mmsys.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 618496 bytes | Date = 08/04/2004 08:56 | Attr = ])
C:\WINDOWS\SYSTEM32\ncpa.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 35840 bytes | Date = 08/29/2002 13:00 | Attr = ])
C:\WINDOWS\SYSTEM32\netsetup.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 25600 bytes | Date = 08/04/2004 08:56 | Attr = ])
C:\WINDOWS\SYSTEM32\nusrmgr.cpl - (Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 257024 bytes | Date = 08/04/2004 08:56 | Attr = ])
C:\WINDOWS\SYSTEM32\odbccp32.cpl - (Microsoft Corporation [Ver = 3.525.1117.0 (xpsp_sp2_rtm.040803-2158) | Size = 32768 bytes | Date = 08/04/2004 08:56 | Attr = ])
C:\WINDOWS\SYSTEM32\pmxusb.cpl - ( [Ver = | Size = 14336 bytes | Date = 07/30/1998 06:44 | Attr = R ])
C:\WINDOWS\SYSTEM32\powercfg.cpl - (Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 114688 bytes | Date = 08/04/2004 08:56 | Attr = ])
C:\WINDOWS\SYSTEM32\QuickTime.cpl - (Apple Computer, Inc. [Ver = 6.5.1 | Size = 323072 bytes | Date = 04/08/2004 15:12 | Attr = ])
C:\WINDOWS\SYSTEM32\sysdm.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 298496 bytes | Date = 08/04/2004 08:56 | Attr = ])
C:\WINDOWS\SYSTEM32\telephon.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 28160 bytes | Date = 08/29/2002 13:00 | Attr = ])
C:\WINDOWS\SYSTEM32\timedate.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 94208 bytes | Date = 08/04/2004 08:56 | Attr = ])
C:\WINDOWS\SYSTEM32\wscui.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 148480 bytes | Date = 08/04/2004 08:56 | Attr = ])
C:\WINDOWS\SYSTEM32\wuaucpl.cpl - (Microsoft Corporation [Ver = 5.8.0.2469 built by: lab01_n(wmbla) | Size = 174360 bytes | Date = 05/26/2005 04:16 | Attr = ])
C:\WINDOWS\SYSTEM32\dllcache\main.cpl - (Microsoft Corporation [Ver = 5.1.2403.1 | Size = 187904 bytes | Date = 08/29/2002 13:00 | Attr = ])
C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 35840 bytes | Date = 08/29/2002 13:00 | Attr = ])
C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 28160 bytes | Date = 08/29/2002 13:00 | Attr = ])
C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl - (Microsoft Corporation [Ver = 5.8.0.2469 built by: lab01_n(wmbla) | Size = 174360 bytes | Date = 05/26/2005 04:16 | Attr = ])
Auto-Start Folders
HKLM->Explorer\Shell Folders\\Common Startup = C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 29696 bytes | Date = 09/23/2005 22:05 | Attr = ])
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk - C:\Program Files\AOL 9.0\aoltray.exe (America Online, Inc. [Ver = 9.00.001 | Size = 156784 bytes | Date = 05/10/2004 19:29 | Attr = H ])
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL Broadband Check-Up.lnk - C:\Program Files\AOL\Broadband CheckUp\bin\matcli.exe (Motive Communications, Inc. [Ver = 5.8.1.asst_classic.asst_matcli.20040316_162000 | Size = 217088 bytes | Date = 03/16/2004 18:49 | Attr = ])
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini - ( [Ver = | Size = 84 bytes | Date = 02/26/2004 18:23 | Attr = HS])
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation [Ver = 9.0.3720 | Size = 65588 bytes | Date = 01/21/2000 09:15 | Attr = ])
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk - C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe (Microsoft Corporation [Ver = 02.05.0001.1119 | Size = 238080 bytes | Date = 09/20/2005 18:10 | Attr = ])
HKLM->Explorer\User Shell Folders\\Common Startup = %ALLUSERSPROFILE%\Start Menu\Programs\Startup
HKLM->Explorer\Shell Folders\\Startup = C:\Documents and Settings\Ros\Start Menu\Programs\Startup
C:\Documents and Settings\Ros\Start Menu\Programs\Startup\desktop.ini - ( [Ver = | Size = 84 bytes | Date = 02/26/2004 18:23 | Attr = HS])
HKCU->Explorer\User Shell Folders\\Startup = %USERPROFILE%\Start Menu\Programs\Startup
Miscellaneous Auto-Start Files
System.ini->[Boot]\\Shell - Explorer.exe
Config.nt: Line 1 - REM Windows MS-DOS Startup File
Config.nt: Line 2 - REM
Config.nt: Line 3 - REM CONFIG.SYS vs CONFIG.NT
Config.nt: Line 4 - REM CONFIG.SYS is not used to initialize the MS-DOS environment.
Config.nt: Line 5 - REM CONFIG.NT is used to initialize the MS-DOS environment unless a
Config.nt: Line 6 - REM different startup file is specified in an application's PIF.
Config.nt: Line 7 - REM
Config.nt: Line 8 - REM ECHOCONFIG
Config.nt: Line 9 - REM By default, no information is displayed when the MS-DOS environment
Config.nt: Line 10 - REM is initialized. To display CONFIG.NT/AUTOEXEC.NT information, add
Config.nt: Line 11 - REM the command echoconfig to CONFIG.NT or other startup file.
Config.nt: Line 12 - REM
Config.nt: Line 13 - REM NTCMDPROMPT
Config.nt: Line 14 - REM When you return to the command prompt from a TSR or while running an
Config.nt: Line 15 - REM MS-DOS-based application, Windows runs COMMAND.COM. This allows the
Config.nt: Line 16 - REM TSR to remain active. To run CMD.EXE, the Windows command prompt,
Config.nt: Line 17 - REM rather than COMMAND.COM, add the command ntcmdprompt to CONFIG.NT or
Config.nt: Line 18 - REM other startup file.
Config.nt: Line 19 - REM
Config.nt: Line 20 - REM DOSONLY
Config.nt: Line 21 - REM By default, you can start any type of application when running
Config.nt: Line 22 - REM COMMAND.COM. If you start an application other than an MS-DOS-based
Config.nt: Line 23 - REM application, any running TSR may be disrupted. To ensure that only
Config.nt: Line 24 - REM MS-DOS-based applications can be started, add the command dosonly to
Config.nt: Line 25 - REM CONFIG.NT or other startup file.
Config.nt: Line 26 - REM
Config.nt: Line 27 - REM EMM
Config.nt: Line 28 - REM You can use EMM command line to configure EMM(Expanded Memory Manager).
Config.nt: Line 29 - REM The syntax is:
Config.nt: Line 30 - REM
Config.nt: Line 31 - REM EMM = [A=AltRegSets] [RAM]
Config.nt: Line 32 - REM
Config.nt: Line 33 - REM AltRegSets
Config.nt: Line 34 - REM specifies the total Alternative Mapping Register Sets you
Config.nt: Line 35 - REM want the system to support. 1 <= AltRegSets <= 255. The
Config.nt: Line 36 - REM default value is 8.
Config.nt: Line 37 - REM BaseSegment
Config.nt: Line 38 - REM specifies the starting segment address in the Dos conventional
Config.nt: Line 39 - REM memory you want the system to allocate for EMM page frames.
Config.nt: Line 40 - REM The value must be given in Hexdecimal.
Config.nt: Line 41 - REM 0x1000 <= BaseSegment <= 0x4000. The value is rounded down to
Config.nt: Line 42 - REM 16KB boundary. The default value is 0x4000
Config.nt: Line 43 - REM RAM
Config.nt: Line 44 - REM specifies that the system should only allocate 64Kb address
Config.nt: Line 45 - REM space from the Upper Memory Block(UMB) area for EMM page frames
Config.nt: Line 46 - REM and leave the rests(if available) to be used by DOS to support
Config.nt: Line 47 - REM loadhigh and devicehigh commands. The system, by default, would
Config.nt: Line 48 - REM allocate all possible and available UMB for page frames.
Config.nt: Line 49 - REM
Config.nt: Line 50 - REM The EMM size is determined by pif file(either the one associated
Config.nt: Line 51 - REM with your application or _default.pif). If the size from PIF file
Config.nt: Line 52 - REM is zero, EMM will be disabled and the EMM line will be ignored.
Config.nt: Line 53 - REM
Config.nt: Line 54 - dos=high, umb
Config.nt: Line 55 - device=%SystemRoot%\system32\himem.sys
Config.nt: Line 56 - files=40
AutoExec.nt: Line 1 - @echo off
AutoExec.nt: Line 3 - REM AUTOEXEC.BAT is not used to initialize the MS-DOS environment.
AutoExec.nt: Line 4 - REM AUTOEXEC.NT is used to initialize the MS-DOS environment unless a
AutoExec.nt: Line 5 - REM different startup file is specified in an application's PIF.
AutoExec.nt: Line 7 - REM Install CD ROM extensions
AutoExec.nt: Line 8 - lh %SystemRoot%\system32\mscdexnt.exe
AutoExec.nt: Line 10 - REM Install network redirector (load before dosx.exe)
AutoExec.nt: Line 11 - lh %SystemRoot%\system32\redir
AutoExec.nt: Line 13 - REM Install DPMI support
AutoExec.nt: Line 14 - lh %SystemRoot%\system32\dosx
AutoExec.nt: Line 16 - REM The following line enables Sound Blaster 2.0 support on NTVDM.
AutoExec.nt: Line 17 - REM The command for setting the BLASTER environment is as follows:
AutoExec.nt: Line 18 - REM SET BLASTER=A220 I5 D1 P330
AutoExec.nt: Line 19 - REM where:
AutoExec.nt: Line 20 - REM A specifies the sound blaster's base I/O port
AutoExec.nt: Line 21 - REM I specifies the interrupt request line
AutoExec.nt: Line 22 - REM D specifies the 8-bit DMA channel
AutoExec.nt: Line 23 - REM P specifies the MPU-401 base I/O port
AutoExec.nt: Line 24 - REM T specifies the type of sound blaster card
AutoExec.nt: Line 25 - REM 1 - Sound Blaster 1.5
AutoExec.nt: Line 26 - REM 2 - Sound Blaster Pro I
AutoExec.nt: Line 27 - REM 3 - Sound Blaster 2.0
AutoExec.nt: Line 28 - REM 4 - Sound Blaster Pro II
AutoExec.nt: Line 29 - REM 6 - SOund Blaster 16/AWE 32/32/64
AutoExec.nt: Line 30 - REM
AutoExec.nt: Line 31 - REM The default value is A220 I5 D1 T3 and P330. If any of the switches is
AutoExec.nt: Line 32 - REM left unspecified, the default value will be used. (NOTE, since all the
AutoExec.nt: Line 33 - REM ports are virtualized, the information provided here does not have to
AutoExec.nt: Line 34 - REM match the real hardware setting.) NTVDM supports Sound Blaster 2.0 only.
AutoExec.nt: Line 35 - REM The T switch must be set to 3, if specified.
AutoExec.nt: Line 36 - SET BLASTER=A220 I5 D1 P330 T3
AutoExec.nt: Line 38 - REM To disable the sound blaster 2.0 support on NTVDM, specify an invalid
AutoExec.nt: Line 39 - REM SB base I/O port address. For example:
AutoExec.nt: Line 40 - REM SET BLASTER=A0
Miscellaneous Folders
AllUsers ApplicationData Folder
C:\Documents and Settings\All Users\Application Data\desktop.ini - ( [Ver = | Size = 62 bytes | Date = 02/26/2004 10:19 | Attr = HS])
CurrentUser ApplicationData Folder
C:\Documents and Settings\Ros\Application Data\desktop.ini - ( [Ver = | Size = 62 bytes | Date = 02/26/2004 10:19 | Attr = HS])
C:\Documents and Settings\Ros\Application Data\GDIPFONTCACHEV1.DAT - ( [Ver = | Size = 76248 bytes | Date = 03/27/2006 19:02 | Attr = ])
C:\Documents and Settings\Ros\Application Data\wklnhst.dat - ( [Ver = | Size = 53656 bytes | Date = 09/18/2006 18:56 | Attr = ])
Program Files Folder
Common Files Folder
DPF files
!!00B71CFB-6864-4346-A978-C0A14556272C} - Checkers Class - CodeBase = http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
!!14B87622-7E19-4EA8-93B3-97215F77A6BC} - MessengerStatsClient Class - CodeBase = http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
!!166B1BCA-3F9C-11CF-8075-444553540000} - Shockwave ActiveX Control - CodeBase = http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
!!17492023-C23A-453E-A040-C7C580BBF700} - Windows Genuine Advantage Validation Tool - CodeBase = http://go.microsoft.com/fwlink/?LinkID=39204
!!193C772A-87BE-4B19-A7BB-445B226FE9A1} - ewidoOnlineScan Control - CodeBase = http://download.ewido.net/ewidoOnlineScan.cab
!!2917297F-F02B-4B9D-81DF-494B6333150B} - Minesweeper Flags Class - CodeBase = http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
!!39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - FilePlanet Download Control Class - CodeBase = http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
!!3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - Office Update Installation Engine - CodeBase = http://office.microsoft.com/officeupdate/content/opuc.cab
!!4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - QDiagAOLCCUpdateObj Class - CodeBase = http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
!!4F1E5B1A-2A80-42CA-8532-2D05CB959537} - MSN Photo Upload Tool - CodeBase = http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
!!8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - MessengerStatsClient Class - CodeBase = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
!!9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - ActiveScan Installer Class - CodeBase = http://acs.pandasoftware.com/activescan/as5free/asinst.cab
!!9F1C11AA-197B-4942-BA54-47A8489BB47F} - - CodeBase = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38043.1555092593
{B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - MsnMessengerSetupDownloadControl Class - CodeBase = http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
{B8BE5E93-A60C-4D26-A2DC-220313175592} - ZoneIntro Class - CodeBase = http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} - Shockwave Flash Object - CodeBase = http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
{E6187999-9FEC-46A1-A20F-F4CA977D5643} - ZoneChess Object - CodeBase = http://messenger.zone.msn.com/binary/Chess.cab30149.cab
{F6BF0D00-0B2A-4A75-BF7B-F385591623AF} - Solitaire Showdown Class - CodeBase = http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
DirectAnimation Java Classes - - CodeBase = file://C:\WINDOWS\Java\classes\dajava.cab
Microsoft XML Parser for Java - - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab
Hosts file = 734 bytes. Reading all entries. C:\WINDOWS\System32\drivers\etc\Hosts
# Copyright (c) 1993-1999 Microsoft Corp. -
# -
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows. -
# -
# This file contains the mappings of IP addresses to host names. Each -
# entry should be kept on an individual line. The IP address should -
# be placed in the first column followed by the corresponding host name. -
# The IP address and the host name should be separated by at least one -
# space. -
# -
# Additionally, comments (such as these) may be inserted on individual -
# lines or following the machine name denoted by a '#' symbol. -
# -
# For example: -
# -
# 102.54.94.97 rhino.acme.com # source server -
# 38.25.63.10 x.acme.com # x client host -
-
127.0.0.1 localhost -
< Add On's >
>>>>Output for AddOn file HKCU_IEDesktop.def<<<<
KEY - HKCU\Software\Microsoft\Internet Explorer\Desktop - Include SUBKEYS
HKCU\Software\Microsoft\Internet Explorer\Desktop -
Desktop\Components -
Desktop\Components\\DeskHtmlVersion - 272
Desktop\Components\\DeskHtmlMinorVersion - 5
Desktop\Components\\Settings - 1
Desktop\Components\\GeneralFlags - 4
Desktop\General -
Desktop\General\\BackupWallpaper - %USERPROFILE%\My Documents\My Pictures\Ravello.BMP
Desktop\General\\WallpaperFileTime - 0A 5A EA CA 50 1B C4 01
Desktop\General\\WallpaperLocalFileTime - 0A C2 AE 2C 59 1B C4 01
Desktop\General\\TileWallpaper - 0
Desktop\General\\WallpaperStyle - 2
Desktop\General\\Wallpaper - %USERPROFILE%\My Documents\My Pictures\Ravello.BMP
Desktop\General\\ComponentsPositioned - 1
Desktop\Old WorkAreas -
Desktop\Old WorkAreas\\NoOfOldWorkAreas - 1
Desktop\Old WorkAreas\\OldWorkAreaRects - 00 00 00 00 00 00 00 00 00 04 00 00 E2 02 00 00
Desktop\SafeMode -
Desktop\SafeMode\General -
Desktop\SafeMode\General\\Wallpaper - %SystemRoot%\Web\SafeMode.htt
Desktop\SafeMode\General\\VisitGallery - 0
Desktop\Scheme -
Desktop\Scheme\\Edit -
Desktop\Scheme\\Display -
>>>>Output for AddOn file Policies.def<<<<
KEY - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies -
policies\explorer -
policies\explorer\run -
policies\NonEnum -
policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} - 1
policies\NonEnum\\!!6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} - 1073741857
policies\NonEnum\\!!0DF44EAA-FF21-4412-828E-260A8728E7F1} - 32
policies\Ratings -
policies\system -
policies\system\\dontdisplaylastusername - 0
policies\system\\legalnoticecaption -
policies\system\\legalnoticetext -
policies\system\\shutdownwithoutlogon - 1
policies\system\\undockwithoutlogon - 1
KEY - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies -
policies\ActiveDesktop -
policies\Explorer -
policies\Explorer\\NoDriveTypeAutoRun - 145
policies\System -
policies\System\\DisableRegistryTools - 0
< End of report >0 -
Everything looks fine apart from one suspect file.
Go to VirusTotal's Online File scanner.
Paste the filepath below into the open field at the top of the page to the left of the browse button.
C:\WINDOWS\spoolsvt.exe
Then hit the Send button to upload it for analysis:
Copy and paste the results back here please. 0 -
Here is the result from the Virus scan
Antivirus Version Update Result
AntiVir 7.2.0.18 09.24.2006 no virus found
Authentium 4.93.8 09.23.2006 no virus found
Avast 4.7.844.0 09.22.2006 no virus found
AVG 386 09.22.2006 no virus found
BitDefender 7.2 09.24.2006 no virus found
CAT-QuickHeal 8.00 09.22.2006 no virus found
ClamAV devel-20060426 09.24.2006 no virus found
DrWeb 4.33 09.22.2006 no virus found
eTrust-InoculateIT 23.73.4 09.24.2006 no virus found
eTrust-Vet 30.3.3093 09.22.2006 no virus found
Ewido 4.0 09.24.2006 no virus found
Fortinet 2.82.0.0 09.24.2006 no virus found
F-Prot 3.16f 09.23.2006 no virus found
F-Prot4 4.2.1.29 09.23.2006 no virus found
Ikarus 0.2.65.0 09.23.2006 no virus found
Kaspersky 4.0.2.24 09.24.2006 no virus found
McAfee 4858 09.22.2006 Generic StartPage.j
Microsoft 1.1560 09.24.2006 no virus found
NOD32v2 1.1771 09.23.2006 no virus found
Norman 5.90.23 09.22.2006 no virus found
Panda 9.0.0.4 09.24.2006 Suspicious file
Sophos 4.09.0 09.24.2006 no virus found
Symantec 8.0 09.24.2006 no virus found
TheHacker 6.0.1.078 09.24.2006 no virus found
UNA 1.83 09.22.2006 no virus found
VBA32 3.11.1 09.24.2006 no virus found
VirusBuster 4.3.7:9 09.24.2006 no virus found
Aditional Information
File size: 7681 bytes
MD5: 52fbbdc928d954b3eff431065c4297aa
SHA1: 2047d73d727860e562222f20b1ac6e720855eb3a
packers: UPX0 -
Thanks for that. I think we need to take a closer look at that file.
Please click here and go to the uploads forum. Start a new topic and upload the file. Mark it for the attention of Captain Spyware please.0 -
Sorry I'm being dozy now, I have read the instructions on uploading the file - can I ask, do I post a link to this whole thread or just to the last post with the virus scan results? And how do I get the file on my PC? ( Internet explorer? )Thanks
Edited to add - ignore this - think I managed it!0
This discussion has been closed.
Confirm your email address to Create Threads and Reply
Categories
- All Categories
- 350.9K Banking & Borrowing
- 253.1K Reduce Debt & Boost Income
- 453.5K Spending & Discounts
- 243.9K Work, Benefits & Business
- 598.8K Mortgages, Homes & Bills
- 176.9K Life & Family
- 257.2K Travel & Transport
- 1.5M Hobbies & Leisure
- 16.1K Discuss & Feedback
- 37.6K Read-Only Boards