Hijack this log, registry editor pop up - please help

Post by ihatemalware » September 15th, 2005, 11:53 pm

Here is my HijackThis log. Could someone tell me if I'm clean?

Logfile of HijackThis v1.99.1
Scan saved at 11:03:44 PM, on 15/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PccGuide.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\wtwh\aruc.exe
C:\WINDOWS\system32\??sks\netdde.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\3web\system\launcher.exe
C:\Program Files\3web\system\cydial95.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ben\Desktop\Freeware\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CM-SmWizard] C:\WINDOWS\System\SmWizard.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Rnta] C:\Program Files\wtwh\aruc.exe
O4 - HKCU\..\Run: [Hbcoay] C:\WINDOWS\system32\??sks\netdde.exe


Also I have this popup... I print-screened it. After you close the first, the second one always follows. Anyone know what this is?

[Image: screenshot of the pop-up]
ihatemalware
Regular Member
Posts: 21
Joined: September 2nd, 2005, 3:55 pm

Post by askey127 » September 16th, 2005, 2:54 pm

ihatemalware,

I will be glad to help you with your log.
Would you please paste the entire log into a reply so I can look at the whole thing?
When you have the log in Notepad, you can hit Ctrl-A to highlight ALL, then Ctrl-C to copy to the clipboard, and then Ctrl-V to paste after you click Post Reply here.

askey127
askey127
Admin/Teacher
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Post by ihatemalware » September 16th, 2005, 6:53 pm

Logfile of HijackThis v1.99.1
Scan saved at 11:03:44 PM, on 15/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PccGuide.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\wtwh\aruc.exe
C:\WINDOWS\system32\??sks\netdde.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\3web\system\launcher.exe
C:\Program Files\3web\system\cydial95.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ben\Desktop\Freeware\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CM-SmWizard] C:\WINDOWS\System\SmWizard.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Rnta] C:\Program Files\wtwh\aruc.exe
O4 - HKCU\..\Run: [Hbcoay] C:\WINDOWS\system32\??sks\netdde.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1AAF0FA-69AB-4EF0-80EF-F51FB94F5B29}: NameServer = 209.195.95.95 209.197.128.2
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe

There is the log. Also, if you could check out the link in the previous post, it's a pop-up I'm getting; please take a look at that. Thank you.

Post by askey127 » September 16th, 2005, 9:15 pm

Ihatemalware,
-----------------------------------------------------------
Disable Microsoft Anti-Spyware
- Open Microsoft AntiSpyware. Click on Tools, Settings.
- In the left pane, Click on Real-time Protection.
- Under Startup Options, Uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
- Under Real-time spyware threat protection, Uncheck Enable real-time spyware threat protection (recommended).
- Click on the Save button and close Microsoft AntiSpyware.
- Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.
- Reboot your machine for the changes to take effect.
-----------------------------------------------------------
Set Your Computer to Show All Files
Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. In addition, if you have Windows XP, go to Start, Search. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.
-----------------------------------------------------------
Download the Pocket Killbox from http://forum.malwareremoval.com/viewtopic.php?t=320 and see the instructions as well.
-----------------------------------------------------------
Download and install CCleaner from here.
Don't run CCleaner yet.
-----------------------------------------------------------
If you don't have it already, Download Ad-Aware SE Personal from here. Don't install the AdWatch feature at start (free version doesn't have it anyway) until your machine is completely clean, as it may interfere with fixes. Install, Check for Updates.
Run Ad-Aware and Click on the Scan Now Button
* Choose Perform Full System Scan
* DESELECT Search for negligible risk entries, as negligible risk entries (MRUs) are not considered to be a threat. (Make it show a red X.)
Click Next to begin the scan. When the scan is completed, the Performing System Scan screen will change its name to Scan Complete.
Click the Next Button to get to the Scanning Results Window where more information about the objects detected is available. Click the Critical Objects Tab. In general all of the items listed will be bad. To fix all the bad critical objects, right click on one of them, click the Select All entry in the pop-up menu to mark all entries. Click Next and then OK in the dialog box to confirm the removal.
1. Make a note of the items found by Ad-aware.

Reboot to complete the removal of what Ad-Aware SE found.

2. Are you familiar with Cyberus Online and Cybersurf.com? Your ISP?

3. Tell me what you know about this folder:
C:\Program Files\wtwh\
I don't see any research info on aruc.exe in that folder, which usually means it's a bad guy. If you don't know what it is, right click the file, select properties, and tell me what it says.

4. Please also look at the properties of this file and tell me what it says. netdde.exe is normally a Microsoft file, but that folder name doesn't look right.
C:\WINDOWS\system32\??sks\netdde.exe

(The MS file by that name is usually in C:\windows\system32\.
The latest version is 5.1.2600.2180, size is 111,104 bytes.)

Please let me know what you get, and we will proceed.
We will get to that link.

askey127

Post by ihatemalware » September 17th, 2005, 1:26 pm

This 1 item was found from Ad-aware...

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "about:blank"

I had never heard anything of Cyberus Online or Cybersurf. My ISP is 3web in Canada. However, I Google-searched the two and there may be a connection between them, so I really don't know what to tell you about Cybersurf.
Folder wtwh contains aruc.exe and a sub-folder owoo; the sub-folder seems to contain nothing...
Size of aruc.exe - 67,072 bytes
Read-only file
Created on July 2, 2005
Modified September 14, 2005
Accessed September 17, 2005

As for netdde I also have no idea, lol. Using Search for Files and Folders I found two files called netdde, both applications.
Both have description - Network DDE - DDE Communication.
1st file location - C:\WINDOWS\ServicePackFiles\i386
1st file size - 111,104 bytes
2nd file location - C:\WINDOWS\system32
File size and everything else is identical to the other file.

Post by askey127 » September 17th, 2005, 6:03 pm

Ihatemalware,
-----------------------------------------------------------
Please download, install, and update the free trial version of the Ewido trojan scanner from here: http://www.ewido.net/en/download/
* Install ewido security suite
* When installing, under "Additional Options", Uncheck "Install background guard" and Uncheck "Install scan via context menu".
* Launch ewido, there should now be an icon on your desktop. Double-click it.
* The program will go to its main screen
* On the left hand side of the main screen click Update.
* Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can also use the same download link http://www.ewido.net/en/download/ to manually update ewido.
-----------------------------------------------------------
Start Your Computer in Safe Mode.
Reboot into Safe Mode by hitting the F8 key repeatedly as the machine boots, until a menu shows up. Choose Safe Mode from the list.
In some systems, this may be the F5 key, so try that if F8 doesn't work.
Extra instructions are here if you need them.
-----------------------------------------------------------
Close all open windows/programs/folders. Have nothing else open while ewido performs its scan!
It's extremely important not to open any windows while the scan is in progress.
Now Run Ewido
* Click on scanner
* Click on Settings
* Under "How to scan" all boxes should be selected
* Under "Possibly unwanted software" all boxes should be selected
* Under "What to scan" select scan every file
* Click OK
* Click on Complete system scan
* Let the program scan the machine
* If ewido finds anything, it will pop up a notification.
* Let it fix whatever it finds
Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
* Click Save report
* Save the report to your desktop
* Exit ewido
-----------------------------------------------------------
Remove log items with HijackThis. Start HijackThis. If the opening screen shows, choose None of the above, just start the program.
Click Scan. When the Scan is complete, Check the following entries:
(Some of these lines may be missing)

O4 - HKCU\..\Run: [Rnta] C:\Program Files\wtwh\aruc.exe

Make sure all other windows except HJT are closed, and Click Fix Checked.
Exit HJT
-----------------------------------------------------------
Folder Deletion.
Take one more look at the file aruc.exe in C:\Program Files\wtwh\. Right click the file, select Properties, uncheck Read Only, click Apply and OK.
If no company is listed in properties menu that you recognize, proceed with this deletion:
In Windows Explorer(My Computer), Find and Delete these folder(s), if present:
C:\Program Files\wtwh\
Note any folder you cannot delete.
You may have to delete all the underlying files and folders before a target folder can be deleted.
If you have any problem deleting a file, right click the file and check Properties to see if it's read-only. Uncheck the read-only box, click Apply and OK. Then retry Delete.
Note the name and location of any file you cannot delete.
-----------------------------------------------------------
Post a New HJT Log
Reboot your computer (Normal Mode). Start HijackThis. Click Do System Scan and Save a Log File.
When the Scan is complete, select the whole log (Ctrl-A), copy and paste the log contents in a reply. Please also paste the entire Ewido log report into your reply.

askey127

Post by ihatemalware » September 18th, 2005, 10:09 pm

Logfile of HijackThis v1.99.1
Scan saved at 10:01:21 PM, on 18/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Ewido\Security Suite\ewidoctrl.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\WINDOWS\system32\??sks\netdde.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TSC.EXE
C:\Documents and Settings\Ben\Desktop\Freeware\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CM-SmWizard] C:\WINDOWS\System\SmWizard.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Hbcoay] C:\WINDOWS\system32\??sks\netdde.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\Ewido\Security Suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:51:23 PM, 18/09/2005
+ Report-Checksum: DA9A63F4

+ Scan result:

C:\WINDOWS\Downloaded Program Files\HDPlugin1101.dll -> Adware.Gator : Cleaned with backup
C:\Documents and Settings\Ben\Cookies\ben@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Ben\Cookies\ben@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Ben\Cookies\ben@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Ben\Cookies\ben@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Ben\Cookies\ben@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Ben\Cookies\ben@hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Ben\Cookies\ben@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Ben\Cookies\ben@ehg-dig.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\wtwh\aruc.exe -> TrojanDownloader.PurityScan.ah : Cleaned with backup
C:\System Volume Information\_restore{F546D7E1-7E55-4550-AE10-D84A56937DAE}\RP425\A0075575.exe -> Spyware.PurityScan : Cleaned with backup


::Report End

P.S. As I post this reply I'm still getting the pop-up. I see ewido found the aruc trojan, but either it's not gone or that's not what's giving me the pop-ups. Oh, and I was just wondering, did you look at the photos of the pop-ups I'm getting in the link I posted in my first post?

Post by askey127 » September 19th, 2005, 7:44 am

Ihatemalware,

I'm not forgetting about the Registry cleaner popup at all.
We need to find out what's calling it.
-----------------------------------------------------------
Download L2mfix from one of these two locations:
http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe
Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.
Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or two, Notepad will open with a log. Copy the contents of that log and paste it into this thread.
IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder unless you are asked to do so!
We need to see the log contents before proceeding with any fixes.
-----------------------------------------------------------
Download F-Secure's trial Blacklight program :
http://www.f-secure.com/blacklight/try.shtml
Print out the help page for guidance.
Ok the license.
Check scan through Windows Explorer
Click Scan
When the animated graphic disappears, click Next.
Note any files and their locations that appear in the output summary.
-----------------------------------------------------------

askey127
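The L2MFix find log requested above exports the Winlogon\Notify subkeys in .reg format (the dump appears later in this thread). Some DllName values are stored as hex(2), i.e. REG_EXPAND_SZ data as UTF-16LE bytes split over backslash-continued lines, which is awkward to read by eye. The Python below is an added example, not part of the thread or of L2MFix: it parses such a dump, decodes the hex values, and lists every notification package whose DLL is not in a baseline. The baseline is simply the set of DLL names present in the dump posted in this thread; the sample dump, including the sample_suspect subkey and its sample_unknown.dll, is constructed.

```python
"""Added example: parse the Winlogon\\Notify section of an L2MFix-style .reg
dump and flag notification packages whose DLL is not in a known-good baseline.
The baseline and the sample dump are constructed for this example.
"""
import ntpath
import re

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
HEX_RE = re.compile(r'^hex(?:\((?P<kind>\d+)\))?:(?P<bytes>.*)$')

# Notification DLLs present in the XP SP2 dump posted in this thread (constructed baseline).
BASELINE_NOTIFY_DLLS = {'crypt32.dll', 'cryptnet.dll', 'cscdll.dll', 'wlnotify.dll', 'sclgntfy.dll'}
NOTIFY_ROOT = r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

# Constructed sample dump: genuine-looking subkeys plus one made-up suspect.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"StartShell"="SchedStartShell"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sample_suspect]
"Asynchronous"=dword:00000001
"DllName"="sample_unknown.dll"
"Logon"="WinLogon"
"""


def decode_value(data):
    """Turn the right-hand side of a .reg value line into a Python value."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1]
    if data.startswith('dword:'):
        return int(data[6:], 16)
    m = HEX_RE.match(data)
    if m:
        raw = bytes(int(b, 16) for b in m.group('bytes').split(',') if b.strip())
        kind = int(m.group('kind') or 3)          # bare "hex:" is REG_BINARY (type 3)
        if kind in (1, 2, 7):                     # REG_SZ / REG_EXPAND_SZ / REG_MULTI_SZ
            return raw.decode('utf-16-le').rstrip('\x00')
        return raw
    return data


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}, joining
    backslash-continued hex lines."""
    keys, current, pending = {}, None, None   # pending = (name, data) of a continued value
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if pending is not None:
            name, data = pending
            data += line
            if data.endswith('\\'):
                pending = (name, data[:-1])
            else:
                keys[current][name] = decode_value(data)
                pending = None
            continue
        if not line or line.startswith('Windows Registry Editor'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, data = m.group('name'), m.group('data')
        if data.endswith('\\'):
            pending = (name, data[:-1])
        else:
            keys[current][name] = decode_value(data)
    return keys


def audit_notify(keys, baseline=BASELINE_NOTIFY_DLLS):
    """Return (subkey, dll, reason) for each Notify package that needs research."""
    findings = []
    prefix = NOTIFY_ROOT.lower() + '\\'
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        subkey = key[len(prefix):]
        dll = next((v for n, v in values.items() if n.lower() == 'dllname'), None)
        if dll is None:
            findings.append((subkey, None, 'no DllName value'))
        elif ntpath.basename(str(dll)).lower() not in baseline:
            findings.append((subkey, dll, 'DLL not in baseline; research it'))
    return findings


if __name__ == '__main__':
    for subkey, dll, reason in audit_notify(parse_reg(SAMPLE_REG)):
        print(f'{subkey}: {dll} ({reason})')
```

On the sample the only hit is sample_suspect with sample_unknown.dll; the crypt32chain and Schedule entries decode to crypt32.dll and wlnotify.dll and pass. A hit means the DLL is unfamiliar, not that it is malicious: check it against the file on disk and its publisher before deciding, which is also why the thread asks for the log to be posted rather than acted on.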

Post by ihatemalware » September 19th, 2005, 8:26 pm

Blacklight found nothing.
L2MFix log...

L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
wininet.dll Sat Jul 2 2005 10:11:30p A.... 658,432 643.00 K
urlmon.dll Sat Jul 2 2005 10:11:30p A.... 607,744 593.50 K
shlwapi.dll Sat Jul 2 2005 10:11:30p A.... 473,600 462.50 K
shdocvw.dll Sat Jul 2 2005 10:11:30p A.... 1,483,776 1.41 M
pngfilt.dll Sat Jul 2 2005 10:11:30p A.... 39,424 38.50 K
msrating.dll Sat Jul 2 2005 10:11:30p A.... 146,432 143.00 K
mshtmled.dll Sat Jul 2 2005 10:11:30p A.... 448,512 438.00 K
mshtml.dll Tue Jul 19 2005 10:00:30p A.... 3,014,144 2.87 M
inseng.dll Sat Jul 2 2005 10:11:28p A.... 96,256 94.00 K
iepeers.dll Sat Jul 2 2005 10:11:28p A.... 251,392 245.50 K
cdfview.dll Sat Jul 2 2005 10:11:28p A.... 151,040 147.50 K
browseui.dll Sat Jul 2 2005 10:11:28p A.... 1,019,904 996.00 K
hashlib.dll Tue Jul 12 2005 3:35:14p A.... 117,976 115.21 K
mscms.dll Tue Jun 28 2005 9:46:00p A.... 74,240 72.50 K
tapisrv.dll Fri Jul 8 2005 12:27:56p A.... 249,344 243.50 K
icm32.dll Tue Jun 28 2005 9:46:00p A.... 254,976 249.00 K
gcunco~1.dll Tue Jul 12 2005 3:35:10p A.... 95,448 93.21 K
gccoll~1.dll Tue Jul 12 2005 3:35:14p A.... 126,680 123.71 K
legitc~1.dll Tue Jul 12 2005 6:04:22p A.... 520,456 508.26 K
gwfspi~1.dll Tue Jul 12 2005 6:04:22p A.... 23,304 22.76 K
umpnpmgr.dll Wed Jun 29 2005 10:02:40p A.... 118,272 115.50 K

21 items found: 21 files, 0 directories.
Total of file sizes: 9,971,352 bytes 9.51 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C is SYSTEM
Volume Serial Number is 30D6-628D

Directory of C:\WINDOWS\System32

07/01/2004 09:49 PM <DIR> Microsoft
07/01/2004 08:50 PM <DIR> dllcache
0 File(s) 0 bytes
2 Dir(s) 681,598,976 bytes free
ihatemalware
Regular Member
Posts: 21
Joined: September 2nd, 2005, 3:55 pm

Unread postby askey127 » September 19th, 2005, 10:38 pm

ihatemalware,

Download Silent Runners from here : http://www.silentrunners.org/
Doubleclick on SilentRunners.vbs
Save the output and post in your next reply.

Your AV may complain about running a script.
If a 'malicious script' or other flag appears (there is no malicious or dangerous script here), give all permissions necessary to run.

askey127
askey127
Admin/Teacher
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Unread postby ihatemalware » September 20th, 2005, 9:54 am

Am I going to use the killbox???

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Hbcoay" = (value not set)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
"CM-SmWizard" = "C:\WINDOWS\System\SmWizard.exe" ["C-Media Electronics Inc."]
"pccguide.exe" = ""C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"" ["Trend Micro Incorporated."]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe" ["Sun Microsystems, Inc."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\Office\1036\UNBIND.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\Office\OLKFSTUB.DLL" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
"{48F45200-91E6-11CE-8A4F-0080C81A28D4}" = "TMD Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Trend Micro\Internet Security 2005\Tmdshell.dll" ["Trend Micro Incorporated."]
"{771A9DA0-731A-11CE-993C-00AA004ADB6C}" = "VBPropSheet"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Trend Micro\Internet Security 2005\VBProp.dll" ["Trend Micro Incorporated."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Ewido\Security Suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Ben\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Startup items in "Ben" & "All Users" startup folders:
-----------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Microsoft Office" -> shortcut to: "D:\Program Files\Office\OSA9.EXE -b -l" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\msjava.dll" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ewido security suite control, ewido security suite control, "D:\Program Files\Ewido\Security Suite\ewidoctrl.exe" ["ewido networks"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Trend Micro Central Control Component, PcCtlCom, "C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe" ["Trend Micro Incorporated."]
Trend Micro Personal Firewall, TmPfw, "C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe" ["Trend Micro Inc."]
Trend Micro Proxy Service, tmproxy, "C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe" ["Trend Micro Inc."]
Trend Micro Real-time Service, Tmntsrv, "C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe" ["Trend Micro Incorporated."]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 72 seconds, including 8 seconds for message boxes)
ihatemalware
Regular Member
Posts: 21
Joined: September 2nd, 2005, 3:55 pm

Unread postby askey127 » September 20th, 2005, 5:13 pm

ihatemalware,

Download the purityscan uninstaller from here and run it.
http://www.purityscan.com/uninstall.html

Press Ctrl-Alt-Del to bring up Task Manager
Check whether there are any entries that resemble "adware.livechat"
If so, click "End Process"
-----------------------------------------------------------
Remove log items with HijackThis. Start HijackThis. If the opening screen shows, choose None of the above, just start the program.
Click Scan. When the Scan is complete, Check the following entries:
(Some of these lines may be missing)
O4 - HKCU\..\Run: [Hbcoay] C:\WINDOWS\system32\??sks\netdde.exe
Make sure all other windows except HJT are closed, and Click Fix Checked.
-----------------------------------------------------------
Set Your Computer to Show All Files
Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. In addition, if you have Windows XP, go to Start, Search. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.
-----------------------------------------------------------
Folder Deletion.
In Windows Explorer, Find and Delete this folder(s), if present:
C:\Program Files\PurityScan\
You may have to delete all the underlying files and folders before a target folder can be deleted.
If you have any problem deleting a file, right click the file and check Properties to see if it's read-only. Uncheck the read-only box, click Apply and OK. Then retry Delete.
-----------------------------------------------------------
Search for the folder corresponding to C:\WINDOWS\system32\??sks\ and write out its exact full name
-----------------------------------------------------------
Start Killbox, Use standard file kill.(default settings).
Type the following into the box: C:\WINDOWS\system32\??sks\netbbe.exe
except use the full name of the \??sks\ folder you looked up. Don't use the question marks. <edit> (only use the question marks if they are actually in the name of the folder)<edit>.

Click the red highlighted 'X' button and say yes to any prompt, then click OK.

If a file cannot be deleted, check delete on reboot for that file, and try it again.
When finished exit Killbox and restart your PC.
-----------------------------------------------------------
Run CCleaner. Make sure the Cleaner block on the left is selected. Choose the Windows tab. Check everything EXCEPT cookies, and Autocomplete Form History and the Advanced part of the Menu. Choose Run Cleaner. This process could take a while. When CCleaner shows how much has been removed, cleaning is finished.
Click the Tools button. Click the "Uninstall" box, and the "Save Text File" button.
Paste the contents of the text file into your next reply.
-----------------------------------------------------------
Post a New HJT Log
Start HijackThis. Click Do System Scan and Save a Log File.
When the Scan is complete, select the whole log (Ctrl-A), copy and paste the log contents in a reply. Please do not use Word Wrap when you paste in the reply.
Please include the uninstall list from CCleaner.

askey127
askey127
Admin/Teacher
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
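An added example for the folder lookup step above (not from the thread and not part of HijackThis, Silent Runners or Killbox): console-style tools print every character the active code page cannot render as `?`, so `C:\WINDOWS\system32\??sks\` names a folder whose first two characters are unrenderable. The Python below turns such a display name into a matcher, spells out the real characters by code point so they can be written down exactly, and runs over a constructed directory listing; `scan_directory` applies the same check to a live folder. The helper names and the sample folder names are assumptions.

```python
import os
import re
import unicodedata
from typing import Iterable, List, Tuple

# Console-style tools print every character the active code page cannot render as '?'.
# So a HijackThis line showing C:\WINDOWS\system32\??sks\ names a folder whose first
# two characters are unrenderable (typically non-ASCII Unicode), followed by "sks".


def pattern_to_regex(display_name: str) -> "re.Pattern[str]":
    """Turn a console display name into a regex: each '?' matches one character
    outside printable ASCII; every other character must match literally."""
    parts = []
    for ch in display_name:
        if ch == "?":
            parts.append(r"[^\x20-\x7e]")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def describe_name(name: str) -> str:
    """Spell out a name so a user can record it exactly: printable ASCII is kept,
    anything else becomes <U+XXXX UNICODE NAME>."""
    out = []
    for ch in name:
        if 0x20 <= ord(ch) <= 0x7E:
            out.append(ch)
        else:
            out.append("<U+%04X %s>" % (ord(ch), unicodedata.name(ch, "UNKNOWN")))
    return "".join(out)


def find_obscured_names(names: Iterable[str], display_name: str) -> List[Tuple[str, str]]:
    """Return (real_name, spelled_out_name) for every entry matching the display pattern."""
    rx = pattern_to_regex(display_name)
    return [(n, describe_name(n)) for n in names if rx.match(n)]


def scan_directory(path: str, display_name: str) -> List[Tuple[str, str]]:
    """Apply the same match to the sub-folders of a real directory (folders only)."""
    # e.g. scan_directory(r"C:\WINDOWS\system32", "??sks")
    with os.scandir(path) as it:
        names = [entry.name for entry in it if entry.is_dir()]
    return find_obscured_names(names, display_name)


# Constructed sample listing (hypothetical, not from the thread): ordinary System32
# folders plus one whose name starts with two Cyrillic letters, shown by a console
# as "??sks". Note that "tasks" does NOT match: its first two characters are ASCII.
SAMPLE_DIRS = ["Microsoft", "dllcache", "drivers", "\u0430\u0431sks", "wbem", "tasks"]


if __name__ == "__main__":
    for real, spelled in find_obscured_names(SAMPLE_DIRS, "??sks"):
        print("match:", spelled, "(repr %r)" % real)
```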

Unread postby ihatemalware » September 20th, 2005, 8:06 pm

That folder could not be found using HijackThis, Windows Explorer, or Killbox.
CLEANING COMPLETE - (9.010 secs)
------------------------------------------------------------------------------------------
26.6MB removed.


Details of files deleted
------------------------------------------------------------------------------------------
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050724-2258.log 244 bytes
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050724-2309.txt 1.05KB
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050728-1806.log 243 bytes
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050728-1812.txt 1.05KB
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050728-1925.log 412 bytes
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050728-1933.txt 1.15KB
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.050728-1934.txt 1.14KB
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050810-2253.log 244 bytes
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050810-2302.txt 1.05KB
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050811-1520.log 243 bytes
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050811-1527.txt 1.05KB
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050811-1638.log 193 bytes
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050814-2304.log 244 bytes
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050814-2313.txt 1.05KB
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050818-1949.log 326 bytes
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050818-2000.txt 1.07KB
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.050818-2001.txt 1.06KB
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050828-1656.log 357 bytes
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050828-1703.txt 1011 bytes
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050828-1703.log 193 bytes
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050828-1710.txt 1011 bytes
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050828-1711.log 193 bytes
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050828-1716.txt 1011 bytes
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050829-1800.log 193 bytes
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050829-1808.txt 1011 bytes
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050901-0055.log 295 bytes
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050901-0108.txt 1.03KB
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.050901-0109.txt 1.03KB
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050902-2350.log 194 bytes
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050902-2357.txt 976 bytes
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050915-2244.log 194 bytes
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.050915-2251.txt 976 bytes
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Statistics.ini 601 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\adcontroller2.jar-548c5379-7e4dd110.idx 174 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\adcontroller2.jar-548c5379-7e4dd110.zip 0.18MB
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\irc.jar-528e8c08-586a10b8.idx 12.50KB
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\irc.jar-528e8c08-586a10b8.zip 0.25MB
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\pixx.jar-202a59a3-6aef8274.idx 155 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\pixx.jar-202a59a3-6aef8274.zip 0.13MB
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\pt0.jar-3c384e01-34deb1f0.idx 110 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\pt0.jar-3c384e01-34deb1f0.zip 8.07KB
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\draft306.jar-1b5e63b2-5c65c2c8.idx 106 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\draft306.jar-1b5e63b2-5c65c2c8.zip 0.13MB
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cs3fu.zip-4c8e6ad1-50330b18.idx 75 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cs3fu.zip-4c8e6ad1-50330b18.zip 0.34MB
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-7f1cd522.idx 151 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-92a91d4-231344ac.idx 159 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cbe6cl.jar-7ee89682-794fd662.idx 195 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cbe6cl.jar-7ee89682-794fd662.zip 0.30MB
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\irc.jar-668dde9e-11bfe35c.idx 17.30KB
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\irc.jar-668dde9e-11bfe35c.zip 0.27MB
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\pixx.jar-7bad6c8d-274ab3c7.idx 186 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\pixx.jar-7bad6c8d-274ab3c7.zip 0.14MB
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\upload.jar-1189ebb-1bdc0b5c.idx 1.82KB
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\upload.jar-1189ebb-1bdc0b5c.zip 99.51KB
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\ConsultScroll.class-2df39c98-6bf343de.idx 289 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\ConsultScroll.class-2df39c98-6bf343de.class 17.30KB
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\0.class-8f4a53b-3eb751b4.idx 250 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\0.class-8f4a53b-3eb751b4.class 1.07KB
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\1.class-3ddae07c-3ff84999.idx 249 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\1.class-3ddae07c-3ff84999.class 512 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Time.class-7e0a00da-21dee5a0.idx 347 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Time.class-7e0a00da-21dee5a0.class 3.08KB
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\TimeAndDateFormatter.class-30f0535f-2c37b847.idx 363 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\TimeAndDateFormatter.class-30f0535f-2c37b847.class 2.10KB
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\tfg_applet.class-66d631e2-243c529e.idx 353 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\tfg_applet.class-66d631e2-243c529e.class 5.85KB
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\acn-background.gif-1e7f2522-24da758d.idx 311 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\acn-background.gif-1e7f2522-24da758d.gif 63 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\sourire.gif-b34464e-7f568144.idx 309 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\sourire.gif-b34464e-7f568144.gif 123 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\langue.gif-7fdf3a5d-299da162.idx 308 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\langue.gif-7fdf3a5d-299da162.gif 125 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\clin-oeuil.gif-546d8162-6b8f90d6.idx 312 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\clin-oeuil.gif-546d8162-6b8f90d6.gif 123 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\content.gif-25337c04-54e0263e.idx 309 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\content.gif-25337c04-54e0263e.gif 123 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\OH-3.gif-278efc9e-446fbe25.idx 306 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\OH-3.gif-278efc9e-446fbe25.gif 128 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\triste.gif-6c663078-14ebaa91.idx 308 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\triste.gif-6c663078-14ebaa91.gif 125 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\pleure.gif-6883e3be-50fe0648.idx 308 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\pleure.gif-6883e3be-50fe0648.gif 132 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\bong.au-5572600a-5d43cc1e.idx 254 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\bong.au-5572600a-5d43cc1e.au 12.20KB
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\moo.au-4631e15b-1e3ff623.idx 252 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\moo.au-4631e15b-1e3ff623.au 8.66KB
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\music.au-30e94443-24d23d2c.idx 255 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\music.au-30e94443-24d23d2c.au 46.95KB
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\whistle.au-29dfb0f6-115301a0.idx 257 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\whistle.au-29dfb0f6-115301a0.au 12.33KB
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\msg.au-46669c67-4c85907f.idx 252 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\msg.au-46669c67-4c85907f.au 7.39KB
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\gong.au-5df1884f-14dac22b.idx 254 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\gong.au-5df1884f-14dac22b.au 41.08KB
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\horn.au-1313502d-6b3ded2a.idx 254 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\horn.au-1313502d-6b3ded2a.au 23.80KB
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\banner_blue.jpg-6ba156eb-7f575775.idx 255 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\banner_blue.jpg-6ba156eb-7f575775.jpg 8.60KB
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\noway.au-6f3769f7-3683970e.idx 249 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\noway.au-6f3769f7-3683970e.au 6.20KB
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\a01.gif-abfa8e3-619be477.idx 246 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\a01.gif-abfa8e3-619be477.gif 1.57KB
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\a02.gif-acdc064-5049a07a.idx 246 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\a02.gif-acdc064-5049a07a.gif 1.03KB
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\a03.gif-adbd7e5-79b50c26.idx 245 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\a03.gif-adbd7e5-79b50c26.gif 947 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\a04.gif-ae9ef66-14a81bfa.idx 245 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\a04.gif-ae9ef66-14a81bfa.gif 925 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\yahoo.au-68752605-609f23d6.idx 249 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\yahoo.au-68752605-609f23d6.au 7.65KB
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\a05.gif-af806e7-3230f760.idx 245 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\a05.gif-af806e7-3230f760.gif 992 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\a06.gif-b061e68-311a4586.idx 245 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\a06.gif-b061e68-311a4586.gif 849 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\a07.gif-b1435e9-65dd934e.idx 245 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\a07.gif-b1435e9-65dd934e.gif 435 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\a08.gif-b224d6a-2f39fd5b.idx 246 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\a08.gif-b224d6a-2f39fd5b.gif 1.33KB
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\yell.au-5e20d2c1-1475a21d.idx 248 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\yell.au-5e20d2c1-1475a21d.au 9.57KB
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\a09.gif-b3064eb-7b8409ce.idx 246 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\a09.gif-b3064eb-7b8409ce.gif 1.01KB
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\a10.gif-c666a01-6735349b.idx 246 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\a10.gif-c666a01-6735349b.gif 1.34KB
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\a11.gif-c748182-671b5ce9.idx 245 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\a11.gif-c748182-671b5ce9.gif 847 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\a12.gif-c829903-1ed4c61e.idx 245 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\a12.gif-c829903-1ed4c61e.gif 892 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\ding1.au-13de7a72-17d62639.idx 249 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\ding1.au-13de7a72-17d62639.au 9.34KB
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\01tongue.gif-260f79fe-56890d05.idx 251 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\01tongue.gif-260f79fe-56890d05.gif 1.46KB
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\02cry.gif-2621f769-489925f7.idx 247 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\02cry.gif-2621f769-489925f7.gif 442 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\03sad.gif-3e3c8834-33d8e6ce.idx 247 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\03sad.gif-3e3c8834-33d8e6ce.gif 446 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\04smile.gif-7a436345-4999c290.idx 249 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\04smile.gif-7a436345-4999c290.gif 384 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\hi.au-72e4102c-64efc5f2.idx 246 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\hi.au-72e4102c-64efc5f2.au 3.49KB
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\05cross.gif-7bc85d9c-69e5de9c.idx 249 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\05cross.gif-7bc85d9c-69e5de9c.gif 447 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\06huh.gif-5254cd76-72d8b493.idx 248 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\06huh.gif-5254cd76-72d8b493.gif 1.37KB
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\07blur.gif-379e5b27-5970f3fc.idx 249 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\07blur.gif-379e5b27-5970f3fc.gif 1.42KB
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\08black.gif-54c3b138-1e269aa0.idx 249 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\08black.gif-54c3b138-1e269aa0.gif 527 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\drumroll.au-6cbe91ca-22e49f27.idx 253 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\drumroll.au-6cbe91ca-22e49f27.au 10.12KB
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\09wink.gif-3a98a4d1-74a0229f.idx 248 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\09wink.gif-3a98a4d1-74a0229f.gif 378 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\10puzzled.gif-152a5a28-60d7ea14.idx 251 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\10puzzled.gif-152a5a28-60d7ea14.gif 394 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\11laugh.gif-384b71a2-15220486.idx 249 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\11laugh.gif-384b71a2-15220486.gif 505 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\12blush.gif-6d0fa1c0-3ed29f55.idx 249 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\12blush.gif-6d0fa1c0-3ed29f55.gif 377 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\throat.au-4faa0a9-38b51498.idx 250 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\throat.au-4faa0a9-38b51498.au 5.75KB
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\beep.au-1d10acdf-78aae645.idx 249 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\beep.au-1d10acdf-78aae645.au 17.17KB
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\closedr.au-313104ff-3b035545.idx 251 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\closedr.au-313104ff-3b035545.au 5.25KB
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\opendr.au-2d715f75-47274102.idx 250 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\opendr.au-2d715f75-47274102.au 6.40KB
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\clin-oeuil.gif-63bd2fcc-36ccc334.idx 269 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\clin-oeuil.gif-63bd2fcc-36ccc334.gif 123 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\sourire.gif-72a002e4-474fca18.idx 266 bytes
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\sourire.gif-72a002e4-474fca18.gif 123 bytes
C:\Program Files\Microsoft AntiSpyware\errors.log 13.28KB
C:\Program Files\Microsoft AntiSpyware\cleaner.log 18.20KB
------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 8:03:27 PM, on 20/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Ewido\Security Suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\3web\system\launcher.exe
C:\Program Files\3web\system\cydial95.exe
C:\Program Files\CCleaner\ccleaner.exe
C:\Documents and Settings\Ben\Desktop\Freeware\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CM-SmWizard] C:\WINDOWS\System\SmWizard.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1AAF0FA-69AB-4EF0-80EF-F51FB94F5B29}: NameServer = 209.195.95.95 209.197.128.2
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\Ewido\Security Suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
ihatemalware
Regular Member
 
Posts: 21
Joined: September 2nd, 2005, 3:55 pm

Unread postby askey127 » September 20th, 2005, 9:08 pm

ihatemalware,

We are just about done. Your log looks better.
I see you have installed Limewire. I would suggest removing it. It has a history of purveying adware. Maybe you don't want to come back here so soon. If you MUST do file sharing, please look at the P2P info site below, and use a "safe" site.
Of course, the site is only part of it. The transfer of undocumented files means you are likely to get infections on a regular basis.

Removing LimeWire
To properly remove LimeWire you should use the uninstaller that comes with the program.
1. Open the LimeWire folder (C:\Program Files\Limewire).
2. Double click on the folder UninstallerData.
3. Double click on the Uninstall LimeWire 18c icon.
4. Follow the instructions on the screen to remove the program.

Please note that as long as you're using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation. Additional information on the safety of Peer to Peer Networks is here: http://www.spywareinfo.com/articles/p2p/ (from NonSuch)
-----------------------------------------------------------
If you open CCleaner, then click on the Tools button on the left, then click "Uninstall", it brings up the list of installed programs.
If you then click on the button in the lower right labeled "Save as Text file", and exit, you will find a file called "install.txt" in the CCleaner folder. It is usually installed in C:\Program Files\CCleaner\

Would you paste the contents of THAT file into a reply, along with a final (I hope) HJT log?
Thanks
askey127
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
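Added here as an example, not code from this thread or from HijackThis: a small parser that reads two HijackThis logs like the ones posted above, reports what changed between scans, and lists the lines a helper would double-check first. The two embedded logs are constructed excerpts of the 20/09 and 21/09 logs; the trusted-directory list is an assumption for this particular machine.

```python
"""Parse and compare HijackThis v1.99.1 logs of the kind posted in this thread."""
import re
from dataclasses import dataclass, field

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")

# Assumed for this machine: where its legitimate programs live (C:\ and D:\ in
# the logs above). Anything else is a prompt to look closer, not a verdict;
# HijackThis itself runs from the user's Desktop in this thread.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\",
                    "d:\\program files\\", "c:\\progra~1\\")
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\")

# Constructed excerpts of the 20/09/2005 and 21/09/2005 logs posted above.
LOG_20SEP = r"""Logfile of HijackThis v1.99.1
Scan saved at 8:03:27 PM, on 20/09/2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\CCleaner\ccleaner.exe
C:\Documents and Settings\Ben\Desktop\Freeware\HijackThis.exe

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1AAF0FA-69AB-4EF0-80EF-F51FB94F5B29}: NameServer = 209.195.95.95 209.197.128.2
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\Ewido\Security Suite\ewidoctrl.exe
"""

LOG_21SEP = r"""Logfile of HijackThis v1.99.1
Scan saved at 5:21:20 PM, on 21/09/2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Ben\Desktop\Freeware\HijackThis.exe

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1AAF0FA-69AB-4EF0-80EF-F51FB94F5B29}: NameServer = 209.195.95.95 209.197.128.2
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\Ewido\Security Suite\ewidoctrl.exe
"""

@dataclass
class HjtLog:
    scan_time: str = ""
    processes: list = field(default_factory=list)
    entries: dict = field(default_factory=dict)   # "O4" -> [entry text, ...]

def parse_hjt(text):
    """Split a HijackThis log into scan time, running processes and O-entries."""
    log = HjtLog()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # a blank line ends the process list
            in_processes = False
            continue
        if line.startswith("Scan saved at "):
            log.scan_time = line[len("Scan saved at "):]
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            log.processes.append(line)
        else:
            m = ENTRY_RE.match(line)
            if m:
                log.entries.setdefault(m.group(1), []).append(m.group(2))
    return log

def flat_entries(log):
    return {f"{code} - {text}" for code, texts in log.entries.items() for text in texts}

def diff_logs(old, new):
    """What changed between two scans: the question a helper answers on each reply."""
    return {
        "processes_gone": sorted(set(old.processes) - set(new.processes)),
        "processes_new": sorted(set(new.processes) - set(old.processes)),
        "entries_gone": sorted(flat_entries(old) - flat_entries(new)),
        "entries_new": sorted(flat_entries(new) - flat_entries(old)),
    }

def review_items(log):
    """Lines to check by hand first; this orders the work, it does not judge."""
    items = []
    for proc in log.processes:
        if "?" in proc:                   # HJT prints non-ANSI path characters as '?'
            items.append(f"unprintable characters in path: {proc}")
        elif not proc.lower().startswith(TRUSTED_PREFIXES):
            items.append(f"process outside the usual program directories: {proc}")
    for entry in log.entries.get("O4", []):
        if any(marker in entry.lower() for marker in USER_WRITABLE):
            items.append(f"O4 autostart from a user-writable location: {entry}")
    for entry in log.entries.get("O17", []):
        m = re.search(r"NameServer = (.+)$", entry)
        if m:
            items.append(f"O17 DNS servers to confirm with the ISP: {m.group(1)}")
    return items
```

Running `diff_logs(parse_hjt(LOG_20SEP), parse_hjt(LOG_21SEP))` shows LimeWire.exe and ccleaner.exe gone from the process list and no autostart or service entries changed, which is what "your log looks better" means in practice.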

Unread postby ihatemalware » September 21st, 2005, 5:25 pm

Logfile of HijackThis v1.99.1
Scan saved at 5:21:20 PM, on 21/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Ewido\Security Suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\3web\system\launcher.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\3web\system\cydial95.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\pcclient.exe
D:\Program Files\Office\WINWORD.EXE
C:\PROGRA~1\TRENDM~1\INTERN~2\TmoAgent.exe
C:\Documents and Settings\Ben\Desktop\Freeware\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CM-SmWizard] C:\WINDOWS\System\SmWizard.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1AAF0FA-69AB-4EF0-80EF-F51FB94F5B29}: NameServer = 209.195.95.95 209.197.128.2
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\Ewido\Security Suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe



Programs... I recognize everything except for OIN; if you could inform me...

3web 2.9
Ad-aware 6 Personal
Adobe Download Manager 1.2 (Remove Only)
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 6.0.1
C-Media WDM Audio Driver
CCleaner (remove only)
CleanUp!
Creative WebCam Control
Creative WebCam Driver (1.02.08.0807)
ewido security suite
HijackThis 1.99.1
J2SE Runtime Environment 5.0 Update 2
Java 2 Runtime Environment, SE v1.4.1_01
LimeWire 4.9.30
Macromedia Shockwave Player
Microsoft AntiSpyware
Microsoft Data Access Components KB870669
Microsoft Office 2000 Professional
MSN Messenger 7.0
Nero Media Player
Nero OEM
Network Play System (Patching)
NVIDIA Display Driver
OIN
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB901214)
Spybot - Search & Destroy 1.4
Trend Micro PC-cillin Internet Security 2005
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
WebCam Monitor
Windows Installer 3.1 (KB893803)
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
ihatemalware
Regular Member
 
Posts: 21
Joined: September 2nd, 2005, 3:55 pm