Hijack this log

adlamb · Jan 2, 2007

I love the way knowledgeable types come to the assistance of the uneducated with problems like this. Thanks in advance.
Andrew

Logfile of HijackThis v1.99.1
Scan saved at 19:24:59, on 02/01/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\AVG7\avgamsvr.exe
C:\PROGRA~1\AVG7\avgupsvc.exe
C:\Program Files\Bluetooth Dongle\BTNtService.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\MATLAB\webserver\bin\win32\matlabserver.exe
C:\WINDOWS\System32\niSvcLoc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\G-VGA.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Karen's Replicator\PTReplicator.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\Rar$EX00.360\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VGAUtil] C:\WINDOWS\System32\G-VGA.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\mawghfmy.dll",setvm
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Replicator.LNK = C:\Program Files\Karen's Replicator\PTReplicator.exe
O4 - Startup: Speed Fan.lnk = C:\Program Files\SpeedFan\speedfan.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128292154203
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://212.159.113.37:1206/tsweb/msrdp.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANSYS FLEXlm license manager - Macrovision Corporation - C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgupsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\pcAnywhere\awhost32.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\Bluetooth Dongle\BTNtService.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB\webserver\bin\win32\matlabserver.exe
O23 - Service: NILM License manager - Macrovision Corporation - C:\Program Files\Macromedia\Dreamweaver MX\Configuration\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments - C:\WINDOWS\System32\niSvcLoc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Cheeseball81 · Jan 2, 2007

Download WinPFind

Right Click the Zip Folder and Select "Extract All"
Extract it somewhere you will remember like the Desktop
Dont do anything with it yet!

Click here for info on how to boot to safe mode if you don't already know how.

Reboot into Safe Mode.

Double click WinPFind.exe

Click "Start Scan"
It will scan the entire System, so please be patient and let it complete.

Reboot back to Normal Mode!

Go to the WinPFind folder
Locate WinPFind.txt
Copy and paste WinPFind.txt in your next post here please.

adlamb · Jan 5, 2007

All completed. Dead easy.

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Logfile created on: 05/01/2007 00:03:14
WinPFind v1.5.0 Folder = C:\Documents and Settings\Andrew Lamb\My Documents\WinPFind\WinPFind\
Microsoft Windows XP Service Pack 1 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2800.1106)

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 24/07/2006 00:38:26 26112 C:\WINDOWS\nircmd.exe (NirSoft)
UPX! 24/07/2006 00:39:12 25088 C:\WINDOWS\nircmdc.exe (NirSoft)

Checking %System% folder...
WSUD 15/08/2003 07:37:10 10435072 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL (Realtek Semiconductor Corp.)
PEC2 23/08/2001 12:00:00 41397 C:\WINDOWS\SYSTEM32\dfrg.msc ()
aspack 05/09/2006 10:01:14 1212928 C:\WINDOWS\SYSTEM32\Incinerator.dll ()
PTech 12/07/2005 17:04:22 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll (Microsoft® Corporation)
UPX! 18/12/2006 08:32:00 118804 C:\WINDOWS\SYSTEM32\mawghfmy.dll ()
PECompact2 07/12/2006 23:13:44 10716584 C:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)
aspack 07/12/2006 23:13:44 10716584 C:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)
WSUD 23/08/2001 12:00:00 1135616 C:\WINDOWS\SYSTEM32\ntbackup.exe (Microsoft Corporation)
WSUD 23/08/2001 12:00:00 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
UPX! 18/12/2006 08:32:06 44052 C:\WINDOWS\SYSTEM32\qrndfrcu.dll ()
Umonitor 29/08/2002 03:41:10 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll (Microsoft Corporation)
UPX! 19/12/2004 23:00:00 111104 C:\WINDOWS\SYSTEM32\Uharc.exe ()
winsync 23/08/2001 12:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu ()

Checking %System%\Drivers folder and sub-folders...
UPX! 14/11/2006 14:07:28 816672 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys (GRISOFT, s.r.o.)
FSG! 14/11/2006 14:07:28 816672 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys (GRISOFT, s.r.o.)
PEC2 14/11/2006 14:07:28 816672 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys (GRISOFT, s.r.o.)
aspack 14/11/2006 14:07:28 816672 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys (GRISOFT, s.r.o.)
PEC2 05/11/2004 10:39:08 82148 C:\WINDOWS\SYSTEM32\drivers\VcommMgr.sys (IVT Corporation)

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
05/01/2007 00:00:54 S 2048 C:\WINDOWS\bootstat.dat ()
08/12/2006 09:41:58 H 54156 C:\WINDOWS\QTFont.qfn ()
26/11/2006 22:22:04 HS 622351 C:\WINDOWS\assembly\GAC\IIEHost\ssycr.bak1 ()
19/12/2006 08:36:06 HS 807085 C:\WINDOWS\assembly\GAC\IIEHost\ssycr.bak2 ()
05/01/2007 00:06:54 HS 823495 C:\WINDOWS\assembly\GAC\IIEHost\ssycr.ini ()
04/01/2007 01:36:48 HS 836901 C:\WINDOWS\assembly\GAC\IIEHost\ssycr.ini2 ()
14/11/2006 10:21:30 H 0 C:\WINDOWS\LastGood\INF\Iesetup.inf ()
14/11/2006 10:21:30 H 0 C:\WINDOWS\LastGood\INF\Iesetup.PNF ()
14/11/2006 10:21:30 H 0 C:\WINDOWS\LastGood\INF\oem76.inf ()
14/11/2006 10:21:30 H 0 C:\WINDOWS\LastGood\INF\oem76.PNF ()
04/12/2006 15:29:02 H 0 C:\WINDOWS\LastGood\INF\oem77.inf ()
04/12/2006 15:29:02 H 0 C:\WINDOWS\LastGood\INF\oem77.PNF ()
06/12/2006 14:19:28 H 0 C:\WINDOWS\LastGood\INF\oem78.inf ()
06/12/2006 14:19:28 H 0 C:\WINDOWS\LastGood\INF\oem78.PNF ()
06/12/2006 14:19:46 H 0 C:\WINDOWS\LastGood\INF\oem79.inf ()
06/12/2006 14:19:46 H 0 C:\WINDOWS\LastGood\INF\oem79.PNF ()
08/12/2006 12:11:22 H 0 C:\WINDOWS\LastGood\INF\oem80.inf ()
08/12/2006 12:11:22 H 0 C:\WINDOWS\LastGood\INF\oem80.PNF ()
11/11/2006 09:04:02 HS 6144 C:\WINDOWS\Resources\Themes\Windows Vista Visual Style\Wallpaper\Thumbs.db ()
14/11/2006 10:46:12 HS 19968 C:\WINDOWS\SideBar\sidebar\slide\Thumbs.db ()
04/01/2007 23:55:06 H 35865 C:\WINDOWS\system32\vsconfig.xml ()
04/01/2007 23:55:10 HS 2146 C:\WINDOWS\system32\ymfhgwam.ini ()
05/01/2007 00:00:52 H 8192 C:\WINDOWS\system32\config\default.LOG ()
05/01/2007 00:01:10 H 1024 C:\WINDOWS\system32\config\SAM.LOG ()
05/01/2007 00:00:56 H 16384 C:\WINDOWS\system32\config\SECURITY.LOG ()
05/01/2007 00:02:06 H 1024 C:\WINDOWS\system32\config\software.LOG ()
05/01/2007 00:01:16 H 1024 C:\WINDOWS\system32\config\system.LOG ()
18/12/2006 11:39:00 H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG ()
11/11/2006 00:41:38 H 262144 C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat ()
11/11/2006 00:41:24 H 1024 C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG ()
26/12/2006 08:36:18 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\50f91f2a-8840-4c5e-9bf6-3f75df95769c ()
26/12/2006 08:36:18 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred ()
04/01/2007 23:57:20 H 6 C:\WINDOWS\Tasks\SA.DAT ()

Checking for CPL files...
23/08/2001 12:00:00 66048 C:\WINDOWS\SYSTEM32\access.cpl (Microsoft Corporation)
15/08/2003 07:37:10 10435072 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL (Realtek Semiconductor Corp.)
29/08/2002 03:41:28 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl (Microsoft Corporation)
29/08/2002 03:41:28 129024 C:\WINDOWS\SYSTEM32\desk.cpl (Microsoft Corporation)
23/08/2001 12:00:00 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl (Microsoft Corporation)
29/08/2002 03:41:28 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl (Microsoft Corporation)
29/08/2002 03:41:28 121856 C:\WINDOWS\SYSTEM32\intl.cpl (Microsoft Corporation)
17/08/2001 22:37:02 48128 C:\WINDOWS\SYSTEM32\irprops.cpl (Microsoft Corporation)
29/08/2002 03:41:28 65536 C:\WINDOWS\SYSTEM32\joy.cpl (Microsoft Corporation)
03/06/2004 22:05:06 61555 C:\WINDOWS\SYSTEM32\jpicpl32.cpl (Sun Microsystems)
04/09/2004 06:45:56 172032 C:\WINDOWS\SYSTEM32\LClock.cpl ()
23/08/2001 12:00:00 161792 C:\WINDOWS\SYSTEM32\main.cpl (Microsoft Corporation)
23/08/2001 12:00:00 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl (Microsoft Corporation)
23/08/2001 12:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl (Microsoft Corporation)
23/08/2001 12:00:00 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
22/10/2006 12:22:00 69632 C:\WINDOWS\SYSTEM32\nvcpl.cpl (NVIDIA Corporation)
22/10/2006 12:22:00 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl ()
23/08/2001 12:00:00 36864 C:\WINDOWS\SYSTEM32\nwc.cpl (Microsoft Corporation)
23/08/2001 12:00:00 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl (Microsoft Corporation)
14/02/2003 01:34:12 205472 C:\WINDOWS\SYSTEM32\plotman.cpl (Autodesk, Inc.)
23/08/2001 12:00:00 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl (Microsoft Corporation)
23/09/2004 18:57:40 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl (Apple Computer, Inc.)
14/02/2003 01:34:14 205472 C:\WINDOWS\SYSTEM32\styleman.cpl (Autodesk, Inc.)
29/08/2002 03:41:28 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl (Microsoft Corporation)
23/08/2001 12:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl (Microsoft Corporation)
23/08/2001 12:00:00 90112 C:\WINDOWS\SYSTEM32\timedate.cpl (Microsoft Corporation)
26/05/2005 03:16:30 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl (Microsoft Corporation)
23/08/2001 12:00:00 161792 C:\WINDOWS\SYSTEM32\dllcache\main.cpl (Microsoft Corporation)
23/08/2001 12:00:00 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl (Microsoft Corporation)
23/08/2001 12:00:00 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl (Microsoft Corporation)
20/01/2005 02:11:46 R 73728 C:\WINDOWS\SYSTEM32\drivers\SCBaud.cpl (Socket Communications Inc.)
23/08/2001 12:00:00 187904 C:\WINDOWS\SYSTEM32\VITrans\main.cpl (Microsoft Corporation)
23/08/2001 12:00:00 256000 C:\WINDOWS\SYSTEM32\VITrans\nusrmgr.cpl (Microsoft Corporation)
23/08/2001 12:00:00 90112 C:\WINDOWS\SYSTEM32\VITrans\timedate.cpl (Microsoft Corporation)

Checking for Downloaded Program Files...
{00B71CFB-6864-4346-A978-C0A14556272C} - Checkers Class - CodeBase = http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
{2917297F-F02B-4B9D-81DF-494B6333150B} - Minesweeper Flags Class - CodeBase = http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
{6414512B-B978-451D-A0D8-FCFDF33E833C} - WUWebControl Class - CodeBase = http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128292154203
{8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - MessengerStatsClient Class - CodeBase = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
{9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} - Microsoft RDP Client Control (redist) - CodeBase = http://212.159.113.37:1206/tsweb/msrdp.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} - - CodeBase = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Microsoft XML Parser for Java - - CodeBase =

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
15/12/2004 08:53:48 HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()

Checking files in %ALLUSERSPROFILE%\Application Data folder...
15/12/2004 08:43:06 HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini ()
28/12/2005 17:36:46 2849 C:\Documents and Settings\All Users\Application Data\hpzinstall.log ()

Checking files in %USERPROFILE%\Startup folder...
15/12/2004 08:53:48 HS 84 C:\Documents and Settings\Andrew Lamb\Start Menu\Programs\Startup\desktop.ini ()
04/01/2005 11:42:54 806 C:\Documents and Settings\Andrew Lamb\Start Menu\Programs\Startup\Replicator.LNK ()
17/04/2005 20:24:52 662 C:\Documents and Settings\Andrew Lamb\Start Menu\Programs\Startup\Speed Fan.lnk ()

Checking files in %USERPROFILE%\Application Data folder...
07/03/2006 14:09:40 1061 C:\Documents and Settings\Andrew Lamb\Application Data\AdobeDLM.log ()
15/12/2004 08:43:06 HS 62 C:\Documents and Settings\Andrew Lamb\Application Data\desktop.ini ()
04/12/2005 13:36:04 0 C:\Documents and Settings\Andrew Lamb\Application Data\dm.ini ()

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

>>> Internet Explorer Settings <<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
\\Search Page - http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
\\Default_Page_URL - http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
\\Default_Search_URL - http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://www.google.co.uk/
\\Search Page - http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
\\CustomizeSearch - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
\\SearchAssistant - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Microsoft Url Search Hook = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

>>> BHO's <<<
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - Adobe PDF Reader Link Helper = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
\{241A673E-413A-4CFB-9145-ABC4251545CC} - = C:\WINDOWS\assembly\GAC\IIEHost\rcyss.dll ()
\{3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - = C:\WINDOWS\System32\qrndfrcu.dll ()
\{A37CF33A-41C0-424A-B7B8-882DA07431CF} - = C:\WINDOWS\assembly\GAC\IIEHost\rcyss.dll ()
\{BDC28B5A-63A1-4B6D-A962-6D444AEB5A56} - = C:\WINDOWS\System32\kfnekjis.dll ()
\{C79A6DCB-557C-4BEE-BD98-717EFCCD1A7d} - = C:\WINDOWS\System32\kfnekjis.dll ()

>>> Internet Explorer Bars, Toolbars and Extensions <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
\{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
\{32683183-48a0-441b-a342-7c2a440a9478} - Media Band = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1} - File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\{EFA24E64-B078-11D0-89E4-00C04FC9E26E} - Explorer Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
\\{8E718888-423F-11D2-876E-00A0C9082467} - &Radio = C:\WINDOWS\System32\msdxm.ocx ()

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
\ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\CmdMapping]
\\NEXTID - 8195
\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} - 8193 =
\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - 8194 = Sun Java Console

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = C:\WINDOWS\System32\msjava.dll (Microsoft Corporation)
\{92780B25-18CC-41C8-B9BE-3C9C571A8263} - ButtonText: Research =

>>> Approved Shell Extensions (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
\\{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = deskpan.dll ()
\\{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = ()
\\{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = ()
\\{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINDOWS\System32\hticons.dll (Hilgraeve, Inc.)
\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Taskbar and Start Menu = ()
\\{7A9D77BD-5403-11d2-8785-2E0420524153} - User Accounts = ()
\\{1CDB2949-8F65-4355-8456-263E7C208A5D} - Desktop Explorer = C:\WINDOWS\System32\nvshell.dll ()
\\{1E9B04FB-F9E5-4718-997B-B8DA88302A47} - Desktop Explorer Menu = C:\WINDOWS\System32\nvshell.dll ()
\\{1E9B04FB-F9E5-4718-997B-B8DA88302A48} - nView Desktop Context Menu = C:\WINDOWS\System32\nvshell.dll ()
\\{B41DB860-8EE4-11D2-9906-E49FADC173CA} - WinRAR shell extension = C:\Program Files\WinRAR\rarext.dll ()
\\{506F4668-F13E-4AA1-BB04-B43203AB3CC0} - {506F4668-F13E-4AA1-BB04-B43203AB3CC0} = C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL ()
\\{D66DC78C-4F61-447F-942B-3FB6980118CF} - {D66DC78C-4F61-447F-942B-3FB6980118CF} = C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL ()
\\{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} - iTunes = C:\Program Files\iTunes\iTunesMiniPlayer.dll (Apple Computer, Inc.)
\\{32020A01-506E-484D-A2A8-BE3CF17601C3} - AlcoholShellEx = C:\PROGRA~1\Alcohol\ALCOHO~1\AXShlEx.dll (Alcohol Soft Development Team)
\\{36A21736-36C2-4C11-8ACB-D4136F2B57BD} - AutoCAD Digital Signatures Icon Overlay Handler = C:\WINDOWS\System32\AcSignIcon.dll (Autodesk)
\\{AC1DB655-4F9A-4c39-8AD2-A65324A4C446} - Autodesk Drawing Preview = C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll (Autodesk)
\\{A70C977A-BF00-412C-90B7-034C51DA2439} - NvCpl DesktopContext Class = C:\WINDOWS\System32\nvcpl.dll (NVIDIA Corporation)
\\{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} - Shell Extensions for RealOne Player = C:\Program Files\RealPlayer\rpshell.dll (RealNetworks, Inc.)
\\{51A881ED-45AD-414f-B513-C4FED5420BD8} - Nokia Phone Browser Common View = ()
\\{51A881ED-45AD-414f-B513-C4FED5420BD8} - Nokia Phone Browser Common View = C:\Program Files\Nokia PC Suite 5\CommonView.dll (Nokia)HKCU CLSID)
\\{40950107-FEA6-4d53-A65F-B2DCBA57DD58} - Nokia Phone Browser = C:\Program Files\Nokia PC Suite 5\NokiaPhoneBrowser.dll (Nokia)
\\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} - AVG7 Shell Extension = C:\Program Files\AVG7\avgse.dll (GRISOFT, s.r.o.)
\\{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} - AVG7 Find Extension = C:\Program Files\AVG7\avgse.dll (GRISOFT, s.r.o.)
\\{99F3B825-BDAB-4231-8EDB-5A369C2A2F80} - .LLB File Viewer and Icon Handler = C:\Program Files\Macromedia\Dreamweaver MX\Configuration\Shared\LabVIEW Run-Time\7.0\LVShellExt.dll (National Instruments)
\\ - = ()
\\{5EB5D616-DC17-4f5c-BB4F-73D99A0C7C32} - ScanSoft PDF Converter 3.0 Shell Extension = C:\Program Files\OmniPage15.0\PDFConverter3\ShellExt30.dll (ScanSoft, Inc.)
\\{FFB699E0-306A-11d3-8BD1-00104B6F7516} - Play on my TV helper = C:\WINDOWS\System32\nvcpl.dll (NVIDIA Corporation)
\\{6ff26905-5466-4722-a301-08e22f780280} - eFax Messenger - Shell Extension = C:\Program Files\eFax Messenger 4.2\J2GShell.dll (j2 Global Communications, Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

>>> Context Menu Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers]
\AVG7 Shell Extension - {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\AVG7\avgse.dll (GRISOFT, s.r.o.)
\HotShellExt_40 - {6FF26905-5466-4722-A301-08E22F780280} = C:\Program Files\eFax Messenger 4.2\J2GShell.dll (j2 Global Communications, Inc.)
\MyPhoneExplorer - {2D30AAA2-9084-4686-B8B9-B9B62EEFFD4E} = C:\Program Files\MyPhoneExplorer\DLL\ShellMgr.dll (F.J. Wechselberger)
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ()
\Zeon.ShellExt - {B8E8494C-9300-48AC-BD8E-EDED185E5A04} = C:\Program Files\OmniPage15.0\PDFCreate3\PDF Create! 3\Plugin\ZnShellExt.dll (ScanSoft, Inc.)

[HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers]
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ()

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers]
\00nView - {1E9B04FB-F9E5-4718-997B-B8DA88302A48} = C:\WINDOWS\System32\nvshell.dll ()
\NvCplDesktopContext - {A70C977A-BF00-412C-90B7-034C51DA2439} = C:\WINDOWS\System32\nvcpl.dll (NVIDIA Corporation)
\nView - {1E9B04FB-F9E5-4718-997B-B8DA88302A48} = C:\WINDOWS\System32\nvshell.dll ()

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers]
\AVG7 Shell Extension - {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\AVG7\avgse.dll (GRISOFT, s.r.o.)
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ()

>>> Column Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
\{F9DB5320-233E-11D1-9F84-707F02C10627} - PDF Column Info = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll (Adobe Systems, Inc.)

>>> Registry Run Keys <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SoundMan - C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
NvCplDaemon - RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll ()
nwiz - C:\WINDOWS\SYSTEM32\nwiz.exe ()
VGAUtil - C:\WINDOWS\System32\G-VGA.exe ()
NeroFilterCheck - C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
Zone Labs Client - C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Zone Labs, LLC)
NvMediaCenter - RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll ()
QuickTime Task - C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)
eFax 4.2 - C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe (j2 Global Communications, Inc.)
DllRunning - rundll32.exe "C:\WINDOWS\System32\mawghfmy.dll ()
MSConfig - C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe - C:\WINDOWS\System32\ctfmon.exe (Microsoft Corporation)
MSMSGS - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

>>> Startup Links <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Common Startup]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Startup]
C:\Documents and Settings\Andrew Lamb\Start Menu\Programs\Startup\desktop.ini ()
C:\Documents and Settings\Andrew Lamb\Start Menu\Programs\Startup\Replicator.LNK - C:\Program Files\Karen's Replicator\PTReplicator.exe (Karen Kenworthy)
C:\Documents and Settings\Andrew Lamb\Start Menu\Programs\Startup\Speed Fan.lnk - C:\Program Files\SpeedFan\speedfan.exe (Almico Software (www.almico.com))

>>> MSConfig Disabled Items <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 2
services 0
startup 0

[All Users Startup Folder Disabled Items]

[Current User Startup Folder Disabled Items]

>>> User Agent Post Platform <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

adlamb · Jan 5, 2007

>>> AppInit Dll's <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs]

>>> Image File Execution Options <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
\Your Image File Name Here without a path - Debugger = ntsd -d

>>> Shell Service Object Delay Load <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
\\PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll (Microsoft Corporation)
\\SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll (Microsoft Corporation)

>>> Shell Execute Hooks <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation)

>>> Shared Task Scheduler <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
\\{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\\{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)

>>> Winlogon <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
\\UserInit = C:\WINDOWS\system32\userinit.exe,
\\Shell = Explorer.exe
\\System =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
\crypt32chain - crypt32.dll = (Microsoft Corporation)
\cryptnet - cryptnet.dll = (Microsoft Corporation)
\cscdll - cscdll.dll = (Microsoft Corporation)
\PCANotify - PCANotify.dll = (Symantec Corporation)
\rcyss - C:\WINDOWS\assembly\GAC\IIEHost\rcyss.dll = ()
\ScCertProp - wlnotify.dll = (Microsoft Corporation)
\Schedule - wlnotify.dll = (Microsoft Corporation)
\sclgntfy - sclgntfy.dll = (Microsoft Corporation)
\SensLogn - WlNotify.dll = (Microsoft Corporation)
\termsrv - wlnotify.dll = (Microsoft Corporation)
\winepi32 - winepi32.dll = ()
\wlballoon - wlnotify.dll = (Microsoft Corporation)

>>> DNS Name Servers <<<
{16CFC9E7-63D4-41B4-AB44-67BA9BCF2065} - ()
{7FD6D2DE-7183-45C4-8EE7-27EB45F6E273} - ()
{8AD32376-BC8D-4566-A11D-59E7DA6774CB} - (Realtek RTL8139/810x Family Fast Ethernet NIC)
{E80A2FD9-04DE-4051-99AD-3334192BC4E0} - (Realtek RTL8139/810x Family Fast Ethernet NIC)

>>> All Winsock2 Catalogs <<<
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries]
\000000000001\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
\000000000002\\LibraryPath - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation)
\000000000003\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries]
\000000000001\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000002\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000003\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000004\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000005\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000006\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000007\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000008\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000009\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000010\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000011\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000012\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000013\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000014\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000015\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000016\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000017\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000018\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)

>>> Protocol Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler]
\ipp - ()
\msdaipp - ()
\vnd.ms.radio - C:\WINDOWS\System32\msdxm.ocx ()

>>> Protocol Filters (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter]

>>> Selected AddOn's <<<

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Cheeseball81 · Jan 5, 2007

1. Please download The Avenger by Swandog46 to your Desktop.

Click on Avenger.zip to open the file
Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\SYSTEM32\mawghfmy.dll
C:\WINDOWS\SYSTEM32\qrndfrcu.dll
C:\WINDOWS\system32\ymfhgwam.ini
C:\WINDOWS\System32\kfnekjis.dll
C:\WINDOWS\System32\winepi32.dll
C:\WINDOWS\assembly\GAC\IIEHost\rcyss.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avengers actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply.

adlamb · Jan 5, 2007

The process seemed to work ok:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ftbiwlin

*******************

Script file located at: \??\C:\WINDOWS\System32\bmefvatm.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\SYSTEM32\mawghfmy.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\qrndfrcu.dll deleted successfully.
File C:\WINDOWS\system32\ymfhgwam.ini deleted successfully.
File C:\WINDOWS\System32\kfnekjis.dll deleted successfully.

File C:\WINDOWS\System32\winepi32.dll not found!
Deletion of file C:\WINDOWS\System32\winepi32.dll failed!

Could not process line:
C:\WINDOWS\System32\winepi32.dll
Status: 0xc0000034

File C:\WINDOWS\assembly\GAC\IIEHost\rcyss.dll deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Cheeseball81 · Jan 5, 2007

Now post a new HJT log

adlamb · Jan 6, 2007

Things seem to have improved so far!.......

Logfile of HijackThis v1.99.1
Scan saved at 00:51:28, on 06/01/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\G-VGA.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Karen's Replicator\PTReplicator.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\AVG7\avgamsvr.exe
C:\PROGRA~1\AVG7\avgupsvc.exe
C:\Program Files\Bluetooth Dongle\BTNtService.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\MATLAB\webserver\bin\win32\matlabserver.exe
C:\WINDOWS\System32\niSvcLoc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\inetsrv\DavCData.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Andrew Lamb\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - C:\WINDOWS\System32\qrndfrcu.dll (file missing)
O2 - BHO: (no name) - {80A3B0F2-2072-4E60-B3F1-E46F83BEC414} - C:\WINDOWS\assembly\GAC\IIEHost\rcyss.dll (file missing)
O2 - BHO: (no name) - {BDC28B5A-63A1-4B6D-A962-6D444AEB5A56} - C:\WINDOWS\System32\kfnekjis.dll (file missing)
O2 - BHO: (no name) - {C79A6DCB-557C-4BEE-BD98-717EFCCD1A7d} - C:\WINDOWS\System32\kfnekjis.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VGAUtil] C:\WINDOWS\System32\G-VGA.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\mawghfmy.dll",setvm
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Replicator.LNK = C:\Program Files\Karen's Replicator\PTReplicator.exe
O4 - Startup: Speed Fan.lnk = C:\Program Files\SpeedFan\speedfan.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128292154203
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://212.159.113.37:1206/tsweb/msrdp.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: rcyss - C:\WINDOWS\assembly\GAC\IIEHost\rcyss.dll (file missing)
O20 - Winlogon Notify: winepi32 - winepi32.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANSYS FLEXlm license manager - Macrovision Corporation - C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgupsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\pcAnywhere\awhost32.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\Bluetooth Dongle\BTNtService.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB\webserver\bin\win32\matlabserver.exe
O23 - Service: NILM License manager - Macrovision Corporation - C:\Program Files\Macromedia\Dreamweaver MX\Configuration\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments - C:\WINDOWS\System32\niSvcLoc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Cheeseball81 · Jan 7, 2007

Rescan with Hijack This.
Close all browser windows except Hijack This.
Put a check mark beside these entries and click "Fix Checked".

O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - C:\WINDOWS\System32\qrndfrcu.dll (file missing)

O2 - BHO: (no name) - {80A3B0F2-2072-4E60-B3F1-E46F83BEC414} - C:\WINDOWS\assembly\GAC\IIEHost\rcyss.dll (file missing)

O2 - BHO: (no name) - {BDC28B5A-63A1-4B6D-A962-6D444AEB5A56} - C:\WINDOWS\System32\kfnekjis.dll (file missing)

O2 - BHO: (no name) - {C79A6DCB-557C-4BEE-BD98-717EFCCD1A7d} - C:\WINDOWS\System32\kfnekjis.dll (file missing)

O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\mawghfmy.dll",setvm

O20 - Winlogon Notify: rcyss - C:\WINDOWS\assembly\GAC\IIEHost\rcyss.dll (file missing)

O20 - Winlogon Notify: winepi32 - winepi32.dll (file missing)

Reboot, post a new log.

adlamb · Jan 8, 2007

Logfile of HijackThis v1.99.1
Scan saved at 02:43:08, on 08/01/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\G-VGA.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Karen's Replicator\PTReplicator.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\AVG7\avgamsvr.exe
C:\PROGRA~1\AVG7\avgupsvc.exe
C:\Program Files\Bluetooth Dongle\BTNtService.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\MATLAB\webserver\bin\win32\matlabserver.exe
C:\WINDOWS\System32\niSvcLoc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Andrew Lamb\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VGAUtil] C:\WINDOWS\System32\G-VGA.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Replicator.LNK = C:\Program Files\Karen's Replicator\PTReplicator.exe
O4 - Startup: Speed Fan.lnk = C:\Program Files\SpeedFan\speedfan.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128292154203
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://212.159.113.37:1206/tsweb/msrdp.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANSYS FLEXlm license manager - Macrovision Corporation - C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgupsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\pcAnywhere\awhost32.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\Bluetooth Dongle\BTNtService.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB\webserver\bin\win32\matlabserver.exe
O23 - Service: NILM License manager - Macrovision Corporation - C:\Program Files\Macromedia\Dreamweaver MX\Configuration\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments - C:\WINDOWS\System32\niSvcLoc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Cheeseball81 · Jan 8, 2007

How are things now?

adlamb · Feb 6, 2007

Sorry for the delay. Shortly after i was trying to sort my pc out, I moved to New Zealand and so was busy getting ready for that. Ive sorted out my internet connection here now and between then and now have not had the same problems with my computer. Thanks for all your help. The explorer problems have all gone and the system is much more reliable and stable. The only problem that I still have is the computer not shutting down all the time. It does it every time on the administrator account and more recently has been doing it every now and again on the other account. Do you have any ideas what this might be?

thanks

Andrew

Cheeseball81 · Feb 6, 2007

This may help: http://www.aumha.org/win5/a/shtdwnxp.php

Hijack this log

Top Contributors this Month