Avast's been hijacked, please help

Hi

Main problem is something keeps trying to access the internet using Windows Explorer, not Internet Explorer.

I've blocked it with Sygate, but I'm not sure, as when I boot up it puts in a reg key, which I remove:

Microsoft.WindowsSecurityCenter.FirewallBypass: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\explorer.exe

Which I found out about with Spybot.

Using Spyster, these are trying to access the internet.

Ones now accessing:
( 63.170.10.51:80 ) checkip.dyndns.org state SYN_SENT
(204.13.250.51:80) checkip.dyndns.org state SYN_SENT
(204.13.249.51:80) checkip.dyndns.org state SYN_SENT
(64.62.243.3:8081) 3.64-62-243.reverse.mccolo.com:8081 state SYN_SENT
(204.13.250.51:80) 3.64-62-243.reverse.mccolo.com:80 state SYN_SENT

When I noticed something was connecting to the net all the time, I opened the Sygate log and found these entries:
copperbase.info (62.62.243.3 )
copperbase.info (63.62.243.3 )
copperbase.info (64.62.243.3 )
checkip.dyndns.org (204.13.249.51)

The ones below had been using avast, which I've disabled now:

gmail-smtp-in.i.google.com (66.249.93.114)
a.mx.mail.yahoo.com (209.191.118.103)
mxs.mail.ru (194.67.23.20 )
gsmtp183.google.com (64.233.183.27)
d.mx.mail.yahoo.com (216.39.53.2)

I think this is when avast got hijacked, using Windows Event Viewer:

04/14/2007 16:13:26 Allowed 3 Outgoing TCP alt2.gmail-smtp-in.l.google.com [72.14.205.27] 00-0D-88-61-FD-19 25 192.168.0.2 B2-E6-AF-F7-8B-2A 1037 C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe Sean HOMEBASE Normal 1 04/14/2007 16:12:21 04/14/2007 16:12:21 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

REQUEST_METHOD = GET
REMOTE_HOST =
REMOTE_ADDR = 81.86.171.72
HTTP_REFERER= http://www.google.co.uk/search?hl=en&q=ip+checker&meta=
HTTP_USER_AGENT= Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

I’ve tried all the spyware scanners and online ones

Here's my latest HijackThis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 15:38:06, on 18/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyster 1.0.19\Spyster.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HiJackThis_v2.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download All Files by HiDownload - C:\Program Files\HiDownload\HDGetAll.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: UKPoker - {40B2063F-DB01-4962-BE63-59435C01283C} - C:\PROGRA~1\UKPoker\client.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Program Files\HiDownload\hidownload.exe
O15 - Trusted Zone: www.bleepingcomputer.com
O15 - Trusted Zone: http://www.bleepingcomputer.com
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/activex/TmHcmsX.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.co.uk/scan_uk/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe


End of file - 5351 bytes

StartupList report, 18/04/2007, 15:39:26
StartupList version: 1.52.2
Started from : C:\hijackthis\HiJackThis_v2.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)

  • Using default options
    ==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyster 1.0.19\Spyster.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HiJackThis_v2.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe


Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,


Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

DU Meter = C:\Program Files\DU Meter\DUMeter.exe
SmcService = C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
ASUS Probe = C:\Program Files\ASUS\Probe\AsusProb.exe
nwiz = nwiz.exe /install
NvMediaCenter = RunDLL32.exe NvMCTray.dll,NvTaskbarInit
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
Run StartupMonitor = StartupMonitor.exe


File association entry for .TXT:
HKEY_CLASSES_ROOT\Gammadyne DocPad\shell\open\command

(Default) = "C:\Program Files\DocPad\docpad.exe" "%1"


Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=INI section not found
SCRNSAVE.EXE=INI section not found
drivers=INI section not found

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=Registry value not found
drivers=Registry value not found

Policies Shell key:

HKCU..\Policies: Shell=Registry value not found
HKLM..\Policies: Shell=Registry value not found


Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
(no name) - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll - {B56A7D7D-6927-48C8-A975-17DF180C71AC}


Enumerating Task Scheduler jobs:

XoftSpy.job


Enumerating Download Program Files:

[SentinelVE3D Class]
InProcServer32 = C:\Program Files\Virtual Earth 3D\SentinelVirtualEarth3D.dll
CODEBASE = http://download.microsoft.com/download/0/f/b/0fb0fab9-7f09-4bb6-86d8-8e791ba99ac5/VirtualEarth3D.cab

[TmHcmsX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\TmHcmsX.ocx
CODEBASE = http://www.trendsecure.com/framework/control/activex/TmHcmsX.CAB

[BDSCANONLINE Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\oscan8.ocx
CODEBASE = http://www.bitdefender.co.uk/scan_uk/scan8/oscan8.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll


End of report, 5,084 bytes
Report generated in 0.047 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
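
The registry value Spybot flagged above is an entry in the Windows Firewall's per-application exception list: on XP SP2 each value under AuthorizedApplications\List is named after the program path and holds a string of the form path:scope:mode:name, so an enabled entry for C:\WINDOWS\explorer.exe means the shell has been exempted from the built-in firewall, and an entry that comes back after every reboot means something still running is re-creating it. As an added example (not code from this thread, nor from Spybot or Sygate), the Python script below parses a `reg export` dump of that key and flags enabled exceptions a defender would not expect; the dump, the 'known good' entry and the list of never-exempt binaries are constructed assumptions.

```python
"""Audit the XP SP2 Windows Firewall exception list from a ``reg export`` dump.

Added example; not code from the thread or from any tool it mentions.
Under ...\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
every value is named after a program path and holds a REG_SZ of the form
``path:scope:mode:display-name``.  An enabled entry for the shell is worth
flagging; one that reappears after each reboot points at a process that
re-creates it.
"""
import re

# Constructed sample of what ``reg export <key> list.reg`` produces
# (real exports are UTF-16 with CRLF; see load_reg_file).  Both control
# sets are included because the thread found the value under 001 and 002.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Windows Explorer"
"C:\\Program Files\\Sygate\\SPF\\smc.exe"="C:\\Program Files\\Sygate\\SPF\\smc.exe:*:Disabled:Sygate"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Windows Explorer"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Assumption: a defender's policy list of binaries that should never hold a
# firewall exception on a workstation (not something stated in the thread).
NEVER_EXEMPT = {'explorer.exe', 'svchost.exe', 'rundll32.exe', 'winlogon.exe', 'lsass.exe'}
# Assumption: entries expected on this box (sessmgr.exe is XP's Remote Assistance default).
KNOWN_GOOD = {'sessmgr.exe'}


def _unescape(s):
    # .reg files escape backslashes and double quotes with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def parse_authorized_apps(reg_text):
    """Return one dict per value found under any AuthorizedApplications\\List key."""
    entries, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or key is None or 'AuthorizedApplications\\List' not in key:
            continue
        path, data = _unescape(m.group(1)), _unescape(m.group(2))
        # data = "<path>:<scope>:<mode>:<name>"; strip the path first because it
        # carries a drive-letter colon of its own
        rest = data[len(path) + 1:] if data.lower().startswith(path.lower() + ':') else data
        scope, mode, name = (rest.split(':', 2) + ['', '', ''])[:3]
        entries.append({'key': key, 'path': path, 'scope': scope, 'mode': mode, 'name': name})
    return entries


def audit(entries):
    """Flag enabled exceptions that a defender would not expect to see."""
    findings = []
    for e in entries:
        if e['mode'].lower() != 'enabled':
            continue
        base = e['path'].rsplit('\\', 1)[-1].lower()
        if base in NEVER_EXEMPT:
            findings.append(dict(e, severity='high', reason='system/shell binary exempted from the firewall'))
        elif base not in KNOWN_GOOD:
            findings.append(dict(e, severity='review', reason='exception not in the expected list'))
    return findings


def load_reg_file(path):
    # regedit/reg.exe write UTF-16 LE with a BOM; the 'utf-16' codec consumes the BOM
    with open(path, encoding='utf-16') as fh:
        return fh.read()


if __name__ == '__main__':
    for f in audit(parse_authorized_apps(SAMPLE_REG)):
        control_set = f['key'].split('\\')[2]
        print(f"[{f['severity']}] {control_set}: {f['path']} ({f['mode']}, scope {f['scope']}) - {f['reason']}")
```

On a real machine, export the key with `reg export` for each ControlSet and pass the file through `load_reg_file`; the audit reports the explorer.exe entry under both control sets, and the Disabled Sygate entry is ignored because it grants nothing.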

I see a couple minor issues with download managers that you may or may not want to keep, and an old version of Java, but your unexplained internet connections may be coming from KService.exe. This is an application that installs with Sky Broadband Service that allows you to download movies to your computer.

The problem is KService also acts as a P2P server, uploading the content you downloaded to other users who request it (saving Sky from supporting all that bandwidth, of course). Here’s a quote from their Terms and Conditions

http://www.skymovies.com/skybybroadband/termsandconditions#Terms

7. Uploading Content

If you download and save content to your computer system (a “File”), during the license period for the relevant File, we may upload parcels of content from the File from your computer system for the purpose of transferring Files to other users of the Service.

Apparently they don’t mention this when you install the service, and removing Sky does not automatically remove KService.

The privacy section is also dicey

8. Computer ID

During the installation process for the Sky by broadband Application, we will detect and store the machine name, KontikiNodeId, CPU, PC bios, videocard, network card and IDE Controller information specific to your computer system, for the purposes of identifying your computer system and your eligibility to access and use the Service each time you log-in to the Service. If three or more of these features of your computer system change at any time, you will no longer be able to access the Service via that computer system and you will have to contact the Sky by broadband call centre on +44 (0)870 6094508.

Since it installs as a service you could try setting it to manual or disabled to see if your unexplained connections end. If you decide to uninstall it there are directions here

http://www.skymovies.com/skybybroadband/articles/article04

Hi mauserme, thank you for helping.

I had disabled Channel 4's On Demand

KService.exe and khost.exe

Since your post I've uninstalled Channel 4 On Demand and run KClean to get rid of all traces of Kontiki

from my computer to see if that was the problem, and it wasn't.

Something has hijacked WINDOWS EXPLORER, which is trying to connect to these IPs:

( 63.170.10.51:80 ) checkip.dyndns.org state SYN_SENT
(204.13.250.51:80) checkip.dyndns.org state SYN_SENT
(204.13.249.51:80) checkip.dyndns.org state SYN_SENT
(64.62.243.3:8081) 3.64-62-243.reverse.mccolo.com:8081 state SYN_SENT
(204.13.250.51:80) 3.64-62-243.reverse.mccolo.com:80 state SYN_SENT

Also hijacked AVAST, which I've had to stop or AVAST tries to send to these:

gmail-smtp-in.i.google.com (66.249.93.114)
a.mx.mail.yahoo.com (209.191.118.103)
mxs.mail.ru (194.67.23.20 )
gsmtp183.google.com (64.233.183.27)
d.mx.mail.yahoo.com (216.39.53.2)

AVAST has never tried to send to these before???

I've done online scans, nothing.

I've used all spyware scanners in safe mode:

Boot scan with AVAST
Lavasoft Ad-Aware SE Personal
SUPERAntiSpyware
AVG Anti-Spyware 7.5
CWShredder
CCleaner
Spybot - Search & Destroy
AVG Anti-Rootkit
HijackThis

Latest HijackThis:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 21:36:24, on 18/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HiJackThis_v2.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download All Files by HiDownload - C:\Program Files\HiDownload\HDGetAll.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: UKPoker - {40B2063F-DB01-4962-BE63-59435C01283C} - C:\PROGRA~1\UKPoker\client.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Program Files\HiDownload\hidownload.exe
O15 - Trusted Zone: img.bleepingcomputer.com
O15 - Trusted Zone: www.bleepingcomputer.com
O15 - Trusted Zone: http://www.bleepingcomputer.com
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/activex/TmHcmsX.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.co.uk/scan_uk/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe


End of file - 5271 bytes

Also it's strange that you said I got an old version of Java

when I downloaded and installed the latest version on 13 April 2007?

from the Sun Java site: java 6u1-windows-i586-p.exe

Sorry - its OK. I read the 6 as a 5. It’s been a long day.

I'll be away from a computer for several hours but will try to take a closer look later this evening.

In the meantime, would you install AVG AntiRootKit and see if that turns up anything?

http://free.grisoft.com/doc/5390

EDIT: Also have Virus Total scan C:\WINDOWS\explorer.exe and post the log

http://www.virustotal.com/en/indexf.html

And I'm trying to make sense of some of those IPs. Your IP is dynamic, right? Not static?

Do you see a lot of activity - like emails being sent, possibly?

Also hijacked AVAST, which I've had to stop or AVAST tries to send to these

gmail-smtp-in.i.google.com (66.249.93.114)
a.mx.mail.yahoo.com (209.191.118.103)
mxs.mail.ru (194.67.23.20 )
gsmtp183.google.com (64.233.183.27)
d.mx.mail.yahoo.com (216.39.53.2)

AVAST has never tried to send to these before

Avast has no capacity to send emails; what you may be seeing is avast's email scanner scanning outgoing email, because it intercepts email, scans it and passes it on.

One of the problems with Sygate is that it is unable to tell the difference between a localhost proxy ('ashMaiSv.exe') and the application that is using the proxy. This is a known issue with Sygate (localhost loopback), and if you allow the proxy, any traffic that uses it will also be allowed through.

So effectively Sygate isn't protecting against outbound connections by applications that use the localhost proxies used by avast. I would seriously consider another firewall, since Sygate is no longer being developed since the buyout.
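
The gap described above is the same one a defender hits with any local mail or web proxy: the firewall log names ashMaiSv.exe, not the process that handed it the mail. On XP the originator can still be recovered from `netstat -ano`, which prints the owning PID on every socket, plus `tasklist` to map PIDs to image names: the hidden client shows up as a connection to 127.0.0.1:<proxy port> owned by a PID other than the proxy's. The Python script below does that correlation; it is an added example, not code from this thread or from avast or Sygate, and the proxy port (12025), the PIDs and the image names in its sample output are assumptions made up for the sample.

```python
"""Find the process behind a localhost proxy from ``netstat -ano`` output.

Added example; not code from the thread, avast or Sygate.  A firewall that
only sees the proxy (ashMaiSv.exe) opening port 25 cannot say who fed it
the mail, but netstat shows the loopback pair: the client's socket to
127.0.0.1:<proxy port> carries the client's PID.
"""

# Constructed sample of ``netstat -ano`` on XP (the PIDs, the 12025 proxy
# port and the image names are assumptions made up for this example).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1004
  TCP    127.0.0.1:12025        0.0.0.0:0              LISTENING       1788
  TCP    127.0.0.1:1036         127.0.0.1:12025        ESTABLISHED     2212
  TCP    127.0.0.1:12025        127.0.0.1:1036         ESTABLISHED     1788
  TCP    192.168.0.2:1037       72.14.205.27:25        SYN_SENT        1788
  TCP    192.168.0.2:1040       204.13.250.51:80       SYN_SENT        2212
  UDP    0.0.0.0:445            *:*                                    4
"""
# Constructed ``tasklist`` PID-to-image mapping for the same sample.
SAMPLE_TASKLIST = {4: 'System', 1004: 'svchost.exe', 1788: 'ashMaiSv.exe', 2212: 'explorer.exe'}

LOCAL_ANY = {'0.0.0.0', '127.0.0.1'}


def parse_netstat(text):
    """Parse the TCP rows of ``netstat -ano``; UDP rows have no state column and are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != 'TCP':
            continue
        lip, lport = parts[1].rsplit(':', 1)
        fip, fport = parts[2].rsplit(':', 1)
        conns.append({'lip': lip, 'lport': int(lport), 'fip': fip, 'fport': int(fport),
                      'state': parts[3], 'pid': int(parts[4])})
    return conns


def attribute_proxy_clients(netstat_text, pid_to_image):
    """Map each client of a loopback listener to the proxy and to the proxy's outside peers."""
    conns = parse_netstat(netstat_text)
    listeners = {c['lport']: c['pid'] for c in conns
                 if c['state'] == 'LISTENING' and c['lip'] in LOCAL_ANY}
    records = {}
    for c in conns:
        if c['fip'] != '127.0.0.1' or c['fport'] not in listeners:
            continue
        proxy_pid = listeners[c['fport']]
        if c['pid'] == proxy_pid:
            continue  # the proxy's own half of the loopback pair
        rec = records.setdefault((c['pid'], proxy_pid), {
            'client_pid': c['pid'], 'client_image': pid_to_image.get(c['pid'], '?'),
            'proxy_pid': proxy_pid, 'proxy_image': pid_to_image.get(proxy_pid, '?'),
            'proxy_port': c['fport'], 'proxy_remote': []})
        # where the proxy is talking on the outside, i.e. where the mail actually went
        rec['proxy_remote'] = sorted({f"{p['fip']}:{p['fport']}" for p in conns
                                      if p['pid'] == proxy_pid and p['state'] != 'LISTENING'
                                      and p['fip'] not in LOCAL_ANY})
    return list(records.values())


def direct_remote_connections(netstat_text, pid_to_image):
    """Non-loopback connections grouped by image, for processes that do not go through a proxy."""
    out = {}
    for c in parse_netstat(netstat_text):
        if c['state'] == 'LISTENING' or c['fip'] in LOCAL_ANY:
            continue
        out.setdefault(pid_to_image.get(c['pid'], '?'), []).append(f"{c['fip']}:{c['fport']} {c['state']}")
    return out


if __name__ == '__main__':
    for r in attribute_proxy_clients(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(f"{r['client_image']} (pid {r['client_pid']}) -> {r['proxy_image']} "
              f"on 127.0.0.1:{r['proxy_port']} -> {r['proxy_remote']}")
    for image, peers in direct_remote_connections(SAMPLE_NETSTAT, SAMPLE_TASKLIST).items():
        print(f"{image}: {peers}")
```

Run the real thing by saving `netstat -ano` and `tasklist` output while the SYN_SENT entries are visible and feeding them to the two functions; the loopback correlation is what the per-application firewall rule cannot give you.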

I assume you’re saying ashMaiSv.exe has probably not been infected and I think you’re right. But the next logical question is why ashMaiSV.exe enters into this if UK_Sean was not sending email?

And then there’s these

( 63.170.10.51:80 ) checkip.dyndns.org state SYN_SENT
(204.13.250.51:80) checkip.dyndns.org state SYN_SENT
(204.13.249.51:80) checkip.dyndns.org state SYN_SENT
(64.62.243.3:8081) 3.64-62-243.reverse.mccolo.com:8081 state SYN_SENT
(204.13.250.51:80) 3.64-62-243.reverse.mccolo.com:80 state SYN_SENT

These sites seem dedicated to checking one’s own IP address which I originally thought was part of the way Kontiki functions if the user has a dynamic address. But Kontiki has been removed yet these continue.

@UK_Sean - Do you ever see that SYN/ACK is received or ACK sent? Or is it always only SYN sent?

Are you able to confirm that you were not sending email when you saw the ashMaiSV.exe connection? Do you use web based or client based email?

I am anxious to see the Virus Total results for C:\WINDOWS\explorer.exe

Hi guys

I’ve not sent or received any mail since the infection.

That's why I knew something was wrong when avast was sending to those IPs,
because I'd never seen it do it before.

Also Windows Explorer trying to access the net to the other sites.

STATUS: FINISHED
Complete scanning result of "explorer.exe", received in VirusTotal at 04.19.2007, 11:54:09 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.4.19.1 04.19.2007 no virus found
AntiVir 7.3.1.53 04.19.2007 no virus found
Authentium 4.93.8 04.18.2007 no virus found
Avast 4.7.981.0 04.19.2007 no virus found
AVG 7.5.0.447 04.18.2007 no virus found
BitDefender 7.2 04.19.2007 no virus found
CAT-QuickHeal 9.00 04.18.2007 no virus found
ClamAV devel-20070416 04.19.2007 no virus found
DrWeb 4.33 04.19.2007 no virus found
eSafe 7.0.15.0 04.18.2007 no virus found
eTrust-Vet 30.7.3579 04.19.2007 no virus found
Ewido 4.0 04.19.2007 no virus found
FileAdvisor 1 04.19.2007 No threat detected
Fortinet 2.85.0.0 04.19.2007 no virus found
F-Prot 4.3.2.48 04.18.2007 no virus found
F-Secure 6.70.13030.0 04.19.2007 no virus found
Ikarus T3.1.1.5 04.19.2007 no virus found
Kaspersky 4.0.2.24 04.19.2007 no virus found
McAfee 5012 04.18.2007 no virus found
Microsoft 1.2405 04.19.2007 no virus found
NOD32v2 2203 04.19.2007 no virus found
Norman 5.80.02 04.19.2007 no virus found
Panda 9.0.0.4 04.19.2007 no virus found
Prevx1 V2 04.19.2007 no virus found
Sophos 4.16.0 04.17.2007 no virus found
Sunbelt 2.2.907.0 04.07.2007 no virus found
Symantec 10 04.19.2007 no virus found
TheHacker 6.1.6.088 04.09.2007 no virus found
VBA32 3.11.3 04.18.2007 no virus found
VirusBuster 4.3.7:9 04.18.2007 no virus found
Webwasher-Gateway 6.0.1 04.19.2007 no virus found

Aditional Information
File size: 1032192 bytes
MD5: a0732187050030ae399b241436565e64
SHA1: 69f33740413da112630be73ebb805a23b69f2f7f
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=a0732187050030ae399b241436565e64

Is there a way to send you some pictures to show you it's Windows Explorer trying to access the web?

Using spyster, Process Explorer, and Active Ports monitor

Not exactly the results I’d hoped for.

FastStone Capture is a good screen capture program. Use the Additional Options … link when you post in order to attach the image.

http://www.faststone.org/download.htm

Also hijacked AVAST, which I've had to stop or AVAST tries to send to these

gmail-smtp-in.i.google.com (66.249.93.114)
a.mx.mail.yahoo.com (209.191.118.103)
mxs.mail.ru (194.67.23.20 )
gsmtp183.google.com (64.233.183.27)
d.mx.mail.yahoo.com (216.39.53.2)


Have you disabled all providers or just the Internet Mail provider? You need to keep the Standard Shield active at the very least.

If you've already disabled the Internet Mail provider (if you haven't, briefly do so), see if a different process is identified as sending email. Then turn it back on and set the heuristics to High.

I would also like you to run Deckard’s System Scanner. This will duplicate some of the information you already posted using a different version of HijackThis. It will also give us some information on file creation dates that might be useful.

1. Download Deckard's System Scanner (DSS) to your Desktop.
2. Close all applications and windows.
3. Double-click on DSS.exe to run it, and follow the prompts.
4. The scan may take a minute. When the scan is complete, a text file will open - Main.txt

Extra Note: When running DSS, some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your antivirus flags DSS as suspicious. Please allow Deckard's System Scanner to run and don't let your antivirus delete it. (In this case, it may be better to temporarily disable your antivirus.)

Post the main.txt from the C:\Deckard\System Scanner folder into your next reply.

Did you install Remote Packet Capture Protocol v.0?

Have you had a chance to run AVG AntiRootKit?

Even if you aren't sending or receiving email, if something else on your system is using the email port 25 then avast will scan it. So there may be a possibility something else is using the email ports. But it could be process injection, see below.

The explorer.exe file may be fine; if there is some process injection then the version in memory would be the infected version. Many of the latest firewalls detect and block (if you don't authorise it) process injection.

Hopefully the DSS will sniff out the underlying application.

Sygate clearly isn’t containing this so it does make sense to try another firewall.

I’m partial to Comodo, but do you have any other recommendations?

Hi again, here's some more info.

I've blocked Windows Explorer in Sygate, but when I ran Spybot I saw this registry value.

Microsoft.WindowsSecurityCenter.FirewallBypass: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\explorer.exe

Microsoft.WindowsSecurityCenter.FirewallBypass: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\explorer.exe

I deleted the two above with regedit, but when the computer restarts or reboots the first one comes back.
I delete it every time I start the computer.

So I'm not sure if Sygate is blocking these two below?

04/19/2007 12:45:59 Blocked 3 Outgoing TCP copperbase.info [64.62.243.3] 00-0D-88-61-FD-19 8081 192.168.0.2 B2-E6-AF-F7-8B-2A 2378 C:\WINDOWS\explorer.exe Sean HOMEBASE Normal 13 04/19/2007 12:43:38 04/19/2007 12:45:58 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\explorer.exe

04/19/2007 12:45:59 Blocked 3 Outgoing TCP checkip.dyndns.org [204.13.250.51] 00-0D-88-61-FD-19 80 192.168.0.2 B2-E6-AF-F7-8B-2A 2376 C:\WINDOWS\explorer.exe Sean HOMEBASE Normal 18 04/19/2007 12:42:28 04/19/2007 12:45:57 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\explorer.exe

Here's one of Sygate's entries for one of the mail ones:

04/14/2007 16:13:26 Allowed 3 Outgoing TCP alt2.gmail-smtp-in.l.google.com [72.14.205.27] 00-0D-88-61-FD-19 25 192.168.0.2 B2-E6-AF-F7-8B-2A 1037 C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe Sean HOMEBASE Normal 1 04/14/2007 16:12:21 04/14/2007 16:12:21 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

REQUEST_METHOD = GET
REMOTE_HOST =
REMOTE_ADDR = 81.86.171.72
HTTP_REFERER= http://www.google.co.uk/search?hl=en&q=ip+checker&meta=
HTTP_USER_AGENT= Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
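
The two Sygate entries above answer the question in the log itself: the third field is the action, and both explorer.exe lines read Blocked, while the ashMaiSv.exe line reads Allowed. As an added example, not code from this thread or from Sygate, the Python script below parses that log format (the field order was worked out from the three lines posted in this thread, which it uses as its sample) and triages the outbound events: a shell binary such as explorer.exe opening outbound TCP, and SMTP from anything other than a known mail proxy, get flagged, and a per-application summary shows how many attempts reached which endpoints and whether any rule let them through. The list of binaries that are not expected to talk to the network is an assumption.

```python
"""Parse Sygate Personal Firewall traffic-log lines and triage the outbound ones.

Added example; not code from the thread or from Sygate.  The field order in
SYGATE_RE was inferred from the three log lines posted in this thread, which
SAMPLE_LOG repeats verbatim.
"""
import re
from collections import defaultdict

SYGATE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<action>Allowed|Blocked) (?P<severity>\d+) '
    r'(?P<direction>Incoming|Outgoing) (?P<proto>\S+) (?P<remote_host>\S+) '
    r'\[(?P<remote_ip>[\d.]+)\] (?P<remote_mac>\S+) (?P<remote_port>\d+) '
    r'(?P<local_ip>[\d.]+) (?P<local_mac>\S+) (?P<local_port>\d+) '
    r'(?P<app>.+?) (?P<user>\S+) (?P<domain>\S+) (?P<location>\S+) '
    r'(?P<count>\d+) (?P<begin>\S+ \S+) (?P<end>\S+ \S+) (?P<rule>.+)$')

# The three Sygate log lines posted in the thread.
SAMPLE_LOG = r"""
04/19/2007 12:45:59 Blocked 3 Outgoing TCP copperbase.info [64.62.243.3] 00-0D-88-61-FD-19 8081 192.168.0.2 B2-E6-AF-F7-8B-2A 2378 C:\WINDOWS\explorer.exe Sean HOMEBASE Normal 13 04/19/2007 12:43:38 04/19/2007 12:45:58 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\explorer.exe
04/19/2007 12:45:59 Blocked 3 Outgoing TCP checkip.dyndns.org [204.13.250.51] 00-0D-88-61-FD-19 80 192.168.0.2 B2-E6-AF-F7-8B-2A 2376 C:\WINDOWS\explorer.exe Sean HOMEBASE Normal 18 04/19/2007 12:42:28 04/19/2007 12:45:57 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\WINDOWS\explorer.exe
04/14/2007 16:13:26 Allowed 3 Outgoing TCP alt2.gmail-smtp-in.l.google.com [72.14.205.27] 00-0D-88-61-FD-19 25 192.168.0.2 B2-E6-AF-F7-8B-2A 1037 C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe Sean HOMEBASE Normal 1 04/14/2007 16:12:21 04/14/2007 16:12:21 GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
"""

# Assumptions for triage: system binaries with no reason to open outbound TCP
# on a workstation, and the local mail proxy named in the thread.
NO_NETWORK_EXPECTED = {'explorer.exe', 'winlogon.exe', 'lsass.exe', 'spoolsv.exe'}
MAIL_PROXIES = {'ashmaisv.exe'}


def parse_sygate_log(text):
    """Return one dict per log line that matches the Sygate traffic-log layout."""
    events = []
    for line in text.splitlines():
        m = SYGATE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        for k in ('severity', 'remote_port', 'local_port', 'count'):
            ev[k] = int(ev[k])
        ev['app_base'] = ev['app'].rsplit('\\', 1)[-1].lower()
        events.append(ev)
    return events


def triage(events):
    """Flag outbound events a defender would want to look at, with the reason."""
    findings = []
    for ev in events:
        if ev['direction'] != 'Outgoing':
            continue
        reasons = []
        if ev['app_base'] in NO_NETWORK_EXPECTED:
            reasons.append('shell/system binary opening outbound connections')
        if ev['remote_port'] == 25:
            reasons.append('SMTP via local mail proxy; real sender is hidden behind it'
                           if ev['app_base'] in MAIL_PROXIES else
                           'SMTP from a process that is not a known mail client or proxy')
        if reasons:
            findings.append({'ts': ev['ts'], 'action': ev['action'], 'app_base': ev['app_base'],
                             'remote': f"{ev['remote_host']} [{ev['remote_ip']}]:{ev['remote_port']}",
                             'count': ev['count'], 'reasons': reasons})
    return findings


def per_app_summary(events):
    """Which applications reached which endpoints, and whether any rule let them through."""
    summary = defaultdict(lambda: {'endpoints': set(), 'allowed': 0, 'blocked': 0, 'attempts': 0})
    for ev in events:
        s = summary[ev['app_base']]
        s['endpoints'].add(f"{ev['remote_ip']}:{ev['remote_port']}")
        s['attempts'] += ev['count']  # Sygate collapses repeats into one line with a count
        s['allowed' if ev['action'] == 'Allowed' else 'blocked'] += 1
    return dict(summary)


if __name__ == '__main__':
    evs = parse_sygate_log(SAMPLE_LOG)
    for f in triage(evs):
        print(f"{f['ts']} {f['action']:7} {f['app_base']} -> {f['remote']} x{f['count']}: {'; '.join(f['reasons'])}")
    for app, s in per_app_summary(evs).items():
        print(f"{app}: {s['attempts']} attempts to {sorted(s['endpoints'])}, "
              f"{s['blocked']} blocked / {s['allowed']} allowed entries")
```

Point the parser at an exported Sygate traffic log to get the same triage over a whole day; an Allowed entry for a system binary is the one to react to first, because a Blocked entry that keeps recurring is the firewall doing its job while the infection remains to be found.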

Please post the DSS and AVG AntiRootKit logs.

Any luck identifying the process with the Internet Mail provider off?

I have been using Outpost Pro for some years now with no major issues, and it is very good on the anti-leak and component control. But it can be a bit overwhelming when first installed. Comodo (I've never used it) has good responses in the forums on whether it can handle process injection, and the price can't be beaten: free, gratis, nada, zilch ;D

Hi,
had a problem with the pics, had to compress them.

Did you install Remote Packet Capture Protocol v.0? Yes, but I can't remember why; going to uninstall it.

Have you had a chance to run AVG AntiRootKit? Yes, and I did the in-depth scan and it didn't find anything.

Here's the log you asked for.

It won’t let me post all at once

Deckard’s System Scanner v20070411.38
Run by Sean on 2007-04-19 at 14:16:43
Computer is in Normal Mode.

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable…success.

-- Last 1 Restore Point(s) --
1: 2007-04-19 13:16:49 UTC - RP1 - System Checkpoint

Backed up registry hives.

Performed disk cleanup.

-- HijackThis (run as Sean.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 14:17:34, on 19/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\locator.exe
C:\Documents and Settings\Sean\Desktop\dss.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\HIJACK~1\Sean.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download All Files by HiDownload - C:\Program Files\HiDownload\HDGetAll.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: UKPoker - {40B2063F-DB01-4962-BE63-59435C01283C} - C:\PROGRA~1\UKPoker\client.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Program Files\HiDownload\hidownload.exe
O15 - Trusted Zone: img.bleepingcomputer.com
O15 - Trusted Zone: www.bleepingcomputer.com
O15 - Trusted Zone: http://www.bleepingcomputer.com
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/activex/TmHcmsX.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.co.uk/scan_uk/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

-- HijackThis Fixed Entries (C:\HIJACK~1\backups) -----------------------------

backup-20070412-234153-117 O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
backup-20070412-234153-142 O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
backup-20070412-234153-211 O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
backup-20070412-234153-875 O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
backup-20070412-234153-879 O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
backup-20070413-000143-106 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
backup-20070413-000143-160 O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
backup-20070413-000143-169 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
backup-20070413-000143-257 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
backup-20070413-000143-326 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
backup-20070413-000143-501 O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
backup-20070413-000143-606 O8 - Extra context menu item: Download by HiDownload - C:\Program Files\HiDownload\HDGet.htm
backup-20070413-000143-783 O8 - Extra context menu item: Download by GAS - C:\PROGRA~1\GETASF~1\ie_MenuExt.htm
backup-20070413-000143-828 O16 - DPF: Yahoo! Chess - http://download2.games.yahoo.com/games/clients/y/ct5_x.cab
backup-20070413-000143-926 O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
backup-20070413-032532-314 O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
backup-20070413-032532-524 O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
backup-20070413-032532-535 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
backup-20070413-032532-709 O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
backup-20070413-032532-856 O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL (file missing)
backup-20070413-103537-183 O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
backup-20070413-103537-256 O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
backup-20070413-103537-431 O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
backup-20070413-103537-653 O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
backup-20070413-153913-438 O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
backup-20070418-114259-775 O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

-- File Associations -----------------------------------------------------------

.js - JSFile - shell\open\command - "C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe" "%1"
.txt - Gammadyne DocPad - shell\open\command - "C:\Program Files\DocPad\docpad.exe" "%1"

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Si3112r (Silicon Image SiI 3112 SATARaid Controller) - c:\windows\system32\drivers\si3112r.sys
R0 Teefer (Teefer for NT) - c:\windows\system32\drivers\teefer.sys
R1 ikhfile (File Security Kernel Anti-Spyware Driver) - c:\windows\system32\drivers\ikhfile.sys
R1 ikhlayer (Kernel Anti-Spyware Driver) - c:\windows\system32\drivers\ikhlayer.sys
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys
R1 wpsdrvnt - c:\windows\system32\drivers\wpsdrvnt.sys
R2 aslm75 - c:\windows\system32\drivers\aslm75.sys
R2 irda (IrDA Protocol) - c:\windows\system32\drivers\irda.sys
R2 SocketLock (Raw Socket Lock Driver) - c:\windows\system32\socketlock.sys
R2 tmcomm - c:\windows\system32\drivers\tmcomm.sys
R2 wg3n (SyGate for NT, wg3n) - c:\windows\system32\drivers\wg3n.sys
R3 BridgeMP (MAC Bridge Miniport) - c:\windows\system32\drivers\bridge.sys
R3 HCF_MSFT - c:\windows\system32\drivers\hcf_msft.sys
R3 PhilCam8116 (Logitech QuickCam Pro 3000(PID_08B0)) - c:\windows\system32\drivers\camdrl21.sys
R3 Rasirda (WAN Miniport (IrDA)) - c:\windows\system32\drivers\rasirda.sys
R3 ROOTMODEM (Microsoft Legacy Modem Driver) - c:\windows\system32\drivers\rootmdm.sys
R3 SaiMini - c:\windows\system32\drivers\saimini.sys
R3 SaiNtBus - c:\windows\system32\drivers\saintbus.sys

S3 alcan5wn (Alcatel SpeedTouch USB ADSL PPP Networking Driver (NDISWAN)) - c:\windows\system32\drivers\alcan5wn.sys
S3 alcaudsl (Alcatel Speed Touch ADSL Modem ATM Transport) - c:\windows\system32\drivers\alcaudsl.sys
S3 AvFlt (Antivirus Filter Driver) - c:\windows\system32\drivers\av5flt.sys (file missing)
S3 Bridge (MAC Bridge) - c:\windows\system32\drivers\bridge.sys
S3 EagleNT - c:\windows\system32\drivers\eaglent.sys (file missing)
S3 ES-620 (Edisonsoft ES-620 USB Infrared Adapter) - c:\windows\system32\drivers\es-620.sys
S3 hidgame (Microsoft Hid to Joystick Port Enabler) - c:\windows\system32\drivers\hidgame.sys
S3 nm (Network Monitor Driver) - c:\windows\system32\drivers\nmnt.sys
S3 NPF (NetGroup Packet Filter Driver) - c:\windows\system32\drivers\npf.sys
S3 SaiNtHid - c:\windows\system32\drivers\sainthid.sys
S3 SaiNtSub - c:\windows\system32\drivers\saintsub.sys
S3 SASENUM - c:\program files\superantispyware\sasenum.sys

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Irmon (Infrared Monitor) - c:\windows\system32\svchost.exe -k netsvcs

S3 EPSONStatusAgent2 (EPSON Printer Status Agent2) - c:\program files\common files\epson\ebapi\sagent2.exe
S3 RichVideo (Cyberlink RichVideo Service(CRVS)) - "c:\program files\cyberlink\shared files\richvideo.exe"
S3 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - "c:\program files\winpcap\rpcapd.exe" -d -f "c:\program files\winpcap\rpcapd.ini"

-- Scheduled Tasks -------------------------------------------------------------

2006-02-22 15:20:26 298 --a------ C:\WINDOWS\Tasks\XoftSpy.job

-- Files created between 2007-03-19 and 2007-04-19 -----------------------------

2007-04-18 02:28:57 0 d-------- C:\SafeXP
2007-04-16 11:30:15 76560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-04-15 12:22:56 0 d-------- C:\A Startup Monitor and Startup Control Panel<ASTART~1>
2007-04-15 12:13:17 49664 --a------ C:\WINDOWS\unvise32.exe
2007-04-15 12:13:12 0 d-------- C:\Program Files\Active Ports<ACTIVE~1>
2007-04-15 12:11:43 0 d-------- C:\Active Ports monitor<ACTIVE~1>
2007-04-14 17:12:50 0 d-------- C:\WINDOWS\BDOSCAN8
2007-04-14 14:24:44 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com<SUPERA~1.COM>
2007-04-14 14:24:37 0 d-------- C:\Program Files\SUPERAntiSpyware<SUPERA~1>
2007-04-14 14:24:37 0 d-------- C:\Documents and Settings\Sean\Application Data\SUPERAntiSpyware.com<SUPERA~1.COM>
2007-04-13 22:26:53 43176 --ah----- C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-13 22:26:53 23352 --ah----- C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-13 22:26:52 31560 --ah----- C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-13 22:26:51 94424 --ah----- C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-13 22:26:51 85952 --ah----- C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-13 22:26:46 90112 --ah----- C:\WINDOWS\system32\AVASTSS.scr
2007-04-13 22:26:46 689280 --ah----- C:\WINDOWS\system32\aswBoot.exe
2007-04-13 22:26:43 0 d-------- C:\Program Files\Alwil Software<ALWILS~1>
2007-04-13 13:13:58 3968 --ah----- C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-13 11:21:12 0 d-------- C:\Documents and Settings\Sean\.housecall6.6<HOUSEC~1.6>
2007-04-13 11:19:42 0 d-------- C:\WINDOWS\Sun
2007-04-13 11:18:35 0 d-------- C:\Program Files\Java
2007-04-13 11:18:33 0 d-------- C:\Program Files\Common Files\Java
2007-04-13 11:17:07 0 d-------- C:\Documents and Settings\Sean\Application Data\Sun
2007-04-12 10:58:07 13631488 --a------ C:\Documents and Settings\Sean\ntuser.dat
2007-04-10 21:40:32 0 d-------- C:\Program Files\Lavasoft
2007-04-10 21:10:12 0 d-------- C:\Program Files\CCleaner
2007-04-08 21:12:34 0 d-------- C:\Program Files\Security Task Manager<SECURI~1>
2007-04-08 20:58:10 0 d-------- C:\Process Explorer<PROCES~1>
2007-04-08 20:07:40 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan<SECTAS~1>
2007-04-08 15:32:15 0 d-------- C:\Documents and Settings\All Users\Application Data\Kontiki
2007-04-04 15:51:31 0 d-------- C:\Program Files\Virtual Earth 3D<VIRTUA~1>
2007-03-27 16:37:25 0 d-------- C:\Documents and Settings\Sean\Application Data\vlc
2007-03-27 16:17:48 17556 -----n--- C:\initemp.dat
2007-03-27 16:14:31 0 d-------- C:\Program Files\TVUPlayer<TVUPLA~1>
2007-03-27 16:12:39 0 d-------- C:\WINDOWS\uninstall<UNINST~1>
2007-03-19 20:35:53 0 d-------- C:\Program Files\EA SPORTS<EASPOR~1>
2007-03-19 17:53:09 0 d-------- C:\Program Files\SCi

-- Find3M Report ---------------------------------------------------------------

2007-04-19 00:20:12 0 d--s---- C:\Documents and Settings\Sean\Application Data\Microsoft<MICROS~1>
2007-04-18 02:54:42 0 d-------- C:\Program Files\DocPad
2007-04-15 17:19:06 0 d-------- C:\Documents and Settings\Sean\Application Data\uTorrent
2007-04-14 18:32:43 249856 -----n--- C:\WINDOWS\Setup1.exe
2007-04-14 18:32:42 73216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-04-14 17:56:44 0 d-------- C:\Program Files\The All-Seeing Eye<THEALL~1>
2007-04-14 14:24:20 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>
2007-04-13 20:45:44 0 d-------- C:\Documents and Settings\Sean\Application Data\MailWasherPro<MAILWA~1>
2007-04-13 19:34:23 0 d-------- C:\Program Files\WinAce
2007-04-13 19:24:07 0 d-------- C:\Program Files\QuickSFV
2007-04-13 19:12:55 0 d-------- C:\Program Files\Common Files\Webroot Shared<WEBROO~1>
2007-04-12 21:59:23 0 d-------- C:\Program Files\XoftSpy
2007-04-11 23:22:24 0 d-------- C:\Program Files\HiDownload<HIDOWN~1>
2007-04-10 21:40:47 0 d-------- C:\Documents and Settings\Sean\Application Data\Lavasoft
2007-04-08 23:33:05 0 d-------- C:\Program Files\Quake III Arena<QUAKEI~1>
2007-03-27 17:29:55 0 d-------- C:\Program Files\Blaze Media Pro<BLAZEM~1>
2007-03-27 16:08:14 0 d-------- C:\Documents and Settings\Sean\Application Data\{1B0CC100-80E7-4108-844F-6244F1FCFCC1}<{1B0CC~1>
2007-03-19 20:35:52 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-03-15 14:17:56 0 d-------- C:\Documents and Settings\Sean\Application Data\Skype
2007-03-10 16:16:06 43520 --ah----- C:\WINDOWS\system32\CmdLineExt03.dll<CMDLIN~2.DLL>
2007-03-08 15:09:54 98304 --ah----- C:\WINDOWS\system32\CmdLineExt.dll<CMDLIN~1.DLL>
2007-02-27 22:13:06 0 d-------- C:\Documents and Settings\Sean\Application Data\Sean UK<SEANUK~1>
2007-02-27 22:08:53 0 d-------- C:\Program Files\UKPoker
2007-02-22 15:43:47 0 d-------- C:\Documents and Settings\Sean\Application Data\5exy 8east<5EXY8E~1>
2007-02-02 17:55:42 331 --ah----- C:\WINDOWS\system32\zgrvbnzmrv_navps.dat<ZGRVBN~2.DAT>
2007-02-02 17:55:31 4528 --ah----- C:\WINDOWS\system32\zgrvbnzmrv.dat<ZGRVBN~1.DAT>
2007-02-02 17:47:05 264754 --ah----- C:\WINDOWS\system32\zgrvbnzmrv_nav.dat<ZGRVBN~3.DAT>
2007-01-19 13:53:04 51056 --ah----- C:\WINDOWS\system32\sirenacm.dll

-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"DU Meter"="C:\Program Files\DU Meter\DUMeter.exe"
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe -startgui"
"ASUS Probe"="C:\Program Files\ASUS\Probe\AsusProb.exe"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"NvCplDaemon"="RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup"
"Run StartupMonitor"="StartupMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk"
"backup"="C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\PROGRA~1\MICROS~2\Office10\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Sean^Start Menu^Programs^Startup^Adobe Gamma.lnk]
"path"="C:\Documents and Settings\Sean\Start Menu\Programs\Startup\Adobe Gamma.lnk"
"backup"="C:\WINDOWS\pss\Adobe Gamma.lnkStartup"
"location"="Startup"
"command"="C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE "
"item"="Adobe Gamma"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="KHost"
"hkey"="HKLM"
"command"=""C:\Program Files\Kontiki\KHost.exe" -all"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS Probe]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="AsusProb"
"hkey"="HKLM"
"command"="C:\Program Files\ASUS\Probe\AsusProb.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="avgcc"
"hkey"="HKLM"
"command"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_EMC]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="avgemc"
"hkey"="HKLM"
"command"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="gcasServ"
"hkey"="HKLM"
"command"=""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="KHost"
"hkey"="HKCU"
"command"="C:\Program Files\Kontiki\KHost.exe -all"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechGalleryRepair]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="ISStart"
"hkey"="HKLM"
"command"="C:\Program Files\Logitech\ImageStudio\ISStart.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechImageStudioTray]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="LogiTray"
"hkey"="HKLM"
"command"="C:\Program Files\Logitech\ImageStudio\LogiTray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="LVCOMS"
"hkey"="HKLM"
"command"="C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"=""C:\Program Files\Messenger\msmsgs.exe" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\WINDOWS\system32\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nForce Tray Options]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="sstray"
"hkey"="HKLM"
"command"="sstray.exe /r"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="NvMcTray"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Profiler]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="Profiler"
"hkey"="HKLM"
"command"="C:\Program Files\Saitek\Software\Profiler.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="qttask"
"hkey"="HKLM"
"command"=";"C:\Program Files\QuickTime\qttask.exe" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SaiSmart]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="SaiSmart"
"hkey"="HKLM"
"command"="C:\Program Files\Saitek\Software\SaiSmart.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmcService]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="smc"
"hkey"="HKLM"
"command"="C:\PROGRA~1\Sygate\SPF\smc.exe -startgui"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="Dragdiag"
"hkey"="HKLM"
"command"=""C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="MSASCui"
"hkey"="HKLM"
"command"=""C:\Program Files\Windows Defender\MSASCui.exe" -hide"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=dword:00000002

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=dword:00000000
"NoResolveSearch"=dword:00000001
"NoRecentDocsMenu"=dword:00000001
"NoFavoritesMenu"=dword:00000000
"NoSMMyDocs"=dword:00000000
"NoSMMyPictures"=dword:00000000
"NoStartMenuMyMusic"=dword:00000000
"NoRecentDocsHistory"=dword:00000001
"NoRecentDocsNetHood"=dword:00000000
"NoSMHelp"=dword:00000000
"NoRun"=dword:00000000
"NoInstrumentation"=dword:00000000
"NoSimpleStartMenu"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=dword:00000001
"NoFavoritesMenu"=dword:00000000
"NoSMMyDocs"=dword:00000000
"NoSMMyPictures"=dword:00000000
"NoStartMenuMyMusic"=dword:00000000
"NoRecentDocsHistory"=dword:00000001
"ClearRecentDocsOnExit"=dword:00000001
"NoRecentDocsNetHood"=dword:00000000
"NoSMHelp"=dword:00000000
"NoRun"=dword:00000000
"NoUserNameInStartMenu"=dword:00000001
"NoInstrumentation"=dword:00000000
"NoStartMenuPinnedList"=dword:00000000
"ForceStartMenuLogoff"=dword:00000000
"NoSharedDocuments"=dword:00000001
"NoWindowsUpdate"=dword:00000001

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

-- Hosts -----------------------------------------------------------------------

127.0.0.1 194.126.131.100
127.0.0.1 194.126.131.130
127.0.0.1 www.adserver2.adtech.de
127.0.0.1 3.64-62-243.reverse.mccolo.com:8081
127.0.0.1 checkip.sjc.dyndns.org:http
127.0.0.1 checkip.chi.dyndns.com:http
127.0.0.1 64.62.243.3
127.0.0.1 194.67.23.20
127.0.0.1 62.241.163.201
127.0.0.1 209.191.88.247

14616 more entries in hosts file.

-- End of Deckard's System Scanner: finished at 2007-04-19 at 14:17:59 ---------
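The hosts section of the scan above contains entries with a port suffix (":8081", ":http") and entries whose "hostname" is a bare IP address. The hosts file maps names only: a name with a port glued on is never looked up, and IP literals bypass name resolution entirely, so neither kind of entry blocks anything; only a syntactically valid name pointed at a loopback or blackhole address does. The checker below is an added example written for this page, not part of the original post and not output of Deckard's System Scanner or HijackThis. It parses hosts-file text, flags the ineffective forms, and also flags the opposite problem, a valid name pointed at some non-sinkhole address, which is what a hosts-file hijack looks like. The sample hosts text is constructed, modelled on the entries in the log; the `www.example-update-site.invalid` redirect line is hypothetical.

```python
import ipaddress
import re

# Constructed sample, modelled on the hosts entries in the DSS log above
# (not the poster's real hosts file). The last line is a hypothetical hijack.
SAMPLE_HOSTS = """\
# manual blocks added while chasing the outbound connections
127.0.0.1 194.126.131.100
127.0.0.1 www.adserver2.adtech.de
127.0.0.1 3.64-62-243.reverse.mccolo.com:8081
127.0.0.1 checkip.sjc.dyndns.org:http
127.0.0.1 64.62.243.3
127.0.0.1 localhost
0.0.0.0 copperbase.info   # blackhole form, also fine
10.0.0.9 www.example-update-site.invalid   # hypothetical hijack-style redirect
"""

# One DNS label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Targets that neutralise a name rather than redirect it.
SINKHOLE_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}


def is_ip_literal(token):
    """True if the token parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def valid_hostname(name):
    """Syntactic check of a hostname against the usual DNS label rules."""
    if len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.rstrip(".").split("."))


def classify_entry(target, name):
    """Return a verdict string for one (target address, hostname) pair."""
    if ":" in name:
        # The hosts file has no port field: "host:8081" is stored as a literal
        # name that no lookup will ever match, so it blocks nothing.
        return "port-suffix"
    if is_ip_literal(name):
        # Resolvers do not consult hosts for IP literals, so mapping
        # 64.62.243.3 to 127.0.0.1 has no effect on connections to that IP.
        return "ip-literal"
    if not valid_hostname(name):
        return "bad-hostname"
    if target not in SINKHOLE_TARGETS:
        # A valid name pointed at some other address: classic hosts-file hijack.
        return "redirect"
    return "ok"


def parse_hosts(text):
    """Return a list of (line_number, verdict, token) for every entry in the text."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        target, *names = line.split()
        if not is_ip_literal(target):
            findings.append((lineno, "bad-target", target))
            continue
        if not names:
            findings.append((lineno, "no-hostname", target))
            continue
        for name in names:
            findings.append((lineno, classify_entry(target, name), name))
    return findings


def ineffective_entries(text):
    """Hostname tokens that will never block anything."""
    return [name for _, verdict, name in parse_hosts(text)
            if verdict in ("port-suffix", "ip-literal", "bad-hostname")]


def redirects(text):
    """Valid names pointed somewhere other than a sinkhole address."""
    return [name for _, verdict, name in parse_hosts(text) if verdict == "redirect"]


if __name__ == "__main__":
    for lineno, verdict, name in parse_hosts(SAMPLE_HOSTS):
        print(f"line {lineno:>2}  {verdict:<12} {name}")
```

Run against a real file with `parse_hosts(open(r"C:\WINDOWS\system32\drivers\etc\hosts").read())`. Blocking a host on a specific port, or blocking a raw IP, is a firewall rule's job (Sygate in this thread), not the hosts file's; the hosts file is only useful for names.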