This notebook constantly uses 100%resources. I ran a scan in safe mode with the restore off from Bit Defender online(the only scan that would work)and it said the PC was still infected with possibly the Win32.AV-Killer 3....it removed 5 viruses.
I can't run HJT because the resources are maxed out and the zip file can't be opened. I can't use spyware blaster, it says it can't load the temp file. Crap Cleaner just shoots up to 100% when I try to install it and freezes. I can't get any spyware progs to work. There is no restoration or xp CD with this unit.
Anyone have any ideas on how to get this notebook settled down so some tests can be run on it?
Thanks

Hopefully my advice will help you...Please post back with your results....thanks

What makes this so hard is that the AV companies do not have a standard for naming malware, they all name them different.

You will most likely have to do an OFF-LINE scan (no networking). The AV-Killers download programs using your browser, so doing an online scan is no help. The program just infects it again.

I believe these variants are called Trojan.KillAV.x by Symantec. These ususally have quite good info on how the trojan acts so a manual deletion can be attempted.

Search Engines Are Your Friends

Morpheus: There is a difference between knowing the path and walking the path. "The Matrix"

Thanks, I'll give that a try. Any idea why I can't even open hijackthis?
I'm finally uninstalling alot of software in safe mode which I couldn't do before.

Hopefully my advice will help you...Please post back with your results....thanks

I got to install most spyware programs in safe mode using administrator rights.
It wouldn't let me install the sygate firewall. When I boot up into normal mode, the resources are still up near 100%, anything else I can try....anyone?

Hopefully my advice will help you...Please post back with your results....thanks

anyone else have any views on this?
Thanks

Hopefully my advice will help you...Please post back with your results....thanks

Can you run Hijack This from safe mode.If so paste the log.

Also while in safe mode search for and delete any of these files if found:

C:\WINDOWS\secure32.html

C:\WINDOWS\system32\mspostsp.exe

C:\WINDOWS\system32\msupdate32.dll

C:\WINDOWS\tool3.exe

C:\WINDOWS\tool4.exe

C:\WINDOWS\toolbar.exe

C:\WINDOWS\system32\A.dll

yes, I can now run HJT in safe mode under administrator, thanks and I'll paste in the log for you....I sure appreciate it. I just got off work and I'll post the log in about 1/2 an hour from now. I'll also do a search for those items

Hopefully my advice will help you...Please post back with your results....thanks

Hi, I didn't find any of those files on this laptop, but here's my HJT log
Logfile of HijackThis v1.99.1
Scan saved at 1:09:06 AM, on 3/11/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.megalink.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Megalink
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Unknown owner - C:\Program Files\Sygate\SPF\Smc.exe (file missing)

Hopefully my advice will help you...Please post back with your results....thanks

I see nothing in the HT log, which is only a first step anyway. Four other things would would help with the HT tool.

Run HT,click the "open misc. tools section" button>check the two boxes to the right of "generate startup list log ">then click generate startup list log and post it.

Run HT,click the "open misc. tools section" button>click "open uninstall manager">click save list>click save>yes> post the list.

Run HT,click the "open misc. tools section" button>click "open host file manager">open in notepad and post those results.

Run HT,click the "open misc. tools section" button>click "open ADS spy..." button>scan>if anything shows up post the results.

Please download and run this cleaner in safe mode
http://www.atribune.org/content/view/19/2/ by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

.

Navigate to and delete the contents of C:\WINDOWS\prefetch (not the folder itself.

See if you can run BlackLight and post it's results. Download from this link http://www.f-secure.com/blacklight/try.shtml

Save it to your desktop and double click on the file.

Have it scan your computer but do not try to fix or delete anything identified by the tool, it may list legitimate programs

If the scan does find anything then copy and paste the log back to this thread. The log should be on your desktop or root directory (C:\). This is the format for the log file name:
fsbl-<date-and-time>.log

If you have any trouble finding it do a search for fsbl*.log.

thanks, here's the generate startup list

StartupList report, 3/11/2006, 12:04:28 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2600.0000)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

---------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Administrator\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

---------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

---------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

avast! = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
SmcService = C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui

---------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

---------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

(Default) =

---------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

---------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

---------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

---------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*Registry key not found*

---------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

---------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

---------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

---------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

---------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

---------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

---------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

---------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

---------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

---------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

---------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

---------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*Registry key not found*

---------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

---------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

---------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

---------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

---------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

---------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

---------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

---------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

---------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

---------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

---------------------

File association entry for .HTA:
*Registry key not found*

---------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

---------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>IEPerUser]
StubPath = RUNDLL32.EXE IEDKCS32.DLL,BrandIE4 SIGNUP

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{44BBA851-CC51-11CF-AAFA-00AA00B6015C}]
StubPath = rundll32.exeadvpack.dll

[{5945c046-1e7d-11d1-bc44-00c04fd912be}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}]
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}]
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}]
StubPath = %SystemRoot%\System32\ie4uinit.exe

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl

[{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}]
StubPath = rundll32 iesetup.dll,IEAccessUserInst

[{CA0A4247-44BE-11d1-A005-00805F8ABE06}]
StubPath = RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf

---------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

---------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

---------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\SYSTEM32\ssmyst.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

---------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

---------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: *Registry key not found*
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

---------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

---------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\NetZero\qsacc\X1IEBHO.dll (file missing) - {52706EF7-D7A2-49AD-A615-E903858CF284}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

---------------------

Enumerating Task Scheduler jobs:

Maintenance-Defragment programs.job
Maintenance-Disk cleanup.job
Tune-up Application Start.job

---------------------

Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://c:\windows\SYSTEM\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Internet Explorer Classes for Java]
CODEBASE = file://c:\windows\SYSTEM\iejava.cab
OSD = C:\WINDOWS\Downloaded Program Files\Internet Explorer Classes for Java.osd

[Microsoft XML Parser for Java]
CODEBASE = file://c:\windows\Java\classes\xmldso4.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[PCPitstop Utility]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\PCPitstop.dll
CODEBASE = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

[ewidoOnlineScan Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\EWIDOO~1.DLL
CODEBASE = http://download.ewido.net/ewidoOnlineScan.cab

[{32564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.microsoft.com/codecs/i386/wmv8ax.cab

[{556DDE35-E955-11D0-A707-000000521957}]
CODEBASE = http://www.xblock.com/download/xclean_micro.exe

[BDSCANONLINE Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\oscan8.ocx
CODEBASE = http://download.bitdefender.com/resources/scan8/oscan8.cab

[WScanCtl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\webscan.dll
CODEBASE = http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

[{8AD9C840-044E-11D1-B3E9-00805F499D93}]
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38127.5045949074

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

---------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
Protocol #18: C:\WINDOWS\system32\mswsock.dll
Protocol #19: C:\WINDOWS\system32\mswsock.dll

---------------------

Enumerating Windows NT/2000/XP services

Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AEGIS Protocol (IEEE 802.1x) v3.4.3.0: System32\DRIVERS\AegisP.sys (autostart)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Wireless-G Notebook Adapter with SRX400 Driver: System32\DRIVERS\Lssrx42.sys (manual start)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AliIde: System32\DRIVERS\aliide.sys (system)
ALI AGP Bus Filter: System32\DRIVERS\alim1541.sys (system)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
avast! iAVS4 Control Service: "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe" (autostart)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
Ati HotKey Poller: %SystemRoot%\System32\atievxx.exe (autostart)
atimpab: System32\DRIVERS\atimpab.sys (manual start)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
avast! Antivirus: "C:\Program Files\Alwil Software\Avast4\ashServ.exe" (autostart)
avast! Mail Scanner: "C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (manual start)
avast! Web Scanner: "C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: C:\WINDOWS\System32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Dynex DX-E201 CardBus PC Card: System32\DRIVERS\DXE201.SYS (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
ESS 1969 Audio Driver (WDM): system32\drivers\es1969.sys (manual start)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
GEARAspiWDM: System32\Drivers\GEARAspiWDM.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
InstallDriver Table Manager: C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (manual start)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
Iomega Devices Disk Filter Services: System32\DRIVERS\iomdisk.sys (system)
Iomega Activity Disk2: "" (disabled)
Iomega App Services: "C:\PROGRA~1\Iomega\System32\AppServices.exe" (autostart)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
iPodService: C:\Program Files\iPod\bin\iPodService.exe (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Kodak Camera Connection Software: %SystemRoot%\system32\drivers\KodakCCS.exe (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
LT Modem Driver: System32\DRIVERS\ltmdmnt.sys (manual start)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT Apm/Legacy Interface Driver: System32\DRIVERS\NtApm.sys (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Office Source Engine: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
Pcmcia: System32\DRIVERS\pcmcia.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\Drivers\PxHelp20.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Sygate Personal Firewall: C:\Program Files\Sygate\SPF\Smc.exe (autostart)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: \SystemRoot\System32\DRIVERS\sr.sys (disabled)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{88523665-6DB6-46CD-8CC8-BA698CB90324} (manual start)
SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Teefer for NT: \SystemRoot\SYSTEM32\Drivers\Teefer.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\System32\tlntsvr.exe (disabled)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Linksys USB 2.0 Network Adapter ver.2: System32\DRIVERS\USB200M2.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: System32\DRIVERS\usbohci.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
SyGate for NT, wg3n: \SystemRoot\SYSTEM32\Drivers\wg3n.sys (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Airgo Networks Protocol Driver: \??\C:\WINDOWS\System32\WNIPROT5.SYS (autostart)
wpsdrvnt: \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys (system)
Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

---------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

---------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

---------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

---------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

---------------------

End of report, 31,366 bytes
Report generated in 0.902 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Hopefully my advice will help you...Please post back with your results....thanks

here's the uninstall manager list

Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Download Manager (Remove Only)
ALi AGP Driver 1.60
ATI mach64 Display Driver
avast! Antivirus
Carbon Copy 32
CCleaner (remove only)
CCScore
Compaq IE Custom
Compaq IE5 Customization
Compaq OOBE Online
Compaq Presario2 Screen Saver
Compaq WebISP
Compaq WebReg
Compaq.NET Registration
CPQ Hardware Discovery
Cumulus S5.0.9
DAO 3.5
DVDExpress
ESSBrwr
ESSCDBK
ESScore
ESSCT
ESSEMAIL
ESSgui
ESShelp
ESSini
ESSPCD
ESSSONIC
ESSTOOLS
essvatgt
essvcpt
ESSvpaht
ESSvpot
HijackThis 1.99.1
HLPIndex
HLPSFO
Image Expert
InterActual Player
Internet Explorer Q832894
Iomega HotBurn Pro
iTunes
KSU
Lucent 56K V.90 PCI DF Modem
Microsoft Internet Explorer 6 SP1
Microsoft Office 2000 SR-1 Premium
Microsoft Office Professional Edition 2003
Microsoft Works 4.5
MUSICMATCH Jukebox
Notifier
OfotoXMI
On-Screen Display
OTtBP
OTtBPSDK
Outlook Express Q837009
PC Doctor OnCall v1
PCFriendly
Quicken Basic 2000
QuickTime
RingCentral Fax
SafeCast Shared Components
Screen Saver Magic- Deluxe Edition 6.0
Service Connection
SFR
SHASTA
SideWinder Game Controller Software
SKIN0001
SKINXSDK
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Sygate Personal Firewall 5.1
System Files Update
USB Storage Adapter V3 (TPP)
USB Storage Driver
VPRINTOL
WexTech AnswerWorks
Windows Media Player Hotfix [See Q828026 for more information]
Windows XP Application Compatibility Update[Q319580]
Windows XP Hotfix - KB810217
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833407
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB842773
Windows XP Hotfix (SP1) [See Q309521 for more information]
Windows XP Hotfix (SP1) [See Q311889 for more information]
Windows XP Hotfix (SP1) [See Q311967 for more information]
Windows XP Hotfix (SP1) [See Q313450 for more information]
Windows XP Hotfix (SP1) [See Q315000 for more information]
Windows XP Hotfix (SP1) [See Q315403 for more information]
Windows XP Hotfix (SP1) [See Q317277 for more information]
Windows XP Hotfix (SP1) [See Q318138 for more information]
Windows XP Hotfix (SP1) [See Q321856 for more information]
Windows XP Hotfix (SP1) [See Q323172 for more information]
Windows XP Hotfix (SP1) [See Q324096 for more information]
Windows XP Hotfix (SP1) [See Q324380 for more information]
Windows XP Hotfix (SP1) [See Q326830 for more information]
Windows XP Hotfix (SP1) [See Q328940 for more information]
Windows XP Hotfix (SP1) [See Q329048 for more information]
Windows XP Hotfix (SP1) [See Q329390 for more information]
Windows XP Hotfix (SP1) [See Q329441 for more information]
Windows XP Hotfix (SP1) [See Q329834 for more information]
Windows XP Hotfix (SP1) Q329170
Windows XP Hotfix (SP1) Q817606
Windows XP Hotfix (SP1) Q819696
Windows XP Hotfix (SP2) [See Q329115 for more information]
Windows XP Uninstall
WinZip
WIRELESS
Wireless-G Notebook Adapter with SRX400

Hopefully my advice will help you...Please post back with your results....thanks

here's the open host file manager

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

Hopefully my advice will help you...Please post back with your results....thanks

the ADS Spy didn't show anything.
I tried the ATF cleaner, it used up 100$ resources and didn't do anything for almost 20 minutes, so I terminated it with windows task manager. I checked the prefetch and it was empty.
I'll now try the Blacklight utility and let you know if it runs, thanks

Hopefully my advice will help you...Please post back with your results....thanks

The blacklight utility would not run in safe mode so I rebooted and tried in normal. It said it couldn't scan because of an error.
03/11/06 12:48:05 [Info]: BlackLight Engine 1.0.33 initialized
03/11/06 12:48:05 [Info]: OS: 5.1 build 2600 ()
03/11/06 12:48:08 [Note]: 7019 4
03/11/06 12:48:08 [Note]: 7005 0
03/11/06 12:48:09 [Error]: 6040 3
03/11/06 12:48:09 [Error]: 6001 0
03/11/06 12:48:19 [Note]: 7006 0
03/11/06 12:48:19 [Error]: 6040 3
03/11/06 12:48:19 [Error]: 6005 0
03/11/06 12:50:11 [Note]: 7007 0

Hopefully my advice will help you...Please post back with your results....thanks

Nothing really jumps out at me yet.

Lets manually delete all cookies and temp files:

Go to control panel>internet options>clear history>yes>delete cookies>ok>delete files>check the box for offline content>ok.

Set up the computer to view hidden files by going to start>control panel>folder options>view tab>tick the circle beside "show hidden files and folders" and untick the box beside "hide extensions of known file types" and "hide protected system operating files">apply>ok.

Navigate to C:\Documents and Settings\Cookies for all users on the computer and delete the files in that folder.

Navigate to C:\Documents and settings\local settings\Temp and Temporary Internet Files for all users on the computer and delete all the files in that folder.

Navigate to C:\WINDOWS\Temp and delete the files in that folder.

Navigate to C:\WINDOWS\System32\Config\systemprofile and delete the contents of the cookie folder and the Temp folder.

Navigate to C:\WINDOWS\Prefetch and delete any files in there if found.

Download Ewido Security Suite then set it up this way Ewido Setup Instructions reboot into safe mode and run Ewido

When the scan has completed, Ewido will create a report.txt file. Click the "Save Report" button on the bottom of the screen and save the log to your desktop.

Please reboot into normal mode and post the ewido log.

Hi, I cleared out all the cookies and am now running the Ewido scan. I have to go to work in 3/4 of an hour and if the scan is done by then, I'll post back the results, if it's not done, I'll try to post the results later tonight,
thanks for all your help

Hopefully my advice will help you...Please post back with your results....thanks

Hi, I let that Ewido scanner run all night (over 8 hours and it was scanning all these temp files)....so I stopped the scan and deleted those file and started again...it sure is a slow process, but I will post as soon as the results are done, its already scanned again for 277 minutes and is only 6.6% done...Thanks

Hopefully my advice will help you...Please post back with your results....thanks

Should take about 20 minutes to run Ewido.

Turn off system restore if you haven't already done so , that will get rid of many files that are probably infected anyway.

Follow the directions Here to turn off system restore.

It is taking more than 20 minutes....lol....I'm up to 521 minutes and it's still running, so far, there are 16 infected objects removed....right now I'm at 58% done.

Hopefully my advice will help you...Please post back with your results....thanks

Hopefully the effort will pay-off for you.

Here's the ewdido report:

ewido anti-malware - Scan report

+ Created on: 4:15:01 AM, 3/13/2006
+ Report-Checksum: FA57AA6D

+ Scan result:

C:\Recycled\Dc49.txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Recycled\Dc56.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
C:\Recycled\Dc59.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Recycled\Dc4.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Recycled\Dc8.txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Recycled\Dc10.txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Recycled\Dc11.txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Recycled\Dc26.txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Recycled\Dc29.txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Recycled\Dc30.txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Recycled\Dc32.txt -> TrackingCookie.Com : Cleaned with backup
C:\Recycled\Dc39.txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Recycled\Dc41.txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Recycled\Dc42.txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Recycled\Dc44.txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Recycled\Dc47.txt -> TrackingCookie.Mediaplex : Cleaned with backup

::Report End

Hopefully my advice will help you...Please post back with your results....thanks

After I booted back to normal mode, I opened task manager and it settled down to about 5-10%, but as soon as I tried a simple task like checking the trash bin, the resources shot up again to 100%.....a pretty frustrating laptop.

Hopefully my advice will help you...Please post back with your results....thanks

If you have not tried running the error checking tool and defrag you should try that.

I defragged this morning and luck has it, I can finally get on-line. The laptop lets me run some programs in normal mode now. I sure appreciate the help you have given me. Things are still slow loading on startup and I'm sure you saved me from having to reformat and re-install this Laptop...thanks a million!

Hopefully my advice will help you...Please post back with your results....thanks

See if BlackLight will run.

See if you can run this tool.

To look into the SharedTaskScheduler download

Getsts

Once it has downloaded, please double-click on the file, which should now be on your desktop. When the program is finished, it will create a text file on your desktop called getsts.txt and open it in notepad then post the results.

Hi jabuck,
I got Blacklight to run and it didn't find anything, I'll try the next Getsts and post the results

Hopefully my advice will help you...Please post back with your results....thanks

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

(HKLM) {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader => %SystemRoot%\System32\browseui.dll

(HKLM) {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon => %SystemRoot%\System32\browseui.dll

Hopefully my advice will help you...Please post back with your results....thanks

Hi jabuck,
I got Blacklight to run and it didn't find anything, I'll try the next Getsts and post the results

Hopefully my advice will help you...Please post back with your results....thanks

I have another strange problem, While I'm on computing.net, things will be fine when all of a sudden I get this error message:
Internet Explorer cannot open the internet site http:/computing.net/cgi-bin/mycomputingml.pl?no_reply
Operation aborted

It took me 5 times to post the results og the gtsts
So something is still clinging on in that laptop

Hopefully my advice will help you...Please post back with your results....thanks

Nothing there in the getsts either.

See if you can post a HT log from normal mode.

Logfile of HijackThis v1.99.1
Scan saved at 5:42:10 PM, on 3/14/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\taskmgr.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Compaq Customer\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\Smc.exe

Hopefully my advice will help you...Please post back with your results....thanks

Nothing shows up bad.

You can remove these with HT:

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

You said earlier that Sygate would not install. Is it installed and running properly as it looks to be or was it a problem install.

If you have the time download silentrunners from this link http://www.silentrunners.org/Silent%20Runners.vbs

Save it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, it will create a logfile on the desktop then post the results.

Also download Winpfind from this link http://www.bleepingcomputer.com/files/winpfind.php

Reboot into Safe Mode
Doubleclick WinPFind.exe
Click "Start Scan"
It will scan the entire System, so please be patient!
Once the Scan is Complete
Go to the WinPFind folder
Locate WinPFind.txt
Place those results in the next post!

Yes, I did get sygate firewall to install as well as Avast, they are both working fine.
Now I'll try those other 2 progs and post back the results, Thanks

Hopefully my advice will help you...Please post back with your results....thanks

I got some weird messages in safe mode like winpfind couldn't be found and also another one, can't remember what it said (sorry). But I noticed that the hour glass is on and when I opened task manager, I can see that there is a lot of activity (resources being used) by winlogon.exe
I'll let it run for awhile and see if it's working

Hopefully my advice will help you...Please post back with your results....thanks

Ok, WinPFind won't run...1st error:
File Not Found
2nd error:
Access violation at address0044DE27 in module 'winpfind.exe'
Read of address 00000004.

I have to get the laptop on-line now to send you the results of the Silent Runners scan

Hopefully my advice will help you...Please post back with your results....thanks

"Silent Runners.vbs", revision 44, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
----

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"SmcService" = "C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui" ["Sygate Technologies, Inc."]
"WinPatrol" = ""C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"" ["BillP Studios"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX" [empty string]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{5b4dae26-b807-11d0-9815-00c04fd91972}" = "Menu Band"
-> {HKLM...CLSID} = "Menu Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{8278F931-2A3E-11d2-838F-00C04FD918D0}" = "Tracking Shell Menu"
-> {HKLM...CLSID} = "Tracking Shell Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}" = "Menu Site"
-> {HKLM...CLSID} = "Menu Site"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}" = "Menu Desk Bar"
-> {HKLM...CLSID} = "Menu Desk Bar"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}" = "IShellFolderBand"
-> {HKLM...CLSID} = "IShellFolderBand"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}" = "&Links"
-> {HKLM...CLSID} = "&Links"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{7487cd30-f71a-11d0-9ea7-00805f714772}" = "Thumbnail Image"
-> {HKLM...CLSID} = "Thumbnail Image"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{a2d76d60-0125-11d1-943d-004095210265}" = "M-Systems TrueFFS"
-> {HKLM...CLSID} = "M-Systems TrueFFS"
\InProcServer32\(Default) = "TFFSprop.dll" ["M-Systems"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{acb4a560-3606-11d3-aef4-00104bd0f92d}" = "KodakShellExtension"
-> {HKLM...CLSID} = "KodakShellExtension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Kodak\ifscore\KodakShX.dll" ["Eastman Kodak Company"]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

Active Desktop and Wallpaper:

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Compaq Customer\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssflwbox.scr" [MS]

Enabled Scheduled Tasks:
------------------------

"Maintenance-Defragment programs" -> launches: "C:\WINDOWS\DEFRAG.EXE /SAGERUN:0" [file not found]
"Maintenance-Disk cleanup" -> launches: "C:\WINDOWS\CLEANMGR.EXE /SAGERUN:0" [file not found]
"Tune-up Application Start" -> launches: "walign" [file not found]

Winsock2 Service Provider DLLs:
--

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Wins