StartDreck log
StartDreck (build 2.1.7 public stable) - 2005-04-21 @ 15:16:15 (GMT -04:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 1)
Internet Explorer: 6.0.2800.1106
Logged in as agent3 at CSI0186-PC3
Registry
Run Keys
Current User
Run
*SpybotSD TeaTimer=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
RunOnce
Default User
Run
RunOnce
Local Machine
Run
*WinPatrol=C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
*Smapp=C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
*ShStatEXE="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
*McAfeeUpdaterUI="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
*IgfxTray=C:\Windows\System32\igfxtray.exe
*HPDJ Taskbar Utility=C:\Windows\System32\spool\drivers\w32x86\3\hpztsb07.exe
*HotKeysCmds=C:\Windows\System32\hkcmd.exe
*CSISetup=S:\PCSetup\disk1\setup.exe -fdailysetup.ins
*CPQEASYACC=C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
RunOnce
RunServices
*CPQDFWAG=C:\Windows\Cpqdiag\CpqDfwAg.exe
RunServicesOnce
RunOnceEx
RunServicesOnceEx
File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
+.htm
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.html
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
Active Setup (LM)
+Windows Media Player/>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
*StubPath=C:\Windows\inf\unregmp2.exe /ShowWMP
+Internet Explorer/>{26923b43-4d38-484f-9b9e-de460746276c}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
+Browser Customizations/>{86EEAFA8-6F38-4657-B4F7-ED1033D2EA1C}S04947
*StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
+Outlook Express/>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
+Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
*StubPath=%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
+Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
+NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
+Windows Messenger 4.7/{5945c046-1e7d-11d1-bc44-00c04fd912be}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser
+Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\Windows\INF\wmp.inf,PerUserStub
+Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
+Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340}
*StubPath=regsvr32.exe /s /n /i:U shell32.dll
+Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=%SystemRoot%\system32\ie4uinit.exe
Browser Helper Objects (LM)
Internet Explorer
Current User
*Local Page=C:\Windows\System32\blank.htm
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=http://www.msn.com/
+SearchUrl
*provider=
Default User
*Search Bar=
*Search Page=http://ie.search.msn.com
+SearchUrl
Local Machine
*Default_Page_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
*Default_Search_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Local Page=%SystemRoot%\system32\blank.htm
*Search Page=http://www.google.com
*Start Page=about:blank
*CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
*SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
ShellServiceObjectDelayLoad (LM)
*PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=%SystemRoot%\System32\webcheck.dll
*SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153}
`InprocServer32=C:\WINDOWS\System32\stobject.dll
Special NT Values
Current User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
Default User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
Local Machine
*AppInit_DLLs=
*SHELL=Explorer.exe
*Userinit=C:\WINDOWS\system32\userinit.exe,
Files
Autostart Folders
Current User
*C:\Documents and Settings\agent3\Start Menu\Programs\Startup\desktop.ini
Default User
Local Machine
*C:\DOCUME~1\ALLUSE~1\Start Menu\Programs\Startup\desktop.ini
*C:\DOCUME~1\ALLUSE~1\Start Menu\Programs\Startup\QuickBooks 2001 Delivery Agent.lnk
INI-Files
WIN.INI\[windows]
*LOAD=
*RUN=
SYSTEM.INI\[boot]
*SHELL=Explorer.exe
Text Files
*C:\boot.ini
`[boot loader]
`timeout=30
`default=multi(0)disk(0)rdisk(0)partition(1)\Windows
`[operating systems]
`multi(0)disk(0)rdisk(0)partition(1)\Windows="Microsoft Windows XP Professional" /fastdetect
*C:\msdos.sys
*C:\Windows\System32\config.nt
`dos=high, umb
`device=%SystemRoot%\system32\himem.sys
`files=40
*C:\Windows\autoexec.nt
`@echo off
`lh %SystemRoot%\system32\mscdexnt.exe
`lh %SystemRoot%\system32\redir
`lh %SystemRoot%\system32\dosx
`SET BLASTER=A220 I5 D1 P330 T3
`lh %SystemRoot%\system32\nw16
`lh %SystemRoot%\system32\vwipxspx
*C:\Windows\System32\autoexec.nt
`@echo off
`lh %SystemRoot%\system32\mscdexnt.exe
`lh %SystemRoot%\system32\redir
`lh %SystemRoot%\system32\dosx
`SET BLASTER=A220 I5 D1 P330 T3
`lh %SystemRoot%\system32\nw16
`lh %SystemRoot%\system32\vwipxspx
*C:\autoexec.nt
`@echo off
`lh %SystemRoot%\system32\mscdexnt.exe
`lh %SystemRoot%\system32\redir
`lh %SystemRoot%\system32\dosx
`SET BLASTER=A220 I5 D1 P330 T3
*C:\Windows\wininit.ini
`[Rename]
`nul=C:\Program Files\EnergyPlugIn\EnergyPlugin.exe
`NUL=p8wDwp}w:w
*C:\Windows\System32\drivers\etc\hosts
`127.0.0.1 www01.paypopup.com
`127.0.0.1 www02.paypopup.com
`127.0.0.1 www03.paypopup.com
`127.0.0.1 www04.paypopup.com
`127.0.0.1 www05.paypopup.com
`127.0.0.1 www06.paypopup.com
`127.0.0.1 www07.paypopup.com
`127.0.0.1 www08.paypopup.com
`127.0.0.1 www09.paypopup.com
`127.0.0.1 www10.paypopup.com
`127.0.0.1 count.exitexchange.com
Program Files
*C:\ntldr
*C:\ntdetect.com
*C:\io.sys
*C:\Windows\System32\win.com
*C:\Windows\explorer.exe
%PATH% Companion Files
+C:\Windows\System32\TASKMGR.COM
*C:\Windows\System32\taskmgr.exe
+C:\Windows\System32\notepad.exe
*C:\Windows\NOTEPAD.EXE
+C:\Windows\System32\taskman.exe
*C:\Windows\TASKMAN.EXE
+C:\Windows\System32\winhlp32.exe
*C:\Windows\winhlp32.exe
+C:\Windows\REGEDIT.COM
*C:\Windows\regedit.exe
+C:\PROGRA~1\REFLEC~1\cnectwiz.exe
*C:\Program Files\Reflection\cnectwiz.exe
*C:\Program Files\Reflection\cnectwiz.exe
+C:\PROGRA~1\REFLEC~1\ed3270db.exe
*C:\Program Files\Reflection\ed3270db.exe
*C:\Program Files\Reflection\ed3270db.exe
+C:\PROGRA~1\REFLEC~1\ed5250db.exe
*C:\Program Files\Reflection\ed5250db.exe
*C:\Program Files\Reflection\ed5250db.exe
+C:\PROGRA~1\REFLEC~1\Edit3270.exe
*C:\Program Files\Reflection\Edit3270.exe
*C:\Program Files\Reflection\Edit3270.exe
+C:\PROGRA~1\REFLEC~1\Edit5250.exe
*C:\Program Files\Reflection\Edit5250.exe
*C:\Program Files\Reflection\Edit5250.exe
+C:\PROGRA~1\REFLEC~1\Hllsetup.exe
*C:\Program Files\Reflection\Hllsetup.exe
*C:\Program Files\Reflection\Hllsetup.exe
+C:\PROGRA~1\REFLEC~1\Nthlltsr.exe
*C:\Program Files\Reflection\Nthlltsr.exe
*C:\Program Files\Reflection\Nthlltsr.exe
+C:\PROGRA~1\REFLEC~1\R8win.exe
*C:\Program Files\Reflection\R8win.exe
*C:\Program Files\Reflection\R8win.exe
+C:\PROGRA~1\REFLEC~1\rbd240ex.exe
*C:\Program Files\Reflection\rbd240ex.exe
*C:\Program Files\Reflection\rbd240ex.exe
+C:\PROGRA~1\REFLEC~1\Rdoshll.exe
*C:\Program Files\Reflection\Rdoshll.exe
*C:\Program Files\Reflection\Rdoshll.exe
+C:\PROGRA~1\REFLEC~1\Receive.exe
*C:\Program Files\Reflection\Receive.exe
*C:\Program Files\Reflection\Receive.exe
+C:\PROGRA~1\REFLEC~1\rftpc.exe
*C:\Program Files\Reflection\rftpc.exe
*C:\Program Files\Reflection\rftpc.exe
+C:\PROGRA~1\REFLEC~1\rnPing.exe
*C:\Program Files\Reflection\rnPing.exe
*C:\Program Files\Reflection\rnPing.exe
+C:\PROGRA~1\REFLEC~1\Rvd.exe
*C:\Program Files\Reflection\Rvd.exe
*C:\Program Files\Reflection\Rvd.exe
+C:\PROGRA~1\REFLEC~1\Send.exe
*C:\Program Files\Reflection\Send.exe
*C:\Program Files\Reflection\Send.exe
+C:\PROGRA~1\REFLEC~1\Sfxlate.exe
*C:\Program Files\Reflection\Sfxlate.exe
*C:\Program Files\Reflection\Sfxlate.exe
+C:\PROGRA~1\REFLEC~1\Snaeng.exe
*C:\Program Files\Reflection\Snaeng.exe
System/Drivers
Running Processes
+0=<idle>
+4=<system>
+636=<unknown>
+688=<unknown>
+712=<unknown>
+756=<unknown>
+768=<unknown>
+936=<unknown>
+1044=<unknown>
+1204=<unknown>
+1236=<unknown>
+1364=<unknown>
+1480=<unknown>
+1496=<unknown>
+1508=<unknown>
+1572=<unknown>
+1696=<unknown>
+1724=<unknown>
+1856=<unknown>
+1864=<unknown>
+1920=<unknown>
+1980=<unknown>
+196=<unknown>
+3784=C:\Windows\Explorer.EXE
+3864=C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
+3872=C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
+3876=C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
+3888=C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
+3900=C:\Windows\System32\igfxtray.exe
+3912=C:\Windows\System32\spool\drivers\w32x86\3\hpztsb07.exe
+3896=C:\Windows\System32\hkcmd.exe
+128=C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
+260=C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
+436=C:\Windows\System32\mrtMngr.EXE
+4000=C:\Compaq\EAKDRV\EAUSBKBD.EXE
+3636=C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
+3772=C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
+2548=<unknown>
+576=C:\agencysupport\startdreck\StartDreck.exe
NT Services
*Altiris Client Service AClient - disabled
*Alerter Alerter - on demand
*Application Layer Gateway Service ALG - on demand
*Application Management AppMgmt - on demand
*Windows Audio AudioSrv running auto
*Background Intelligent Transfer Service BITS - on demand
*Computer Browser Browser running auto
*Indexing Service cisvc - on demand
*ClipBook ClipSrv - on demand
*COM+ System Application COMSysApp - on demand
*Compaq Local Alerter CPQALERT running auto
*Compaq Remote Diagnostics Enabling Agent CpqDfwWebAgent running auto
*cpqdmi cpqdmi running auto
*Compaq DMI Web Agent cpqWebDmi running auto
*Cryptographic Services CryptSvc running auto
*DHCP Client Dhcp running auto
*Logical Disk Manager Administrative Service dmadmin - on demand
*Logical Disk Manager dmserver running auto
*DNS Client Dnscache running auto
*Error Reporting Service ERSvc running auto
*Event Log Eventlog running auto
*COM+ Event System EventSystem running on demand
*Fast User Switching Compatibility FastUserSwitchingCom - on demand
*Help and Support helpsvc running auto
*Human Interface Device Access HidServ - disabled
*IMAPI CD-Burning COM Service ImapiService - on demand
*IPv6 Internet Connection Firewall Ip6FwHlp - on demand
*Server lanmanserver running auto
*Workstation lanmanworkstation running auto
*TCP/IP NetBIOS Helper LmHosts running auto
*McAfee Framework Service McAfeeFramework running auto
*Network Associates McShield McShield running auto
*Network Associates Task Manager McTaskManager running auto
*Machine Debug Manager MDM running auto
*Messenger Messenger - disabled
*NetMeeting Remote Desktop Sharing mnmsrvc - on demand
*Distributed Transaction Coordinator MSDTC - on demand
*Windows Installer MSIServer - on demand
*Network DDE NetDDE - on demand
*Network DDE DSDM NetDDEdsdm - on demand
*Net Logon Netlogon - on demand
*Network Connections Netman running on demand
*Network Location Awareness (NLA) Nla running on demand
*NT LM Security Support Provider NtLmSsp - on demand
*Removable Storage NtmsSvc - on demand
*Plug and Play PlugPlay running auto
*IPSEC Services PolicyAgent running auto
*Protected Storage ProtectedStorage running auto
*Remote Access Auto Connection Manager RasAuto - on demand
*Remote Access Connection Manager RasMan running on demand
*Remote Desktop Help Session Manager RDSessMgr - on demand
*Routing and Remote Access RemoteAccess - disabled
*Remote Registry RemoteRegistry running auto
*Remote Procedure Call (RPC) Locator RpcLocator - on demand
*Remote Procedure Call (RPC) RpcSs running auto
*QoS RSVP RSVP - on demand
*Security Accounts Manager SamSs running auto
*Smart Card Helper SCardDrv - on demand
*Smart Card SCardSvr - on demand
*Task Scheduler Schedule running auto
*Secondary Logon seclogon running auto
*System Event Notification SENS running auto
*Shell Hardware Detection ShellHWDetection running auto
*Print Spooler Spooler running auto
*System Restore Service srservice - auto
*SSDP Discovery Service SSDPSRV running on demand
*Windows Image Acquisition (WIA) stisvc running on demand
*MS Software Shadow Copy Provider SwPrv - on demand
*Performance Logs and Alerts SysmonLog - on demand
*Telephony TapiSrv running on demand
*Terminal Services TermService running on demand
*Themes Themes running auto
*Telnet TlntSvr - on demand
*Distributed Link Tracking Client TrkWks running auto
*Upload Manager uploadmgr running auto
*Universal Plug and Play Device Host upnphost - on demand
*Uninterruptible Power Supply UPS - on demand
*Volume Shadow Copy VSS - on demand
*Windows Time W32Time running auto
*WebClient WebClient running auto
*WIN32SL WIN32SL running auto
*Windows Management Instrumentation winmgmt running auto
*VNC Server winvnc running auto
*Portable Media Serial Number Service WmdmPmSN - on demand
*Windows Management Instrumentation Driver Extensions Wmi - on demand
*WMI Performance Adapter WmiApSrv - on demand
*Automatic Updates wuauserv running auto
*Wireless Zero Configuration WZCSVC running auto
VMM32Files (LM)
%System%\VMM32
%System%\IOSUBSYS
Application specific
MS Office 97/8.0 STARTUP-PATH
Current User
Default User
Local Machine
ICQ NetDetect
Current User
Default User
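Added example, not part of the StartDreck output above and not the tool's own code: a small Python triage script that parses the log's marker format (unmarked header lines, `+` for a key or group, `*` for a value or item, `` ` `` for a line of file content) and pulls out the items a responder would check first: shell\open commands that differ from the Windows XP defaults, `.COM` companions that sit in front of a same-named `.EXE` in PATHEXT order, `wininit.ini [Rename]` entries (a `nul=` target means the file is deleted at the next boot), hosts entries that pin a non-localhost name to the loopback address, and remote-access services that are running. The embedded sample is a constructed, abridged excerpt in the same format; its `.bat` association is deliberately altered from the log above so that one mismatch shows up, and the expected-default table and the list of services counted as remote access are my own assumptions, not something StartDreck defines.

```python
"""Triage a StartDreck autostart log: parse its +/*/` tree and list the items
worth a second look. Sample log below is a constructed, abridged excerpt."""
import ntpath  # paths are Windows-style even when this runs on Linux
import re
from collections import defaultdict

# Constructed sample in StartDreck's format. The .bat command is altered
# from the real log on purpose so the association check has one hit.
SAMPLE_LOG = """\
File Associations (CR)
+.exe
*exefile="%1" %*
+.txt
*txtfile=%SystemRoot%\\system32\\NOTEPAD.EXE %1
+.bat
*batfile="%1"
Text Files
*C:\\Windows\\wininit.ini
`[Rename]
`nul=C:\\Program Files\\EnergyPlugIn\\EnergyPlugin.exe
*C:\\Windows\\System32\\drivers\\etc\\hosts
`127.0.0.1 localhost
`127.0.0.1 www01.paypopup.com
%PATH% Companion Files
+C:\\Windows\\System32\\TASKMGR.COM
*C:\\Windows\\System32\\taskmgr.exe
+C:\\Windows\\System32\\notepad.exe
*C:\\Windows\\NOTEPAD.EXE
NT Services
*Remote Registry RemoteRegistry running auto
*Telnet TlntSvr - on demand
*VNC Server winvnc running auto
"""

# Assumed Windows XP defaults for shell\open\command (compared case-insensitively).
DEFAULT_OPEN = {".exe": '"%1" %*', ".com": '"%1" %*', ".bat": '"%1" %*',
                ".pif": '"%1" %*', ".scr": '"%1" /S', ".reg": 'regedit.exe "%1"',
                ".txt": r"%SystemRoot%\system32\NOTEPAD.EXE %1"}
# Assumed set of services that give another party a way onto the box.
REMOTE_ACCESS = {"winvnc", "remoteregistry", "termservice", "tlntsvr",
                 "mnmsrvc", "messenger", "remoteaccess"}
SERVICE_RE = re.compile(r"^(?P<display>.+?) (?P<name>\S+) (?P<state>running|-) "
                        r"(?P<start>auto|on demand|disabled)$")


def parse_sections(text):
    """Group marker lines under the most recent unmarked header line.
    Headers repeat ('Run', 'Current User'), so only uniquely named sections
    are consulted by the checks below."""
    sections, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line[0] not in "+*`":
            current = line
        elif current is not None:
            sections[current].append((line[0], line[1:]))
    return sections


def check_associations(items):
    """Flag open commands for executable-ish extensions that are not the default."""
    findings, ext = [], None
    for mark, text in items:
        if mark == "+":
            ext = text.lower()
        elif mark == "*" and ext in DEFAULT_OPEN:
            progid, _, cmd = text.partition("=")
            if cmd.lower() != DEFAULT_OPEN[ext].lower():
                findings.append(f"{ext} ({progid}) opens with {cmd!r}, expected {DEFAULT_OPEN[ext]!r}")
    return findings


def check_companions(items):
    """A .COM next to a same-named .EXE runs first when the bare name is typed."""
    findings, first = [], None
    for mark, text in items:
        if mark == "+":
            first = text
        elif mark == "*" and first:
            stem_a, ext_a = ntpath.splitext(ntpath.basename(first).lower())
            stem_b, ext_b = ntpath.splitext(ntpath.basename(text).lower())
            if stem_a == stem_b and ext_a == ".com" and ext_b == ".exe":
                findings.append(f"{first} shadows {text}")
    return findings


def check_text_files(items):
    """wininit.ini [Rename] actions and hosts entries pinned to loopback."""
    findings, current, section = [], None, None
    for mark, text in items:
        if mark == "*":
            current, section = text.lower(), None
        elif mark == "`" and current is not None:
            if current.endswith("wininit.ini"):
                if text.startswith("["):
                    section = text
                elif section == "[Rename]":
                    dst, _, src = text.partition("=")
                    what = "delete at next boot" if dst.lower() == "nul" else f"rename to {dst}"
                    findings.append(f"wininit.ini: {what}: {src}")
            elif current.endswith("hosts"):
                parts = text.split("#", 1)[0].split()
                if len(parts) >= 2 and parts[0].startswith("127.") and parts[1].lower() != "localhost":
                    findings.append(f"hosts: {parts[1]} pinned to {parts[0]}")
    return findings


def check_services(items):
    """Remote-access services that are actually running, whatever their start type."""
    findings = []
    for mark, text in items:
        m = SERVICE_RE.match(text) if mark == "*" else None
        if m and m["name"].lower() in REMOTE_ACCESS and m["state"] == "running":
            findings.append(f"{m['display']} ({m['name']}) running, start={m['start']}")
    return findings


def triage(log_text):
    s = parse_sections(log_text)
    return {"associations": check_associations(s.get("File Associations (CR)", [])),
            "companions": check_companions(s.get("%PATH% Companion Files", [])),
            "text_files": check_text_files(s.get("Text Files", [])),
            "services": check_services(s.get("NT Services", []))}


if __name__ == "__main__":
    for area, hits in triage(SAMPLE_LOG).items():
        print(f"== {area}: {len(hits)} finding(s)")
        for hit in hits:
            print("  ", hit)
```

The script only lists; it does not judge. Hosts entries that send ad domains to 127.0.0.1 are produced by blocklists as well as by hijacks, a `.COM` companion can be a legitimate renamed copy as easily as a dropped one, and a `nul=` rename is how both uninstallers and malware remove files that are locked while Windows runs, so each hit still needs the file's hash, signature and install history before it means anything.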