MAS Scan Log

Dave Q

Hi -

MAS doesn't send reports to Microsoft - it keeps erroring out.

I'm plagued by Winfixer popups and nothing stops them - NOTHING.

<MSSSRT version="1.0.615" createdate="10/9/2005 7:19:19 AM" os="XP.2600"
user=""><Audit><AutoRunAudit>
<StartupFiles>
<StartupFile path="C:\Documents and Settings\All Users\Start
Menu\Programs\Startup\Adobe Gamma Loader.lnk" nam="Adobe Gamma Loader (adobe
gamma loader.exe)" pub="Adobe Systems, Inc."
md5="c2ff17734176cd15221c10044ef0ba1a" ver="1, 0, 0, 1" sz="113664" is="0"
gfp="">c:\program files\common files\adobe\calibration\adobe gamma
loader.exe</StartupFile>
</StartupFiles>
<StartupFilesRegistry>
<StartupFileRegistry ex="1"
path="HLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" val="Sunkist2k"
dat="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" nam="Sunkist
(shwicon2k.exe)" pub="Alcor Micro, Corp."
md5="334e242417b1e66ecaf45d9dc62b288a" ver="1, 0, 0, 7" sz="139264" is="0"
gfp="">c:\program files\multimedia card
reader\shwicon2k.exe</StartupFileRegistry>
<StartupFileRegistry ex="1"
path="HLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" val="Recguard"
dat="C:\WINDOWS\SMINST\RECGUARD.EXE" nam="Recguard MFC Application
(recguard.exe)" pub="None" md5="d3cc7a3813123e955b3a497c04b404e2" ver="1, 0,
0, 1" sz="212992" is="0"
gfp="">c:\windows\sminst\recguard.exe</StartupFileRegistry>
<StartupFileRegistry ex="1"
path="HLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
val="NeroFilterCheck" dat="C:\WINDOWS\system32\NeroCheck.exe" nam="NeroCheck
(nerocheck.exe)" pub="Ahead Software Gmbh"
md5="3e4c03cefad8de135263236b61a49c90" ver="1, 0, 0, 2" sz="155648" is="0"
gfp="">c:\windows\system32\nerocheck.exe</StartupFileRegistry>
<StartupFileRegistry ex="1"
path="HLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" val="MediaFace
Integration" dat="C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe"
nam="MediaFACE Hook Application (sethook.exe)" pub="Fellowes, Inc."
md5="c108e71530073dda128b9998be00acf9" ver="4,0,1,27" sz="53248" is="0"
gfp="">c:\program files\fellowes\mediaface
4.0\sethook.exe</StartupFileRegistry>
<StartupFileRegistry ex="1"
path="HLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" val="LTMSG"
dat="LTMSG.exe 7" nam="ltmsg (ltmsg.exe)" pub="Agere Systems"
md5="4d3f3641aa76a48964102856fd7b955f" ver="3, 0, 0, 4" sz="40960" is="0"
gfp="">c:\windows\ltmsg.exe</StartupFileRegistry>
<StartupFileRegistry ex="1"
path="HLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" val="IgfxTray"
dat="C:\WINDOWS\system32\igfxtray.exe" nam="igfxTray Module (igfxtray.exe)"
pub="Intel Corporation" md5="8bbbada96ffe1449edd39256eda99cd8"
ver="3.0.0.3889" sz="155648" is="0"
gfp="">c:\windows\system32\igfxtray.exe</StartupFileRegistry>
<StartupFileRegistry ex="1"
path="HLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" val="hpsysdrv"
dat="c:\windows\system\hpsysdrv.exe" nam="hpsysdrv (hpsysdrv.exe)"
pub="Hewlett-Packard Company" md5="06a1ecb63df139ec639e084d4ab3c9d7" ver="1,
7, 0, 0" sz="52736" is="0"
gfp="">c:\windows\system\hpsysdrv.exe</StartupFileRegistry>
<StartupFileRegistry ex="1"
path="HLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" val="HotKeysCmds"
dat="C:\WINDOWS\system32\hkcmd.exe" nam="hkcmd Module (hkcmd.exe)"
pub="Intel Corporation" md5="ea5dd164296f66241bead39e12fa69f2"
ver="3.0.0.3889" sz="118784" is="0"
gfp="">c:\windows\system32\hkcmd.exe</StartupFileRegistry>
<StartupFileRegistry ex="1"
path="HLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" val="AutoTKit"
dat="C:\hp\bin\AUTOTKIT.EXE" nam=" (autotkit.exe)" pub=""
md5="6d013ba4120ab87d8694aaf12bd5d1c1" ver="" sz="53248" is="0"
gfp="">c:\hp\bin\autotkit.exe</StartupFileRegistry>
<StartupFileRegistry ex="1"
path="HLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" val="QuickTime
Task" dat="&quot;C:\Program Files\QuickTime\qttask.exe&quot; -atboottime"
nam="qttask.exe" pub="Apple Computer, Inc."
md5="76a3a30b58405c2c6d833895253a51a9" ver="6.5.1" sz="98304" is="0"
gfp="">c:\program files\quicktime\qttask.exe</StartupFileRegistry>
<StartupFileRegistry ex="1"
path="HLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" val="HP Component
Manager" dat="&quot;C:\Program Files\HP\hpcoretech\hpcmpmgr.exe&quot;"
nam="HP Framework Component Manager Service (hpcmpmgr.exe)"
pub="Hewlett-Packard Company" md5="b75b654ee1da99876461b24597ae3ff3"
ver="2.1.1.0" sz="241664" is="0" gfp="">c:\program
files\hp\hpcoretech\hpcmpmgr.exe</StartupFileRegistry>
<StartupFileRegistry ex="1"
path="HLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" val="HPDJ Taskbar
Utility" dat="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe"
nam="None (hpztsb10.exe)" pub="HP" md5="fd32127449af0b96ebeca3caab74e423"
ver="2.323.0.0" sz="172032" is="0"
gfp="">c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe</StartupFileRegistry>
<StartupFileRegistry ex="1"
path="HLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" val="AVG7_CC"
dat="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" nam="AVG Control
Center (avgcc.exe)" pub="GRISOFT, s.r.o."
md5="6e74941e3e14cb67fb1648b45a041f0d" ver="7,1,0,338" sz="352256" is="0"
gfp="">c:\progra~1\grisoft\avgfre~1\avgcc.exe</StartupFileRegistry>
<StartupFileRegistry ex="1"
path="HLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" val="gcasServ"
dat="&quot;C:\Program Files\Microsoft AntiSpyware\gcasServ.exe&quot;"
nam="Microsoft AntiSpyware Service (gcasserv.exe)" pub="Microsoft
Corporation" md5="263740ede788a60a6c0a47249fc410bf" ver="1.00.0615"
sz="473928" is="0" gfp="">c:\program files\microsoft
antispyware\gcasserv.exe</StartupFileRegistry>
<StartupFileRegistry ex="1"
path="HCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" val="NVIEW"
dat="rundll32.exe nview.dll,nViewLoadHook" nam="NVIDIA nView Desktop and
Window Manager 45.28 (nview.dll)" pub="NVIDIA Corporation"
md5="26b3de625fe075f43a61be19155220e6" ver="6.14.10.4528" sz="852038" is="0"
gfp="">c:\windows\system32\nview.dll</StartupFileRegistry>
<StartupFileRegistry ex="0"
path="HCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" val="SpySweeper"
dat="" nam="" pub="" md5="" ver="" sz="" is="0"
gfp=""></StartupFileRegistry>
</StartupFilesRegistry>
<WinlogonUserinitFiles>
<WinlogonUserinitFile ex="1" nam="Userinit Logon Application (userinit.exe)"
pub="Microsoft Corporation" md5="39b1ffb03c2296323832acbae50d2aff"
ver="5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)" sz="24576" is="0"
gfp="">c:\windows\system32\userinit.exe</WinlogonUserinitFile>

</WinlogonUserinitFiles>
<StartupWinIniFiles>

</StartupWinIniFiles>
<StartupSysIniFiles>

</StartupSysIniFiles>
</AutoRunAudit>
<InternetExplorerAudit version="6.0.2900.2180">
<BrowserHelperObjects>
<BHO ex="1" clsid="{15F4D456-5BAA-4076-8486-EECB38CD3E57}"
prog="ElnkScamBlocker.ElnkScamBHO.1" val="ElnkScamBHO Class" nam="Earthlink
ScamBlocker (escamblk.dll)" pub="EarthLink, Inc."
md5="545c561abbea44f88e7fe028d82d7b17" ver="2.2.59.0" sz="181328" is="0"
gfp="">c:\program files\earthlink totalaccess\toolbar\escamblk.dll</BHO>
<BHO ex="1" clsid="{512ACF1B-64D9-4928-B382-A80556F28DB4}"
prog="ELNK.ElnkPubBHO.1" val="ElnkPubBHO Class" nam="Earthlink PopupBlocker
(elnkpub.dll)" pub="EarthLink, Inc." md5="5d05e2c28d677e45bdb7105f4331b3dd"
ver="2.2.59.0" sz="197712" is="0" gfp="">c:\program files\earthlink
totalaccess\toolbar\elnkpub.dll</BHO>
<BHO ex="1" clsid="{656EC4B7-072B-4698-B504-2A414C1F0037}"
prog="Prpl_IePopupBlocker.IE_PopupBlocker.1" val="IE_PopupBlocker Class"
nam="prpl_IePopupBlocker Module (prpl_iepopupblocker.dll)" pub="Propel
Software Corporation" md5="7d4dce216a71d935fad9fbe4b29be00a"
ver="5.0.1.1054" sz="49152" is="0" gfp="">c:\program files\earthlink
totalaccess\accelerator\prpl_iepopupblocker.dll</BHO>
<BHO ex="1" clsid="{827DC836-DD9F-4A68-A602-5812EB50A834}"
prog="MSEvents.MSEvents.1" val="MSEvents Object" nam=" (wincr.dll)" pub=""
md5="02f0b37ab98887ab3600af69507cfad8" ver="" sz="516116" is="0"
gfp="">c:\windows\servicepackfiles\i386\wincr.dll</BHO>
<BHO ex="1" clsid="{9579D574-D4D8-4335-9560-FE8641A013BD}"
prog="ProtctIE.ElnkProtectionBHO.1" val="ElnkProtectionBHO Class"
nam="ProtcIE (protctie.dll)" pub="EarthLink, Inc."
md5="a91009a20d29895537c338ba5966511a" ver="2.2.59.0" sz="238672" is="0"
gfp="">c:\program files\earthlink totalaccess\toolbar\protctie.dll</BHO>
<BHO ex="1" clsid="{E713904C-DF05-4C79-BBAD-02DB923253BE}"
prog="uninsttb.ElnkLegacyUninstBHO.1" val="ElnkLegacyUninstBHO Class"
nam="uninsttb (uninsttb.dll)" pub="EarthLink, Inc."
md5="c02180535889c6de2a85b8570d79beb2" ver="2.2.59.0" sz="95312" is="0"
gfp="">c:\program files\earthlink totalaccess\toolbar\uninsttb.dll</BHO>
</BrowserHelperObjects>
<IEToolbars>
<IEToolbar ex="1" clsid="{C7768536-96F8-4001-B1A2-90EE21279187}"
prog="Toolbar.ElnkToolbar.1" val="EarthLink Toolbar" nam="Toolbar
(toolbar.dll)" pub="EarthLink, Inc." md5="d18c931184da46e5ac31022a755f635a"
ver="2.2.60.0" sz="173136" is="0" gfp="">c:\program files\earthlink
totalaccess\toolbar\toolbar.dll</IEToolbar>
</IEToolbars>
<IEExtensions>
</IEExtensions>
<IEExplorerBars>
<IEExplorerBar ex="1" clsid="{4D5C8C25-D075-11d0-B416-00C04FB90376}" prog=""
val="&amp;Tip of the Day" nam="Shell Doc Object and Control Library
(shdocvw.dll)" pub="Microsoft Corporation"
md5="47a418daae87e73814fa449ef32d0e0e" ver="6.00.2900.2713
(xpsp_sp2_gdr.050702-1513)" sz="1483776" is="0"
gfp="">c:\windows\system32\shdocvw.dll</IEExplorerBar>
<IEExplorerBar ex="0" clsid="{8F4902B6-6C04-4ade-8052-AA58578A21BD}" prog=""
val="" nam="" pub="" md5="" ver="" sz="" is="0" gfp=""></IEExplorerBar>
</IEExplorerBars>
<IEShellBrowsers>
<IEShellBrowser ex="0" clsid="{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
prog="" val="" nam="" pub="" md5="" ver="" sz="" is="0"
gfp=""></IEShellBrowser>
<IEShellBrowser ex="1" clsid="{01E04581-4EEE-11D0-BFE9-00AA005B4383}"
prog="" val="&amp;Address" nam="Shell Browser UI Library (browseui.dll)"
pub="Microsoft Corporation" md5="33e419191b4b92face6d6d3cf17b656f"
ver="6.00.2900.2713 (xpsp_sp2_gdr.050702-1513)" sz="1019904" is="0"
gfp="">c:\windows\system32\browseui.dll</IEShellBrowser>
<IEShellBrowser ex="0" clsid="{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}"
prog="" val="HP View" nam="" pub="" md5="" ver="" sz="" is="0"
gfp=""></IEShellBrowser>
<IEShellBrowser ex="0" clsid="
" prog="" val="" nam="" pub="" md5="" ver="" sz="" is="0"
gfp=""></IEShellBrowser>
</IEShellBrowsers>
<IEWebBrowsers>
<IEWebBrowser ex="0" clsid="{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}" prog=""
val="HP View" nam="" pub="" md5="" ver="" sz="" is="0"
gfp=""></IEWebBrowser>
<IEWebBrowser ex="0" clsid="
" prog="" val="" nam="" pub="" md5="" ver="" sz="" is="0"
gfp=""></IEWebBrowser>
<IEWebBrowser ex="1" clsid="{01E04581-4EEE-11D0-BFE9-00AA005B4383}" prog=""
val="&amp;Address" nam="Shell Browser UI Library (browseui.dll)"
pub="Microsoft Corporation" md5="33e419191b4b92face6d6d3cf17b656f"
ver="6.00.2900.2713 (xpsp_sp2_gdr.050702-1513)" sz="1019904" is="0"
gfp="">c:\windows\system32\browseui.dll</IEWebBrowser>
<IEWebBrowser ex="0" clsid="{2318C2B1-4965-11D4-9B18-009027A5CD4F}" prog=""
val="" nam="" pub="" md5="" ver="" sz="" is="0" gfp=""></IEWebBrowser>
<IEWebBrowser ex="0" clsid="{D7F30B62-8269-41AF-9539-B2697FA7D77E}" prog=""
val="" nam="" pub="" md5="" ver="" sz="" is="0" gfp=""></IEWebBrowser>
<IEWebBrowser ex="0" clsid="
" prog="" val="" nam="" pub="" md5="" ver="" sz="" is="0"
gfp=""></IEWebBrowser>
</IEWebBrowsers>
<IEMenuExts>
<IEMenuExt val="Refresh Pa&amp;ge with Full Quality">C:\Program
Files\EarthLink TotalAccess\Accelerator\\pac-page.html</IEMenuExt>
<IEMenuExt val="Refresh Pi&amp;cture with Full Quality">C:\Program
Files\EarthLink TotalAccess\Accelerator\\pac-image.html</IEMenuExt>
</IEMenuExts>
<IEURLSearchHooks>
<IEURLSearchHook ex="1" clsid="{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"
prog="" val="Microsoft Url Search Hook" nam="Shell Doc Object and Control
Library (shdocvw.dll)" pub="Microsoft Corporation"
md5="47a418daae87e73814fa449ef32d0e0e" ver="6.00.2900.2713
(xpsp_sp2_gdr.050702-1513)" sz="1483776" is="0"
gfp="">c:\windows\system32\shdocvw.dll</IEURLSearchHook>
</IEURLSearchHooks>
<IEURLs>
<IEURL val="HCU\Software\Microsoft\Internet Explorer Start
Page">http://www.google.com</IEURL>
<IEURL val="HCU\Software\Microsoft\Internet Explorer Search Page"> <G
..?AVCW</IEURL>
<IEURL val="HCU\Software\Microsoft\Internet Explorer
Default_Page_URL">http://start.earthlink.net</IEURL>
<IEURL val="HCU\Software\Microsoft\Internet Explore Local
Page">C:\WINDOWS\system32\blank.htm</IEURL>
<IEURL val="HCU\Software\Microsoft\Internet Explore Search Bar"></IEURL>
<IEURL val="HCU\Software\Microsoft\Internet Explorer
Default_Search_URL"></IEURL>
<IEURL val="HCU\Software\Microsoft\Internet Explorer HomeOldSP"></IEURL>
<IEURL val="HLM\Software\Microsoft\Internet Explorer Start
Page">http://www.google.com/</IEURL>
<IEURL val="HLM\Software\Microsoft\Internet Explorer Search Page"> <G
..?AVCW</IEURL>
<IEURL val="HLM\Software\Microsoft\Internet Explorer
Default_Page_URL">http://www.microsoft.com/isapi/redir.dll?prd=ie&amp;pver=6&amp;ar=msnhome</IEURL>
<IEURL val="HLM\Software\Microsoft\Internet Explorer Local
Page">%SystemRoot%\system32\blank.htm</IEURL>
<IEURL val="HLM\Software\Microsoft\Internet Explorer Search Bar"></IEURL>
<IEURL val="HLM\Software\Microsoft\Internet Explorer
Default_Search_URL">http://www.microsoft.com/isapi/redir.dll?prd=ie&amp;ar=iesearch</IEURL>
<IEURL val="HLM\Software\Microsoft\Internet Explorer HomeOldSP"></IEURL>
<IEURL val="HCU\Software\Microsoft\Internet Explorer\Search
CustomizeSearch"></IEURL>
<IEURL val="HCU\Software\Microsoft\Internet Explorer\Search
SearchAssistant"></IEURL>
<IEURL val="HLM\Software\Microsoft\Internet Explorer\Search
CustomizeSearch">http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm</IEURL>
<IEURL val="HLM\Software\Microsoft\Internet Explorer\Search
SearchAssistant">http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm</IEURL>
<IEURL val="HCU\Software\Microsoft\Internet
Explorer\SearchUrl">http://www.google.com/keyword/%s</IEURL>
<IEURL val="HLM\Software\Microsoft\Internet Explorer\SearchUrl"></IEURL>
<IEURL val="HLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs
blank">res://mshtml.dll/blank.htm</IEURL>
<IEURL val="HLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs
DesktopItemNavigationFailure">res://shdoclc.dll/navcancl.htm</IEURL>
<IEURL val="HLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs
NavigationCanceled">res://shdoclc.dll/navcancl.htm</IEURL>
<IEURL val="HLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs
NavigationFailure">res://shdoclc.dll/navcancl.htm</IEURL>
<IEURL val="HLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs
OfflineInformation">res://shdoclc.dll/offcancl.htm</IEURL>
<IEURL val="HLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs
PostNotCached">res://mshtml.dll/repost.htm</IEURL>
<IEURL val="HLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs
mozilla"></IEURL>
</IEURLs>
</InternetExplorerAudit>
<SystemAudit>
<ShellExecuteHooks>
<ShellExecuteHook ex="1" clsid="{9EF34FF2-3396-4527-9D27-04C8C1C67806}"
prog="Microsoft.AntiSpyware.ShellExecuteHook.1"
val="Microsoft.AntiSpyware.ShellExecuteHook.1" nam="Microsoft AntiSpyware
Shell Extension (shellextension.dll)" pub="Microsoft Corporation"
md5="4b202fff9eb43fdc8d3290deaab7487e" ver="1.0.0614.10" sz="101080" is="0"
gfp="">c:\program files\microsoft
antispyware\shellextension.dll</ShellExecuteHook>
</ShellExecuteHooks>
<ShellOpenCommands>
<ShellOpenCommand val="HCR\exefile\shell\open\command">&quot;%1&quot;
%*</ShellOpenCommand>
<ShellOpenCommand val="HCR\comfile\shell\open\command">&quot;%1&quot;
%*</ShellOpenCommand>
<ShellOpenCommand val="HCR\batfile\shell\open\command">&quot;%1&quot;
%*</ShellOpenCommand>
<ShellOpenCommand
val="HCR\htafile\shell\open\command">C:\WINDOWS\System32\mshta.exe
&quot;%1&quot; %*</ShellOpenCommand>
<ShellOpenCommand val="HCR\piffile\shell\open\command">&quot;%1&quot;
%*</ShellOpenCommand>
<ShellOpenCommand
val="HCR\txtfile\shell\open\command">%SystemRoot%\system32\NOTEPAD.EXE
%1</ShellOpenCommand>
<ShellOpenCommand val="HCR\mp3file\shell\open\command">&quot;C:\Program
Files\Windows Media Player\wmplayer.exe&quot; /prefetch:6 /Open
&quot;%L&quot;</ShellOpenCommand>
<ShellOpenCommand val="HCR\mpegfile\shell\open\command">&quot;C:\Program
Files\Windows Media Player\wmplayer.exe&quot; /prefetch:9 /Open
&quot;%L&quot;</ShellOpenCommand>
<ShellOpenCommand val="HCR\mailto\shell\open\command">&quot;C:\PROGRAM
FILES\OUTLOOK EXPRESS\MSIMN.EXE&quot; /mailurl:%1</ShellOpenCommand>
<ShellOpenCommand val="HCR\htmlfile\shell\open\command">&quot;C:\Program
Files\Internet Explorer\iexplore.exe&quot; -nohome</ShellOpenCommand>
<ShellOpenCommand val="HCR\http\shell\open\command">&quot;C:\Program
Files\Internet Explorer\iexplore.exe&quot; -nohome</ShellOpenCommand>
<ShellOpenCommand val="HCR\https\shell\open\command">&quot;C:\Program
Files\Internet Explorer\iexplore.exe&quot; -nohome</ShellOpenCommand>
<ShellOpenCommand val="HCR\ftp\shell\open\command">&quot;C:\Program
Files\Internet Explorer\iexplore.exe&quot; %1</ShellOpenCommand>
</ShellOpenCommands>
<ActiveXInstalls>
<ActiveXInstall clsid="{02BCC737-B171-4746-94C9-0D8A0B2C0089}"
prog="Office.awsdc.1" nam="Microsoft Office Template and Media Control"
codebase="http://office.microsoft.com/templates/ieawsdc.cab">
<Files>
<File ex="1" nam="IEAWSDC.DLL" pub="Unavailable"
md5="50804f20a0e541d9a0dbad1d56019ada" ver="Unavailable" sz="87240" is="0"
gfp="">C:\WINDOWS\Downloaded Program Files\IEAWSDC.DLL</File>
</Files>
</ActiveXInstall>
<ActiveXInstall clsid="{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}"
prog="QuickTime.QuickTime.4" nam="QuickTime Object"
codebase="http://www.apple.com/qtactivex/qtplugin.cab">
<Files>
</Files>
</ActiveXInstall>
<ActiveXInstall clsid="{166B1BCA-3F9C-11CF-8075-444553540000}"
prog="SWCtl.SWCtl.8.5.1" nam="Shockwave ActiveX Control"
codebase="http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab">
<Files>
</Files>
</ActiveXInstall>
<ActiveXInstall clsid="{17492023-C23A-453E-A040-C7C580BBF700}"
prog="LegitCheckControl.LegitCheck.1" nam="Windows Genuine Advantage
Validation Tool" codebase="http://go.microsoft.com/fwlink/?linkid=39204">
<Files>
<File ex="1" nam="PidGen (GWFSPidGen.DLL)" pub="Microsoft"
md5="76cfe0b49089af874d3d135efc38bf3a" ver="1, 5, 0, 42" sz="23304" is="0"
gfp="">C:\WINDOWS\system32\GWFSPidGen.DLL</File>
<File ex="1" nam="Windows Genuine Advantage Validation
(LegitCheckControl.DLL)" pub="Microsoft Corporation"
md5="679088dd42afb105a6da3f5e876d69b6" ver="1.3.0272.0" sz="520968" is="0"
gfp="">C:\WINDOWS\system32\LegitCheckControl.DLL</File>
</Files>
</ActiveXInstall>
<ActiveXInstall clsid="{8AD9C840-044E-11D1-B3E9-00805F499D93}" prog=""
nam="Java Plug-in 1.4.2"
codebase="http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab">
<Files>
</Files>
</ActiveXInstall>
<ActiveXInstall clsid="{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}" prog=""
nam="Java Plug-in 1.4.2"
codebase="http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab">
<Files>
</Files>
</ActiveXInstall>
<ActiveXInstall clsid="{D27CDB6E-AE6D-11CF-96B8-444553540000}"
prog="ShockwaveFlash.ShockwaveFlash.1" nam="Shockwave Flash Object"
codebase="http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab">
<Files>
</Files>
</ActiveXInstall>
</ActiveXInstalls>
<PROTOCOLSFilters>
<PROTOCOLSFilter ex="1" clsid="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"
prog="CorRegistration.CorFltr.1" filter="application/octet-stream"
val="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}" nam="Microsoft .NET Runtime
Execution Engine (mscoree.dll)" pub="Microsoft Corporation"
md5="4c702aea1c11d15c176c2c276d0907dd" ver="1.1.4322.573" sz="155648" is="0"
gfp="">c:\windows\system32\mscoree.dll</PROTOCOLSFilter>
<PROTOCOLSFilter ex="1" clsid="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"
prog="CorRegistration.CorFltr.1" filter="application/x-complus"
val="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}" nam="Microsoft .NET Runtime
Execution Engine (mscoree.dll)" pub="Microsoft Corporation"
md5="4c702aea1c11d15c176c2c276d0907dd" ver="1.1.4322.573" sz="155648" is="0"
gfp="">c:\windows\system32\mscoree.dll</PROTOCOLSFilter>
<PROTOCOLSFilter ex="1" clsid="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"
prog="CorRegistration.CorFltr.1" filter="application/x-msdownload"
val="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}" nam="Microsoft .NET Runtime
Execution Engine (mscoree.dll)" pub="Microsoft Corporation"
md5="4c702aea1c11d15c176c2c276d0907dd" ver="1.1.4322.573" sz="155648" is="0"
gfp="">c:\windows\system32\mscoree.dll</PROTOCOLSFilter>
<PROTOCOLSFilter ex="1" clsid="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"
prog="" filter="Class Install Handler"
val="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}" nam="OLE32 Extensions for Win32
(urlmon.dll)" pub="Microsoft Corporation"
md5="d73024f1a233361b9876c9d8432e87d7" ver="6.00.2900.2713
(xpsp_sp2_gdr.050702-1513)" sz="607744" is="0"
gfp="">c:\windows\system32\urlmon.dll</PROTOCOLSFilter>
<PROTOCOLSFilter ex="1" clsid="{8f6b0360-b80d-11d0-a9b3-006097942311}"
prog="" filter="deflate" val="{8f6b0360-b80d-11d0-a9b3-006097942311}"
nam="OLE32 Extensions for Win32 (urlmon.dll)" pub="Microsoft Corporation"
md5="d73024f1a233361b9876c9d8432e87d7" ver="6.00.2900.2713
(xpsp_sp2_gdr.050702-1513)" sz="607744" is="0"
gfp="">c:\windows\system32\urlmon.dll</PROTOCOLSFilter>
<PROTOCOLSFilter ex="1" clsid="{8f6b0360-b80d-11d0-a9b3-006097942311}"
prog="" filter="gzip" val="{8f6b0360-b80d-11d0-a9b3-006097942311}"
nam="OLE32 Extensions for Win32 (urlmon.dll)" pub="Microsoft Corporation"
md5="d73024f1a233361b9876c9d8432e87d7" ver="6.00.2900.2713
(xpsp_sp2_gdr.050702-1513)" sz="607744" is="0"
gfp="">c:\windows\system32\urlmon.dll</PROTOCOLSFilter>
<PROTOCOLSFilter ex="1" clsid="{8f6b0360-b80d-11d0-a9b3-006097942311}"
prog="" filter="lzdhtml" val="{8f6b0360-b80d-11d0-a9b3-006097942311}"
nam="OLE32 Extensions for Win32 (urlmon.dll)" pub="Microsoft Corporation"
md5="d73024f1a233361b9876c9d8432e87d7" ver="6.00.2900.2713
(xpsp_sp2_gdr.050702-1513)" sz="607744" is="0"
gfp="">c:\windows\system32\urlmon.dll</PROTOCOLSFilter>
<PROTOCOLSFilter ex="1" clsid="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"
prog="" filter="text/webviewhtml"
val="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}" nam="Windows Shell Common Dll
(shell32.dll)" pub="Microsoft Corporation"
md5="9833f278924d028414d7f89bfd4fc46b" ver="6.00.2900.2620
(xpsp_sp2_gdr.050225-1820)" sz="8450048" is="0"
gfp="">c:\windows\system32\shell32.dll</PROTOCOLSFilter>
</PROTOCOLSFilters>
<PROTOCOLSHandlers>
<PROTOCOLSHandler ex="1" clsid="{3050F406-98B5-11CF-BB82-00AA00BDCE0B}"
prog="" filter="about" val="{3050F406-98B5-11CF-BB82-00AA00BDCE0B}"
nam="Microsoft (R) HTML Viewer (mshtml.dll)" pub="Microsoft Corporation"
md5="31e7520e58e5e4dfa93215a6d5603af2" ver="6.00.2900.2722
(xpsp_sp2_gdr.050719-1518)" sz="3014144" is="0"
gfp="">c:\windows\system32\mshtml.dll</PROTOCOLSHandler>
<PROTOCOLSHandler ex="1" clsid="{3dd53d40-7b8b-11D0-b013-00aa0059ce02}"
prog="" filter="cdl" val="{3dd53d40-7b8b-11D0-b013-00aa0059ce02}" nam="OLE32
Extensions for Win32 (urlmon.dll)" pub="Microsoft Corporation"
md5="d73024f1a233361b9876c9d8432e87d7" ver="6.00.2900.2713
(xpsp_sp2_gdr.050702-1513)" sz="607744" is="0"
gfp="">c:\windows\system32\urlmon.dll</PROTOCOLSHandler>
<PROTOCOLSHandler ex="1" clsid="{CF184AD3-CDCB-4168-A3F7-8E447D129300}"
prog="HPCETI.UIZipProtocol.1" filter="cetihpz"
val="{CF184AD3-CDCB-4168-A3F7-8E447D129300}" nam="HPCETIUI Protocol Handler
Module (hpuiprot.dll)" pub="Hewlett-Packard Company"
md5="25709aea0b57a61e67c35ddd7994c9ed" ver="2.1.4" sz="81920" is="0"
gfp="">c:\program files\hp\hpcoretech\comp\hpuiprot.dll</PROTOCOLSHandler>
<PROTOCOLSHandler ex="1" clsid="{12D51199-0DB5-46FE-A120-47A3D7D937CC}"
prog="" filter="dvd" val="{12D51199-0DB5-46FE-A120-47A3D7D937CC}"
nam="ActiveX control for streaming video (msvidctl.dll)" pub="Microsoft
Corporation" md5="7b5ba7cb7cf42b557c17d08015be8a14" ver="6.05.2600.2180
(xpsp_sp2_rtm.040803-2158)" sz="1428480" is="0"
gfp="">c:\windows\system32\msvidctl.dll</PROTOCOLSHandler>
<PROTOCOLSHandler ex="1" clsid="{79eac9e7-baf9-11ce-8c82-00aa004ba90b}"
prog="" filter="file" val="{79eac9e7-baf9-11ce-8c82-00aa004ba90b}"
nam="OLE32 Extensions for Win32 (urlmon.dll)" pub="Microsoft Corporation"
md5="d73024f1a233361b9876c9d8432e87d7" ver="6.00.2900.2713
(xpsp_sp2_gdr.050702-1513)" sz="607744" is="0"
gfp="">c:\windows\system32\urlmon.dll</PROTOCOLSHandler>
<PROTOCOLSHandler ex="1" clsid="{79eac9e3-baf9-11ce-8c82-00aa004ba90b}"
prog="" filter="ftp" val="{79eac9e3-baf9-11ce-8c82-00aa004ba90b}" nam="OLE32
Extensions for Win32 (urlmon.dll)" pub="Microsoft Corporation"
md5="d73024f1a233361b9876c9d8432e87d7" ver="6.00.2900.2713
(xpsp_sp2_gdr.050702-1513)" sz="607744" is="0"
gfp="">c:\windows\system32\urlmon.dll</PROTOCOLSHandler>
<PROTOCOLSHandler ex="1" clsid="{79eac9e4-baf9-11ce-8c82-00aa004ba90b}"
prog="" filter="gopher" val="{79eac9e4-baf9-11ce-8c82-00aa004ba90b}"
nam="OLE32 Extensions for Win32 (urlmon.dll)" pub="Microsoft Corporation"
md5="d73024f1a233361b9876c9d8432e87d7" ver="6.00.2900.2713
(xpsp_sp2_gdr.050702-1513)" sz="607744" is="0"
gfp="">c:\windows\system32\urlmon.dll</PROTOCOLSHandler>
<PROTOCOLSHandler ex="1" clsid="{79eac9e2-baf9-11ce-8c82-00aa004ba90b}"
prog="" filter="http" val="{79eac9e2-baf9-11ce-8c82-00aa004ba90b}"
nam="OLE32 Extensions for Win32 (urlmon.dll)" pub="Microsoft Corporation"
md5="d73024f1a233361b9876c9d8432e87d7" ver="6.00.2900.2713
(xpsp_sp2_gdr.050702-1513)" sz="607744" is="0"
gfp="">c:\windows\system32\urlmon.dll</PROTOCOLSHandler>
<PROTOCOLSHandler ex="1" clsid="{79eac9e5-baf9-11ce-8c82-00aa004ba90b}"
prog="" filter="https" val="{79eac9e5-baf9-11ce-8c82-00aa004ba90b}"
nam="OLE32 Extensions for Win32 (urlmon.dll)" pub="Microsoft Corporation"
md5="d73024f1a233361b9876c9d8432e87d7" ver="6.00.2900.2713
(xpsp_sp2_gdr.050702-1513)" sz="607744" is="0"
gfp="">c:\windows\system32\urlmon.dll</PROTOCOLSHandler>
<PROTOCOLSHandler ex="1" clsid="{9D148291-B9C8-11D0-A4CC-0000F80149F6}"
prog="MSITFS1.0" filter="its" val="{9D148291-B9C8-11D0-A4CC-0000F80149F6}"
nam="Microsoft InfoTech Storage System Library (itss.dll)" pub="Microsoft
Corporation" md5="d9ad8b8b6135b4ff4a32e8c519345f35" ver="5.2.3790.2453
(srv03_sp1_gdr.050525-1542)" sz="137216" is="0"
gfp="">c:\windows\system32\itss.dll</PROTOCOLSHandler>
<PROTOCOLSHandler ex="1" clsid="{3050F3B2-98B5-11CF-BB82-00AA00BDCE0B}"
prog="" filter="javascript" val="{3050F3B2-98B5-11CF-BB82-00AA00BDCE0B}"
nam="Microsoft (R) HTML Viewer (mshtml.dll)" pub="Microsoft Corporation"
md5="31e7520e58e5e4dfa93215a6d5603af2" ver="6.00.2900.2722
(xpsp_sp2_gdr.050719-1518)" sz="3014144" is="0"
gfp="">c:\windows\system32\mshtml.dll</PROTOCOLSHandler>
<PROTOCOLSHandler ex="1" clsid="{79eac9e7-baf9-11ce-8c82-00aa004ba90b}"
prog="" filter="local" val="{79eac9e7-baf9-11ce-8c82-00aa004ba90b}"
nam="OLE32 Extensions for Win32 (urlmon.dll)" pub="Microsoft Corporation"
md5="d73024f1a233361b9876c9d8432e87d7" ver="6.00.2900.2713
(xpsp_sp2_gdr.050702-1513)" sz="607744" is="0"
gfp="">c:\windows\system32\urlmon.dll</PROTOCOLSHandler>
<PROTOCOLSHandler ex="1" clsid="{3050f3DA-98B5-11CF-BB82-00AA00BDCE0B}"
prog="" filter="mailto" val="{3050f3DA-98B5-11CF-BB82-00AA00BDCE0B}"
nam="Microsoft (R) HTML Viewer (mshtml.dll)" pub="Microsoft Corporation"
md5="31e7520e58e5e4dfa93215a6d5603af2" ver="6.00.2900.2722
(xpsp_sp2_gdr.050719-1518)" sz="3014144" is="0"
gfp="">c:\windows\system32\mshtml.dll</PROTOCOLSHandler>
<PROTOCOLSHandler ex="1" clsid="{05300401-BCBC-11d0-85E3-00C04FD85AB4}"
prog="" filter="mhtml" val="{05300401-BCBC-11d0-85E3-00C04FD85AB4}"
nam="Microsoft Internet Messaging API (inetcomm.dll)" pub="Microsoft
Corporation" md5="64528cdf39d8bc19d800be60039bb7e4" ver="6.00.2900.2180
(xpsp_sp2_rtm.040803-2158)" sz="678400" is="0"
gfp="">c:\windows\system32\inetcomm.dll</PROTOCOLSHandler>
<PROTOCOLSHandler ex="1" clsid="{79eac9e6-baf9-11ce-8c82-00aa004ba90b}"
prog="" filter="mk" val="{79eac9e6-baf9-11ce-8c82-00aa004ba90b}" nam="OLE32
Extensions for Win32 (urlmon.dll)" pub="Microsoft Corporation"
md5="d73024f1a233361b9876c9d8432e87d7" ver="6.00.2900.2713
(xpsp_sp2_gdr.050702-1513)" sz="607744" is="0"
gfp="">c:\windows\system32\urlmon.dll</PROTOCOLSHandler>
<PROTOCOLSHandler ex="1" clsid="{9D148291-B9C8-11D0-A4CC-0000F80149F6}"
prog="MSITFS1.0" filter="ms-its"
val="{9D148291-B9C8-11D0-A4CC-0000F80149F6}" nam="Microsoft InfoTech Storage
System Library (itss.dll)" pub="Microsoft Corporation"
md5="d9ad8b8b6135b4ff4a32e8c519345f35" ver="5.2.3790.2453
(srv03_sp1_gdr.050525-1542)" sz="137216" is="0"
gfp="">c:\windows\system32\itss.dll</PROTOCOLSHandler>
<PROTOCOLSHandler ex="1" clsid="{3050F3BC-98B5-11CF-BB82-00AA00BDCE0B}"
prog="" filter="res" val="{3050F3BC-98B5-11CF-BB82-00AA00BDCE0B}"
nam="Microsoft (R) HTML Viewer (mshtml.dll)" pub="Microsoft Corporation"
md5="31e7520e58e5e4dfa93215a6d5603af2" ver="6.00.2900.2722
(xpsp_sp2_gdr.050719-1518)" sz="3014144" is="0"
gfp="">c:\windows\system32\mshtml.dll</PROTOCOLSHandler>
<PROTOCOLSHandler ex="1" clsid="{76E67A63-06E9-11D2-A840-006008059382}"
prog="" filter="sysimage" val="{76E67A63-06E9-11D2-A840-006008059382}"
nam="Microsoft (R) HTML Viewer (mshtml.dll)" pub="Microsoft Corporation"
md5="31e7520e58e5e4dfa93215a6d5603af2" ver="6.00.2900.2722
(xpsp_sp2_gdr.050719-1518)" sz="3014144" is="0"
gfp="">c:\windows\system32\mshtml.dll</PROTOCOLSHandler>
<PROTOCOLSHandler ex="1" clsid="{CBD30858-AF45-11D2-B6D6-00C04FBBDE6E}"
prog="" filter="tv" val="{CBD30858-AF45-11D2-B6D6-00C04FBBDE6E}"
nam="ActiveX control for streaming video (msvidctl.dll)" pub="Microsoft
Corporation" md5="7b5ba7cb7cf42b557c17d08015be8a14" ver="6.05.2600.2180
(xpsp_sp2_rtm.040803-2158)" sz="1428480" is="0"
gfp="">c:\windows\system32\msvidctl.dll</PROTOCOLSHandler>
<PROTOCOLSHandler ex="1" clsid="{3050F3B2-98B5-11CF-BB82-00AA00BDCE0B}"
prog="" filter="vbscript" val="{3050F3B2-98B5-11CF-BB82-00AA00BDCE0B}"
nam="Microsoft (R) HTML Viewer (mshtml.dll)" pub="Microsoft Corporation"
md5="31e7520e58e5e4dfa93215a6d5603af2" ver="6.00.2900.2722
(xpsp_sp2_gdr.050719-1518)" sz="3014144" is="0"
gfp="">c:\windows\system32\mshtml.dll</PROTOCOLSHandler>
<PROTOCOLSHandler ex="1" clsid="{13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE}"
prog="Wia.WiaProtocol.1" filter="wia"
val="{13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE}" nam="WIA Scripting Layer
(wiascr.dll)" pub="Microsoft Corporation"
md5="dd469944b09b032e7c7fe85687c2a399" ver="5.1.2600.2180
(xpsp_sp2_rtm.040803-2158)" sz="75776" is="0"
gfp="">c:\windows\system32\wiascr.dll</PROTOCOLSHandler>
</PROTOCOLSHandlers>
<PROTOCOLSNameSpaceHandlers>
<PROTOCOLSNameSpaceHandler ex="1"
clsid="{9D148291-B9C8-11D0-A4CC-0000F80149F6}" prog="MSITFS1.0"
namespace="mk" namespacefilter="NameSpace Filter for MK:@MSITStore:..."
val="{79eac9e6-baf9-11ce-8c82-00aa004ba90b}" nam="Microsoft InfoTech Storage
System Library (itss.dll)" pub="Microsoft Corporation"
md5="d9ad8b8b6135b4ff4a32e8c519345f35" ver="5.2.3790.2453
(srv03_sp1_gdr.050525-1542)" sz="137216" is="0"
gfp="">c:\windows\system32\itss.dll</PROTOCOLSNameSpaceHandler>
</PROTOCOLSNameSpaceHandlers>
<TCPIPParamaters>
<TCPIPParamater
val="DataBasePath">%SystemRoot%\System32\drivers\etc</TCPIPParamater>
<TCPIPParamater val="Domain"></TCPIPParamater>
<TCPIPParamater val="NameServer"></TCPIPParamater>
<TCPIPParamater val="SearchList"></TCPIPParamater>
<TCPIPParamater val="VXD MSTCP: NameServer"></TCPIPParamater>
</TCPIPParamaters>
<InternetSettings>
<InternetSetting val="ProxyEnable">1</InternetSetting>
<InternetSetting val="ProxyServer">http=localhost:8080</InternetSetting>
<InternetSetting val="ProxyOverride">&lt;local&gt;</InternetSetting>
<InternetSetting val="User Agent">Mozilla/4.0 (compatible; MSIE 6.0;
Win32)</InternetSetting>
<InternetSetting val="ZoneMap Domain Count">0</InternetSetting>
</InternetSettings>
<IESettings>
<IESetting val="UseMyStylesheet"
set="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet
Explorer\Styles"></IESetting>
<IESetting val="UserStylesheet"
set="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet
Explorer\Styles"></IESetting>
<IESetting val="UseMyStylesheet"
set="HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet
Explorer\Styles"></IESetting>
<IESetting val="UserStylesheet"
set="HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet
Explorer\Styles"></IESetting>
</IESettings>
<AppInitDLLs val="">
</AppInitDLLs>
<ShellServiceObjectDelayLoads>
<ShellServiceObjectDelayLoad ex="1"
clsid="{7849596a-48ea-486e-8937-a2a3009f31a9}" prog=""
val="PostBootReminder" nam="Windows Shell Common Dll (shell32.dll)"
pub="Microsoft Corporation" md5="9833f278924d028414d7f89bfd4fc46b"
ver="6.00.2900.2620 (xpsp_sp2_gdr.050225-1820)" sz="8450048" is="0"
gfp="">c:\windows\system32\shell32.dll</ShellServiceObjectDelayLoad>
<ShellServiceObjectDelayLoad ex="1"
clsid="{fbeb8a05-beee-4442-804e-409d6c4515e9}" prog="" val="CDBurn"
nam="Windows Shell Common Dll (shell32.dll)" pub="Microsoft Corporation"
md5="9833f278924d028414d7f89bfd4fc46b" ver="6.00.2900.2620
(xpsp_sp2_gdr.050225-1820)" sz="8450048" is="0"
gfp="">c:\windows\system32\shell32.dll</ShellServiceObjectDelayLoad>
<ShellServiceObjectDelayLoad ex="1"
clsid="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" prog="" val="WebCheck"
nam="Web Site Monitor (webcheck.dll)" pub="Microsoft Corporation"
md5="6501db5182d5a8c0f1f1707286161d66" ver="6.00.2900.2180
(xpsp_sp2_rtm.040803-2158)" sz="276480" is="0"
gfp="">c:\windows\system32\webcheck.dll</ShellServiceObjectDelayLoad>
<ShellServiceObjectDelayLoad ex="1"
clsid="{35CEC8A3-2BE6-11D2-8773-92E220524153}" prog="" val="SysTray"
nam="Systray shell service object (stobject.dll)" pub="Microsoft
Corporation" md5="297101a925ecffdcdf7f6341ffbb6c1a" ver="5.1.2600.2180
(xpsp_sp2_rtm.040803-2158)" sz="121856" is="0"
gfp="">c:\windows\system32\stobject.dll</ShellServiceObjectDelayLoad>
</ShellServiceObjectDelayLoads>
<ScheduledTasks>
</ScheduledTasks>
<Services>
<Service ex="1" disp="Adobe LM Service" desc="Adobe LM Service" nam="System
Level Service Utilty (Adobelmsvc.exe)" pub="Unavailable"
md5="3dca27d49522aacf37a4a3e2aca8e0b2" ver="2.43.000" sz="68096" is="0"
gfp="">C:\Program Files\Common Files\Adobe Systems
Shared\Service\Adobelmsvc.exe</Service>
<Service ex="1" disp="Application Layer Gateway Service" desc="Provides
support for 3rd party protocol plug-ins for Internet Connection Sharing and
the Windows Firewall." nam="Application Layer Gateway Service (alg.exe)"
pub="Microsoft Corporation" md5="f1958fbf86d5c004cf19a5951a9514b7"
ver="5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)" sz="44544" is="0"
gfp="">C:\WINDOWS\System32\alg.exe</Service>
<Service ex="1" disp="ASP.NET State Service" desc="Provides support for
out-of-process session states for ASP.NET. If this service is stopped,
out-of-process requests will not be processed. If this service is disabled,
any services that explicitly depend on it will fail to start."
nam="aspnet_state.exe (aspnet_state.exe)" pub="Microsoft Corporation"
md5="a986fcfdac587e68478db51547b90800" ver="1.1.4322.573" sz="32768" is="0"
gfp="">C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe</Service>
<Service ex="1" disp="AVG7 Alert Manager Server" desc="" nam="AVG Alert
Manager (avgamsvr.exe)" pub="GRISOFT, s.r.o."
md5="9dbd26d7d7967d918c507b1e2a93a37e" ver="7,1,0,321" sz="330240" is="0"
gfp="">C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe</Service>
<Service ex="1" disp="AVG7 Update Service" desc="" nam="AVG Update Service
(avgupsvc.exe)" pub="GRISOFT, s.r.o." md5="62e6b23b906b213836470740fe449b43"
ver="7,1,0,321" sz="84480" is="0"
gfp="">C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe</Service>
<Service ex="1" disp="Indexing Service" desc="Indexes contents and
properties of files on local and remote computers; provides rapid access to
files through flexible querying language." nam="Content Index service
(cisvc.exe)" pub="Microsoft Corporation"
md5="3192bd04d032a9c4a85a3278c268a13a" ver="5.1.2600.2180
(xpsp_sp2_rtm.040803-2158)" sz="5632" is="0"
gfp="">C:\WINDOWS\system32\cisvc.exe</Service>
<Service ex="1" disp="ClipBook" desc="Enables ClipBook Viewer to store
information and share it with remote computers. If the service is stopped,
ClipBook Viewer will not be able to share information with remote computers.
If this service is disabled, any services that explicitly depend on it will
fail to start." nam="Windows NT DDE Server (clipsrv.exe)" pub="Microsoft
Corporation" md5="c8dec22c4137d7a90f8bdf41ca4b82ae" ver="5.1.2600.2180
(xpsp_sp2_rtm.040803-2158)" sz="33280" is="0"
gfp="">C:\WINDOWS\system32\clipsrv.exe</Service>
<Service ex="1" disp="COM+ System Application" desc="Manages the
configuration and tracking of Component Object Model (COM)+-based
components. If the service is stopped, most COM+-based components will not
function properly. If this service is disabled, any services that explicitly
depend on it will fail to start." nam="COM Surrogate (dllhost.exe)"
pub="Microsoft Corporation" md5="dd87db7387b9eb441c5674888a0d840c"
ver="5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)" sz="5120" is="0"
gfp="">C:\WINDOWS\System32\dllhost.exe</Service>
<Service ex="1" disp="Logical Disk Manager Administrative Service"
desc="Configures hard disk drives and volumes. The service only runs for
configuration processes and then stops." nam="Logical Disk Manager service
process (dmadmin.exe)" pub="Microsoft Corp., Veritas Software"
md5="554c7cb178fe3bd12450b81ad63adbc3" ver="2600.2180.503.0" sz="224768"
is="0" gfp="">C:\WINDOWS\System32\dmadmin.exe</Service>
<Service ex="1" disp="EarthLink Monitor Service" desc="" nam="wmonitor
Module (wmonitor.exe)" pub="Boingo Wireless, Inc."
md5="80a5870b25b47e0a018cb42505e6ada0" ver="1, 4, 1220, 0" sz="65604" is="0"
gfp="">C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe</Service>
<Service ex="1" disp="Event Log" desc="Enables event log messages issued by
Windows-based programs and components to be viewed in Event Viewer. This
service cannot be stopped." nam="Services and Controller app (services.exe)"
pub="Microsoft Corporation" md5="c6ce6eec82f187615d1002bb3bb50ed4"
ver="5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)" sz="108032" is="0"
gfp="">C:\WINDOWS\system32\services.exe</Service>
<Service ex="1" disp="Fax" desc="Enables you to send and receive faxes,
utilizing fax resources available on this computer or on the network."
nam="Fax Service (fxssvc.exe)" pub="Microsoft Corporation"
md5="fcbd571fa0ee8dc238944ae5fab74461" ver="5.2.2600.2180
(xpsp_sp2_rtm.040803-2158)" sz="267776" is="0"
gfp="">C:\WINDOWS\system32\fxssvc.exe</Service>
<Service ex="1" disp="IMAPI CD-Burning COM Service" desc="Manages CD
recording using Image Mastering Applications Programming Interface (IMAPI).
If this service is stopped, this computer will be unable to record CDs. If
this service is disabled, any services that explicitly depend on it will
fail to start." nam="Image Mastering API (imapi.exe)" pub="Microsoft
Corporation" md5="fa788520bcac0f5d9d5cde5615c0d931" ver="5.1.2600.2180
(xpsp_sp2_rtm.040803-2158)" sz="150016" is="0"
gfp="">C:\WINDOWS\System32\imapi.exe</Service>
<Service ex="1" disp="NetMeeting Remote Desktop Sharing" desc="Enables an
authorized user to access this computer remotely by using NetMeeting over a
corporate intranet. If this service is stopped, remote desktop sharing will
be unavailable. If this service is disabled, any services that explicitly
depend on it will fail to start." nam="NetMeeting Remote Desktop Sharing
(mnmsrvc.exe)" pub="Microsoft Corporation"
md5="f6415361201915b9fe3896b0e4e724ff" ver="5.1.2600.2180" sz="32768" is="0"
gfp="">C:\WINDOWS\System32\mnmsrvc.exe</Service>
<Service ex="1" disp="Distributed Transaction Coordinator" desc="Coordinates
transactions that span multiple resource managers, such as databases,
message queues, and file systems. If this service is stopped, these
transactions will not occur. If this service is disabled, any services that
explicitly depend on it will fail to start. " nam="MS DTC console program
(msdtc.exe)" pub="Microsoft Corporation"
md5="c7c3d89eb0a6f3dba622ea737fa335b1" ver="2001.12.4414.258" sz="6144"
is="0" gfp="">C:\WINDOWS\System32\msdtc.exe</Service>
<Service ex="1" disp="Windows Installer" desc="Adds, modifies, and removes
applications provided as a Windows Installer (*.msi) package. If this
service is disabled, any services that explicitly depend on it will fail to
start." nam="Windows installer (msiexec.exe)" pub="Microsoft Corporation"
md5="f5f0146580e7023adb963879840777f8" ver="3.1.4000.1823" sz="78848" is="0"
gfp="">C:\WINDOWS\system32\msiexec.exe</Service>
<Service ex="1" disp="Network DDE" desc="Provides network transport and
security for Dynamic Data Exchange (DDE) for programs running on the same
computer or on different computers. If this service is stopped, DDE
transport and security will be unavailable. If this service is disabled, any
services that explicitly depend on it will fail to start." nam="Network
DDE - DDE Communication (netdde.exe)" pub="Microsoft Corporation"
md5="05afb5ad06462257bea7495283c86d50" ver="5.1.2600.2180
(xpsp_sp2_rtm.040803-2158)" sz="111104" is="0"
gfp="">C:\WINDOWS\system32\netdde.exe</Service>
<Service ex="1" disp="Network DDE DSDM" desc="Manages Dynamic Data Exchange
(DDE) network shares. If this service is stopped, DDE network shares will be
unavailable. If this service is disabled, any services that explicitly
depend on it will fail to start. " nam="Network DDE - DDE Communication
(netdde.exe)" pub="Microsoft Corporation"
md5="05afb5ad06462257bea7495283c86d50" ver="5.1.2600.2180
(xpsp_sp2_rtm.040803-2158)" sz="111104" is="0"
gfp="">C:\WINDOWS\system32\netdde.exe</Service>
<Service ex="1" disp="Net Logon" desc="Supports pass-through authentication
of account logon events for computers in a domain." nam="LSA Shell
(lsass.exe)" pub="Microsoft Corporation"
md5="84885f9b82f4d55c6146ebf6065d75d2" ver="5.1.2600.2180
(xpsp_sp2_rtm.040803-2158)" sz="13312" is="0"
gfp="">C:\WINDOWS\System32\lsass.exe</Service>
<Service ex="1" disp="NT LM Security Support Provider" desc="Provides
security to remote procedure call (RPC) programs that use transports other
than named pipes." nam="LSA Shell (lsass.exe)" pub="Microsoft Corporation"
md5="84885f9b82f4d55c6146ebf6065d75d2" ver="5.1.2600.2180
(xpsp_sp2_rtm.040803-2158)" sz="13312" is="0"
gfp="">C:\WINDOWS\System32\lsass.exe</Service>
<Service ex="1" disp="NVIDIA Driver Helper Service" desc="" nam="NVIDIA
Driver Helper Service, Version 45.28 (nvsvc32.exe)" pub="NVIDIA Corporation"
md5="88a8cfcd2bc3ff1484901ce985782e6e" ver="6.14.10.4528" sz="77824" is="0"
gfp="">C:\WINDOWS\System32\nvsvc32.exe</Service>
<Service ex="1" disp="Plug and Play" desc="Enables a computer to recognize
and adapt to hardware changes with little or no user input. Stopping or
disabling this service will result in system instability." nam="Services and
Controller app (services.exe)" pub="Microsoft Corporation"
md5="c6ce6eec82f187615d1002bb3bb50ed4" ver="5.1.2600.2180
(xpsp_sp2_rtm.040803-2158)" sz="108032" is="0"
gfp="">C:\WINDOWS\system32\services.exe</Service>
<Service ex="1" disp="IPSEC Services" desc="Manages IP security policy and
starts the ISAKMP/Oakley (IKE) and the IP security driver." nam="LSA Shell
(lsass.exe)" pub="Microsoft Corporation"
md5="84885f9b82f4d55c6146ebf6065d75d2" ver="5.1.2600.2180
(xpsp_sp2_rtm.040803-2158)" sz="13312" is="0"
gfp="">C:\WINDOWS\System32\lsass.exe</Service>
<Service ex="1" disp="Protected Storage" desc="Provides protected storage
for sensitive data, such as private keys, to prevent access by unauthorized
services, processes, or users." nam="LSA Shell (lsass.exe)" pub="Microsoft
Corporation" md5="84885f9b82f4d55c6146ebf6065d75d2" ver="5.1.2600.2180
(xpsp_sp2_rtm.040803-2158)" sz="13312" is="0"
gfp="">C:\WINDOWS\system32\lsass.exe</Service>
<Service ex="1" disp="Remote Desktop Help Session Manager" desc="Manages and
controls Remote Assistance. If this service is stopped, Remote Assistance
will be unavailable. Before stopping this service, see the Dependencies tab
of the Properties dialog box." nam="Microsoft Remote Desktop Help Session
Manager (sessmgr.exe)" pub="Microsoft Corporation"
md5="729798e0933076b8fcfcd9934698f164" ver="5.1.2600.2180
(xpsp_sp2_rtm.040803-2158)" sz="140800" is="0"
gfp="">C:\WINDOWS\system32\sessmgr.exe</Service>
<Service ex="1" disp="Remote Procedure Call (RPC) Locator" desc="Manages the
RPC name service database." nam="Rpc Locator (locator.exe)" pub="Microsoft
Corporation" md5="793f04a09b15e7c6c11dbdffaf06c0ab" ver="5.1.2600.2180
(xpsp_sp2_rtm.040803-2158)" sz="75264" is="0"
gfp="">C:\WINDOWS\System32\locator.exe</Service>
<Service ex="1" disp="QoS RSVP" desc="Provides network signaling and local
traffic control setup functionality for QoS-aware programs and control
applets." nam="Microsoft RSVP (rsvp.exe)" pub="Microsoft Corporation"
md5="471b3f9741d762abe75e9deea4787e47" ver="5.1.2600.0
(xpclient.010817-1148)" sz="132608" is="0"
gfp="">C:\WINDOWS\System32\rsvp.exe</Service>
<Service ex="1" disp="Security Accounts Manager" desc="Stores security
information for local user accounts." nam="LSA Shell (lsass.exe)"
pub="Microsoft Corporation" md5="84885f9b82f4d55c6146ebf6065d75d2"
ver="5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)" sz="13312" is="0"
gfp="">C:\WINDOWS\system32\lsass.exe</Service>
<Service ex="1" disp="Smart Card" desc="Manages access to smart cards read
by this computer. If this service is stopped, this computer will be unable
to read smart cards. If this service is disabled, any services that
explicitly depend on it will fail to start." nam="Smart Card Resource
Management Server (SCardSvr.exe)" pub="Microsoft Corporation"
md5="25d8de134df108e3dbc8d7d23b1aa58e" ver="5.1.2600.2180
(xpsp_sp2_rtm.040803-2158)" sz="95744" is="0"
gfp="">C:\WINDOWS\System32\SCardSvr.exe</Service>
<Service ex="1" disp="Print Spooler" desc="Loads files to memory for later
printing." nam="Spooler SubSystem App (spoolsv.exe)" pub="Microsoft
Corporation" md5="da81ec57acd4cdc3d4c51cf3d409af9f" ver="5.1.2600.2696
(xpsp_sp2_gdr.050610-1519)" sz="57856" is="0"
gfp="">C:\WINDOWS\system32\spoolsv.exe</Service>
<Service ex="1" disp="MS Software Shadow Copy Provider" desc="Manages
software-based volume shadow copies taken by the Volume Shadow Copy service.
If this service is stopped, software-based volume shadow copies cannot be
managed. If this service is disabled, any services that explicitly depend on
it will fail to start." nam="COM Surrogate (dllhost.exe)" pub="Microsoft
Corporation" md5="dd87db7387b9eb441c5674888a0d840c" ver="5.1.2600.2180
(xpsp_sp2_rtm.040803-2158)" sz="5120" is="0"
gfp="">C:\WINDOWS\System32\dllhost.exe</Service>
<Service ex="1" disp="Performance Logs and Alerts" desc="Collects
performance data from local or remote computers based on preconfigured
schedule parameters, then writes the data to a log or triggers an alert. If
this service is stopped, performance information will not be collected. If
this service is disabled, any services that explicitly depend on it will
fail to start." nam="Performance Logs and Alerts Service (smlogsvc.exe)"
pub="Microsoft Corporation" md5="8b54aa346d1b1b113ffaa75501b8b1b2"
ver="5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)" sz="89600" is="0"
gfp="">C:\WINDOWS\system32\smlogsvc.exe</Service>
<Service ex="1" disp="Windows User Mode Driver Framework" desc="Enables
Windows user mode drivers." nam="Windows User Mode Driver Manager
(wdfmgr.exe)" pub="Microsoft Corporation"
md5="c81b8635dee0d3ef5f64b3dd643023a5" ver="5.2.3790.1230 built by:
DNSRV(bld4act)" sz="38912" is="0"
gfp="">C:\WINDOWS\System32\wdfmgr.exe</Service>
<Service ex="1" disp="Uninterruptible Power Supply" desc="Manages an
uninterruptible power supply (UPS) connected to the computer." nam="UPS
Service (ups.exe)" pub="Microsoft Corporation"
md5="3f5df65b0758675f95a2d43918a740a3" ver="5.1.2600.2180
(xpsp_sp2_rtm.040803-2158)" sz="18432" is="0"
gfp="">C:\WINDOWS\System32\ups.exe</Service>
<Service ex="1" disp="Volume Shadow Copy" desc="Manages and implements
Volume Shadow Copies used for backup and other purposes. If this service is
stopped, shadow copies will be unavailable for backup and the backup may
fail. If this service is disabled, any services that explicitly depend on it
will fail to start." nam="Microsoft Volume Shadow Copy Service (vssvc.exe)"
pub="Microsoft Corporation" md5="3ee00364ae0fd8d604f46cbaf512838a"
ver="5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)" sz="289792" is="0"
gfp="">C:\WINDOWS\System32\vssvc.exe</Service>
<Service ex="1" disp="WMI Performance Adapter" desc="Provides performance
library information from WMI HiPerf providers." nam="WMI Performance Adapter
Service (wmiapsrv.exe)" pub="Microsoft Corporation"
md5="ba8cecc3e813e1f7c441b20393d4f86c" ver="5.1.2600.2180
(xpsp_sp2_rtm.040803-2158)" sz="126464" is="0"
gfp="">C:\WINDOWS\System32\wbem\wmiapsrv.exe</Service>
</Services>
</SystemAudit>
<ProcessesAudit>
<Processes>
<Process ex="1" pid="384" nam="Windows NT Session Manager (smss.exe)"
pub="Microsoft Corporation" md5="bd7fb0957c716f1a60333aee04de2178"
ver="5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)" sz="50688" is="0"
gfp="">c:\windows\system32\smss.exe</Process>
<Process ex="1" pid="456" nam="Client Server Runtime Process (csrss.exe)"
pub="Microsoft Corporation" md5="f12b178b1678d778cfd3ff1fc38c71fb"
ver="5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)" sz="6144" is="0"
gfp="">C:\WINDOWS\system32\csrss.exe</Process>
<Process ex="1" pid="480" nam="Windows NT Logon Application (winlogon.exe)"
pub="Microsoft Corporation" md5="01c3346c241652f43aed8e2149881bfe"
ver="5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)" sz="502272" is="0"
gfp="">c:\windows\system32\winlogon.exe</Process>
<Process ex="1" pid="524" nam="Services and Controller app (services.exe)"
pub="Microsoft Corporation" md5="c6ce6eec82f187615d1002bb3bb50ed4"
ver="5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)" sz="108032" is="0"
gfp="">c:\windows\system32\services.exe</Process>
<Process ex="1" pid="536" nam="LSA Shell (lsass.exe)" pub="Microsoft
Corporation" md5="84885f9b82f4d55c6146ebf6065d75d2" ver="5.1.2600.2180
(xpsp_sp2_rtm.040803-2158)" sz="13312" is="0"
gfp="">c:\windows\system32\lsass.exe</Process>
<Process ex="1" pid="684" nam="Generic Host Process for Win32 Services
(svchost.exe)" pub="Microsoft Corporation"
md5="8f078ae4ed187aaabc0a305146de6716" ver="5.1.2600.2180
(xpsp_sp2_rtm.040803-2158)" sz="14336" is="0"
gfp="">c:\windows\system32\svchost.exe</Process>
<Process ex="1" pid="760" nam="Generic Host Process for Win32 Services
(svchost.exe)" pub="Microsoft Corporation"
md5="8f078ae4ed187aaabc0a305146de6716" ver="5.1.2600.2180
(xpsp_sp2_rtm.040803-2158)" sz="14336" is="0"
gfp="">C:\WINDOWS\system32\svchost.exe</Process>
<Process ex="1" pid="808" nam="Generic Host Process for Win32 Services
(svchost.exe)" pub="Microsoft Corporation"
md5="8f078ae4ed187aaabc0a305146de6716" ver="5.1.2600.2180
(xpsp_sp2_rtm.040803-2158)" sz="14336" is="0"
gfp="">c:\windows\system32\svchost.exe</Process>
<Process ex="1" pid="848" nam="Generic Host Process for Win32 Services
(svchost.exe)" pub="Microsoft Corporation"
md5="8f078ae4ed187aaabc0a305146de6716" ver="5.1.2600.2180
(xpsp_sp2_rtm.040803-2158)" sz="14336" is="0"
gfp="">C:\WINDOWS\system32\svchost.exe</Process>
<Process ex="1" pid="912" nam="Generic Host Process for Win32 Services
(svchost.exe)" pub="Microsoft Corporation"
md5="8f078ae4ed187aaabc0a305146de6716" ver="5.1.2600.2180
(xpsp_sp2_rtm.040803-2158)" sz="14336" is="0"
gfp="">C:\WINDOWS\system32\svchost.exe</Process>
<Process ex="1" pid="1116" nam="Windows Explorer (explorer.exe)"
pub="Microsoft Corporation" md5="a0732187050030ae399b241436565e64"
ver="6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)" sz="1032192" is="0"
gfp="">c:\windows\explorer.exe</Process>
<Process ex="1" pid="1144" nam="Spooler SubSystem App (spoolsv.exe)"
pub="Microsoft Corporation" md5="da81ec57acd4cdc3d4c51cf3d409af9f"
ver="5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)" sz="57856" is="0"
gfp="">c:\windows\system32\spoolsv.exe</Process>
<Process ex="1" pid="1276" nam="AVG Alert Manager (avgamsvr.exe)"
pub="GRISOFT, s.r.o." md5="9dbd26d7d7967d918c507b1e2a93a37e" ver="7,1,0,321"
sz="330240" is="0"
gfp="">c:\progra~1\grisoft\avgfre~1\avgamsvr.exe</Process>
<Process ex="1" pid="1292" nam="AVG Update Service (avgupsvc.exe)"
pub="GRISOFT, s.r.o." md5="62e6b23b906b213836470740fe449b43" ver="7,1,0,321"
sz="84480" is="0" gfp="">c:\progra~1\grisoft\avgfre~1\avgupsvc.exe</Process>
<Process ex="1" pid="1340" nam="wmonitor Module (wmonitor.exe)" pub="Boingo
Wireless, Inc." md5="80a5870b25b47e0a018cb42505e6ada0" ver="1, 4, 1220, 0"
sz="65604" is="0" gfp="">c:\program files\earthlink
totalaccess\wengine\wmonitor.exe</Process>
<Process ex="1" pid="1516" nam="Generic Host Process for Win32 Services
(svchost.exe)" pub="Microsoft Corporation"
md5="8f078ae4ed187aaabc0a305146de6716" ver="5.1.2600.2180
(xpsp_sp2_rtm.040803-2158)" sz="14336" is="0"
gfp="">c:\windows\system32\svchost.exe</Process>
<Process ex="1" pid="1572" nam="Windows User Mode Driver Manager
(wdfmgr.exe)" pub="Microsoft Corporation"
md5="c81b8635dee0d3ef5f64b3dd643023a5" ver="5.2.3790.1230 built by:
DNSRV(bld4act)" sz="38912" is="0"
gfp="">C:\WINDOWS\system32\wdfmgr.exe</Process>
<Process ex="1" pid="1896" nam="Application Layer Gateway Service (alg.exe)"
pub="Microsoft Corporation" md5="f1958fbf86d5c004cf19a5951a9514b7"
ver="5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)" sz="44544" is="0"
gfp="">C:\WINDOWS\system32\alg.exe</Process>
<Process ex="1" pid="1924" nam="Sunkist (shwicon2k.exe)" pub="Alcor Micro,
Corp." md5="334e242417b1e66ecaf45d9dc62b288a" ver="1, 0, 0, 7" sz="139264"
is="0" gfp="">c:\program files\multimedia card
reader\shwicon2k.exe</Process>
<Process ex="1" pid="1964" nam="ltmsg (ltmsg.exe)" pub="Agere Systems"
md5="4d3f3641aa76a48964102856fd7b955f" ver="3, 0, 0, 4" sz="40960" is="0"
gfp="">c:\windows\ltmsg.exe</Process>
<Process ex="1" pid="1984" nam="hpsysdrv (hpsysdrv.exe)"
pub="Hewlett-Packard Company" md5="06a1ecb63df139ec639e084d4ab3c9d7" ver="1,
7, 0, 0" sz="52736" is="0" gfp="">c:\windows\system\hpsysdrv.exe</Process>
<Process ex="1" pid="1996" nam="hkcmd Module (hkcmd.exe)" pub="Intel
Corporation" md5="ea5dd164296f66241bead39e12fa69f2" ver="3.0.0.3889"
sz="118784" is="0" gfp="">c:\windows\system32\hkcmd.exe</Process>
<Process ex="1" pid="128" nam="HP Framework Component Manager Service
(hpcmpmgr.exe)" pub="Hewlett-Packard Company"
md5="b75b654ee1da99876461b24597ae3ff3" ver="2.1.1.0" sz="241664" is="0"
gfp="">c:\program files\hp\hpcoretech\hpcmpmgr.exe</Process>
<Process ex="1" pid="176" nam="None (hpztsb10.exe)" pub="HP"
md5="fd32127449af0b96ebeca3caab74e423" ver="2.323.0.0" sz="172032" is="0"
gfp="">c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe</Process>
<Process ex="1" pid="168" nam="AVG Control Center (avgcc.exe)" pub="GRISOFT,
s.r.o." md5="6e74941e3e14cb67fb1648b45a041f0d" ver="7,1,0,338" sz="352256"
is="0" gfp="">c:\progra~1\grisoft\avgfre~1\avgcc.exe</Process>
<Process ex="1" pid="364" nam="Microsoft AntiSpyware Data Service
(gcasdtserv.exe)" pub="Microsoft Corporation"
md5="21bd4696317a4a6383f86cdc5e026bfd" ver="1.00.0615" sz="756552" is="0"
gfp="">c:\program files\microsoft antispyware\gcasdtserv.exe</Process>
<Process ex="1" pid="2020" nam="Internet Explorer (iexplore.exe)"
pub="Microsoft Corporation" md5="e7484514c0464642be7b4dc2689354c8"
ver="6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)" sz="93184" is="0"
gfp="">c:\program files\internet explorer\iexplore.exe</Process>
<Process ex="1" pid="2572" nam="Microsoft AntiSpyware Service
(gcasserv.exe)" pub="Microsoft Corporation"
md5="263740ede788a60a6c0a47249fc410bf" ver="1.00.0615" sz="473928" is="0"
gfp="">c:\program files\microsoft antispyware\gcasserv.exe</Process>
<Process ex="1" pid="2740" nam="None (taskpanl.exe)" pub="EarthLink, Inc."
md5="031da5f6f0625b7db3c9629180de440c" ver="2005.2.98.0" sz="942080" is="0"
gfp="">c:\program files\earthlink totalaccess\taskpanl.exe</Process>
<Process ex="1" pid="3244" nam="IP Session Statistics (ipclient.exe)"
pub="Visual Networks" md5="a454402ec7ee565c0ed225ed6cfb452f"
ver="5.5.100.115" sz="364544" is="0" gfp="">c:\program files\earthlink
totalaccess\fastlane\ipclient.exe</Process>
<Process ex="1" pid="3376" nam="elinkacc.exe" pub="Unavailable"
md5="a0007fe4c1d8bc9b50d03792084f8f75" ver="Unavailable" sz="1007159" is="0"
gfp="">c:\program files\earthlink
totalaccess\accelerator\elinkacc.exe</Process>
<Process ex="1" pid="3504" nam="Outlook Express (msimn.exe)" pub="Microsoft
Corporation" md5="091c14f4c71328d4316248a2421190de" ver="6.00.2900.2180
(xpsp_sp2_rtm.040803-2158)" sz="60416" is="0" gfp="">c:\program
files\outlook express\msimn.exe</Process>
<Process ex="1" pid="2564" nam="Internet Explorer (iexplore.exe)"
pub="Microsoft Corporation" md5="e7484514c0464642be7b4dc2689354c8"
ver="6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)" sz="93184" is="0"
gfp="">c:\program files\internet explorer\iexplore.exe</Process>
<Process ex="1" pid="2940" nam="ccleaner.exe" pub="CCleaner.com"
md5="149bb71d2bdf3235cd7174fcacd4dc09" ver="1.24.0180" sz="528384" is="0"
gfp="">c:\program files\ccleaner\ccleaner.exe</Process>
<Process ex="1" pid="1636" nam="Microsoft AntiSpyware Main
(giantantispywaremain.exe)" pub="Microsoft Corporation"
md5="2f92f172d6f47c28b048e6899985bb4b" ver="1.00.0615" sz="4598608" is="0"
gfp="">c:\program files\microsoft
antispyware\giantantispywaremain.exe</Process>
<Process ex="1" pid="1244" nam="Microsoft Suspected Spyware Reporting Tool
(msssrt.exe)" pub="Microsoft Corporation"
md5="1d3fc56e8adb2e911390c775a4de94dd" ver="1.00.0615" sz="400200" is="0"
gfp="">c:\program files\microsoft antispyware\msssrt.exe</Process>
</Processes>
</ProcessesAudit>
</Audit>
</MSSSRT>
 

Guest

Are you unable to read the replies?
Has Plunl's information failed in your case?

Engel
 

plun

Hi Dave

Run HijackThis and post a log.

The WebUI is much better now to handle these logs.

AndyM also probably sees it.
 

Bill Sanderson

It's actually better not to post these logs here, WebUI or no.

Go for a specialized forum--if you post here, there are several issues: 1)
bad advice--we don't have a lot of folks with the skills to analyze the logs
and give you the best current advice--Ron Kinner is exceptional, and there
are others here, but you'll find more in the private forums such as
www.aumha.org

2) The logs are big--there are folks on dialup here.

--
 

plun

;)

Mostly all "helpers" just look for similar HijackThis logs
and follow others with "canned" removal messages.

In this world we have a few really skilled helpers which can deal with
new unknown hijacks as Calamity Jane and a few others.

But this was the first time I'm not recommended to go to
a real HijackThis forum ;)

So here they are again:

http://www.merijn.org/forums.html

ASAP:

http://asap.maddoktor2.com/
 

Guest

Bill's suggestion would be easier for you, as it's always better to deal with
these problems on a forum, and running HijackThis would be a lot faster to
review, but here's a standard fix for Vundo and the file that's causing you
problems, which is showing in the MS log :)

Download 'Hijack This!'.

http://www.spywareinfo.com/~merijn/files/HijackThis.exe

Save it in a convenient permanent folder such as C:\HJT\,

Make a copy of these instructions so you have them handy, as most steps
need to be done in safe mode with IE closed.

Please save the VundoFix tool to your desktop :

www.atribune.org/downloads/VundoFix.exe

Double-click VundoFix.exe to extract the files

This will create a folder named VundoFix on your desktop.

After the files are extracted, please reboot your computer into Safe Mode.

Reboot and keep tapping F8, then choose safe mode from the list.

Once in safe mode, open the VundoFix folder and double-click on KillVundo.bat

You will first be presented with a message and a list of forums to seek help
at

At this point press enter one time.

Next you will see:

--------------------------------------------------------------------------------
Type in the filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix
--------------------------------------------------------------------------------

At this point please type the following file path (make sure to enter it
exactly as below!):

c:\windows\servicepackfiles\i386\wincr.dll

Press Enter, then press the F6 key, then press Enter one more time to
continue with the fix.

Next you will see:

--------------------------------------------------------------------------------
Please type in the second filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.
--------------------------------------------------------------------------------

At this point please type the following file path (make sure to enter it
exactly as below!):

c:\windows\servicepackfiles\i386\rcniw.*

Press Enter, then press the F6 key, then press Enter one more time to
continue with the fix.

The fix will run then HijackThis will open.

In HijackThis, please place a check next to the following items if they exist:

O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} -
c:\windows\servicepackfiles\i386\wincr.dll

O20 - Winlogon Notify: wincr.dll -c:\windows\servicepackfiles\i386\wincr.dll

With the above checked then press FIX CHECKED

After you have fixed these items, close HijackThis and press any key to
force a reboot of your computer.

Pressing any key will cause a "Blue Screen of Death"; this is normal!

Once your machine reboots, enable hidden files and folders.

Go to the Start Menu and Search, then Tools on the top bar, choose Folder
Options, then go to the View tab and make sure that 'Show hidden files and
folders' is enabled, 'Display the contents of system folders' is checked and
'Hide extensions for known file types' is not checked, then press Apply.

You can set this back later by opening the same page and pressing 'restore
defaults' then pressing apply.

Check for these files and delete if found

c:\windows\servicepackfiles\i386\wincr.dll
c:\windows\servicepackfiles\i386\rcniw.dll
c:\windows\servicepackfiles\i386\rcniw.bak1
c:\windows\servicepackfiles\i386\rcniw.bak2
c:\windows\servicepackfiles\i386\rcniw.ini
c:\windows\servicepackfiles\i386\rcniw.ini2
c:\windows\servicepackfiles\i386\rcniw.tmp
c:\windows\servicepackfiles\i386\rcniw.tmp1
c:\windows\servicepackfiles\i386\rcniw.tmp2

Then please run this online virus scan:

ActiveScan

http://www.pandasoftware.com/products/activescan.htm

Run CCleaner on the cleaner and issues feature and remove any problems;
repeat until they show clear.

All The Best

Andy
 

plun

Hi Andy

Hmmm?

In the past this always seems to have been the "last resort"........

Let MSAS handle it in safe mode. This seems to be the MVP way to deal
with this ?!

Now we indeed have some really difficult "pests" to deal with so
it is probably best to directly "redirect" to a real HijackThis forum
for proper careful guidance for removal.

It is also not possible to announce or make messages "sticky" about
standard "house cleans" for a majority of threats within this UI.

The consequence is that users try every antispyware app and removal
tool instead of using HijackThis and, with help, directly seeing the cause of
this "infection". It is easy with HijackThis logs and even easier if
Adaware's log is included to see the cause.

"In this world we have a few really skilled helpers which can deal with
new unknown hijacks as Calamity Jane and a few others."

Well Andy, you are probably among these few ;)

Indeed difficult !

best regards
plun


AndyManchesta was thinking very hard :
 

Guest

Hey Plun

This isnt Winfixer Plun its Trojan Vundo, If it was Winfixer they wouldnt be
getting pop ups to install winfixer, With Vundo it can be a pain as its
Usually called from the Winlogon/Notify key and entered as a BHO so standand
spyware removers cannot kill it,

I posted to a user on one of these groups who just had it entered as a BHO
and not showing in the Winlogon/Notify key, and took the easy option of
attempting to remove the file with Killbox on reboot and fixing the entry in
HijackThis, as it was only in one area and didn't look like it had fully
infected the system, but I decided to use the full canned speech here so they
know all possible files and folders.

If a spyware remover removed the DLL file and it's being called from the
Winlogon/Notify key, there is a chance it will cause conflict if the Notify
key isn't also removed. If it's pointing to an invalid entry there is a chance
the system will refuse to boot. It's a very small chance but it's not one worth
risking, so the old fix would have been to use Killbox and replace the DLL with
a harmless dummy file, then removing that and the O20 line in HijackThis. The
Blue Screen of Death isn't a problem here as it's just part of the fix and a
side effect of stopping winlogon, but with this fix it should remove the
infection without any issues.

The alternative is very complicated: using Process Explorer from Sysinternals
and viewing system processes like explorer and winlogon, and using the Threads
tab to stop the trojan files from using the genuine files, as they are using
them to remain on the system and start with Windows. The trojan files will
usually be using winlogon.exe, explorer.exe and iexplore.exe so it's not an
easy task to kill them.

I agree with your comments about posting on a HijackThis forum, but most are
getting swamped with requests for help, so this was just to really let them
know what's involved and the steps they need to take to remove Vundo.

Regards

Andy
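
The two conditions described in the post above, a DLL registered both as a BHO and under Winlogon/Notify, and a Notify entry left pointing at a removed file, can be picked out of a HijackThis log mechanically. The sketch below is an added example, not part of the original thread or of any tool named in it; the log excerpt is constructed, and the DLL names, CLSIDs and finding labels are hypothetical.

```python
import re
from collections import defaultdict

# Constructed HijackThis-style excerpt (not from the thread); names are made up.
SAMPLE_LOG = r"""
O2 - BHO: Example Helper - {AAAAAAAA-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O2 - BHO: (no name) - {AAAAAAAA-0000-0000-0000-000000000002} - C:\WINDOWS\system32\example1.dll
O20 - Winlogon Notify: example1 - C:\WINDOWS\system32\example1.dll
O20 - Winlogon Notify: example2 - C:\WINDOWS\system32\example2.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

O2_RE = re.compile(r"^O2 - BHO: .*? - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: .*? - (?P<path>.+)$")
FLAG = "(file missing)"  # suffix HijackThis appends when the target is gone


def _split(raw):
    """Return (lower-cased DLL path, True if HijackThis marked it missing)."""
    raw = raw.strip()
    gone = raw.lower().endswith(FLAG)
    if gone:
        raw = raw[: -len(FLAG)].rstrip()
    return raw.lower(), gone


def triage(log_text):
    """Map DLL path -> finding for the two cases the post describes."""
    sections = defaultdict(set)   # path -> {"O2", "O20"}
    dangling = set()              # Notify entries whose DLL no longer exists
    for line in log_text.splitlines():
        line = line.strip()
        for tag, rx in (("O2", O2_RE), ("O20", O20_RE)):
            m = rx.match(line)
            if m:
                path, gone = _split(m.group("path"))
                sections[path].add(tag)
                if gone and tag == "O20":
                    dangling.add(path)
    findings = {}
    for path, tags in sections.items():
        if path in dangling:
            # Notify key points at a removed DLL: fix the key before rebooting.
            findings[path] = "dangling-notify"
        elif tags == {"O2", "O20"}:
            # Same DLL loaded by both IE (BHO) and winlogon: review first.
            findings[path] = "bho+notify"
    return findings


if __name__ == "__main__":
    for dll, finding in sorted(triage(SAMPLE_LOG).items()):
        print(f"{finding:16} {dll}")
```

A hit is only a prompt for manual review of the log; entries that appear in a single section, like the graphics driver line in the sample, are not reported.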
 
plun

Hi Andy

Writing in circles...... ;)

I know that this is the Vundo trojan which often comes with Winfixer
(always maybe ? Similar to PS Guard). But this is of minor importance
because this was about principles for removals when there are severe
threats which MSAS, Adaware etc cannot handle.

I would then suggest that Aumha's quickfix protocol is good and maybe
worth trying for all in conjunction with MSAS and safe mode scans.

http://www.aumha.org/a/quickfix.htm

Step 2 then with CCleaner to save time.

Step 5 should then be, scan in safe mode with MSAS and Adaware

(Sorry Aumha for this maybe impolite way to make a proposal) ;)

It ends up in HijackThis and saves time for both a user and a helper.

Maybe we must take this private ;) but it's important for all users
to get help as fast as possible and also a solution, and HijackThis
is the only way for this as I can see it.

It takes "milliseconds" to find other similar solved removals with
HijackThis logs and to get proper guidance from a "canned" message.
Nevertheless it's important that these logs match.

;) Trying to be constructive or what the word is ? ;)


best regards
plun


AndyManchesta expressed precisely :
 
plun

Hi

Well, it's a free world but it's important to give a user a chance
to start over with a clean PC. As clean as possible with standard
tools.

There are some basics within this cleaning which you can also easily
find in every well-known forum dealing with these pests.
Also with MVPs as "helpers" (in modern board forums such as Castlecops and
Aumha)

- Remove the temporarily hidden junkyard.

- Scan with at least 2 standard antispyware apps.

A majority is clean after this !

But if a user wants to just do it with MSAS and scan around in this
temporary junkyard and lose time, it's up to them.

This is a basic weakness in MSAS and how Windows is built.

So CCleaner, Lavasoft Adaware and MSAS are my standard tools and it's
not "serious surgery", it's basic to "reclaim a PC to its owner" ;)

IMHO
 
Ron Chamberlin

Plun, MVPs don't need to walk the party line. We'll suggest what we view as
best. MWAS is getting stronger with each definition release, and it's worth
a try before we get into serious surgery for novice users.

Ron Chamberlin
MS-MVP
 
Guest

The UI on the http side of this site is a pain. If you take too long writing
a reply, when you send it you then get asked to sign in again. When you sign
in, it then clears your response and goes back to the original reply page, so
maybe I should type faster or make my responses shorter :)

MSAS isn't detecting the trojan file, so you can scan from now till Christmas
and unless MSAS update the definitions to include the trojan file it will not
fix the problem. Asking the user to download and use 5 or 6 different
scanners also isn't what I would regard as a realistic response to an
infection, especially not one like this, as it could take many hours to then
find none of the scanners can remove the trojan.

Atribune's fix works great and will remove the infection, but HijackThis is
also needed as Vundofix opens it as part of the fix. HijackThis should
always be seen first before giving advice on an infection, as the problems are
clear to see unless it's a rootkit, but I understand they are not appreciated
on these newsgroups so I can respect that and wouldn't ask for one. I just
take the information that is provided and give the best response based on
that info.

I'm sure the user has taken the advice given by others and has posted on a
HijackThis forum, as they will get the solution for this if they are prepared
to wait for a response. I know on sites like spywareinfo you would have to
wait about 3 days to receive help because of the amount of posts they get, but
I'm sure there are other forums that can respond faster if they don't get as
many posts. The fix will be the same using Vundofix and HijackThis, but it
would help them as HijackThis could show additional problems which weren't
clear in the MS log.

All The Best

Andy
 
