My HiJackThis Log

this file looks a little strange
C:\WINNT\SYSTEM32\m?iexec.exe
mainly the question mark i would do a virus scan in that folder and see if that picks up this file.

O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchmiracle.com

did you run hijack this in safe mode too because this looks amazingly short for a comp with pop up problems.

nope - it was ran in normal mode ... i may of unchecked some things from msconfig - which i now see is unrecommended - but if they aren't loaded, i dont see how they could be the cause of the problem.

Can you please download this file from here:

Getservice.zip

Extract the file to the c:\ drive. Then navigate to the c:\getservices and double-click on the getservices.bat file. A notepad will open up. Please paste the contents of that notepad into this post.

I rechecked every box within msconfig, and reset the PC. Here is the logfile afterwards:

Logfile of HijackThis v1.98.2
Scan saved at 9:05:13 AM, on 10/12/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\system32\internat.exe
E:\- Programs -\Administrative\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\jmvys.dll/sp.html#12802
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\jmvys.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\jmvys.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\jmvys.dll/sp.html#12802
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\jmvys.dll/sp.html#12802
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\jmvys.dll/sp.html#12802
O2 - BHO: (no name) - {6BF86F2B-EE35-7CC4-D05A-62550CF6293F} - C:\WINNT\system32\ixyuhla.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=9eafaeb2a8e2a9518112bc6e0cedee1552dd4ecb1dd748bcf1cf4d42ced1394245b14c137e17952f3a6abadc3d36297b2b37:b70ac5aa8ec48e2e58a29296baabe1d6
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {D18B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.slotchbar.com/ist/softwares/remove/ist_remove.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = [private].com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = [private].com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = [private].com

I did a backup, then removed:
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

webrebates had already been removed, yet problems continued.
after I removed the above entries, the pop up problem still showed up - with nothing more then www.briefing.com being open (a very secure site, so I highly doubt it's the culprit)

A few entries that I question:
O2 - BHO: (no name) - {6BF86F2B-EE35-7CC4-D05A-62550CF6293F} - C:\WINNT\system32\ixyuhla.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

crunchie - I see your post now and when the user is less busy on their PC, I will run this other utility on it and update this thread ASAP.

Also, Download Registrar Lite from here:
http://www.resplendence.com/download/reglite.exe

Put it in its own folder. You may want to keep this program. It is an excellent free, registry editor.

Install, run, copy and paste this line to reglite's address bar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

and hit the "go" tab. Find: "Appinit_Dlls" value on the right side panel, DoubleClick, copy and post here the information in the 'Value' field.

alrighty - well, first things first.

navigating the program files folder - i found a folder that screams Spyware

c:\programfiles\MyWebSearch

now - the most recent, updated version of AdAware did not find this - so i find that interesting...

but in case this isn't the only culprit, here is the result of the advice above:

a) Reglite showed the value: "AppInit_DLLs" in the value field.

b) the getservice log is quite large... rather then paste it into this thread, here is a direct link to the log file getservice

Go to the Control Panel and in the Add/Remove Programs, uninstall MyWebSearch. You can then delete the folder in c:\Program Files if you like. Next time you scan with HJT, have it fix any entries that have mywebsearch in them (if any).

AppInit_DLLs should be on the side panel, when you double-click it you should get some other information in the Value Field (like ixalhua.dll or some gibberish like that). Try it again.

It's okay to post a getservice log here, but crunchie should be along soon to review your link.

Please do as dlh6213 said. Getservice showed nothing.

(the below was written when I assumed all was fixed - but just a minute ago, the problem showed up again! the message has been edited to reflect what seemed to be the fix, but now shows it was not)

alrighty - so here's the current situation:

the problem SEEMED to be fixed. In fact, everything was running fine for about 20 minutes, a new record that I thought indicated everything was ok! JUST a second ago, it started with the exact same problem again!

At first, it seems no matter how much I trusted Lavasoft's AdAware - it would not detect what I thought was the cause of this problem. I ran Spybot - and it found:

WebTrends live: Tracking cookie (Internet Explorer: Administrator) (Cookie, nothing done)
WebTrends live: Tracking cookie (Internet Explorer: Administrator) (Cookie, nothing done)

Alexa Related: Link (Replace file, nothing done)
C:\WINNT\Web\RELATED.HTM

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-18636371-1523486670-2959832362-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

FunWeb: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\FunWebProducts

FunWebProducts: Installer (File, nothing done)
C:\WINNT\Downloaded Program Files\f3initialsetup1.0.0.8-2.inf

FunWebProducts: Program directory (Directory, nothing done)
C:\Program Files\MyWebSearch\

FunWebProducts: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}

ICOO Loader: Root class (Registry key, nothing done)
HKEY_CLASSES_ROOT\icoo

Travelocity: Tracking cookie (Internet Explorer: Administrator) (Cookie, nothing done)
Travelocity: Tracking cookie (Internet Explorer: Administrator) (Cookie, nothing done)
Travelocity: Tracking cookie (Internet Explorer: Administrator) (Cookie, nothing done)

I'm a bit disappointed that AdAware did not find these problems - being I’ve always thought of them as the pioneers of spyware removal and prevention.

dlh6213 - I did go to the add/remove panel - but it did not list MyWebSearch as a program that could be removed. After running spybot - it seems that the C:\programfiles\MyWebSearch directory has been removed.

crunchie - Believe it or not, I followed your directions exactly - and in the 'Value' field - it did indeed list "AppInit_DLLs" as the value. Seems odd - but I just triple checked it.

have I discovered spyware that manages to elude even our best efforts? I’m kind of fresh out of ideas here...

I will list the popups that I see - I unfortunately forgot the name of the first few, but the most recent ones were:

Jimmy Surf Popunder
Freeze Screensavers

Ok - so I tried CA's PestPatrol free online scan - and it found the following:

ISTbar - Hijacker
C:\WINNT\alchem.ini

Ezula - Adware
C:\WINNT\preinsln.exe
C:\WINNT\conscorr.ini
HKEY_CLASSES_ROOT\typelib\{baf13496-8f72-47a1-9cee-09238efc75f0}
HKEY_CLASSES_ROOT\interface\{370f6327-41c4-4fa6-a2df-1ba57ee0fbb9}

Virtual Bouncer - Adware
hkey_local_machine\software\classes\richtext.richtextctrl\curver
hkey_local_machine\software\classes\richtext.richtextctrl\clsid
hkey_local_machine\software\classes\richtext.richtextctrl

and then some Tracking Cookies
SearchGauge
SearchCo
Passport.com
DealTime
Com.com
Atwola
Ads.SpecificClick.com
About.com

Can anyone here honestly and sensibly answer why the supposed two BEST spyware programs - spybot and adaware - did not detect these (especially something as well known as eZula!) I would honestly be interested in an educated explanation of this.

I'll let you know what results from cleaning these listed files - hopefully this will do it!

spyware doctor is a pretty good program but it cost money if you learn how to use hijackthis effectively then that is the best program. The best thing to do is to try to block out spyware on your comp before it gets there for that there is spyware blaster (free) and norton internet security (expensive).

Download dllcompare from http://download.broadbandmedic.com/DllCompare.exe

Now open DllCompare.exe and click the "Run Locate.com" button.
Then click the "Compare" button (this will take a few minutes)
When it finishes click the "Make Log...." button.
save the log to desktop

Next copy and paste the contents of the DllCompare log in your
reply along with a fresh HijackThis log.

Once this is done do not reboot or turn off your PC until after we get this fix going, or we may have to start over again.

alrighty - here we go:

DLLCompare Log:

*    DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :)"
________________________________________________

1,041 items found:  1,041 files, 0 directories.
Total of file sizes:  212,562,063 bytes    202.71 M

Administrator Account =  True

--------------------End log---------------------

HiJackThis Log:

Logfile of HijackThis v1.98.2
Scan saved at 8:52:23 AM, on 10/14/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\AIM\aim.exe
C:\WINNT\SYSTEM32\m?iexec.exe
C:\WINNT\system32\msiexec.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\- Programs -\Administrative\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url]http://www.dell.com[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\gotiu.dll/sp.html#12802
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\gotiu.dll/sp.html#12802
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.yahoo.com/[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\jmvys.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\jmvys.dll/sp.html#12802
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\gotiu.dll/sp.html#12802
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\jmvys.dll/sp.html#12802
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Assent
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6BF86F2B-EE35-7CC4-D05A-62550CF6293F} - C:\WINNT\system32\ixyuhla.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - Startup: AOL Instant Messenger.lnk = C:\Program Files\AIM\aim.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchmiracle.com
O16 - DPF: ppctlcab - [url]http://www.pestscan.com/scanner/ppctlcab.cab[/url]
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - [url]http://public.windupdates.com/get_file.php?bt=ie&p=9eafaeb2a8e2a9518112bc6e0cedee1552dd4ecb1dd748bcf1cf4d42ced1394245b14c137e17952f3a6abadc3d36297b2b37:b70ac5aa8ec48e2e58a29296baabe1d6[/url]
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - [url]http://www.pestscan.com/scanner/axscanner.cab[/url]
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - [url]http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab[/url]
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - [url]http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab[/url]
O16 - DPF: {D18B7EC3-EECA-11D3-8E71-0000E82C6C0D} - [url]http://www.slotchbar.com/ist/softwares/remove/ist_remove.cab[/url]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Assent.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Assent.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Assent.com

StartupList Log:

StartupList report, 10/14/2004, 8:53:39 AM
StartupList version: 1.52
Started from : E:\- Programs -\Administrative\StartupList.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\AIM\aim.exe
C:\WINNT\SYSTEM32\m?iexec.exe
C:\WINNT\system32\msiexec.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\- Programs -\Administrative\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\greg.kaled\Start Menu\Programs\Startup]
AOL Instant Messenger.lnk = C:\Program Files\AIM\aim.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
vptray = C:\PROGRA~1\SYMANT~1\VPTray.exe
iTunesHelper = C:\Program Files\iTunes\iTunesHelper.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
ViewMgr = C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
PestPatrol Control Center = C:\PROGRA~1\PESTPA~1\PPControl.exe
PPMemCheck = C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
CookiePatrol = C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.Exe
SCRNSAVE.EXE=(NONE)
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\WINNT\system32\ixyuhla.dll - {6BF86F2B-EE35-7CC4-D05A-62550CF6293F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

At1.job

--------------------------------------------------

Enumerating Download Program Files:

[ppctlcab]
CODEBASE = [url]http://www.pestscan.com/scanner/ppctlcab.cab[/url]
OSD = C:\WINNT\Downloaded Program Files\OSD406.OSD

[{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}]
CODEBASE = [url]http://public.windupdates.com/get_file.php?bt=ie&p=9eafaeb2a8e2a9518112bc6e0cedee1552dd4ecb1dd748bcf1cf4d42ced1394245b14c137e17952f3a6abadc3d36297b2b37:b70ac5aa8ec48e2e58a29296baabe1d6[/url]

[Shockwave ActiveX Control]
InProcServer32 = C:\WINNT\system32\macromed\Shockwave 10\Download.dll
CODEBASE = [url]http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab[/url]

[PPSDKActiveXScanner.MainScreen]
InProcServer32 = C:\WINNT\Downloaded Program Files\PPSDKActiveXScanner.ocx
CODEBASE = [url]http://www.pestscan.com/scanner/axscanner.cab[/url]

[YInstStarter Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\yinsthelper.dll
CODEBASE = [url]http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab[/url]

[HouseCall Control]
InProcServer32 = C:\WINNT\DOWNLO~1\xscan53.ocx
CODEBASE = [url]http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab[/url]

[{D18B7EC3-EECA-11D3-8E71-0000E82C6C0D}]
CODEBASE = [url]http://www.slotchbar.com/ist/softwares/remove/ist_remove.cab[/url]

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\system32\macromed\flash\Flash.ocx
CODEBASE = [url]http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab[/url]

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:

[\\Assent.com\SysVol\Assent.com\Policies\{BD9A975A-2ACC-482C-B240-2C8331B2FA61}\User\Scripts\scripts.ini]
[Logon]
0CmdLine=block.bat
0Parameters=
1CmdLine=sav9instl.bat
1Parameters=
2CmdLine=reboot.bat
2Parameters=
3CmdLine=killcopy.bat
3Parameters=
4CmdLine=imreg.bat
4Parameters=

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\system32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
End of report, 6,515 bytes
Report generated in 0.046 seconds

[b] Get Service Log: [/b]


PsService v1.1 - local and remote services viewer/controller
Copyright (C) 2001-2003 Mark Russinovich
Sysinternals - [url]www.sysinternals.com[/url]

SERVICE_NAME: Alerter
Notifies selected users and computers of administrative alerts.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\services.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Alerter
    DEPENDENCIES      : LanmanWorkstation
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: AppMgmt
Provides software installation services such as Assign, Publish, and Remove.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\services.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Application Management
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ASFAgent
(null)
    TYPE          : 10 WIN32_OWN_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : ASF Agent
    DEPENDENCIES      : RPCSS
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: BITS
Transfers files in the background using idle network bandwidth. If the service is disabled, then any functions that depend on BITS, such as Windows Update or MSN Explorer will be unable to automatically download programs and other information.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\svchost.exe -k BITSgroup
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Background Intelligent Transfer Service
    DEPENDENCIES      : LanmanWorkstation
              : Rpcss
              : SENS
              : Wmi
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Browser
Maintains an up-to-date list of computers on your network and supplies the list to programs that request it.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\services.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Computer Browser
    DEPENDENCIES      : LanmanWorkstation
              : LanmanServer
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ccEvtMgr
Symantec Event Manager
    TYPE          : 10 WIN32_OWN_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 0  IGNORE
    BINARY_PATH_NAME  : "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    LOAD_ORDER_GROUP  : Symantec Services
    TAG       : 0
    DISPLAY_NAME      : Symantec Event Manager
    DEPENDENCIES      : RPCSS
              : ccSetMgr
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ccPwdSvc
Symantec Password Validation Service
    TYPE          : 10 WIN32_OWN_PROCESS 
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 0  IGNORE
    BINARY_PATH_NAME  : "C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe"
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Symantec Password Validation
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ccSetMgr
Symantec Settings Manager
    TYPE          : 10 WIN32_OWN_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 0  IGNORE
    BINARY_PATH_NAME  : "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
    LOAD_ORDER_GROUP  : Symantec Services
    TAG       : 0
    DISPLAY_NAME      : Symantec Settings Manager
    DEPENDENCIES      : RPCSS
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: cisvc
(null)
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 4  DISABLED
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\cisvc.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Indexing Service
    DEPENDENCIES      : RPCSS
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ClipSrv
Supports ClipBook Viewer, which allows pages to be seen by remote ClipBooks.
    TYPE          : 10 WIN32_OWN_PROCESS 
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\clipsrv.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : ClipBook
    DEPENDENCIES      : NetDDE
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: DefWatch
Monitors and maintains virus definitions.
    TYPE          : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS  
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 0  IGNORE
    BINARY_PATH_NAME  : "C:\Program Files\Symantec AntiVirus\DefWatch.exe"
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Symantec AntiVirus Definition Watcher
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Dhcp
Manages network configuration by registering and updating IP addresses and DNS names.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\services.exe
    LOAD_ORDER_GROUP  : TDI
    TAG       : 0
    DISPLAY_NAME      : DHCP Client
    DEPENDENCIES      : Tcpip
              : Afd
              : NetBT
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: dmadmin
Administrative service for disk management requests
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\System32\dmadmin.exe /com
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Logical Disk Manager Administrative Service
    DEPENDENCIES      : RpcSs
              : PlugPlay
              : DmServer
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: dmserver
Logical Disk Manager Watchdog Service
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\System32\services.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Logical Disk Manager
    DEPENDENCIES      : RpcSs
              : PlugPlay
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Dnscache
Resolves and caches Domain Name System (DNS) names.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\services.exe
    LOAD_ORDER_GROUP  : TDI
    TAG       : 0
    DISPLAY_NAME      : DNS Client
    DEPENDENCIES      : Tcpip
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Eventlog
Logs event messages issued by programs and Windows.  Event Log reports contain information that can be useful in diagnosing problems.  Reports are viewed in Event Viewer.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\services.exe
    LOAD_ORDER_GROUP  : Event log
    TAG       : 0
    DISPLAY_NAME      : Event Log
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: EventSystem
Provides automatic distribution of events to subscribing COM components.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP  : Network
    TAG       : 0
    DISPLAY_NAME      : COM+ Event System
    DEPENDENCIES      : RPCSS
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Fax
Helps you send and receive faxes
    TYPE          : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS  
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\faxsvc.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Fax Service
    DEPENDENCIES      : TapiSrv
              : RpcSs
              : PlugPlay
              : Spooler
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: iPodService
iPod hardware management services
    TYPE          : 10 WIN32_OWN_PROCESS 
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 0  IGNORE
    BINARY_PATH_NAME  : C:\Program Files\iPod\bin\iPodService.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : iPod Service
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: lanmanserver
Provides RPC support and file, print, and named pipe sharing.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\services.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Server
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: lanmanworkstation
Provides network connections and communications.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\services.exe
    LOAD_ORDER_GROUP  : NetworkProvider
    TAG       : 0
    DISPLAY_NAME      : Workstation
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: LmHosts
Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\services.exe
    LOAD_ORDER_GROUP  : TDI
    TAG       : 0
    DISPLAY_NAME      : TCP/IP NetBIOS Helper Service
    DEPENDENCIES      : NetBT
              : Afd
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Messenger
Sends and receives messages transmitted by administrators or by the Alerter service.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 4  DISABLED
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\services.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Messenger
    DEPENDENCIES      : LanmanWorkstation
              : NetBIOS
              : RpcSS
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: mnmsrvc
Allows authorized people to remotely access your Windows desktop using NetMeeting.
    TYPE          : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS  
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\mnmsrvc.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : NetMeeting Remote Desktop Sharing
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: MSDTC
Coordinates transactions that are distributed across two or more databases, message queues, file systems, or other transaction protected resource managers.
    TYPE          : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS  
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\msdtc.exe
    LOAD_ORDER_GROUP  : MS Transactions
    TAG       : 0
    DISPLAY_NAME      : Distributed Transaction Coordinator
    DEPENDENCIES      : RPCSS
              : SamSS
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: MSIServer
Installs, repairs and removes software according to instructions contained in .MSI files.
    TYPE          : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS  
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\msiexec.exe /V
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Windows Installer
    DEPENDENCIES      : RpcSs
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NetDDE
Provides network transport and security for dynamic data exchange (DDE).
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\netdde.exe
    LOAD_ORDER_GROUP  : NetDDEGroup
    TAG       : 0
    DISPLAY_NAME      : Network DDE
    DEPENDENCIES      : NetDDEDSDM
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NetDDEdsdm
Manages shared dynamic data exchange and is used by Network DDE
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\netdde.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Network DDE DSDM
    DEPENDENCIES      : 
              : EGrLocalSystem
              : Network DDE DSDM
              : etwork DDE
              : ted Transaction Coordinator
              : trative Service
              : n
              : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Netlogon
Supports pass-through authentication of account logon events for computers in a domain.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\lsass.exe
    LOAD_ORDER_GROUP  : RemoteValidation
    TAG       : 0
    DISPLAY_NAME      : Net Logon
    DEPENDENCIES      : LanmanWorkstation
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Netman
Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.
    TYPE          : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS  
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Network Connections
    DEPENDENCIES      : RpcSs
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NetSvc
(null)
    TYPE          : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS  
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Intel NCS NetService
    DEPENDENCIES      : RPCSS
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NtLmSsp
Provides security to remote procedure call (RPC) programs that use transports other than named pipes.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\lsass.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : NT LM Security Support Provider
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NtmsSvc
Manages removable media, drives, and libraries.
    TYPE          : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS  
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Removable Storage
    DEPENDENCIES      : RpcSs
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NVSvc
(null)
    TYPE          : 10 WIN32_OWN_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\nvsvc32.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : NVIDIA Driver Helper Service
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: PlugPlay
Manages device installation and configuration and notifies programs of device changes.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\services.exe
    LOAD_ORDER_GROUP  : PlugPlay
    TAG       : 0
    DISPLAY_NAME      : Plug and Play
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: PolicyAgent
Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\lsass.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : IPSEC Policy Agent
    DEPENDENCIES      : RPCSS
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ProtectedStorage
Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.
    TYPE          : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS  
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\services.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Protected Storage
    DEPENDENCIES      : RpcSs
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RasAuto
Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.
    TYPE          : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS  
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Remote Access Auto Connection Manager
    DEPENDENCIES      : RasMan
              : Tapisrv
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RasMan
Creates a network connection.
    TYPE          : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS  
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Remote Access Connection Manager
    DEPENDENCIES      : Tapisrv
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RemoteAccess
Offers routing services to businesses in local area and wide area network environments.
    TYPE          : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS  
    START_TYPE    : 4  DISABLED
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Routing and Remote Access
    DEPENDENCIES      : RpcSS
              : +NetBIOSGroup
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RemoteRegistry
Allows remote registry manipulation.
    TYPE          : 10 WIN32_OWN_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\regsvc.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Remote Registry Service
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem
    FAIL_RESET_PERIOD : 0 seconds
    FAILURE_ACTIONS   : Restart DELAY: 1000 seconds

SERVICE_NAME: RpcLocator
Manages the RPC name service database.
    TYPE          : 10 WIN32_OWN_PROCESS 
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\locator.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Remote Procedure Call (RPC) Locator
    DEPENDENCIES      : LanmanWorkstation
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RpcSs
Provides the endpoint mapper and other miscellaneous RPC services.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\svchost -k rpcss
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Remote Procedure Call (RPC)
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RSVP
Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets.
    TYPE          : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS  
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\rsvp.exe -s
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : QoS RSVP
    DEPENDENCIES      : TcpIp
              : Afd
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SamSs
Stores security information for local user accounts.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\lsass.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Security Accounts Manager
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SavRoam
Symantec AntiVirus Roaming Service
    TYPE          : 10 WIN32_OWN_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 0  IGNORE
    BINARY_PATH_NAME  : "C:\Program Files\Symantec AntiVirus\SavRoam.exe"
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : SAVRoam
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SCardDrv
Provides support for legacy smart card readers attached to the computer.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 0  IGNORE
    BINARY_PATH_NAME  : C:\WINNT\System32\SCardSvr.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Smart Card Helper
    DEPENDENCIES      : +Smart Card Reader
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SCardSvr
Manages and controls access to a smart card inserted into a smart card reader attached to the computer.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 0  IGNORE
    BINARY_PATH_NAME  : C:\WINNT\System32\SCardSvr.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Smart Card
    DEPENDENCIES      : PlugPlay
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Schedule
Enables a program to run at a designated time.
    TYPE          : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS  
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\MSTask.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Task Scheduler
    DEPENDENCIES      : RpcSs
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: seclogon
Enables starting processes under alternate credentials
    TYPE          : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS  
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 0  IGNORE
    BINARY_PATH_NAME  : C:\WINNT\system32\services.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : RunAs Service
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SENS
Tracks system events such as Windows logon, network, and power events.  Notifies COM+ Event System subscribers of these events.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP  : Network
    TAG       : 0
    DISPLAY_NAME      : System Event Notification
    DEPENDENCIES      : EventSystem
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SharedAccess
Provides network address translation, addressing, and name resolution services for all computers on your home network through a dial-up connection.
    TYPE          : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS  
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Internet Connection Sharing
    DEPENDENCIES      : RasMan
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SNDSrvc
Symantec Network Drivers Service
    TYPE          : 10 WIN32_OWN_PROCESS 
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 0  IGNORE
    BINARY_PATH_NAME  : "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Symantec Network Drivers Service
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Spooler
Loads files to memory for later printing.
    TYPE          : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS  
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\spoolsv.exe
    LOAD_ORDER_GROUP  : SpoolerGroup
    TAG       : 0
    DISPLAY_NAME      : Print Spooler
    DEPENDENCIES      : RPCSS
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Symantec AntiVirus
Provides real-time virus scanning, reporting, and management functionality for Symantec AntiVirus.
    TYPE          : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS  
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 0  IGNORE
    BINARY_PATH_NAME  : "C:\Program Files\Symantec AntiVirus\Rtvscan.exe"
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Symantec AntiVirus
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SysmonLog
Configures performance logs and alerts.
    TYPE          : 10 WIN32_OWN_PROCESS 
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\smlogsvc.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Performance Logs and Alerts
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: TapiSrv
Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Telephony
    DEPENDENCIES      : PlugPlay
              : RpcSs
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: TlntSvr
Allows a remote user to log on to the system and run console programs using the command line.
    TYPE          : 10 WIN32_OWN_PROCESS 
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\tlntsvr.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Telnet
    DEPENDENCIES      : RpcSs
              : TcpIp
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: TrkWks
Sends notifications of files moving between NTFS volumes in a network domain.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\services.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Distributed Link Tracking Client
    DEPENDENCIES      : RpcSs
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: UPS
Manages an uninterruptible power supply (UPS) connected to the computer.
    TYPE          : 10 WIN32_OWN_PROCESS 
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\System32\ups.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Uninterruptible Power Supply
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: UtilMan
Starts and configures accessibility tools from one window 
    TYPE          : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS  
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\System32\UtilMan.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Utility Manager
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: W32Time
Sets the computer clock.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\System32\services.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Windows Time
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: WinMgmt
Provides system management information.
    TYPE          : 10 WIN32_OWN_PROCESS 
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 0  IGNORE
    BINARY_PATH_NAME  : C:\WINNT\System32\WBEM\WinMgmt.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Windows Management Instrumentation
    DEPENDENCIES      : RPCSS
    SERVICE_START_NAME: LocalSystem
    FAIL_RESET_PERIOD : 86400 seconds
    FAILURE_ACTIONS   : Restart DELAY: 60000 seconds
              : Restart DELAY: 60000 seconds

SERVICE_NAME: WmdmPmSN
Retrieves the serial number of any portable media player connected to this computer. If this service is stopped, protected content might not be down loaded to the device.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Portable Media Serial Number Service
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Wmi
Provides systems management information to and from drivers.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\Services.exe
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Windows Management Instrumentation Driver Extensions
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: wuauserv
Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 2  AUTO_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\system32\svchost.exe -k wugroup
    LOAD_ORDER_GROUP  : 
    TAG       : 0
    DISPLAY_NAME      : Automatic Updates
    DEPENDENCIES      : 
    SERVICE_START_NAME: LocalSystem

SERVICE_NAME: WZCSVC
Provides authenticated network access control using IEEE 802.1x for wired and wireless Ethernet networks.
    TYPE          : 20 WIN32_SHARE_PROCESS 
    START_TYPE    : 3  DEMAND_START
    ERROR_CONTROL     : 1  NORMAL
    BINARY_PATH_NAME  : C:\WINNT\System32\svchost.exe -k netsvcs
    LOAD_ORDER_GROUP  : TDI
    TAG       : 0
    DISPLAY_NAME      : Wireless Configuration
    DEPENDENCIES      : RpcSs
              : Ndisuio
              : ProtectedStorage
              : WMI
    SERVICE_START_NAME: LocalSystem

Registrar Results
my mistake crunchie, - registrar lite showed NOTHING in the 'Value' field ... not AppIni_DLLs ... that was in the 'Value Name' - my mistake for overlooking this.

Hehe, hope this is more of an adventure then a hassel.

Download About:buster from http://malwarebytes.biz/AboutBuster.zip and unzip it to your desktop.

Download & instal Adaware from here
& update it before scanning.
In settings under 'scanning,' have it set to
'scan within archives,'
'scan active processes,'
'scan registry,'
'deepscan registry'
'scan my IE Favourites for banned URL's,'
'scan my host's file.'
In 'tweaks' under 'scanning engine' set it to 'unload recognised processes during scanning.'
Also in 'tweaks' under 'cleaning engine' set it to 'Automatically try to unregister objects prior to deletion' & 'let Windows remove files in use at next reboot.'

Click here for instructions on how to boot into safe mode.

Boot up in safe mode.

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\gotiu.dll/sp.html#12802
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\gotiu.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\jmvys.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\jmvys.dll/sp.html#12802
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\gotiu.dll/sp.html#12802
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\jmvys.dll/sp.html#12802

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {6BF86F2B-EE35-7CC4-D05A-62550CF6293F} - C:\WINNT\system32\ixyuhla.dll

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll

O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchmiracle.com

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...8a29296baabe1d6

Run About:buster, click OK, Start, and OK again to start the scan. Let it scan and fix everything it finds.

Still in safe mode, do a full system scan with Adaware. When the scan is finished select *next* & place a check in the boxes to the left of what is found & click *next* again. Let it delete those entries.

Reboot your computer in normal mode.