#1
This started out as an attempt to find out what a process was and what it may have been doing and has become my daily nightmare. If anyone here has spent time in the DSLR security forum you may have seen the problem. Here is the latest HijackThis log. I have run adware, TDS-3, NAV and Wormguard. Hijack found a few things but I would assume that some things are still here. Gav suggested I post the log here. I also have files from the date this all started which seem to be under control at this point, but who knows! Gavin suggested I should spend some time here to get this removed. One last thing, my son did this to my PC, not ME.

Sorry, as a newbie I guess it is expected.

Logfile of HijackThis v1.97.3
Scan saved at 3:06:59 PM, on 11/7/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.dslreports.com/"); (C:\Program Files\Netscape\Users\blow\prefs.js)
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton SystemWorks\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O12 - Plugin for .wma: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
O16 - DPF: {0D6451B3-FDDA-11D3-BFEC-00D0B725EB0B} (Yahoo! Vision) - http://download.yahoo.com/dl/fv/yv.cab
O16 - DPF: {73020B72-CDD6-4F80-8098-1B2ECD9CA4CA} (HearMe VoiceCREATOR) - http://vp.hearme.com/products/vp/embedded/plugins/evp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37872.3185069444
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: Yahoo! Games Voice Chat - http://yog55.games.scd.yahoo.com/yog/y/va1_x.cab
O16 - DPF: Tornado 21 - http://download.games.yahoo.com/games/clients/y/t21t0_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Toki Toki Boom - http://download.games.yahoo.com/games/clients/y/vtm_x.cab
O16 - DPF: {72944257-0AE0-44FD-8A51-AA21853092C8} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB
#2
Hi okitismine,
It appears the HijackThis log did not post. Did you try to attach it? If you can't do that, just paste it all right into a new post reply here.
Edit: By the way, if you did try to attach a log file but used the post Preview function between attaching and posting, that prevents the attachment from coming through. It is best to just paste the text of the full log into the posting window anyway.
__________________
Can't a puppy get some sleep around here? Ouch! Now I have a headache.
#3
Hi okitisme,
Welcome to Wilders! Actually your log is quite clean (now). You might want to remove some unneeded entries; if you do, close out of all programs / windows and select and fix the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

Regards,
Dan
__________________
"Whan alle tresors arn tried, Treuthe is the beste." Piers Plowman (William Langland)
#4
Newbie mistake: type stuff without being logged in and then click reply, type it all over again. I liked the stuff I typed the first time!
Thanks for the welcome. Nothing seemed to catch this at first, I wonder if things are still left over! I have many files created on 10/29/03 which include .exe files, I am not sure if they belong or not. I am by no means a Windows expert, I am a router/network guy. But I do know this PC very well and those in my house very well. I believe that the source of all is winfavorites.exe/exe1 file, which is the first process I saw I did not like. I killed that and quarantined it and then deleted it within hours. Next was utwevpdt.exe which seemed not to be doing much at all other than running. I find myself sitting here wondering WHY the heck I went back to Windows when I was trained and used UNIX in the 80's. Thanks guys so far, but I would really like to make sure I am clean.
#5
Well, you can also try an online scanner to get a second appraisal of those files. You might try Panda's
http://www.pandasoftware.com/actives..._principal.htm
Also, can you please download and run DCS's AutostartViewer from
http://www.diamondcs.com.au/downloads/asviewer.zip
Go to the "Main" menu and make sure that all three top options are selected and then press "Save" and then copy & paste the results here for us to review.
__________________
"Whan alle tresors arn tried, Treuthe is the beste." Piers Plowman (William Langland)
#6
DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Ed@ED'S, 11-07-2003
#7
Well, I had time to let PANDA run this morning and nothing was found. I am sure happy about that! If everyone is sure, I will close this in my mind and continue about my work and play. Ed