What is dees.exe

noahdfear · 2005/04/28

Oops...see next post

noahdfear · 2005/04/28

Time we dig a little deeper and find out what has dees hooked (and apparently recreating). May as well get 'em all at once so, a few logs in your future here.

Please download GetLogXP.zip. Save it to your desktop. If it saves as attachment.php, right click and rename to GetLogXP.zip
Now right click the zip and extract the GetLogXP.bat file to your desktop. Double click the file to run it. It will open GetLogXP.txt and place a copy on your desktop. Please post the contents of that log.

Download "Registry Search Tool" (RegSrch.vbs) from here
http://www.billsway.com/vbspage/
start it and type in dees.exe, wait for it to complete the search, click ok at the prompt. Save the log. Then do another search for ru.exe, save it's log and post both.

Download this zip.

http://www.downloads.subratam.org/pv.zip

Unzip it to the desktop. It will not work if you run it from inside the zip. After unzipping open the pv folder. Double click on the runme.bat. A dos window will open. Select option 1 for explorer dlls by typing 1 and then pressing enter. Notepad will open with a log in it. Copy and paste the log into this thread. Then run option 2 for IE dlls, and post it's log too. Usually pretty large and take more than one post.

Please download Process Explorer, unzip and open, then click file>save as and put on your desktop. Open the log and copy/paste it here.

Bucksone · 2005/04/29

I had problems downloading the GetLogXP.zip. Instead I got something called PhotoParade. It seems to me that I have had this happen before under similar circumstances.

I also ran into a problem trying to use the Registry Search Tool. I got an alert from Norton AntiVirus when I tried to search for both dees.exe and ru.exe. The alert was as follows:
Alert: Malicious script detected
Object: Windows script host shell object
Activity: Run
Your computer is halted and needs to do something about this script.
File: C:\DOCUME~1\OWNER\LOCALS~1\Temp\Temporary Directory 1 for RegSrch.zip\RegSrch.vbs
What do you want to do?
Action: Stop this script (recommended)
Allow this activity once
Allow the entire script once
Authorize this script

Below is the first log from the pv folder.

Module information for 'Explorer.EXE'
MODULE BASE SIZE PATH
Explorer.EXE 1000000 1044480 C:\WINNT\Explorer.EXE 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Windows Explorer
ntdll.dll 7c900000 720896 C:\WINNT\system32\ntdll.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) NT Layer DLL
kernel32.dll 7c800000 999424 C:\WINNT\system32\kernel32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT BASE API Client DLL
msvcrt.dll 77c10000 360448 C:\WINNT\system32\msvcrt.dll 7.0.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT CRT DLL
ADVAPI32.dll 77dd0000 634880 C:\WINNT\system32\ADVAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Advanced Windows 32 Base API
RPCRT4.dll 77e70000 593920 C:\WINNT\system32\RPCRT4.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Remote Procedure Call Runtime
GDI32.dll 77f10000 286720 C:\WINNT\system32\GDI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) GDI Client DLL
USER32.dll 77d40000 589824 C:\WINNT\system32\USER32.dll 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519) Windows XP USER API Client DLL
SHLWAPI.dll 77f60000 483328 C:\WINNT\system32\SHLWAPI.dll 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648) Shell Light-weight Utility Library
SHELL32.dll 7c9c0000 8470528 C:\WINNT\system32\SHELL32.dll 6.00.2900.2620 (xpsp_sp2_gdr.050225-1820) Windows Shell Common Dll
ole32.dll 774e0000 1298432 C:\WINNT\system32\ole32.dll 5.1.2600.2595 (xpsp_sp2_gdr.041130-1729) Microsoft OLE for Windows
OLEAUT32.dll 77120000 573440 C:\WINNT\system32\OLEAUT32.dll 5.1.2600.2180
BROWSEUI.dll 75f80000 1032192 C:\WINNT\system32\BROWSEUI.dll 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648) Shell Browser UI Library
SHDOCVW.dll 77760000 1490944 C:\WINNT\system32\SHDOCVW.dll 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648) Shell Doc Object and Control Library
CRYPT32.dll 77a80000 606208 C:\WINNT\system32\CRYPT32.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Crypto API32
MSASN1.dll 77b20000 73728 C:\WINNT\system32\MSASN1.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ASN.1 Runtime APIs
CRYPTUI.dll 754d0000 524288 C:\WINNT\system32\CRYPTUI.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Trust UI Provider
WINTRUST.dll 76c30000 188416 C:\WINNT\system32\WINTRUST.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Trust Verification APIs
IMAGEHLP.dll 76c90000 163840 C:\WINNT\system32\IMAGEHLP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT Image Helper
NETAPI32.dll 5b860000 344064 C:\WINNT\system32\NETAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Net Win32 API DLL
WININET.dll 771b0000 679936 C:\WINNT\system32\WININET.dll 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648) Internet Extensions for Win32
WLDAP32.dll 76f60000 180224 C:\WINNT\system32\WLDAP32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Win32 LDAP API DLL
VERSION.dll 77c00000 32768 C:\WINNT\system32\VERSION.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Version Checking and File Installation Libraries
UxTheme.dll 5ad70000 229376 C:\WINNT\system32\UxTheme.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Microsoft UxTheme Library
ShimEng.dll 5cb70000 155648 C:\WINNT\system32\ShimEng.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Shim Engine DLL
AcGenral.DLL 6f880000 1875968 C:\WINNT\AppPatch\AcGenral.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Compatibility DLL
WINMM.dll 76b40000 184320 C:\WINNT\system32\WINMM.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) MCI API DLL
MSACM32.dll 77be0000 86016 C:\WINNT\system32\MSACM32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft ACM Audio Filter
USERENV.dll 769c0000 733184 C:\WINNT\system32\USERENV.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Userenv
comctl32.dll 773d0000 1056768 C:\WINNT\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll 6.0 (xpsp_sp2_rtm.040803-2158) User Experience Controls Library
comctl32.dll 5d090000 618496 C:\WINNT\system32\comctl32.dll 5.82 (xpsp_sp2_rtm.040803-2158) Common Controls Library
appHelp.dll 77b40000 139264 C:\WINNT\system32\appHelp.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Application Compatibility Client Library
CLBCATQ.DLL 76fd0000 520192 C:\WINNT\system32\CLBCATQ.DLL 2001.12.4414.258
COMRes.dll 77050000 806912 C:\WINNT\system32\COMRes.dll 2001.12.4414.258
cscui.dll 77a20000 344064 C:\WINNT\System32\cscui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Client Side Caching UI
CSCDLL.dll 76600000 118784 C:\WINNT\System32\CSCDLL.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Offline Network Agent
themeui.dll 5ba60000 462848 C:\WINNT\System32\themeui.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Windows Theme API
Secur32.dll 77fe0000 69632 C:\WINNT\System32\Secur32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Security Support Provider Interface
MSIMG32.dll 76380000 20480 C:\WINNT\System32\MSIMG32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) GDIEXT Client DLL
xpsp2res.dll 20000000 2904064 C:\WINNT\system32\xpsp2res.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Service Pack 2 Messages
wmpband.dll 74a0000 77824 C:\PROGRA~1\WINDOW~2\wmpband.dll 10.00.00.3646 Windows Media Player
MPR.dll 71b20000 73728 C:\WINNT\system32\MPR.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Multiple Provider Router DLL
SAMLIB.dll 71bf0000 77824 C:\WINNT\system32\SAMLIB.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) SAM Library DLL
ntshrui.dll 76990000 151552 C:\WINNT\system32\ntshrui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Shell extensions for sharing
ATL.DLL 76b20000 69632 C:\WINNT\system32\ATL.DLL 3.05.2284 ATL Module for Windows XP (Unicode)
SETUPAPI.dll 77920000 995328 C:\WINNT\system32\SETUPAPI.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Setup API
LINKINFO.dll 76980000 32768 C:\WINNT\system32\LINKINFO.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Volume Tracking
urlmon.dll 77260000 647168 C:\WINNT\system32\urlmon.dll 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648) OLE32 Extensions for Win32
NETSHELL.dll 76400000 1728512 C:\WINNT\system32\NETSHELL.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Network Connections Shell
rtutils.dll 76e80000 57344 C:\WINNT\system32\rtutils.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Routing Utilities
credui.dll 76c00000 188416 C:\WINNT\system32\credui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Credential Manager User Interface
WS2_32.dll 71ab0000 94208 C:\WINNT\system32\WS2_32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINNT\system32\WS2HELP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 2.0 Helper for Windows NT
iphlpapi.dll 76d60000 102400 C:\WINNT\system32\iphlpapi.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) IP Helper API
rsaenh.dll ffd0000 163840 C:\WINNT\system32\rsaenh.dll 5.1.2600.2161 (xpsp.040706-1629) Microsoft Enhanced Cryptographic Provider
MSCTF.dll 74720000 307200 C:\WINNT\system32\MSCTF.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) MSCTF Server DLL
msi.dll 1550000 2908160 C:\WINNT\system32\msi.dll 3.1.4000.1823 Windows Installer
WINSTA.dll 76360000 65536 C:\WINNT\system32\WINSTA.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Winstation Library
webcheck.dll 74b30000 286720 C:\WINNT\System32\webcheck.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Web Site Monitor
WSOCK32.dll 71ad0000 36864 C:\WINNT\System32\WSOCK32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 32-Bit DLL
stobject.dll 76280000 135168 C:\WINNT\System32\stobject.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Systray shell service object
BatMeter.dll 74af0000 40960 C:\WINNT\System32\BatMeter.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Battery Meter Helper DLL
POWRPROF.dll 74ad0000 32768 C:\WINNT\System32\POWRPROF.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Power Profile Helper DLL
WTSAPI32.dll 76f50000 32768 C:\WINNT\System32\WTSAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Terminal Server SDK APIs
wdmaud.drv 72d20000 36864 C:\WINNT\system32\wdmaud.drv 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) WDM Audio driver mapper
msacm32.drv 72d10000 32768 C:\WINNT\system32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
midimap.dll 77bd0000 28672 C:\WINNT\system32\midimap.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft MIDI Mapper
drprov.dll 75f60000 28672 C:\WINNT\System32\drprov.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Terminal Server Network Provider
ntlanman.dll 71c10000 57344 C:\WINNT\System32\ntlanman.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft® Lan Manager
NETUI0.dll 71cd0000 94208 C:\WINNT\System32\NETUI0.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) NT LM UI Common Code - GUI Classes
NETUI1.dll 71c90000 262144 C:\WINNT\System32\NETUI1.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) NT LM UI Common Code - Networking classes
NETRAP.dll 71c80000 28672 C:\WINNT\System32\NETRAP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Net Remote Admin Protocol DLL
davclnt.dll 75f70000 36864 C:\WINNT\System32\davclnt.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Web DAV Client DLL
NavShExt.dll 10000000 114688 C:\Program Files\Norton AntiVirus\NavShExt.dll 9.05.15 Norton AntiVirusNAVShellExt Module
ccTrust.dll be0000 106496 C:\WINNT\system32\ccTrust.dll 1.0.10.002 Common Client ccTrust
MSVCP60.dll 76080000 413696 C:\WINNT\system32\MSVCP60.dll 6.02.3104.0 Microsoft (R) C++ Runtime Library
cryptnet.dll 75e60000 77824 C:\WINNT\system32\cryptnet.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Crypto Network Related API
WINHTTP.dll 4d4f0000 360448 C:\WINNT\system32\WINHTTP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows HTTP Services
SensApi.dll 722b0000 20480 C:\WINNT\system32\SensApi.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) SENS Connectivity API DLL
CmdLineExt03.dll 1ac0000 94208 C:\DOCUME~1\Owner\LOCALS~1\Temp\CmdLineExt03.dll
SXS.DLL 75e90000 720896 C:\WINNT\system32\SXS.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Fusion 2.5
shdoclc.dll 25e0000 557056 C:\WINNT\system32\shdoclc.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Shell Doc Object and Control Library
browselc.dll e90000 73728 C:\WINNT\system32\browselc.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Shell Browser UI Library
zipfldr.dll 73380000 356352 C:\WINNT\System32\zipfldr.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Compressed (zipped) Folders
sendmail.dll 5cdc0000 65536 C:\WINNT\System32\sendmail.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Send Mail
mydocs.dll 72410000 106496 C:\WINNT\System32\mydocs.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) My Documents Folder UI
camview.dll 1900000 212992 C:\Program Files\PhotoDeluxe HE 3.1\FotoNation Explorer\camview.dll 1, 2, 7, 0 CAMVIEW DLL
comdlg32.dll 763b0000 299008 C:\WINNT\system32\comdlg32.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Common Dialogs DLL
shgina.dll 73d70000 77824 C:\WINNT\System32\shgina.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Windows Shell User Logon
MSGINA.dll 75970000 1011712 C:\WINNT\system32\MSGINA.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT Logon GINA DLL
ODBC32.dll 74320000 249856 C:\WINNT\system32\ODBC32.dll 3.525.1117.0 (xpsp_sp2_rtm.040803-2158) Microsoft Data Access - ODBC Driver Manager
odbcint.dll 1220000 94208 C:\WINNT\system32\odbcint.dll 3.525.1117.0 (xpsp_sp2_rtm.040803-2158) Microsoft Data Access - ODBC Resources
Audiodev.dll 92d0000 495616 C:\WINNT\System32\Audiodev.dll 5.2.3790.3646 built by: DNSRV(bld4act) Portable Media Devices Shell Extension
WMVCore.DLL 86c0000 2375680 C:\WINNT\System32\WMVCore.DLL 10.00.00.3646 built by: DNSRV(bld4act) Windows Media Playback/Authoring DLL
WMASF.DLL 70d0000 241664 C:\WINNT\System32\WMASF.DLL 10.00.00.3646 built by: DNSRV(bld4act) Windows Media ASF DLL
wiashext.dll 593f0000 598016 C:\WINNT\system32\wiashext.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Imaging Devices Shell Folder UI
gdiplus.dll 4ec50000 1716224 C:\WINNT\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\gdiplus.dll 5.1.3102.2180 (xpsp_sp2_rtm.040803-2158) Microsoft GDI+
sti.dll 73ba0000 77824 C:\WINNT\System32\sti.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Still Image Devices client DLL
CFGMGR32.dll 74ae0000 28672 C:\WINNT\System32\CFGMGR32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Configuration Manager Forwarder DLL
DUSER.dll 6c1b0000 315392 C:\WINNT\system32\DUSER.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows DirectUser Engine
wuapi.dll 506a0000 421888 C:\WINNT\System32\wuapi.dll 5.4.3790.2182 built by: srv03_rtm(ntvbl04) Windows Update Client API
sfc_os.dll 76c60000 172032 C:\WINNT\system32\sfc_os.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows File Protection
MLShell.dll c00000 61440 C:\Program Files\ATI Multimedia\mlibrary\MLShell.dll 8.6.000 ATI Media Library Shell Extensions
MFC42.DLL 73dd0000 1040384 C:\WINNT\system32\MFC42.DLL 6.02.4131.0 MFCDLL Shared Library - Retail Version
atisserv.dll 11d0000 61440 C:\Program Files\ATI Multimedia\atisserv.dll 9.01.001 ATI Shared Services
mlenu.rsc 18b0000 81920 C:\Program Files\ATI Multimedia\mlibrary\mlenu.rsc 9.01.001 ATI Library Language Resources
SDHelper.dll 2a00000 765952 C:\PROGRA~1\SPYBOT~1\SDHelper.dll 1, 3, 0, 12 Bad download blocker
olepro32.dll 5edd0000 94208 C:\WINNT\system32\olepro32.dll 5.1.2600.2180

The second log will be in the next post.

Bucksone · 2005/04/29

Here is the second log.

Module information for 'IEXPLORE.EXE'
MODULE BASE SIZE PATH
IEXPLORE.EXE 400000 102400 C:\Program Files\Internet Explorer\IEXPLORE.EXE 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Internet Explorer
ntdll.dll 7c900000 720896 C:\WINNT\system32\ntdll.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) NT Layer DLL
kernel32.dll 7c800000 999424 C:\WINNT\system32\kernel32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT BASE API Client DLL
msvcrt.dll 77c10000 360448 C:\WINNT\system32\msvcrt.dll 7.0.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT CRT DLL
USER32.dll 77d40000 589824 C:\WINNT\system32\USER32.dll 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519) Windows XP USER API Client DLL
GDI32.dll 77f10000 286720 C:\WINNT\system32\GDI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) GDI Client DLL
SHLWAPI.dll 77f60000 483328 C:\WINNT\system32\SHLWAPI.dll 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648) Shell Light-weight Utility Library
ADVAPI32.dll 77dd0000 634880 C:\WINNT\system32\ADVAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Advanced Windows 32 Base API
RPCRT4.dll 77e70000 593920 C:\WINNT\system32\RPCRT4.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Remote Procedure Call Runtime
SHDOCVW.dll 77760000 1490944 C:\WINNT\system32\SHDOCVW.dll 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648) Shell Doc Object and Control Library
CRYPT32.dll 77a80000 606208 C:\WINNT\system32\CRYPT32.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Crypto API32
MSASN1.dll 77b20000 73728 C:\WINNT\system32\MSASN1.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ASN.1 Runtime APIs
CRYPTUI.dll 754d0000 524288 C:\WINNT\system32\CRYPTUI.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Trust UI Provider
WINTRUST.dll 76c30000 188416 C:\WINNT\system32\WINTRUST.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Trust Verification APIs
IMAGEHLP.dll 76c90000 163840 C:\WINNT\system32\IMAGEHLP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT Image Helper
OLEAUT32.dll 77120000 573440 C:\WINNT\system32\OLEAUT32.dll 5.1.2600.2180
ole32.dll 774e0000 1298432 C:\WINNT\system32\ole32.dll 5.1.2600.2595 (xpsp_sp2_gdr.041130-1729) Microsoft OLE for Windows
NETAPI32.dll 5b860000 344064 C:\WINNT\system32\NETAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Net Win32 API DLL
WININET.dll 771b0000 679936 C:\WINNT\system32\WININET.dll 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648) Internet Extensions for Win32
WLDAP32.dll 76f60000 180224 C:\WINNT\system32\WLDAP32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Win32 LDAP API DLL
VERSION.dll 77c00000 32768 C:\WINNT\system32\VERSION.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Version Checking and File Installation Libraries
comctl32.dll 773d0000 1056768 C:\WINNT\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll 6.0 (xpsp_sp2_rtm.040803-2158) User Experience Controls Library
SHELL32.dll 7c9c0000 8470528 C:\WINNT\system32\SHELL32.dll 6.00.2900.2620 (xpsp_sp2_gdr.050225-1820) Windows Shell Common Dll
comctl32.dll 5d090000 618496 C:\WINNT\system32\comctl32.dll 5.82 (xpsp_sp2_rtm.040803-2158) Common Controls Library
uxtheme.dll 5ad70000 229376 C:\WINNT\system32\uxtheme.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Microsoft UxTheme Library
MSCTF.dll 74720000 307200 C:\WINNT\system32\MSCTF.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) MSCTF Server DLL
BROWSEUI.dll 75f80000 1032192 C:\WINNT\system32\BROWSEUI.dll 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648) Shell Browser UI Library
browselc.dll 20000000 73728 C:\WINNT\system32\browselc.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Shell Browser UI Library
appHelp.dll 77b40000 139264 C:\WINNT\system32\appHelp.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Application Compatibility Client Library
CLBCATQ.DLL 76fd0000 520192 C:\WINNT\system32\CLBCATQ.DLL 2001.12.4414.258
COMRes.dll 77050000 806912 C:\WINNT\system32\COMRes.dll 2001.12.4414.258
Secur32.dll 77fe0000 69632 C:\WINNT\system32\Secur32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Security Support Provider Interface
urlmon.dll 77260000 647168 C:\WINNT\system32\urlmon.dll 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648) OLE32 Extensions for Win32
cscui.dll 77a20000 344064 C:\WINNT\System32\cscui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Client Side Caching UI
CSCDLL.dll 76600000 118784 C:\WINNT\System32\CSCDLL.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Offline Network Agent
SETUPAPI.dll 77920000 995328 C:\WINNT\system32\SETUPAPI.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Setup API
SDHelper.dll 1520000 765952 C:\PROGRA~1\SPYBOT~1\SDHelper.dll 1, 3, 0, 12 Bad download blocker
olepro32.dll 5edd0000 94208 C:\WINNT\system32\olepro32.dll 5.1.2600.2180
xyysz.dll 3a000000 225280 C:\WINNT\system32\xyysz.dll
iphlpapi.dll 76d60000 102400 C:\WINNT\system32\iphlpapi.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) IP Helper API
WS2_32.dll 71ab0000 94208 C:\WINNT\system32\WS2_32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINNT\system32\WS2HELP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 2.0 Helper for Windows NT
SXS.DLL 75e90000 720896 C:\WINNT\system32\SXS.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Fusion 2.5
shdoclc.dll 1710000 557056 C:\WINNT\system32\shdoclc.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Shell Doc Object and Control Library
xpsp2res.dll 17a0000 2904064 C:\WINNT\system32\xpsp2res.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Service Pack 2 Messages
mlang.dll 75cf0000 593920 C:\WINNT\system32\mlang.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Multi Language Support DLL
wsock32.dll 71ad0000 36864 C:\WINNT\system32\wsock32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 32-Bit DLL
mswsock.dll 71a50000 258048 C:\WINNT\system32\mswsock.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Windows Sockets 2.0 Service Provider
hnetcfg.dll 662b0000 360448 C:\WINNT\system32\hnetcfg.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Home Networking Configuration Manager
wshtcpip.dll 71a90000 32768 C:\WINNT\System32\wshtcpip.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Sockets Helper DLL
RASAPI32.DLL 76ee0000 245760 C:\WINNT\system32\RASAPI32.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Remote Access API
rasman.dll 76e90000 73728 C:\WINNT\system32\rasman.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Remote Access Connection Manager
TAPI32.dll 76eb0000 192512 C:\WINNT\system32\TAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft® Windows(TM) Telephony API Client DLL
rtutils.dll 76e80000 57344 C:\WINNT\system32\rtutils.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Routing Utilities
WINMM.dll 76b40000 184320 C:\WINNT\system32\WINMM.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) MCI API DLL
msi.dll 2110000 2908160 C:\WINNT\system32\msi.dll 3.1.4000.1823 Windows Installer
msv1_0.dll 77c70000 143360 C:\WINNT\system32\msv1_0.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Authentication Package v1.0
sensapi.dll 722b0000 20480 C:\WINNT\system32\sensapi.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) SENS Connectivity API DLL
USERENV.dll 769c0000 733184 C:\WINNT\system32\USERENV.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Userenv
DNSAPI.dll 76f20000 159744 C:\WINNT\system32\DNSAPI.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) DNS Client API DLL
rasadhlp.dll 76fc0000 24576 C:\WINNT\system32\rasadhlp.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Remote Access AutoDial Helper
mshtml.dll 7d4a0000 3035136 C:\WINNT\System32\mshtml.dll 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648) Microsoft (R) HTML Viewer
msls31.dll 746c0000 159744 C:\WINNT\System32\msls31.dll 3.10.349.0 Microsoft Line Services library file
msimtf.dll 746f0000 172032 C:\WINNT\System32\msimtf.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Active IMM Server DLL
IMM32.DLL 76390000 118784 C:\WINNT\system32\IMM32.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows XP IMM32 API Client DLL
msohev.dll 32520000 73728 C:\Program Files\Microsoft Office\Office10\msohev.dll 10.0.2609 Microsoft Office XP component
scrauth.dll 10000000 110592 C:\Program Files\Common Files\Symantec Shared\Script Blocking\scrauth.dll 1, 1, 0, 126 ScriptBlocking Authenticator
ScrBlock.dll 1ae0000 122880 C:\Program Files\Common Files\Symantec Shared\Script Blocking\ScrBlock.dll 1, 1, 0, 126 ScriptBlocking
rsaenh.dll ffd0000 163840 C:\WINNT\system32\rsaenh.dll 5.1.2600.2161 (xpsp.040706-1629) Microsoft Enhanced Cryptographic Provider
cryptnet.dll 75e60000 77824 C:\WINNT\system32\cryptnet.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Crypto Network Related API
WINHTTP.dll 4d4f0000 360448 C:\WINNT\system32\WINHTTP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows HTTP Services
jscript.dll 75c50000 450560 c:\winnt\system32\jscript.dll 5.6.0.8820 Microsoft (r) JScript
dxtrans.dll 6bdd0000 217088 C:\WINNT\system32\dxtrans.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) DirectX Media -- DirectX Transform Core
ATL.DLL 76b20000 69632 C:\WINNT\system32\ATL.DLL 3.05.2284 ATL Module for Windows XP (Unicode)
ddrawex.dll 6d430000 40960 C:\WINNT\System32\ddrawex.dll 5.03.2600.2180 (xpsp_sp2_rtm.040803-2158) Direct Draw Ex
DDRAW.dll 73760000 299008 C:\WINNT\System32\DDRAW.dll 5.03.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft DirectDraw
DCIMAN32.dll 73bc0000 24576 C:\WINNT\System32\DCIMAN32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) DCI Manager
dxtmsft.dll 6be10000 368640 C:\WINNT\system32\dxtmsft.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) DirectX Media -- Image DirectX Transforms
iepeers.dll 66e50000 262144 C:\WINNT\System32\iepeers.dll 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648) Internet Explorer Peer Objects
WINSPOOL.DRV 73000000 155648 C:\WINNT\System32\WINSPOOL.DRV 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Spooler Driver
LINKINFO.dll 76980000 32768 C:\WINNT\system32\LINKINFO.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Volume Tracking
ntshrui.dll 76990000 151552 C:\WINNT\system32\ntshrui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Shell extensions for sharing
wdmaud.drv 72d20000 36864 C:\WINNT\system32\wdmaud.drv 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) WDM Audio driver mapper
msacm32.drv 72d10000 32768 C:\WINNT\system32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
MSACM32.dll 77be0000 86016 C:\WINNT\system32\MSACM32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft ACM Audio Filter
midimap.dll 77bd0000 28672 C:\WINNT\system32\midimap.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft MIDI Mapper
mshtmled.dll 76200000 462848 C:\WINNT\System32\mshtmled.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Microsoft (R) HTML Editing Component
actxprxy.dll 71d40000 114688 C:\WINNT\System32\actxprxy.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) ActiveX Interface Marshaling Library
plugin.ocx 72b20000 98304 C:\WINNT\system32\plugin.ocx 6.00.2600.0000 (xpclient.010817-1148) ActiveX Plugin OCX
comdlg32.dll 763b0000 299008 C:\WINNT\system32\comdlg32.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Common Dialogs DLL
wuapi.dll 506a0000 421888 C:\WINNT\System32\wuapi.dll 5.4.3790.2182 built by: srv03_rtm(ntvbl04) Windows Update Client API
sfc_os.dll 76c60000 172032 C:\WINNT\system32\sfc_os.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows File Protection

Here is the log from Process Explorer

Process PID CPU Description Company Name
System Idle Process 0 96.92
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 604 Windows NT Session Manager Microsoft Corporation
csrss.exe 668 Client Server Runtime Process Microsoft Corporation
winlogon.exe 700 Windows NT Logon Application Microsoft Corporation
services.exe 744 Services and Controller app Microsoft Corporation
ati2evxx.exe 908 ATI External Event Utility EXE Module ATI Technologies Inc.
svchost.exe 924 Generic Host Process for Win32 Services Microsoft Corporation
rundll32.exe 1156 Run a DLL as an App Microsoft Corporation
msmsgs.exe 3908 Windows Messenger Microsoft Corporation
svchost.exe 1008 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1104 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1168 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1356 Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 1680 Spooler SubSystem App Microsoft Corporation
CCEVTMGR.EXE 1344 Event Manager Service Symantec Corporation
NAVAPSVC.EXE 1552 Norton AntiVirus Auto-Protect Service Symantec Corporation
slserv.exe 180 Smart Link
svchost.exe 236 1.54 Generic Host Process for Win32 Services Microsoft Corporation
wdfmgr.exe 1388 Windows User Mode Driver Manager Microsoft Corporation
vsmon.exe 416 TrueVector Service Zone Labs, LLC
alg.exe 2636 Application Layer Gateway Service Microsoft Corporation
lsass.exe 756 LSA Shell (Export Version) Microsoft Corporation
ati2evxx.exe 1484 ATI External Event Utility EXE Module ATI Technologies Inc.
explorer.exe 1580 Windows Explorer Microsoft Corporation
Directcd.exe 496 DirectCD Application Roxio
ccApp.exe 536 Common Client CC App Symantec Corporation
atidtct.exe 560 ATI Device Detection Application ATI Technologies Inc.
atiptaxx.exe 576 ATI Desktop Control Panel ATI Technologies, Inc.
zlclient.exe 396 Zone Labs Client Zone Labs, LLC
ctfmon.exe 624 CTF Loader Microsoft Corporation
ATIRW.EXE 664 ATI Remote Wonder ATI Technologies Inc.
iexplore.exe 2676 Internet Explorer Microsoft Corporation
procexp.exe 3752 1.54 Sysinternals Process Explorer Sysinternals
webshots.scr 1072 Webshots Photo Manager Webshots.com
dees.exe 1424
notepad.exe 1148 Notepad Microsoft Corporation
notepad.exe 3084 Notepad Microsoft Corporation

Process: Procexp Pid: -2

Type Name

noahdfear · 2005/04/29

I should have anticipated Norton blocking that script. It's quite safe. Please allow it to run.

I too remember you getting a 'photo parade' when trying to download an attachment from here. Very odd. Try accepting the file and then renaming it. The bat file should be inside there and run fine.

Bucksone · 2005/04/29

I was able this time to get the GetLogXP. Below is its log.

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe REG_SZ C:\WINNT\system32\ctfmon.exe
<NO NAME> REG_SZ
ATI Launchpad REG_SZ
ATI Remote Control REG_SZ C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IgfxTray REG_SZ C:\WINNT\System32\igfxtray.exe
ccRegVfy REG_SZ "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
AdaptecDirectCD REG_SZ "c:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
HotKeysCmds REG_SZ C:\WINNT\System32\hkcmd.exe
Symantec NetDriver Monitor REG_SZ C:\PROGRA~1\SYMNET~1\SNDMon.exe
ccApp REG_SZ "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
KernelFaultCheck REG_EXPAND_SZ %systemroot%\system32\dumprep 0 -k
<NO NAME> REG_SZ
ATI DeviceDetect REG_SZ C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
ATIPTA REG_SZ C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
Zone Labs Client REG_SZ C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New Key #1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ABBYY FineReader 5.0 Sprint

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ACTive Prep

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ad-Aware SE Personal

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Acrobat 5.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe PhotoDeluxe Home Edition 3.1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Type Manager 4.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AIMToolbar

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\All ATI Software

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ancient Spiders Solitaire

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AOL Instant Messenger

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Army Men World War

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ATI Display Driver

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Automap 9.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Big Kahuna Reef

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Call of Duty Dawnville Demo

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Call of Duty Single Player Demo

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Combat Flight Simulator 1.00

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Combat Flight Simulator 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Diner Dash(TM)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectAnimation

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Driver Cleaner Pro

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Finale NotePad 2005a

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Frogger

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GameChannel

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Gateway Drivers and Applications Recovery

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HijackThis

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\hp deskjet 3420 series

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\hp deskjet 3420 series_Driver

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\hp instant support

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ICW

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield Uninstall Information

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield_{1A22C818-D44D-4691-BF27-8884CB5B44B1}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield_{3347F781-9C89-4C9B-B471-B1FFC3BC4A84}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield_{8988F5D0-C83F-41F4-B41B-86031F9B37F5}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield_{C88E49AA-41C5-4420-A08D-BE1B6C5A3A74}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield_{D1AD7439-FBCA-4345-A780-2A5617EBA9DE}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield_{EDE28287-D32C-415E-9C97-2BF9F9260150}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Jewel Quest

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB834707

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB867282

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB870669

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB873333

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB873339

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB884016

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB885250

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB885835

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB885836

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB885884

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB886185

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB887472

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB887742

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB888113

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB888302

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB890047

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB890175

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB890859

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB890923

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB891781

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB893066

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB893086

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB893803

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveReg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveUpdate

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Luxor

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\M886906

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Magic Vines

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mediamotor

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft .NET Framework Full v1.0.3705 (1033)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Interactive Training

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft NetShow Player 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI30-Beta1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI30-Beta2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI30-KB884016

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI30-RC1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI30-RC2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI30a-KB884016

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI31-Beta

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI31-RC1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MsJavaVM

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSN Music Assistant

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MTV Music Generator

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NetMeeting

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Network Play System (Patching)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oasis(TM)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oregon Trail II

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OutlookExpress

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCHealth

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Picture Navigator

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Pizza Frenzy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PMUninstall

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PROSet

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\QuickTime

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RealPlayer 6.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sevinst

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Shape Shifter(TM)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Shapo(TM) Gold

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Shockwave

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ShockwaveFlash

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Silent Package Run-Time Sample

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SLAMRMO

Ran out of room, so I must continue in the next post.

Bucksone · 2005/04/29

If I did this right, here is the rest of that log.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sound Blaster Live! 24-bit

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sound Blaster Live! 24-bit Windows Drivers

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spybot - Search & Destroy_is1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpywareBlaster_is1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SysInfo

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Toy Story 2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Uninstall Presto! BizCard 4.0 Eng

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Uninstall Presto! BizCard 4.1 Eng

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Viewpoint Manager

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Webshots Desktop

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Media Encoder 9

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Media Format Runtime

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Media Player

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows XP Service Pack

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Works2003Setup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yahtzeev1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\YOU DON'T KNOW JACK Television

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZoneAlarm

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zoo Tycoon 1.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01F9D88C-3C86-4E82-840A-101A3221F67A}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{02B42D23-10F2-4862-ADA4-3DF1EA0021B2}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{03410014-3975-4267-9F39-1DC4745090B7}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{080E0356-D231-41FC-8F31-9760FC4487D9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{083F79E4-6FE9-46FB-A6C6-4F8862742947}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0DEA94ED-915A-4834-A87E-388D012C8E02}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0E0131B2-CF18-40D9-A331-60A3746C1204}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11E83B33-972B-4512-A447-FF0FD0246EE9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12BDDF23-B1DB-49C8-92D3-3E6841CCED61}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1526D87C-A955-4FAB-BF18-697BA457E352}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{16FDA17D-D97C-415E-94EE-F6645E697C53}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1A22C818-D44D-4691-BF27-8884CB5B44B1}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1F7CCFA3-D926-4882-B2A5-A0217ED25597}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{21B6F79B-2286-4BB0-B1E3-BA6B9498D110}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{23EFDB58-0874-4883-9810-EDA510B19FAE}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BB79C8D-9DCC-4861-8A23-AE1B0B45E2B6}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BFBC62A-3353-443D-93BE-7AC641D9F342}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3347F781-9C89-4C9B-B471-B1FFC3BC4A84}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{33C279DD-AA04-406D-B122-CBE750316CEB}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{369B36BE-3D64-4641-9AEA-808D436FE132}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{39DA87A1-0B26-4562-A70C-2A6147366E47}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3DA2C525-0A4A-4634-8656-8F442FD2C44A}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3F50AF3B-8997-4916-0095-99D63DDB785A}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3F695596-85E6-4224-BC70-538F9036797A}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{45EBDA59-D33B-433A-956E-B2F236468B56}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4CE79985-8BCD-11D5-AA2E-0008C760B784}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4EF69D40-4DC9-485E-95D3-B1C22F218FC8}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5531CF62-6C27-4F13-8592-E370AA1000CE}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{56CFA833-F44F-4199-8C58-7F8B38F2BC7B}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5D1A81AA-ED90-11D6-86D3-00055DF3561E}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F2A75DB-87B7-4E3B-9C8B-1E1059154C84}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{609F7AC8-C510-11D4-A788-009027ABA5D0}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6C11D561-620B-47DA-A693-4C597F3CDF40}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6C5D7191-140A-11D6-B5A0-0050DA208A93}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7169B8E4-2632-46B1-AA5F-167CB5FE5029}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{734BB64A-5A3D-4624-867D-6358B7068496}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7914BE1E-F186-4790-B8F4-9F63C52A41C1}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7EE9DE0D-9228-4C33-B80E-FDD1773600DF}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{823A68CC-3049-4A6B-8F63-7DC85E4BB1C9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{87499F38-FD69-4A2B-B41A-BAB8DE9B94FE}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8851E12C-0EF9-11D4-A788-009027ABA5D0}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8988F5D0-C83F-41F4-B41B-86031F9B37F5}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8A708DD8-A5E6-11D4-A706-000629E95E20}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{907B4640-266B-4A21-92FB-CD1A86CD0F63}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{911B0409-6000-11D3-8CFE-0050048383C9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{924EAD66-F854-4605-8493-696DD59A113B}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{98E8A2EF-4EAE-43B8-A172-74842B764777}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9A00D1BA-D03A-44E5-AF28-86A1F377DF61}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9F765BD0-B900-4EDE-A90B-61C8A9E95C42}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9F9F3775-7E5B-4028-B5E5-DA1C042517A8}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A198A102-87F7-4966-809A-45134182A3B1}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A790BEB1-BCCF-4EC6-807B-5708B36E8A79}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-000000000001}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ACC2E059-40E9-4464-B18D-C9BDD9A02CED}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B100B05B-E290-41EF-9366-8BC4C76D7769}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B14F9B26-D695-4C4A-8B11-0FE6CDCC797B}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B43357AA-3A6D-4D94-B56E-43C44D09E548}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B69CC1A5-0404-11D6-ABCB-005004C21D30}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BA586D1D-6E4B-4A05-B956-4ACF063BA711}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BAD59025-5B73-4E12-B789-0028C5A573C2}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C4AE01B9-84F3-489F-A990-68306BC5548C}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C88E49AA-41C5-4420-A08D-BE1B6C5A3A74}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D1696920-9794-4BBC-8A30-7A88763DE5A2}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D1AD7439-FBCA-4345-A780-2A5617EBA9DE}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D2B7C41F-C63D-4935-B323-B60673724D63}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D3568156-59C3-42DF-A520-2C25B6706C91}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D64DCF1C-7A95-49A4-BAFA-C42B5CF6B8B6}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E213C271-AEFA-481D-A9B4-914D88925B8D}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E3A20CB6-144D-4523-9112-01E5AE3A81B9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EBAE381B-60A6-4863-AA9F-FCAB755BC9E5}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EDCD4CE3-DE92-49A9-87F9-FE09B2FBA16C}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EDE28287-D32C-415E-9C97-2BF9F9260150}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FAAA508A-05C0-488B-BFC2-F9217E545A81}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FAD9402A-1A9B-4ABE-A410-393A3622FA5A}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FB08F381-6533-4108-B7DD-039E11FBC27E}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FE3DBADC-7D96-4AA3-B23B-20A381378544}

Below is the log from RegSrch. It found 2 instances of dees.exe, but none of ru.exe.

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "dees.exe" 4/29/2005 8:47:38 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Ltho "= "C:\\Documents and Settings\\NetworkService\\Application Data\\dees.exe "

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
"Ltho "= "C:\\Documents and Settings\\NetworkService\\Application Data\\dees.exe "

Hope this all came out OK.

noahdfear · 2005/04/30

Copy the quote box to notepad and save as fix.reg, then double click to merge with the registry.

REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Ltho "=-

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
"Ltho "=-
Click to expand...

Again, clear the contents of the prefetch folder.

Add these two filepaths to the Killbox, one at a time, checking the box to delete on reboot, then clicking the red x and saying no to reboot on the first. Allow reboot on the second.

C:\WINNT\system32\xyysz.dll
C:\Documents and Settings\NetworkService\Application Data\dees.exe

Should you get any kind of error on the latter, try using the short name instead.

C:\Docume~1\Networ~1\Applic~1\dees.exe

After reboot, search for ru.exe and delete if found. Where does your firewall show it's location?

Bucksone · 2005/04/30

I followed your instructions without incident. After the reboot, neither dees.exe nor ru.exe caused a Zone Alarm alert. I did a search for ru.exe and came up empty. Just for the heck of it, I then did a search for dees.exe and found an entry in Prefetch. I did remember to empty out Prefetch at the point in the instructions that I was told to do so. I'm not certain how to check for the location in the firewall that you asked about, without having an alert pop up for me to see.

noahdfear · 2005/04/30

That's good to hear.

Open the firewall control panel, click Program Control, then Programs tab. There should be an entry for both dees.exe and ru.exe. Right click the dees entry and remove. Click the ru entry and it should show you a filepath in the Entry Detail section below. Remove the ru entry also, check for the existence of the file in the path shown and delete.

I would like to see one more HJT log also.

Bucksone · 2005/05/01

As usual, I spoke too soon. Zone Alarm alerted to dees.exe on this latest boot.

I removed both of the entries in Zone Alarm as directed. The file path for dees.exe was C:\WINNT\system32\dees.exe. The file path for ru.exe was C:\WINNT\ru.exe. I couldn't find either of those files in the paths shown.

Below is my latest log.

Logfile of HijackThis v1.99.1
Scan saved at 3:20:29 AM, on 5/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINNT\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\dees.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.wowway.com/portal/index.asp?RG=Col
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5F00144C-D58C-DC5D-ADC5-846DD230B1C0} - C:\WINNT\system32\xyysz.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://64.55.105.205/Java/cfs31229.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {7142BA01-8BDF-11CF-9E23-0000E8A37440} (Surround Video Control Object) - http://admission.udayton.edu//VirTour/svideo.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB
O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl Object) - http://support.gateway.com/eSupport/static/weblaunch/weblaunch.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - https://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://www.shockwave.com/content/shapo/shapo.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled2/popcaploader_v6.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15010/CTPID.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

Thanks for your persistance with this.

noahdfear · 2005/05/01

Grrr....I should have included the C:\WINNT\system32\dees.exe filepath in my last set of Killbox instructions. My apologies. Run the reg search tool on it again, just to see if it shows back up anywhere. I think while in safe mode would be best. Also do another pv log for option 2 (IE dlls) and post it (not in safe mode). We need to make sure another random dll wasn't created.

Delete the GetLogXP.txt that was previously created and run the GetLogXP.bat again while in safe mode. I only need to see the two run key sections of that log though, so leave out all the uninstall key info when posting.

Bucksone · 2005/05/01

I ran the RegSrch in safe mode and the result was "no instances found. "

Below is the requested pv log.

Module information for 'IEXPLORE.EXE'
MODULE BASE SIZE PATH
IEXPLORE.EXE 400000 102400 C:\Program Files\Internet Explorer\IEXPLORE.EXE 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Internet Explorer
ntdll.dll 7c900000 720896 C:\WINNT\system32\ntdll.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) NT Layer DLL
kernel32.dll 7c800000 999424 C:\WINNT\system32\kernel32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT BASE API Client DLL
msvcrt.dll 77c10000 360448 C:\WINNT\system32\msvcrt.dll 7.0.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT CRT DLL
USER32.dll 77d40000 589824 C:\WINNT\system32\USER32.dll 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519) Windows XP USER API Client DLL
GDI32.dll 77f10000 286720 C:\WINNT\system32\GDI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) GDI Client DLL
SHLWAPI.dll 77f60000 483328 C:\WINNT\system32\SHLWAPI.dll 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648) Shell Light-weight Utility Library
ADVAPI32.dll 77dd0000 634880 C:\WINNT\system32\ADVAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Advanced Windows 32 Base API
RPCRT4.dll 77e70000 593920 C:\WINNT\system32\RPCRT4.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Remote Procedure Call Runtime
SHDOCVW.dll 77760000 1490944 C:\WINNT\system32\SHDOCVW.dll 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648) Shell Doc Object and Control Library
CRYPT32.dll 77a80000 606208 C:\WINNT\system32\CRYPT32.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Crypto API32
MSASN1.dll 77b20000 73728 C:\WINNT\system32\MSASN1.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ASN.1 Runtime APIs
CRYPTUI.dll 754d0000 524288 C:\WINNT\system32\CRYPTUI.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Trust UI Provider
WINTRUST.dll 76c30000 188416 C:\WINNT\system32\WINTRUST.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Trust Verification APIs
IMAGEHLP.dll 76c90000 163840 C:\WINNT\system32\IMAGEHLP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT Image Helper
OLEAUT32.dll 77120000 573440 C:\WINNT\system32\OLEAUT32.dll 5.1.2600.2180
ole32.dll 774e0000 1298432 C:\WINNT\system32\ole32.dll 5.1.2600.2595 (xpsp_sp2_gdr.041130-1729) Microsoft OLE for Windows
NETAPI32.dll 5b860000 344064 C:\WINNT\system32\NETAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Net Win32 API DLL
WININET.dll 771b0000 679936 C:\WINNT\system32\WININET.dll 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648) Internet Extensions for Win32
WLDAP32.dll 76f60000 180224 C:\WINNT\system32\WLDAP32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Win32 LDAP API DLL
VERSION.dll 77c00000 32768 C:\WINNT\system32\VERSION.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Version Checking and File Installation Libraries
comctl32.dll 773d0000 1056768 C:\WINNT\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll 6.0 (xpsp_sp2_rtm.040803-2158) User Experience Controls Library
SHELL32.dll 7c9c0000 8470528 C:\WINNT\system32\SHELL32.dll 6.00.2900.2620 (xpsp_sp2_gdr.050225-1820) Windows Shell Common Dll
comctl32.dll 5d090000 618496 C:\WINNT\system32\comctl32.dll 5.82 (xpsp_sp2_rtm.040803-2158) Common Controls Library
uxtheme.dll 5ad70000 229376 C:\WINNT\system32\uxtheme.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Microsoft UxTheme Library
MSCTF.dll 74720000 307200 C:\WINNT\system32\MSCTF.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) MSCTF Server DLL
BROWSEUI.dll 75f80000 1032192 C:\WINNT\system32\BROWSEUI.dll 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648) Shell Browser UI Library
browselc.dll 20000000 73728 C:\WINNT\system32\browselc.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Shell Browser UI Library
appHelp.dll 77b40000 139264 C:\WINNT\system32\appHelp.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Application Compatibility Client Library
CLBCATQ.DLL 76fd0000 520192 C:\WINNT\system32\CLBCATQ.DLL 2001.12.4414.258
COMRes.dll 77050000 806912 C:\WINNT\system32\COMRes.dll 2001.12.4414.258
Secur32.dll 77fe0000 69632 C:\WINNT\system32\Secur32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Security Support Provider Interface
urlmon.dll 77260000 647168 C:\WINNT\system32\urlmon.dll 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648) OLE32 Extensions for Win32
cscui.dll 77a20000 344064 C:\WINNT\System32\cscui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Client Side Caching UI
CSCDLL.dll 76600000 118784 C:\WINNT\System32\CSCDLL.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Offline Network Agent
SETUPAPI.dll 77920000 995328 C:\WINNT\system32\SETUPAPI.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Setup API
SDHelper.dll 1520000 765952 C:\PROGRA~1\SPYBOT~1\SDHelper.dll 1, 3, 0, 12 Bad download blocker
olepro32.dll 5edd0000 94208 C:\WINNT\system32\olepro32.dll 5.1.2600.2180
shdoclc.dll 16e0000 557056 C:\WINNT\system32\shdoclc.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Shell Doc Object and Control Library
xpsp2res.dll 1770000 2904064 C:\WINNT\system32\xpsp2res.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Service Pack 2 Messages
mlang.dll 75cf0000 593920 C:\WINNT\system32\mlang.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Multi Language Support DLL
wsock32.dll 71ad0000 36864 C:\WINNT\system32\wsock32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 32-Bit DLL
WS2_32.dll 71ab0000 94208 C:\WINNT\system32\WS2_32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINNT\system32\WS2HELP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 2.0 Helper for Windows NT
mswsock.dll 71a50000 258048 C:\WINNT\system32\mswsock.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Windows Sockets 2.0 Service Provider
hnetcfg.dll 662b0000 360448 C:\WINNT\system32\hnetcfg.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Home Networking Configuration Manager
wshtcpip.dll 71a90000 32768 C:\WINNT\System32\wshtcpip.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Sockets Helper DLL
RASAPI32.DLL 76ee0000 245760 C:\WINNT\system32\RASAPI32.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Remote Access API
rasman.dll 76e90000 73728 C:\WINNT\system32\rasman.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Remote Access Connection Manager
TAPI32.dll 76eb0000 192512 C:\WINNT\system32\TAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft® Windows(TM) Telephony API Client DLL
rtutils.dll 76e80000 57344 C:\WINNT\system32\rtutils.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Routing Utilities
WINMM.dll 76b40000 184320 C:\WINNT\system32\WINMM.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) MCI API DLL
msv1_0.dll 77c70000 143360 C:\WINNT\system32\msv1_0.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Authentication Package v1.0
iphlpapi.dll 76d60000 102400 C:\WINNT\system32\iphlpapi.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) IP Helper API
sensapi.dll 722b0000 20480 C:\WINNT\system32\sensapi.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) SENS Connectivity API DLL
msi.dll 20e0000 2908160 C:\WINNT\system32\msi.dll 3.1.4000.1823 Windows Installer
SXS.DLL 75e90000 720896 C:\WINNT\system32\SXS.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Fusion 2.5
USERENV.dll 769c0000 733184 C:\WINNT\system32\USERENV.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Userenv
DNSAPI.dll 76f20000 159744 C:\WINNT\system32\DNSAPI.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) DNS Client API DLL
rasadhlp.dll 76fc0000 24576 C:\WINNT\system32\rasadhlp.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Remote Access AutoDial Helper
mshtml.dll 7d4a0000 3035136 C:\WINNT\System32\mshtml.dll 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648) Microsoft (R) HTML Viewer
msls31.dll 746c0000 159744 C:\WINNT\System32\msls31.dll 3.10.349.0 Microsoft Line Services library file
msimtf.dll 746f0000 172032 C:\WINNT\System32\msimtf.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Active IMM Server DLL
IMM32.DLL 76390000 118784 C:\WINNT\system32\IMM32.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows XP IMM32 API Client DLL
msohev.dll 32520000 73728 C:\Program Files\Microsoft Office\Office10\msohev.dll 10.0.2609 Microsoft Office XP component
scrauth.dll 10000000 110592 C:\Program Files\Common Files\Symantec Shared\Script Blocking\scrauth.dll 1, 1, 0, 126 ScriptBlocking Authenticator
ScrBlock.dll 2e30000 122880 C:\Program Files\Common Files\Symantec Shared\Script Blocking\ScrBlock.dll 1, 1, 0, 126 ScriptBlocking
rsaenh.dll ffd0000 163840 C:\WINNT\system32\rsaenh.dll 5.1.2600.2161 (xpsp.040706-1629) Microsoft Enhanced Cryptographic Provider
cryptnet.dll 75e60000 77824 C:\WINNT\system32\cryptnet.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Crypto Network Related API
WINHTTP.dll 4d4f0000 360448 C:\WINNT\system32\WINHTTP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows HTTP Services
jscript.dll 75c50000 450560 c:\winnt\system32\jscript.dll 5.6.0.8820 Microsoft (r) JScript
dxtrans.dll 6bdd0000 217088 C:\WINNT\system32\dxtrans.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) DirectX Media -- DirectX Transform Core
ATL.DLL 76b20000 69632 C:\WINNT\system32\ATL.DLL 3.05.2284 ATL Module for Windows XP (Unicode)
ddrawex.dll 6d430000 40960 C:\WINNT\System32\ddrawex.dll 5.03.2600.2180 (xpsp_sp2_rtm.040803-2158) Direct Draw Ex
DDRAW.dll 73760000 299008 C:\WINNT\System32\DDRAW.dll 5.03.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft DirectDraw
DCIMAN32.dll 73bc0000 24576 C:\WINNT\System32\DCIMAN32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) DCI Manager
dxtmsft.dll 6be10000 368640 C:\WINNT\system32\dxtmsft.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) DirectX Media -- Image DirectX Transforms
iepeers.dll 66e50000 262144 C:\WINNT\System32\iepeers.dll 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648) Internet Explorer Peer Objects
WINSPOOL.DRV 73000000 155648 C:\WINNT\System32\WINSPOOL.DRV 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Spooler Driver
LINKINFO.dll 76980000 32768 C:\WINNT\system32\LINKINFO.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Volume Tracking
ntshrui.dll 76990000 151552 C:\WINNT\system32\ntshrui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Shell extensions for sharing
wdmaud.drv 72d20000 36864 C:\WINNT\system32\wdmaud.drv 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) WDM Audio driver mapper
msacm32.drv 72d10000 32768 C:\WINNT\system32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
MSACM32.dll 77be0000 86016 C:\WINNT\system32\MSACM32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft ACM Audio Filter
midimap.dll 77bd0000 28672 C:\WINNT\system32\midimap.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft MIDI Mapper
mshtmled.dll 76200000 462848 C:\WINNT\System32\mshtmled.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Microsoft (R) HTML Editing Component

Next is the requested GetLogXP log.

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe REG_SZ C:\WINNT\system32\ctfmon.exe
<NO NAME> REG_SZ
ATI Launchpad REG_SZ
ATI Remote Control REG_SZ C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IgfxTray REG_SZ C:\WINNT\System32\igfxtray.exe
ccRegVfy REG_SZ "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
AdaptecDirectCD REG_SZ "c:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
HotKeysCmds REG_SZ C:\WINNT\System32\hkcmd.exe
Symantec NetDriver Monitor REG_SZ C:\PROGRA~1\SYMNET~1\SNDMon.exe
ccApp REG_SZ "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
KernelFaultCheck REG_EXPAND_SZ %systemroot%\system32\dumprep 0 -k
<NO NAME> REG_SZ
ATI DeviceDetect REG_SZ C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
ATIPTA REG_SZ C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
Zone Labs Client REG_SZ C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New Key #1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents

Hope I did all of this correctly.

noahdfear · 2005/05/01

You did that perfectly. Use the Killbox to delete this filepath on reboot and allow reboot.
C:\WINNT\system32\dees.exe

Upon restart, please run another RegSrch for dees.exe, post a log if found and a new HijackThis log.

Bucksone · 2005/05/02

Upon reboot, Zone Alarm alerts for both ru.exe and dees.exe appeared. The requested logs are below.

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "dees.exe" 5/2/2005 6:40:24 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Ltho "= "C:\\Documents and Settings\\NetworkService\\Application Data\\dees.exe "

[HKEY_USERS\S-1-5-21-1887652770-1093660630-2868307360-1003\Software\Microsoft\Search Assistant\ACMru\5604]
"000 "= "dees.exe "

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
"Ltho "= "C:\\Documents and Settings\\NetworkService\\Application Data\\dees.exe "

Logfile of HijackThis v1.99.1
Scan saved at 6:42:22 PM, on 5/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINNT\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\dees.exe
C:\HJT\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.wowway.com/portal/index.asp?RG=Col
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5F00144C-D58C-DC5D-ADC5-846DD230B1C0} - C:\WINNT\system32\xyysz.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://64.55.105.205/Java/cfs31229.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {7142BA01-8BDF-11CF-9E23-0000E8A37440} (Surround Video Control Object) - http://admission.udayton.edu//VirTour/svideo.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB
O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl Object) - http://support.gateway.com/eSupport/static/weblaunch/weblaunch.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - https://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://www.shockwave.com/content/shapo/shapo.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled2/popcaploader_v6.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15010/CTPID.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

noahdfear · 2005/05/02

Scan again with HijackThis and fix the following entries.

O2 - BHO: (no name) - {5F00144C-D58C-DC5D-ADC5-846DD230B1C0} - C:\WINNT\system32\xyysz.dll (file missing)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

Close HijackThis

Download the attached Dees.zip file to your desktop. Rename if necessary, then extract.
Close all other windows and applications.
Open the Dees folder(s) and double click the RunThis.bat
Follow the prompts.

After reboot, post a new HJT log and let us know if you hear from dees.exe again.

Bucksone · 2005/05/02

I deleted the two entries in HJT. But, I am not having any luck with the dees.zip download. I keep getting that PhotoParade thing.

noahdfear · 2005/05/02

When you click Save on the download and the save dialog box opens, type Dees.zip in the File name space and change the Save as type to All Files

markp62 · 2005/05/03

This Photoparade thing has me perplexed. I went to their website, and no alarms were brought up by my system.
Maybe a Regsrch with Photoparade may show something up?

noahdfear · 2005/05/03

That has me perplexed as well, Mark. I'm familiar with the program, and feel it's safe. Just appears to have maybe taken over the zip association, but only on downloaded files, at least from this board.

Log in or Sign up

What is dees.exe

noahdfear Inactive

noahdfear Inactive

Bucksone Well-Known Member Thread Starter

Bucksone Well-Known Member Thread Starter

noahdfear Inactive

Bucksone Well-Known Member Thread Starter

Bucksone Well-Known Member Thread Starter

noahdfear Inactive

Bucksone Well-Known Member Thread Starter

noahdfear Inactive

Bucksone Well-Known Member Thread Starter

noahdfear Inactive

Bucksone Well-Known Member Thread Starter

noahdfear Inactive

Bucksone Well-Known Member Thread Starter

noahdfear Inactive

Bucksone Well-Known Member Thread Starter

noahdfear Inactive

markp62 Geek Member Alumni

noahdfear Inactive

Share This Page

Log in or Sign up

What is dees.exe

noahdfear Inactive

noahdfear Inactive

Bucksone Well-Known Member Thread Starter

Bucksone Well-Known Member Thread Starter

noahdfear Inactive

Bucksone Well-Known Member Thread Starter

Bucksone Well-Known Member Thread Starter

noahdfear Inactive

Bucksone Well-Known Member Thread Starter

noahdfear Inactive

Bucksone Well-Known Member Thread Starter

noahdfear Inactive

Bucksone Well-Known Member Thread Starter

noahdfear Inactive

Bucksone Well-Known Member Thread Starter

noahdfear Inactive

Bucksone Well-Known Member Thread Starter

noahdfear Inactive

markp62 Geek Member Alumni

noahdfear Inactive

Share This Page

Useful Searches