Something seriously wrong here [RESOLVED]



#1 DarrenZ (Member, 22 posts)

I am having a very strange problem on my computer that I have never encountered before. The problem shows up in a variety of ways. First off, when I am using a browser (Firefox or IE) and I search for something related to computer security such as anti-virus, Norton, AVG, Ewido or Trend Micro, the browser will close itself automatically. I am unable to download any of this software from any site. If I try to go to download.com and download the software, it also closes automatically.

Secondly, if I try to burn the software to a CD and then install from the disk, the same thing happens and the install closes automatically.

Even when I try to access this site and I click on the HijackThis section of the forum, the browser will close automatically.

Finally, I do have a version of AVG on my computer, and when I try to open it, it will close automatically as well. This is a very weird problem, as it seems anything I will need to fix my computer I am unable to access.

I wanted to post a HijackThis file but was unable to do so because of the nature of this problem. If anyone has any ideas on how to fix this, I would greatly appreciate it.

Thanks in advance.

#2 Armodeluxe (Retired Staff, 2,744 posts)

Hi DarrenZ,

Please post these two logs and let's see what you got there.

Download WinPFind2.zip and unzip it to your Desktop. It will create a folder named WinPFind2. Do NOT run the program directly from the zip file.
  • Open the folder and double-click on winpfind2.exe to start the program.
  • Click on the Services tab.
  • From the two drop-down boxes next to Filter list:, in the left one choose List all type of services and in the right one choose List all services.
  • Click on the Configuration tab.
  • Keep the standard settings and then in the AddOn-Options box click the checkboxes for
    • HKCU_IEDesktop.def
    • Policies.def
    • SID_Run_Policies.def
    • Security.def
    to select them.
  • Under File Options click Select All
  • Under Other Options put a check to both Show All boxes
  • Please maximize the window in order to be able to view the Status Bar where you can see the progress of the scan.
  • Now click the Run All Scans button on the toolbar.
  • When the scans are complete click the Simple Report button in the lower right-hand corner to create a report file. Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is, click on it to uncheck it and then please post that report into this topic. After posting please check if the whole report fit into the post. If it did fit, it should say <End of Report> at the end. If not, please post the section that was cut off in a second post.
In a separate post, please post this one:

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.
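
As an added example (not part of any post in this thread, and not code from WinPFind2 or its author), the following Python script shows how a helper might triage a report in the WinPFind2 Simple Report layout: it walks the "All Processes", "Registry Run Keys" and "Winlogon" sections and flags the entries that usually merit a closer look (processes with no publisher information or running out of dllcache, autostart entries with no publisher or given as a bare file name, and Winlogon Shell/UserInit values that carry anything beyond Explorer.exe and userinit.exe). The SAMPLE_REPORT text is constructed for the example, patterned on the report DarrenZ posts below; the section names and line shapes are taken from that report, while the Finding class and the triage() function are this example's own names.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of a WinPFind2 "Simple Report" (not a real
# report). The suspicious entries mirror the ones in the report posted in this
# thread (xpjavams.exe, mscom.exe); the rest are benign filler.
SAMPLE_REPORT = r"""
< All Processes >
c:\winnt\explorer.exe - (Microsoft Corporation )
c:\winnt\system32\dllcache\mscom.exe - ( )
c:\winnt\system32\xpjavams.exe - ( )

[>> Registry Run Keys <<]
HKLM->Run\\AVG7_CC - C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP (GRISOFT, s.r.o. )
HKLM->RunServices\\MS Java for Windows NT, XP & ME - xpjavams.exe ( )
HKCU->Run\\internat.exe - internat.exe (Microsoft Corporation )

[>> Winlogon <<]
HKLM->UserInit - C:\WINNT\system32\userinit.exe,xpjavams.exe (File not found))
HKLM->Shell - Explorer.exe xpjavams.exe (File not found))
HKLM->VMApplet - rundll32 shell32,Control_RunDLL "sysdm.cpl"
"""

# Section headers look like "< All Processes >" or "[>> Registry Run Keys <<]".
SECTION_RE = re.compile(r'^(?:<\s*(.+?)\s*>|\[>>\s*(.+?)\s*<<\])$')
# Most entries end in "(Publisher )", "( )" or "(File not found))".
ENTRY_RE = re.compile(r'^(?P<body>.+?)\s+\((?P<pub>[^()]*)\)\)?\s*$')


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_sections(text):
    """Yield (section_name, line) for every non-blank line under a section header."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1) or m.group(2)
            continue
        if section:
            yield section, line


def split_entry(line):
    """Return (body, publisher); publisher is '' for '( )' and None if there is no trailer."""
    m = ENTRY_RE.match(line)
    if not m:
        return line, None
    return m.group('body'), m.group('pub').strip()


def triage(text):
    """Return the list of Finding objects for a report in WinPFind2 Simple Report layout."""
    findings = []
    for section, line in parse_sections(text):
        body, pub = split_entry(line)
        if section == 'All Processes':
            path = body.rstrip(' -').lower()
            if pub == '':
                findings.append(Finding(section, 'process with no publisher information', line))
            if '\\dllcache\\' in path:
                findings.append(Finding(section, 'process running from the dllcache directory', line))
        elif section == 'Registry Run Keys':
            _key, _, command = body.partition(' - ')
            if pub == '':
                findings.append(Finding(section, 'autostart entry with no publisher information', line))
            # A bare file name is resolved through the search path at logon.
            if command and '\\' not in command.split()[0]:
                findings.append(Finding(section, 'autostart command is a bare file name', line))
        elif section == 'Winlogon':
            key, _, value = body.partition(' - ')
            if key.endswith('->Shell') and value.strip().lower() != 'explorer.exe':
                findings.append(Finding(section, 'Winlogon Shell is not exactly Explorer.exe', line))
            if key.endswith('->UserInit'):
                parts = [p for p in value.split(',') if p.strip()]
                if len(parts) != 1 or not parts[0].strip().lower().endswith('userinit.exe'):
                    findings.append(Finding(section, 'Winlogon UserInit has extra or unexpected entries', line))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_REPORT):
        print(f'[{f.section}] {f.reason}: {f.line}')
```

Run it to print the findings for the sample. The hits are triage prompts, not verdicts: a "( )" publisher only means the file carries no version information (legitimate components such as the Acrobat helper in this thread show the same), and the bare-file-name rule also fires on the legitimate internat.exe entry, so each hit still needs the publisher column and the file's location checked by hand.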

#3 DarrenZ (Topic Starter, Member, 22 posts)

Thanks very much for offering your help to me.

Here is the Simple Report from the winpfind2.exe program:

Logfile created on: 09/17/2006 10:35
WinPFind2 by OldTimer - Version 1.0.9 Folder = C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.007\Desktop\New Folder\WinPFind2\
Microsoft Windows 2000 Service Pack 4 (Version = 5.0.2195)
Internet Explorer (Version = 6.0.2800.1106)


< All Processes >
c:\program files\symantec\pcanywhere\awhost32.exe - (Symantec Corporation )
\??\c:\winnt\system32\csrss.exe - (Microsoft Corporation )
c:\winnt\explorer.exe - (Microsoft Corporation )
c:\program files\internet explorer\iexplore.exe - (Microsoft Corporation )
c:\winnt\system32\internat.exe - (Microsoft Corporation )
c:\program files\java\jre1.5.0_06\bin\jusched.exe - (Sun Microsystems, Inc. )
c:\winnt\system32\lsass.exe - (Microsoft Corporation )
c:\winnt\system32\dllcache\mscom.exe - ( )
c:\winnt\system32\dllcache\mslogon.exe - ( )
c:\winnt\system32\mspmspsv.exe - (Microsoft Corporation )
c:\winnt\system32\mstask.exe - (Microsoft Corporation )
d:\program files\symantec\ghost\ngctw32.exe - (Symantec New Zealand Limited )
c:\winnt\system32\progman.exe - (Microsoft Corporation )
c:\winnt\system32\regsvc.exe - (Microsoft Corporation )
c:\winnt\system32\rundll32.exe - (Microsoft Corporation )
c:\winnt\system32\services.exe - (Microsoft Corporation )
\systemroot\system32\smss.exe - (Microsoft Corporation )
c:\winnt\system32\snmp.exe - (Microsoft Corporation )
c:\winnt\system32\spoolsv.exe - (Microsoft Corporation )
c:\winnt\system32\stisvc.exe - (Microsoft Corporation )
c:\winnt\system32\svchost.exe - (Microsoft Corporation )
c:\winnt\system32\svchost.exe - (Microsoft Corporation )
\??\c:\winnt\system32\winlogon.exe - (Microsoft Corporation )
c:\winnt\system32\wbem\winmgmt.exe - (Microsoft Corporation )
c:\documents and settings\administrator.nrs-mekcsmq3zne.007\desktop\new folder\winpfind2\winpfind2.exe - (OldTimer Tools )
c:\winnt\system32\xpjavams.exe - ( )

< Registry Entries >

[>> Internet Explorer Settings <<]
HKLM->Main\\Start Page - http://www.microsoft...p...ER}&ar=home
HKLM->Main\\Search Page - http://www.microsoft...amp;ar=iesearch
HKLM->Main\\Default_Page_URL - http://www.microsoft...p...&ar=msnhome
HKLM->Main\\Default_Search_URL - http://www.microsoft...amp;ar=iesearch
HKLM->Main\\Local Page - %SystemRoot%\system32\blank.htm
HKCU->Main\\Start Page - http://www.microsoft...p...&ar=msnhome
HKCU->Main\\Search Page - http://www.microsoft...amp;ar=iesearch
HKCU->Main\\Local Page - C:\WINNT\system32\blank.htm
HKLM->Search\\CustomizeSearch - http://ie.search.msn...st/srchcust.htm
HKLM->Search\\SearchAssistant - http://ie.search.msn...st/srchasst.htm
HKCU->URLSearchHooks\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Microsoft Url Search Hook = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation )
HKCU->Internet Settings\\ProxyEnable - 0

[>> BHO's <<]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class = d:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx ( )
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc. )

[>> Internet Explorer Bars, Toolbars and Extensions <<]

[HKLM-> Internet Explorer Bars]
{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation )

[HKLM-> Internet Explorer ToolBars]
{8E718888-423F-11D2-876E-00A0C9082467} - &Radio = C:\WINNT\system32\msdxm.ocx ( )

[HKCU-> Internet Explorer ToolBars]
WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\system32\browseui.dll (Microsoft Corporation )
WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\browseui.dll (Microsoft Corporation )

[HKCU-> Internet Explorer CmdMapping]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - 8192 - Sun Java Console
{669695BC-A811-4A9D-8CDF-BA8C795F261C} - 8193 - Reg Data missing or invalid
{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - 8194 - Reg Data missing or invalid
NextId - 8195

[HKLM-> Internet Explorer Extensions]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll (Sun Microsystems, Inc. )
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} (HKCU CLSID) - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc. )
{669695BC-A811-4A9D-8CDF-BA8C795F261C} - ButtonText: Run DAP = C:\PROGRA~1\DAP\DAP.EXE (Speedbit Ltd. )
{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - ButtonText: AIM = C:\Program Files\AIM\aim.exe (America Online, Inc. )

[HKCU-> Internet Explorer Menu Extensions]
&Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm ( )
Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm (File not found))

[HKLM-> Internet Explorer Plugins]
.spop - Reg Data missing or invalid = C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll (InterTrust Technologies Corporation, Inc. )

[>> Approved Shell Extensions (Non-Microsoft only) <<]

[HKLM-> Approved Shell Extensions]
{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = deskpan.dll (File not found))
{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = Reg Data missing or invalid (File not found))
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = Reg Data missing or invalid (File not found))
{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINNT\System32\hticons.dll (Hilgraeve, Inc. )
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} - AVG7 Shell Extension = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o. )
{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} - AVG7 Find Extension = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o. )
{E0D79304-84BE-11CE-9641-444553540000} - WinZip = D:\PROGRA~1\WinZip\WZSHLSTB.DLL (WinZip Computing, Inc. )
{E0D79305-84BE-11CE-9641-444553540000} - WinZip = D:\PROGRA~1\WinZip\WZSHLSTB.DLL (WinZip Computing, Inc. )
{E0D79306-84BE-11CE-9641-444553540000} - WinZip = D:\PROGRA~1\WinZip\WZSHLSTB.DLL (WinZip Computing, Inc. )

[>> ContextMenuHandlers (Non-Microsoft only) <<]

[HKLM-> ContextMenuHandlers]
* - AVG7 Shell Extension - {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o. )
* - WinZip - {E0D79304-84BE-11CE-9641-444553540000} = D:\PROGRA~1\WinZip\WZSHLSTB.DLL (WinZip Computing, Inc. )
Directory - WinZip - {E0D79304-84BE-11CE-9641-444553540000} = D:\PROGRA~1\WinZip\WZSHLSTB.DLL (WinZip Computing, Inc. )
Directory\Background - igfxcui - {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} = C:\WINNT\System32\igfxpph.dll (Intel Corporation )
Folder - AVG7 Shell Extension - {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o. )
Folder - WinZip - {E0D79304-84BE-11CE-9641-444553540000} = D:\PROGRA~1\WinZip\WZSHLSTB.DLL (WinZip Computing, Inc. )

[>> ColumnHandlers (Non-Microsoft only) <<]

[HKLM-> ColumnHandlers]

[>> File Associations Keys <<]
HKLM->SOFTWARE\Classes\.bat\\'' - batfile
HKLM->SOFTWARE\Classes\batfile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.cmd\\'' - cmdfile
HKLM->SOFTWARE\Classes\cmdfile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.com\\'' - comfile
HKLM->SOFTWARE\Classes\comfile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.exe\\'' - exefile
HKLM->SOFTWARE\Classes\exefile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.hta\\'' - htafile
HKLM->SOFTWARE\Classes\htafile\shell\open\command\\'' - C:\WINNT\system32\mshta.exe "%1" %*
HKLM->SOFTWARE\Classes\.js\\'' - JSFile
HKLM->SOFTWARE\Classes\jsfile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.jse\\'' - JSEFile
HKLM->SOFTWARE\Classes\jsefile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.scr\\'' - scrfile
HKLM->SOFTWARE\Classes\scrfile\shell\open\command\\'' - "%1" /S
HKLM->SOFTWARE\Classes\.vbe\\'' - VBEFile
HKLM->SOFTWARE\Classes\vbefile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.vbs\\'' - VBSFile
HKLM->SOFTWARE\Classes\vbsfile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.wsf\\'' - WSFFile
HKLM->SOFTWARE\Classes\wsffile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.wsh\\'' - WSHFile
HKLM->SOFTWARE\Classes\wshfile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.txt\\'' - txtfile
HKLM->SOFTWARE\Classes\txtfile\shell\open\command\\'' - %SystemRoot%\system32\NOTEPAD.EXE %1

[>> Registry Run Keys <<]
HKLM->Run\\AVG7_CC - C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP (GRISOFT, s.r.o. )
HKLM->Run\\AVG7_EMC - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe (GRISOFT, s.r.o. )
HKLM->Run\\NGClient - D:\Program Files\Symantec\Ghost\ngctw32.exe (Symantec New Zealand Limited )
HKLM->Run\\PD0620 STISvc - RunDLL32.exe P0620Pin.dll,RunDLL32EP 513 (Microsoft Corporation )
HKLM->Run\\SunJavaUpdateSched - C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe (Sun Microsystems, Inc. )
HKLM->Run\\Synchronization Manager - mobsync.exe /logon (Microsoft Corporation )
HKLM->Run\\Tweak UI - RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp (Microsoft Corporation )
HKLM->RunServices\\MS Java for Windows NT, XP & ME - xpjavams.exe ( )
HKLM->RunServices\\MS Java Service Wrapper for Windows NT & XP - wrapper.exe ( )
HKLM->Run\OptionalComponents\IMAIL - Installed = 1
HKLM->Run\OptionalComponents\MAPI - Installed = 1
HKLM->Run\OptionalComponents\MSFS - Installed = 1
HKCU->Run\\AVG7_Run - C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (GRISOFT, s.r.o. )
HKCU->Run\\internat.exe - internat.exe (Microsoft Corporation )
HKCU->RunServices\\MS Java for Windows NT, XP & ME - xpjavams.exe ( )
HKCU->RunServices\\MS Java Service Wrapper for Windows NT & XP - wrapper.exe ( )

[>> Miscellaneous Startup Keys <<]

[AppInit DLLs]
AppInit_DLL - (File not found))

[Image File Execution Options]
Your Image File Name Here without a path - Debugger = ntsd -d

[Shell Service Object Delay Load]
Network.ConnectionTray - {7007ACCF-3202-11D1-AAD2-00805FC1270E} = C:\WINNT\system32\NETSHELL.dll (Microsoft Corporation )
SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = stobject.dll (Microsoft Corporation )
WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll (Microsoft Corporation )

[Shell Execute Hooks]
{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation )

[Shared Task Scheduler]
{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\system32\browseui.dll (Microsoft Corporation )
{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\system32\browseui.dll (Microsoft Corporation )

[SafeBoot Option]

[HKLM Command Processor AutoRun]
HKLM->Command Processor\\AutoRun -

[HKCU Command Processor AutoRun]

[Security Providers]
SecurityProviders\\SecurityProviders - msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

[BootExecute]
Session Manager\\BootExecute - autocheck autochk *;

[PendingFileRenameOperations]

[FileRenameOperations]

[ExcludeFromKnownDlls]
Session Manager\\ExcludeFromKnownDlls -

[>> Disabled MSConfig Items <<]

[>> User Agent Post Platform <<]

[>> Winlogon <<]
HMLM->UserInit - C:\WINNT\system32\userinit.exe,xpjavams.exe (File not found))
HKLM->Shell - Explorer.exe xpjavams.exe (File not found))
HKLM->System - (File not found))
HKLM->VMApplet - rundll32 shell32,Control_RunDLL "sysdm.cpl"
Notify\crypt32chain - crypt32.dll (Microsoft Corporation )
Notify\cryptnet - cryptnet.dll (Microsoft Corporation )
Notify\cscdll - cscdll.dll (Microsoft Corporation )
Notify\PCANotify - PCANotify.dll (Symantec Corporation )
Notify\sclgntfy - sclgntfy.dll (Microsoft Corporation )
Notify\SensLogn - WlNotify.dll (Microsoft Corporation )
Notify\wzcnotif - wzcdlg.dll (Microsoft Corporation )

[>> DNS Name Servers <<]
{43C27F81-2F7A-49CA-8E23-676C7D944DA4} - (Intel® PRO/100 VE Network Connection)
{87F6BCED-71DA-48FE-AE65-AA211D84D10B} - (Intel® PRO/100 VE Network Connection)

[>> All Winsock2 Catalogs <<]
NameSpace_Catalog5\Catalog_Entries\000000000001 - %SystemRoot%\System32\rnr20.dll (Microsoft Corporation )
NameSpace_Catalog5\Catalog_Entries\000000000002 - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\system32\msafd.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000002 - %SystemRoot%\system32\msafd.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000003 - %SystemRoot%\system32\msafd.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000004 - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000005 - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000006 - %SystemRoot%\system32\msafd.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000007 - %SystemRoot%\system32\msafd.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000008 - %SystemRoot%\system32\msafd.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000009 - %SystemRoot%\system32\msafd.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000010 - %SystemRoot%\system32\msafd.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000011 - %SystemRoot%\system32\msafd.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000012 - %SystemRoot%\system32\msafd.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000013 - %SystemRoot%\system32\msafd.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000014 - %SystemRoot%\system32\msafd.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000015 - %SystemRoot%\system32\msafd.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000016 - %SystemRoot%\system32\msafd.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000017 - %SystemRoot%\system32\msafd.dll (Microsoft Corporation )

[>> Protocol Handlers (Non-Microsoft only) <<]
ipp - (File not found))
msdaipp - (File not found))
vnd.ms.radio - C:\WINNT\system32\msdxm.ocx ( )

[>> Protocol Filters (Non-Microsoft only) <<]

< All Services >
Abiosdsk (Abiosdsk) - (File not found)) [Disabled - Stopped - Kernel driver]
abp480n5 (abp480n5) - (File not found)) [Disabled - Stopped - Kernel driver]
Microsoft ACPI Driver (ACPI) - \SystemRoot\System32\DRIVERS\ACPI.sys (Microsoft Corporation ) [ - Running - Kernel driver]
ACPIEC (ACPIEC) - (File not found)) [Disabled - Stopped - Kernel driver]
adpu160m (adpu160m) - (File not found)) [Disabled - Stopped - Kernel driver]
AFD Networking Support Environment (AFD) - \SystemRoot\System32\drivers\afd.sys (Microsoft Corporation ) [Automatic - Running - Kernel driver]
Aha154x (Aha154x) - (File not found)) [Disabled - Stopped - Kernel driver]
aic116x (aic116x) - (File not found)) [Disabled - Stopped - Kernel driver]
aic78u2 (aic78u2) - (File not found)) [Disabled - Stopped - Kernel driver]
aic78xx (aic78xx) - (File not found)) [Disabled - Stopped - Kernel driver]
Alerter (Alerter) - C:\WINNT\System32\services.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in a shared process]
ami0nt (ami0nt) - (File not found)) [Disabled - Stopped - Kernel driver]
amsint (amsint) - (File not found)) [Disabled - Stopped - Kernel driver]
Application Management (AppMgmt) - C:\WINNT\system32\services.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in a shared process]
asc (asc) - (File not found)) [Disabled - Stopped - Kernel driver]
asc3350p (asc3350p) - (File not found)) [Disabled - Stopped - Kernel driver]
asc3550 (asc3550) - (File not found)) [Disabled - Stopped - Kernel driver]
RAS Asynchronous Media Driver (AsyncMac) - System32\DRIVERS\asyncmac.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
Standard IDE/ESDI Hard Disk Controller (atapi) - \SystemRoot\System32\DRIVERS\atapi.sys (Microsoft Corporation ) [ - Running - Kernel driver]
Atdisk (Atdisk) - (File not found)) [Disabled - Stopped - Kernel driver]
ATM ARP Client Protocol (Atmarpc) - System32\DRIVERS\atmarpc.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
Audio Stub Driver (audstub) - System32\DRIVERS\audstub.sys (Microsoft Corporation ) [On Demand - Running - Kernel driver]
AVG7 Alert Manager Server (Avg7Alrt) - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (GRISOFT, s.r.o. ) [Automatic - Stopped - Win32, running in it's own process]
AVG7 Kernel (Avg7Core) - \SystemRoot\System32\Drivers\avg7core.sys (GRISOFT, s.r.o. ) [ - Running - Kernel driver]
AVG7 Rezident Driver (Avg7RsNT) - \SystemRoot\System32\Drivers\avg7rsnt.sys (GRISOFT, s.r.o. ) [ - Running - Kernel driver]
AVG7 Wrap Driver (Avg7RsW) - \SystemRoot\System32\Drivers\avg7rsw.sys (GRISOFT, s.r.o. ) [ - Running - Kernel driver]
AVG7 Update Service (Avg7UpdSvc) - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (GRISOFT, s.r.o. ) [Automatic - Stopped - Win32, running in it's own process]
AVG Network Redirector (AvgTdi) - \??\C:\WINNT\System32\Drivers\avgtdi.sys (GRISOFT, s.r.o. ) [Automatic - Running - Kernel driver]
pcAnywhere Host Service (awhost32) - C:\Program Files\Symantec\pcAnywhere\awhost32.exe (Symantec Corporation ) [Automatic - Running - Win32, running in it's own process]
awlegacy (awlegacy) - \SystemRoot\System32\Drivers\awlegacy.sys (Symantec Corporation ) [ - Running - Kernel driver]
AW_HOST (AW_HOST) - system32\drivers\aw_host5.sys (Symantec Corporation ) [Disabled - Stopped - Kernel driver]
Beep (Beep) - (File not found)) [ - Running - Kernel driver]
Background Intelligent Transfer Service (BITS) - C:\WINNT\System32\svchost.exe -k BITSgroup (Microsoft Corporation ) [On Demand - Stopped - Win32, running in a shared process]
Computer Browser (Browser) - C:\WINNT\System32\services.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in a shared process]
BusLogic (BusLogic) - (File not found)) [Disabled - Stopped - Kernel driver]
Closed Caption Decoder (ccdecode) - system32\drivers\ccdecode.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
cd20xrnt (cd20xrnt) - (File not found)) [Disabled - Stopped - Kernel driver]
Cdaudio (Cdaudio) - (File not found)) [ - Stopped - Kernel driver]
Cdfs (Cdfs) - (File not found)) [Disabled - Running - Filesystem driver]
CD-ROM Driver (Cdrom) - System32\DRIVERS\cdrom.sys (Microsoft Corporation ) [ - Running - Kernel driver]
Changer (Changer) - (File not found)) [ - Stopped - Kernel driver]
Indexing Service (cisvc) - C:\WINNT\System32\cisvc.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in a shared process]
ClipBook (ClipSrv) - C:\WINNT\system32\clipsrv.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in it's own process]
Cpqarray (Cpqarray) - (File not found)) [Disabled - Stopped - Kernel driver]
cpqarry2 (cpqarry2) - (File not found)) [Disabled - Stopped - Kernel driver]
cpqfcalm (cpqfcalm) - (File not found)) [Disabled - Stopped - Kernel driver]
cpqfws2e (cpqfws2e) - (File not found)) [Disabled - Stopped - Kernel driver]
dac960nt (dac960nt) - (File not found)) [Disabled - Stopped - Kernel driver]
deckzpsx (deckzpsx) - (File not found)) [Disabled - Stopped - Kernel driver]
DHCP Client (Dhcp) - C:\WINNT\System32\services.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Disk Driver (Disk) - \SystemRoot\System32\DRIVERS\disk.sys (Microsoft Corporation ) [ - Running - Kernel driver]
Diskperf (Diskperf) - (File not found)) [ - Running - Kernel driver]
Logical Disk Manager Administrative Service (dmadmin) - C:\WINNT\System32\dmadmin.exe /com (VERITAS Software Corp. ) [On Demand - Stopped - Win32, running in a shared process]
dmboot (dmboot) - System32\drivers\dmboot.sys (VERITAS Software Corp. ) [Disabled - Stopped - Kernel driver]
Logical Disk Manager Driver (dmio) - \SystemRoot\System32\drivers\dmio.sys (VERITAS Software Corp. ) [ - Running - Kernel driver]
dmload (dmload) - \SystemRoot\System32\drivers\dmload.sys (VERITAS Software Corp. ) [ - Running - Kernel driver]
Logical Disk Manager (dmserver) - C:\WINNT\System32\services.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Microsoft DirectMusic SW Synth (WDM) (DMusic) - system32\drivers\DMusic.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
DNS Client (Dnscache) - C:\WINNT\System32\services.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Intel® PRO Adapter Driver (E100B) - System32\DRIVERS\e100bnt5.sys (Intel Corporation ) [On Demand - Running - Kernel driver]
e-DiagTools LAN Configuration Agent (edtlancfg) - C:\Program Files\HP\e-DiagTools\Service.exe ( ) [Automatic - Stopped - Win32, running in it's own process]
EFS (EFS) - (File not found)) [Disabled - Running - Filesystem driver]
Event Log (Eventlog) - C:\WINNT\system32\services.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
COM+ Event System (EventSystem) - C:\WINNT\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [On Demand - Running - Win32, running in a shared process]
Fastfat (Fastfat) - (File not found)) [Disabled - Stopped - Filesystem driver]
Fax Service (Fax) - C:\WINNT\system32\faxsvc.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in it's own process]
Fd16_700 (Fd16_700) - (File not found)) [Disabled - Stopped - Kernel driver]
Floppy Disk Controller Driver (Fdc) - System32\DRIVERS\fdc.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
Fips (Fips) - (File not found)) [Automatic - Running - Kernel driver]
fireport (fireport) - (File not found)) [Disabled - Stopped - Kernel driver]
flashpnt (flashpnt) - (File not found)) [Disabled - Stopped - Kernel driver]
Floppy Disk Driver (Flpydisk) - System32\DRIVERS\flpydisk.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
FltMgr (FltMgr) - \SystemRoot\system32\drivers\fltmgr.sys (Microsoft Corporation ) [ - Running - Filesystem driver]
Volume Manager Driver (Ftdisk) - \SystemRoot\System32\DRIVERS\ftdisk.sys (Microsoft Corporation ) [ - Running - Kernel driver]
Gernuwa (Gernuwa) - (File not found)) [ - Running - Kernel driver]
GhostPostConfig - Boot Phase Driver (GhPostConfig) - \SystemRoot\System32\Drivers\ghpcw2k.sys (Symantec Corporation ) [ - Stopped - Kernel driver]
GhostPostConfig - Auto Phase Driver (GhPostConfig_Auto) - System32\Drivers\ghpcw2k.sys (Symantec Corporation ) [Automatic - Stopped - Kernel driver]
Generic Packet Classifier (Gpc) - System32\DRIVERS\msgpc.sys (Microsoft Corporation ) [On Demand - Running - Kernel driver]
i8042 Keyboard and PS/2 Mouse Port Driver (i8042prt) - System32\DRIVERS\i8042prt.sys (Microsoft Corporation ) [ - Running - Kernel driver]
i81x (i81x) - System32\DRIVERS\i81xnt5.sys (Intel Corporation ) [On Demand - Running - Kernel driver]
Service for AC'97 Driver (WDM) (ichaud) - system32\drivers\ichaud.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
idebd (idebd) - \SystemRoot\System32\DRIVERS\idebd.sys (Intel Corporation ) [ - Running - Kernel driver]
ini910u (ini910u) - (File not found)) [Disabled - Stopped - Kernel driver]
IntelATA (IntelATA) - \SystemRoot\System32\DRIVERS\intelata.sys (Intel Corporation ) [ - Running - Kernel driver]
IntelIde (IntelIde) - (File not found)) [Disabled - Stopped - Kernel driver]
IP Traffic Filter Driver (IpFilterDriver) - System32\DRIVERS\ipfltdrv.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
IP in IP Tunnel Driver (IpInIp) - System32\DRIVERS\ipinip.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
IP Network Address Translator (IpNat) - System32\DRIVERS\ipnat.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
IPSEC driver (IPSEC) - System32\DRIVERS\ipsec.sys (Microsoft Corporation ) [On Demand - Running - Kernel driver]
ipsraidn (ipsraidn) - (File not found)) [Disabled - Stopped - Kernel driver]
IR Enumerator Service (IRENUM) - System32\DRIVERS\irenum.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
PnP ISA/EISA Bus Driver (isapnp) - \SystemRoot\System32\DRIVERS\isapnp.sys (Microsoft Corporation ) [ - Running - Kernel driver]
Keyboard Class Driver (Kbdclass) - System32\DRIVERS\kbdclass.sys (Microsoft Corporation ) [ - Running - Kernel driver]
Microsoft Kernel Wave Audio Mixer (kmixer) - system32\drivers\kmixer.sys (Microsoft Corporation ) [On Demand - Running - Kernel driver]
KSecDD (KSecDD) - (File not found)) [ - Running - Kernel driver]
Server (lanmanserver) - C:\WINNT\System32\services.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Workstation (lanmanworkstation) - C:\WINNT\System32\services.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
lbrtfdc (lbrtfdc) - (File not found)) [ - Stopped - Kernel driver]
TCP/IP NetBIOS Helper Service (LmHosts) - C:\WINNT\System32\services.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
lp6nds35 (lp6nds35) - (File not found)) [Disabled - Stopped - Kernel driver]
Messenger (Messenger) - C:\WINNT\System32\services.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Microsoft Logon Service (Microsoft Logon Service) - "C:\WINNT\system32\dllcache\mslogon.exe" ( ) [Automatic - Running - Win32, running in it's own process]
mnmdd (mnmdd) - (File not found)) [ - Running - Kernel driver]
NetMeeting Remote Desktop Sharing (mnmsrvc) - C:\WINNT\System32\mnmsrvc.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in it's own process]
Modem (Modem) - (File not found)) [On Demand - Stopped - Kernel driver]
Mouse Class Driver (Mouclass) - System32\DRIVERS\mouclass.sys (Microsoft Corporation ) [ - Running - Kernel driver]
MountMgr (MountMgr) - (File not found)) [ - Running - Kernel driver]
BDA MPE Filter (MPE) - system32\DRIVERS\MPE.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
mraid35x (mraid35x) - (File not found)) [Disabled - Stopped - Kernel driver]
MRXSMB (MRxSmb) - System32\DRIVERS\mrxsmb.sys (Microsoft Corporation ) [ - Running - Filesystem driver]
MSCom (MSCom) - "C:\WINNT\system32\dllcache\mscom.exe" ( ) [Automatic - Running - Win32, running in it's own process]
Distributed Transaction Coordinator (MSDTC) - C:\WINNT\System32\msdtc.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in it's own process]
Msfs (Msfs) - (File not found)) [ - Running - Filesystem driver]
Windows Installer (MSIServer) - C:\WINNT\system32\msiexec.exe /V (Microsoft Corporation ) [On Demand - Stopped - Win32, running in a shared process]
Microsoft Streaming Service Proxy (MSKSSRV) - system32\drivers\MSKSSRV.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
Microsoft Streaming Clock Proxy (MSPCLOCK) - system32\drivers\MSPCLOCK.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
Microsoft Streaming Quality Manager Proxy (MSPQM) - system32\drivers\MSPQM.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
Microsoft Streaming Tee/Sink-to-Sink Converter (MSTEE) - system32\drivers\MSTEE.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
Mup (Mup) - (File not found)) [ - Running - Filesystem driver]
NABTS/FEC VBI Codec (NABTSFEC) - system32\DRIVERS\NABTSFEC.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
Ncrc710 (Ncrc710) - (File not found)) [Disabled - Stopped - Kernel driver]
NDIS System Driver (NDIS) - (File not found)) [ - Running - Kernel driver]
Remote Access NDIS TAPI Driver (NdisTapi) - System32\DRIVERS\ndistapi.sys (Microsoft Corporation ) [On Demand - Running - Kernel driver]
NDIS Usermode I/O Protocol (Ndisuio) - System32\DRIVERS\ndisuio.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
Remote Access NDIS WAN Driver (NdisWan) - System32\DRIVERS\ndiswan.sys (Microsoft Corporation ) [On Demand - Running - Kernel driver]
NDIS Proxy (NDProxy) - (File not found)) [On Demand - Running - Kernel driver]
NetBIOS Interface (NetBIOS) - System32\DRIVERS\netbios.sys (Microsoft Corporation ) [ - Running - Filesystem driver]
NetBios over Tcpip (NetBT) - System32\DRIVERS\netbt.sys (Microsoft Corporation ) [ - Running - Kernel driver]
Network DDE (NetDDE) - C:\WINNT\system32\netdde.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in a shared process]
Network DDE DSDM (NetDDEdsdm) - C:\WINNT\system32\netdde.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in a shared process]
NetDetect (NetDetect) - \SystemRoot\system32\drivers\netdtect.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
Net Logon (Netlogon) - C:\WINNT\System32\lsass.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in a shared process]
Network Connections (Netman) - C:\WINNT\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [On Demand - Running - Win32, running in a shared process]
Symantec Ghost Client Agent (NGClient) - D:\Program Files\Symantec\Ghost\ngctw32.exe (Symantec New Zealand Limited ) [Automatic - Running - Win32, running in it's own process]
Npfs (Npfs) - (File not found)) [ - Running - Filesystem driver]
Ntfs (Ntfs) - (File not found)) [Disabled - Running - Filesystem driver]
NT LM Security Support Provider (NtLmSsp) - C:\WINNT\System32\lsass.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in a shared process]
Removable Storage (NtmsSvc) - C:\WINNT\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Null (Null) - (File not found)) [ - Running - Kernel driver]
IPX Traffic Filter Driver (NwlnkFlt) - System32\DRIVERS\nwlnkflt.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
IPX Traffic Forwarder Driver (NwlnkFwd) - System32\DRIVERS\nwlnkfwd.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
Parallel class driver (Parallel) - System32\DRIVERS\parallel.sys (Microsoft Corporation ) [On Demand - Running - Kernel driver]
Parallel port driver (Parport) - System32\DRIVERS\parport.sys (Microsoft Corporation ) [ - Running - Kernel driver]
PartMgr (PartMgr) - (File not found)) [ - Running - Kernel driver]
ParVdm (ParVdm) - (File not found)) [Automatic - Running - Kernel driver]
PCI Bus Driver (PCI) - \SystemRoot\System32\DRIVERS\pci.sys (Microsoft Corporation ) [ - Running - Kernel driver]
PCIDump (PCIDump) - (File not found)) [ - Stopped - Kernel driver]
PCIIde (PCIIde) - System32\DRIVERS\pciide.sys (Microsoft Corporation ) [Disabled - Stopped - Kernel driver]
Pcmcia (Pcmcia) - (File not found)) [Disabled - Stopped - Kernel driver]
Creative WebCam Instant (PD0620VID) - system32\DRIVERS\P0620Vid.sys (Creative Technology Ltd. ) [On Demand - Running - Kernel driver]
Plug and Play (PlugPlay) - C:\WINNT\system32\services.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
IPSEC Policy Agent (PolicyAgent) - C:\WINNT\System32\lsass.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
PPPoEWin Miniport (PPPoEWin) - system32\DRIVERS\PPPoEWin.SYS ( ) [On Demand - Running - Kernel driver]
WAN Miniport (PPTP) (PptpMiniport) - System32\DRIVERS\raspptp.sys (Microsoft Corporation ) [On Demand - Running - Kernel driver]
Protected Storage (ProtectedStorage) - C:\WINNT\system32\services.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Direct Parallel Link Driver (Ptilink) - System32\DRIVERS\ptilink.sys (Parallel Technologies, Inc. ) [On Demand - Running - Kernel driver]
ql1080 (ql1080) - (File not found)) [Disabled - Stopped - Kernel driver]
Ql10wnt (Ql10wnt) - (File not found)) [Disabled - Stopped - Kernel driver]
ql1240 (ql1240) - (File not found)) [Disabled - Stopped - Kernel driver]
ql2100 (ql2100) - (File not found)) [Disabled - Stopped - Kernel driver]
Remote Access Auto Connection Driver (RasAcd) - System32\DRIVERS\rasacd.sys (Microsoft Corporation ) [ - Running - Kernel driver]
Remote Access Auto Connection Manager (RasAuto) - C:\WINNT\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [On Demand - Stopped - Win32, running in a shared process]
WAN Miniport (L2TP) (Rasl2tp) - System32\DRIVERS\rasl2tp.sys (Microsoft Corporation ) [On Demand - Running - Kernel driver]
Remote Access Connection Manager (RasMan) - C:\WINNT\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [On Demand - Running - Win32, running in a shared process]
Direct Parallel (Raspti) - System32\DRIVERS\raspti.sys (Microsoft Corporation ) [On Demand - Running - Kernel driver]
Microsoft Streaming Network Raw Channel Access (RCA) - system32\drivers\RCA.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
Rdbss (Rdbss) - System32\DRIVERS\rdbss.sys (Microsoft Corporation ) [ - Running - Filesystem driver]
Digital CD Audio Playback Filter Driver (redbook) - System32\DRIVERS\redbook.sys (Microsoft Corporation ) [ - Stopped - Kernel driver]
Routing and Remote Access (RemoteAccess) - C:\WINNT\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Disabled - Stopped - Win32, running in a shared process]
Remote Registry Service (RemoteRegistry) - C:\WINNT\system32\regsvc.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in it's own process]
Remote Procedure Call (RPC) Locator (RpcLocator) - C:\WINNT\System32\locator.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in it's own process]
Remote Procedure Call (RPC) (RpcSs) - C:\WINNT\system32\svchost -k rpcss (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
QoS RSVP (RSVP) - C:\WINNT\System32\rsvp.exe -s (Microsoft Corporation ) [On Demand - Stopped - Win32, running in it's own process]
Security Accounts Manager (SamSs) - C:\WINNT\system32\lsass.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Smart Card Helper (SCardDrv) - C:\WINNT\System32\SCardSvr.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in a shared process]
Smart Card (SCardSvr) - C:\WINNT\System32\SCardSvr.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in a shared process]
Task Scheduler (Schedule) - C:\WINNT\system32\MSTask.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
RunAs Service (seclogon) - C:\WINNT\system32\services.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
System Event Notification (SENS) - C:\WINNT\system32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Serenum Filter Driver (serenum) - System32\DRIVERS\serenum.sys (Microsoft Corporation ) [On Demand - Running - Kernel driver]
Serial port driver (Serial) - System32\DRIVERS\serial.sys (Microsoft Corporation ) [ - Running - Kernel driver]
Sfloppy (Sfloppy) - (File not found)) [ - Stopped - Kernel driver]
sglfb (sglfb) - (File not found)) [ - Stopped - Kernel driver]
Internet Connection Sharing (SharedAccess) - C:\WINNT\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Disabled - Stopped - Win32, running in a shared process]
Simbad (Simbad) - (File not found)) [Disabled - Stopped - Kernel driver]
BDA Slip De-Framer (SLIP) - system32\DRIVERS\SLIP.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
smwdm (smwdm) - system32\drivers\smwdm.sys (Analog Devices, Inc. ) [On Demand - Running - Kernel driver]
SNMP Service (SNMP) - C:\WINNT\System32\snmp.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in it's own process]
SNMP Trap Service (SNMPTRAP) - C:\WINNT\System32\snmptrap.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in it's own process]
Sparrow (Sparrow) - (File not found)) [Disabled - Stopped - Kernel driver]
Print Spooler (Spooler) - C:\WINNT\system32\spoolsv.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in it's own process]
Srv (Srv) - System32\DRIVERS\srv.sys (Microsoft Corporation ) [On Demand - Running - Filesystem driver]
Still Image Service (StiSvc) - C:\WINNT\system32\stisvc.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in it's own process]
BDA IPSink (streamip) - system32\DRIVERS\StreamIP.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
Software Bus Driver (swenum) - System32\DRIVERS\swenum.sys (Microsoft Corporation ) [On Demand - Running - Kernel driver]
Microsoft Kernel GS Wavetable Synthesizer (swmidi) - system32\drivers\swmidi.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
symc810 (symc810) - (File not found)) [Disabled - Stopped - Kernel driver]
symc8xx (symc8xx) - (File not found)) [Disabled - Stopped - Kernel driver]
SymEvent (SymEvent) - \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Corporation ) [On Demand - Stopped - Kernel driver]
sym_hi (sym_hi) - (File not found)) [Disabled - Stopped - Kernel driver]
Microsoft System Audio Device (sysaudio) - system32\drivers\sysaudio.sys (Microsoft Corporation ) [On Demand - Running - Kernel driver]
Performance Logs and Alerts (SysmonLog) - C:\WINNT\system32\smlogsvc.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in it's own process]
Telephony (TapiSrv) - C:\WINNT\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [On Demand - Running - Win32, running in a shared process]
TCP/IP Protocol Driver (Tcpip) - System32\DRIVERS\tcpip.sys (Microsoft Corporation ) [ - Running - Kernel driver]
tga (tga) - (File not found)) [ - Stopped - Kernel driver]
Telnet (TlntSvr) - C:\WINNT\system32\tlntsvr.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in it's own process]
Distributed Link Tracking Client (TrkWks) - C:\WINNT\system32\services.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
UdfReadr (UdfReadr) - (File not found)) [ - Running - Filesystem driver]
Udfs (Udfs) - (File not found)) [Disabled - Stopped - Filesystem driver]
Microsoft USB Universal Host Controller Driver (uhcd) - System32\DRIVERS\uhcd.sys (Microsoft Corporation ) [On Demand - Running - Kernel driver]
ultra66 (ultra66) - (File not found)) [Disabled - Stopped - Kernel driver]
Microcode Update Driver (Update) - System32\DRIVERS\update.sys (Microsoft Corporation ) [On Demand - Running - Kernel driver]
Uninterruptible Power Supply (UPS) - C:\WINNT\System32\ups.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in it's own process]
Microsoft USB Standard Hub Driver (usbhub) - System32\DRIVERS\usbhub.sys (Microsoft Corporation ) [On Demand - Running - Kernel driver]
USB Mass Storage Driver (USBSTOR) - System32\DRIVERS\USBSTOR.SYS (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
Utility Manager (UtilMan) - C:\WINNT\System32\UtilMan.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in it's own process]
VgaSave (VgaSave) - \SystemRoot\System32\drivers\vga.sys (Microsoft Corporation ) [ - Running - Kernel driver]
Windows Time (W32Time) - C:\WINNT\System32\services.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in a shared process]
Remote Access IP ARP Driver (Wanarp) - System32\DRIVERS\wanarp.sys (Microsoft Corporation ) [On Demand - Running - Kernel driver]
Microsoft WINMM WDM Audio Compatibility Driver (wdmaud) - system32\drivers\wdmaud.sys (Microsoft Corporation ) [On Demand - Running - Kernel driver]
Windows Management Instrumentation (WinMgmt) - C:\WINNT\System32\WBEM\WinMgmt.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in it's own process]
WMDM PMSP Service (WMDM PMSP Service) - C:\WINNT\system32\mspmspsv.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in it's own process]
Windows Management Instrumentation Driver Extensions (Wmi) - C:\WINNT\system32\Services.exe (Microsoft Corporation ) [On Demand - Running - Win32, running in a shared process]
World Standard Teletext Codec (WSTCODEC) - system32\DRIVERS\WSTCODEC.SYS (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
Automatic Updates (wuauserv) - C:\WINNT\system32\svchost.exe -k wugroup (Microsoft Corporation ) [Disabled - Stopped - Win32, running in a shared process]
Wireless Configuration (WZCSVC) - C:\WINNT\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [On Demand - Stopped - Win32, running in a shared process]

< Files >

%SystemDrive%

%ProgramFilesDir%

%WinDir%
C:\WINNT\lpt$vpn.919 - PECompact2 ( [Ver = | Size = 16257389 bytes | Date = 10/30/2005 12:54 | Attr = ])
C:\WINNT\lpt$vpn.919 - qoologic ( [Ver = | Size = 16257389 bytes | Date = 10/30/2005 12:54 | Attr = ])
C:\WINNT\lpt$vpn.919 - SAHAgent ( [Ver = | Size = 16257389 bytes | Date = 10/30/2005 12:54 | Attr = ])
C:\WINNT\RMAgentOutput.dll - UPX! ( [Ver = | Size = 25157 bytes | Date = 05/03/2005 11:44 | Attr = ])
C:\WINNT\tsc.exe - UPX! (Trend Micro Inc. [Ver = 3.9.0.1020 | Size = 170053 bytes | Date = 01/10/2005 16:17 | Attr = ])
C:\WINNT\VPTNFILE.919 - PECompact2 ( [Ver = | Size = 16257389 bytes | Date = 10/30/2005 12:54 | Attr = ])
C:\WINNT\VPTNFILE.919 - qoologic ( [Ver = | Size = 16257389 bytes | Date = 10/30/2005 12:54 | Attr = ])
C:\WINNT\VPTNFILE.919 - SAHAgent ( [Ver = | Size = 16257389 bytes | Date = 10/30/2005 12:54 | Attr = ])
C:\WINNT\vsapi32.dll - UPX! (Trend Micro Inc. [Ver = 7.510-1002 | Size = 1044560 bytes | Date = 02/18/2005 18:40 | Attr = ])
C:\WINNT\vsapi32.dll - aspack (Trend Micro Inc. [Ver = 7.510-1002 | Size = 1044560 bytes | Date = 02/18/2005 18:40 | Attr = ])

%System%
C:\WINNT\SYSTEM32\DivX.dll - PEC2 (DivXNetworks [Ver = 6,0,0,1571 | Size = 692736 bytes | Date = 06/09/2005 22:32 | Attr = ])
C:\WINNT\SYSTEM32\DivX.dll - PECompact2 (DivXNetworks [Ver = 6,0,0,1571 | Size = 692736 bytes | Date = 06/09/2005 22:32 | Attr = ])
C:\WINNT\SYSTEM32\mfc42u.dll - WSUD (Microsoft Corporation [Ver = 6.00.9586.0 | Size = 1011764 bytes | Date = 06/19/2003 12:05 | Attr = ])
C:\WINNT\SYSTEM32\MRT.exe - PECompact2 (Microsoft Corporation [Ver = 1.17.1478.0 | Size = 5967776 bytes | Date = 06/08/2006 18:19 | Attr = ])
C:\WINNT\SYSTEM32\MRT.exe - aspack (Microsoft Corporation [Ver = 1.17.1478.0 | Size = 5967776 bytes | Date = 06/08/2006 18:19 | Attr = ])
C:\WINNT\SYSTEM32\RASDLG.DLL - Umonitor (Microsoft Corporation [Ver = 5.00.2195.6920 | Size = 531216 bytes | Date = 01/12/2005 21:39 | Attr = ])
C:\WINNT\SYSTEM32\wbdbase.deu - winsync ( [Ver = | Size = 1309184 bytes | Date = 12/07/1999 14:00 | Attr = ])

%System%\Drivers folder and sub-folders
C:\WINNT\SYSTEM32\drivers\avg7core.sys - UPX! (GRISOFT, s.r.o. [Ver = 7,1,0,402 | Size = 777472 bytes | Date = 08/24/2006 21:49 | Attr = ])
C:\WINNT\SYSTEM32\drivers\avg7core.sys - FSG! (GRISOFT, s.r.o. [Ver = 7,1,0,402 | Size = 777472 bytes | Date = 08/24/2006 21:49 | Attr = ])
C:\WINNT\SYSTEM32\drivers\avg7core.sys - PEC2 (GRISOFT, s.r.o. [Ver = 7,1,0,402 | Size = 777472 bytes | Date = 08/24/2006 21:49 | Attr = ])
C:\WINNT\SYSTEM32\drivers\avg7core.sys - aspack (GRISOFT, s.r.o. [Ver = 7,1,0,402 | Size = 777472 bytes | Date = 08/24/2006 21:49 | Attr = ])

%windir% + sub-dirs for System or Hidden files less than 60 days old
C:\WINNT\ShellIconCache - ( [Ver = | Size = 1286842 bytes | Date = 09/15/2006 17:14 | Attr = H ])
C:\WINNT\CSC\00000001 - ( [Ver = | Size = 64 bytes | Date = 09/17/2006 09:53 | Attr = S])
C:\WINNT\CSC\00000002 - ( [Ver = | Size = 64 bytes | Date = 09/17/2006 09:53 | Attr = S])
C:\WINNT\CSC\csc1.tmp - ( [Ver = | Size = 64 bytes | Date = 09/16/2006 22:20 | Attr = S])
C:\WINNT\system32\config\default.LOG - ( [Ver = | Size = 1024 bytes | Date = 09/17/2006 10:20 | Attr = H ])
C:\WINNT\system32\config\SAM.LOG - ( [Ver = | Size = 1024 bytes | Date = 09/17/2006 09:53 | Attr = H ])
C:\WINNT\system32\config\SECURITY.LOG - ( [Ver = | Size = 1024 bytes | Date = 09/17/2006 10:11 | Attr = H ])
C:\WINNT\system32\config\software.LOG - ( [Ver = | Size = 1024 bytes | Date = 09/17/2006 10:20 | Attr = H ])
C:\WINNT\system32\dllcache\mscom.exe - ( [Ver = | Size = 87040 bytes | Date = 08/28/2006 17:58 | Attr = RHS])
C:\WINNT\system32\dllcache\mslogon.exe - ( [Ver = | Size = 89088 bytes | Date = 09/05/2006 00:09 | Attr = RHS])
C:\WINNT\Tasks\SA.DAT - ( [Ver = | Size = 6 bytes | Date = 09/17/2006 09:53 | Attr = H ])
CPL files -
C:\WINNT\SYSTEM32\access.cpl - (Microsoft Corporation [Ver = 5.00.2134.1 | Size = 67344 bytes | Date = 12/07/1999 14:00 | Attr = ])
C:\WINNT\SYSTEM32\appwiz.cpl - (Microsoft Corporation [Ver = 5.00.2195.6624 | Size = 301328 bytes | Date = 06/19/2003 12:05 | Attr = ])
C:\WINNT\SYSTEM32\DESK.CPL - (Microsoft Corporation [Ver = 5.00.2195.6601 | Size = 237328 bytes | Date = 06/19/2003 12:05 | Attr = ])
C:\WINNT\SYSTEM32\hdwwiz.cpl - (Microsoft Corporation [Ver = 5.00.2134.1 | Size = 128272 bytes | Date = 12/07/1999 14:00 | Attr = ])
C:\WINNT\SYSTEM32\igfxcpl.cpl - (Intel Corporation [Ver = 2, 2, 0, 6 | Size = 69632 bytes | Date = 02/12/2001 14:14 | Attr = ])
C:\WINNT\SYSTEM32\inetcpl.cpl - (Microsoft Corporation [Ver = 6.00.2800.1106 | Size = 292352 bytes | Date = 08/29/2002 07:14 | Attr = ])
C:\WINNT\SYSTEM32\intl.cpl - (Microsoft Corporation [Ver = 5.00.2134.1 | Size = 118032 bytes | Date = 12/07/1999 14:00 | Attr = ])
C:\WINNT\SYSTEM32\irprops.cpl - (Microsoft Corporation [Ver = 5.00.2167.1 | Size = 36112 bytes | Date = 12/07/1999 14:00 | Attr = ])
C:\WINNT\SYSTEM32\joy.cpl - (Microsoft Corporation [Ver = 5.1.2600.881 built by: Lab06_N(mmbuild) | Size = 326144 bytes | Date = 10/30/2001 08:10 | Attr = ])
C:\WINNT\SYSTEM32\jpicpl32.cpl - (Sun Microsystems, Inc. [Ver = 5.0.60.5 | Size = 49265 bytes | Date = 11/10/2005 13:03 | Attr = ])
C:\WINNT\SYSTEM32\main.cpl - (Microsoft Corporation [Ver = 5.00.2134.1 | Size = 122128 bytes | Date = 12/07/1999 14:00 | Attr = ])
C:\WINNT\SYSTEM32\mmsys.cpl - (Microsoft Corporation [Ver = 5.00.2161.1 | Size = 303888 bytes | Date = 12/07/1999 14:00 | Attr = ])
C:\WINNT\SYSTEM32\ncpa.cpl - (Microsoft Corporation [Ver = 5.00.2176.1 | Size = 17168 bytes | Date = 12/07/1999 14:00 | Attr = ])
C:\WINNT\SYSTEM32\nwc.cpl - (Microsoft Corporation [Ver = 5.00.2134.1 | Size = 41232 bytes | Date = 12/07/1999 14:00 | Attr = ])
C:\WINNT\SYSTEM32\odbccp32.cpl - (Microsoft Corporation [Ver = 3.520.6200.0 | Size = 41232 bytes | Date = 06/19/2003 12:05 | Attr = ])
C:\WINNT\SYSTEM32\powercfg.cpl - (Microsoft Corporation [Ver = 5.00.3502.6601 | Size = 90896 bytes | Date = 06/19/2003 12:05 | Attr = ])
C:\WINNT\SYSTEM32\sticpl.cpl - (Microsoft Corporation [Ver = 5.00.2195.6656 | Size = 83216 bytes | Date = 06/19/2003 12:05 | Attr = ])
C:\WINNT\SYSTEM32\SYSDM.CPL - (Microsoft Corporation [Ver = 5.00.2195.6601 | Size = 125712 bytes | Date = 06/19/2003 12:05 | Attr = ])
C:\WINNT\SYSTEM32\telephon.cpl - (Microsoft Corporation [Ver = 5.00.2143.1 | Size = 5904 bytes | Date = 12/07/1999 14:00 | Attr = ])
C:\WINNT\SYSTEM32\timedate.cpl - (Microsoft Corporation [Ver = 5.00.2137.1 | Size = 61200 bytes | Date = 12/07/1999 14:00 | Attr = ])
C:\WINNT\SYSTEM32\TWEAKUI.CPL - (Microsoft Corporation [Ver = 1.33.0.0 | Size = 106544 bytes | Date = 06/18/2000 14:03 | Attr = R ])
C:\WINNT\SYSTEM32\wuaucpl.cpl - (Microsoft Corporation [Ver = 5.8.0.2469 built by: lab01_n(wmbla) | Size = 174360 bytes | Date = 05/26/2005 04:16 | Attr = ])
C:\WINNT\SYSTEM32\dllcache\inetcpl.cpl - (Microsoft Corporation [Ver = 6.00.2800.1106 | Size = 292352 bytes | Date = 08/29/2002 07:14 | Attr = ])
C:\WINNT\SYSTEM32\dllcache\msmq.cpl - (Microsoft Corporation [Ver = 5.00.0748 | Size = 64784 bytes | Date = 01/12/2005 21:40 | Attr = ])
C:\WINNT\SYSTEM32\dllcache\mwcpa32.cpl - (IBM Corporation [Ver = 2.60.35.0 | Size = 94208 bytes | Date = 09/23/1999 18:44 | Attr = ])
C:\WINNT\SYSTEM32\dllcache\nwc.cpl - (Microsoft Corporation [Ver = 5.00.2134.1 | Size = 41232 bytes | Date = 12/07/1999 14:00 | Attr = ])
C:\WINNT\SYSTEM32\dllcache\wuaucpl.cpl - (Microsoft Corporation [Ver = 5.8.0.2469 built by: lab01_n(wmbla) | Size = 174360 bytes | Date = 05/26/2005 04:16 | Attr = ])

Auto-Start Folders

HKLM->Explorer\Shell Folders\\Common Startup = C:\Documents and Settings\All Users\Start Menu\Programs\Startup

HKLM->Explorer\User Shell Folders\\Common Startup = %ALLUSERSPROFILE%\Start Menu\Programs\Startup

HKLM->Explorer\Shell Folders\\Startup = C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.007\Start Menu\Programs\Startup

HKCU->Explorer\User Shell Folders\\Startup = %USERPROFILE%\Start Menu\Programs\Startup

Miscellaneous Auto-Start Files
System.ini->[Boot]\\Shell - Explorer.exe xpjavams.exe
Config.nt: Line 1 - REM Windows MS-DOS Startup File
Config.nt: Line 2 - REM
Config.nt: Line 3 - REM CONFIG.SYS vs CONFIG.NT
Config.nt: Line 4 - REM CONFIG.SYS is not used to initialize the MS-DOS environment.
Config.nt: Line 5 - REM CONFIG.NT is used to initialize the MS-DOS environment unless a
Config.nt: Line 6 - REM different startup file is specified in an application's PIF.
Config.nt: Line 7 - REM
Config.nt: Line 8 - REM ECHOCONFIG
Config.nt: Line 9 - REM By default, no information is displayed when the MS-DOS environment
Config.nt: Line 10 - REM is initialized. To display CONFIG.NT/AUTOEXEC.NT information, add
Config.nt: Line 11 - REM the command echoconfig to CONFIG.NT or other startup file.
Config.nt: Line 12 - REM
Config.nt: Line 13 - REM NTCMDPROMPT
Config.nt: Line 14 - REM When you return to the command prompt from a TSR or while running an
Config.nt: Line 15 - REM MS-DOS-based application, Windows runs COMMAND.COM. This allows the
Config.nt: Line 16 - REM TSR to remain active. To run CMD.EXE, the Windows command prompt,
Config.nt: Line 17 - REM rather than COMMAND.COM, add the command ntcmdprompt to CONFIG.NT or
Config.nt: Line 18 - REM other startup file.
Config.nt: Line 19 - REM
Config.nt: Line 20 - REM DOSONLY
Config.nt: Line 21 - REM By default, you can start any type of application when running
Config.nt: Line 22 - REM COMMAND.COM. If you start an application other than an MS-DOS-based
Config.nt: Line 23 - REM application, any running TSR may be disrupted. To ensure that only
Config.nt: Line 24 - REM MS-DOS-based applications can be started, add the command dosonly to
Config.nt: Line 25 - REM CONFIG.NT or other startup file.
Config.nt: Line 26 - REM
Config.nt: Line 27 - REM EMM
Config.nt: Line 28 - REM You can use EMM command line to configure EMM(Expanded Memory Manager).
Config.nt: Line 29 - REM The syntax is:
Config.nt: Line 30 - REM
Config.nt: Line 31 - REM EMM = [A=AltRegSets] [B=BaseSegment] [RAM]
Config.nt: Line 32 - REM
Config.nt: Line 33 - REM AltRegSets
Config.nt: Line 34 - REM specifies the total Alternative Mapping Register Sets you
Config.nt: Line 35 - REM want the system to support. 1 <= AltRegSets <= 255. The
Config.nt: Line 36 - REM default value is 8.
Config.nt: Line 37 - REM BaseSegment
Config.nt: Line 38 - REM specifies the starting segment address in the Dos conventional
Config.nt: Line 39 - REM memory you want the system to allocate for EMM page frames.
Config.nt: Line 40 - REM The value must be given in Hexdecimal.
Config.nt: Line 41 - REM 0x1000 <= BaseSegment <= 0x4000. The value is rounded down to
Config.nt: Line 42 - REM 16KB boundary. The default value is 0x4000
Config.nt: Line 43 - REM RAM
Config.nt: Line 44 - REM specifies that the system should only allocate 64Kb address
Config.nt: Line 45 - REM space from the Upper Memory Block(UMB) area for EMM page frames
Config.nt: Line 46 - REM and leave the rests(if available) to be used by DOS to support
Config.nt: Line 47 - REM loadhigh and devicehigh commands. The system, by default, would
Config.nt: Line 48 - REM allocate all possible and available UMB for page frames.
Config.nt: Line 49 - REM
Config.nt: Line 50 - REM The EMM size is determined by pif file(either the one associated
Config.nt: Line 51 - REM with your application or _default.pif). If the size from PIF file
Config.nt: Line 52 - REM is zero, EMM will be disabled and the EMM line will be ignored.
Config.nt: Line 53 - REM
Config.nt: Line 54 - dos=high, umb
Config.nt: Line 55 - device=%SystemRoot%\system32\himem.sys
Config.nt: Line 56 - files=40
AutoExec.nt: Line 1 - @echo off
AutoExec.nt: Line 3 - REM AUTOEXEC.BAT is not used to initialize the MS-DOS environment.
AutoExec.nt: Line 4 - REM AUTOEXEC.NT is used to initialize the MS-DOS environment unless a
AutoExec.nt: Line 5 - REM different startup file is specified in an application's PIF.
AutoExec.nt: Line 7 - REM Install CD ROM extensions
AutoExec.nt: Line 8 - lh %SystemRoot%\

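The log above is easier to read with a small triage pass over it. What follows is an added example written for this page, not part of DarrenZ's post and not a WinPFind feature: it parses the three line shapes WinPFind prints (service entries, file entries with their [Ver | Size | Date | Attr] block, and the System.ini Shell line) and flags the points a responder checks first: a service binary sitting in system32\dllcache, an Automatic service with an empty vendor string, extra tokens on the Shell= line, hidden+system files in dllcache with no version resource, and a missing Hosts file. SAMPLE_LOG is a constructed copy of a few lines in that format, and the rule names are this example's own.

```python
"""Triage helper for WinPFind-style listings.

Added example for this page: not part of the original post and not a
WinPFind feature. SAMPLE_LOG is a constructed copy of a few log lines in
the same format; the rule names are assumptions of this example.
"""
import re

# One service line: "<display> (<name>) - <path> (<company>) [<start> - <state> - <kind>]".
# The "(<company>)" part is absent on "(File not found))" entries, hence optional.
SERVICE_RE = re.compile(
    r'^(?P<display>.+?) \((?P<name>[^()]+)\) - (?P<path>.+?)'
    r'(?: \((?P<company>[^()]*)\))?'
    r' \[(?P<start>[^-\]]*) - (?P<state>[^-\]]*) - (?P<kind>[^\]]*)\]$')
# One file line: "<path> - <packer tag> (<company> [Ver = .. | Size = .. bytes | Date = .. | Attr = ..])".
FILE_RE = re.compile(
    r'^(?P<path>[A-Za-z]:\\.+?) - (?P<tag>[^(]*)\((?P<company>[^\[]*)'
    r'\[Ver = (?P<ver>[^|]*)\| Size = (?P<size>\d+) bytes \| '
    r'Date = (?P<date>[^|]*)\| Attr = (?P<attr>[^\]]*)\]\)$')
# The System.ini [Boot] Shell entry as WinPFind prints it (two literal backslashes).
SHELL_RE = re.compile(r'^System\.ini->\[Boot\]\\\\Shell - (?P<shell>.+)$')

# Constructed sample in the same line format as the log above.
SAMPLE_LOG = r"""
MSCom (MSCom) - "C:\WINNT\system32\dllcache\mscom.exe" ( ) [Automatic - Running - Win32, running in it's own process]
Remote Registry Service (RemoteRegistry) - C:\WINNT\system32\regsvc.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in it's own process]
mraid35x (mraid35x) - (File not found)) [Disabled - Stopped - Kernel driver]
WAN Miniport (PPTP) (PptpMiniport) - System32\DRIVERS\raspptp.sys (Microsoft Corporation ) [On Demand - Running - Kernel driver]
System.ini->[Boot]\\Shell - Explorer.exe xpjavams.exe
C:\WINNT\system32\dllcache\mscom.exe - ( [Ver = | Size = 87040 bytes | Date = 08/28/2006 17:58 | Attr = RHS])
C:\WINNT\system32\dllcache\mslogon.exe - ( [Ver = | Size = 89088 bytes | Date = 09/05/2006 00:09 | Attr = RHS])
C:\WINNT\SYSTEM32\dllcache\inetcpl.cpl - (Microsoft Corporation [Ver = 6.00.2800.1106 | Size = 292352 bytes | Date = 08/29/2002 07:14 | Attr = ])
C:\WINNT\tsc.exe - UPX! (Trend Micro Inc. [Ver = 3.9.0.1020 | Size = 170053 bytes | Date = 01/10/2005 16:17 | Attr = ])
Hosts file not found -
"""


def parse_service(line):
    """Return the fields of one service line (stripped), or None."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    d = {k: (v or '').strip() for k, v in m.groupdict().items()}
    d['path'] = d['path'].strip('"')      # quoted ImagePaths appear with quotes
    return d


def parse_file(line):
    """Return the fields of one file line (stripped), or None."""
    m = FILE_RE.match(line.strip())
    if not m:
        return None
    return {k: (v or '').strip() for k, v in m.groupdict().items()}


def triage(text):
    """Return (rule, detail) pairs for lines worth a responder's attention."""
    findings = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = SHELL_RE.match(line)
        if m:
            # Winlogon's Shell value normally holds exactly Explorer.exe; every
            # extra token is started at logon alongside the desktop.
            extra = [t for t in m.group('shell').split() if t.lower() != 'explorer.exe']
            if extra:
                findings.append(('shell-extra-exe', ' '.join(extra)))
            continue
        if line.startswith('Hosts file not found'):
            findings.append(('hosts-missing', line))
            continue
        f = parse_file(line)
        if f:
            # dllcache is the Windows File Protection cache. A recent file there
            # with hidden+system attributes and no version resource is not a
            # cached copy of a system file.
            if ('\\dllcache\\' in f['path'].lower() and not f['company']
                    and {'H', 'S'} <= set(f['attr'])):
                findings.append(('hidden-system-file-in-dllcache', f['path']))
            continue
        s = parse_service(line)
        if s:
            if '\\dllcache\\' in s['path'].lower():
                findings.append(('service-in-dllcache', s['name']))
            # An Automatic service whose binary exists but carries no vendor
            # string deserves a look; "(File not found)" stubs are skipped.
            if (s['start'] == 'Automatic' and not s['company']
                    and 'not found' not in s['path'].lower()):
                findings.append(('autostart-service-no-vendor', s['name']))
    return findings


if __name__ == '__main__':
    for rule, detail in triage(SAMPLE_LOG):
        print(f'{rule:32} {detail}')
```

The rules are review heuristics, not verdicts; each hit is a line to pull the file for and inspect. The packer tags WinPFind attaches (UPX!, aspack, PECompact2, FSG!) are deliberately not a rule: in the listing above they fire on vendor files such as vsapi32.dll, tsc.exe and avg7core.sys, so a packer tag by itself says nothing.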
#4
DarrenZ

    Member

  • Topic Starter
  • 22 posts
Here is the rest of the post:

AutoExec.nt: Line 10 - REM Install network redirector (load before dosx.exe)
AutoExec.nt: Line 11 - lh %SystemRoot%\system32\redir
AutoExec.nt: Line 13 - REM Install DPMI support
AutoExec.nt: Line 14 - lh %SystemRoot%\system32\dosx

Miscellaneous Folders

AllUsers ApplicationData Folder
C:\Documents and Settings\All Users\Application Data\hpzinstall.log - ( [Ver = | Size = 273 bytes | Date = 09/16/2006 22:11 | Attr = ])

CurrentUser ApplicationData Folder

Program Files Folder
C:\Program Files\desktop.ini - ( [Ver = | Size = 271 bytes | Date = 02/25/2002 12:39 | Attr = H ])
C:\Program Files\folder.htt - ( [Ver = | Size = 21952 bytes | Date = 02/25/2002 12:39 | Attr = H ])

Common Files Folder
C:\Program Files\Common Files\IRAABOUT.DLL - (Symantec Corp. [Ver = 1.0.0.52 | Size = 99840 bytes | Date = 12/09/1998 11:53 | Attr = ])
C:\Program Files\Common Files\IRALPTTR.DLL - (Symantec Corp., Peter Norton Computing Group [Ver = 1.0.0.110 | Size = 48640 bytes | Date = 12/09/1998 11:53 | Attr = ])
C:\Program Files\Common Files\IRAMDMTR.DLL - (Symantec Corp., Peter Norton Computing Group [Ver = 1.0.0.69 | Size = 70144 bytes | Date = 12/09/1998 11:53 | Attr = ])
C:\Program Files\Common Files\IRAREG.DLL - (Symantec Corp., Peter Norton Computing Group [Ver = 1.0.0.112 | Size = 186368 bytes | Date = 12/09/1998 11:53 | Attr = ])
C:\Program Files\Common Files\IRASRIAL.DLL - (Symantec Corp. [Ver = 1.0.0.58 | Size = 17920 bytes | Date = 12/09/1998 11:53 | Attr = ])
C:\Program Files\Common Files\IRAWEBTR.DLL - (Symantec Corp., Peter Norton Computing Group [Ver = 1.0.0.112 | Size = 31744 bytes | Date = 12/09/1998 11:53 | Attr = ])

DPF files
{00000162-9980-0010-8000-00AA00389B71} - - CodeBase = http://download.micr...4B9/wma9dmo.cab
{04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - HouseCall Control - CodeBase = http://housecall60.t...all/xscan60.cab
{166B1BCA-3F9C-11CF-8075-444553540000} - Shockwave ActiveX Control - CodeBase = http://download.macr...director/sw.cab
{31564D57-0000-0010-8000-00AA00389B71} - - CodeBase = http://codecs.micros.../i386/wmvax.cab
{32505657-9980-0010-8000-00AA00389B71} - - CodeBase = http://download.micr...01F/wmvadvd.cab
{33564D57-0000-0010-8000-00AA00389B71} - - CodeBase = http://download.micr...922/wmv9VCM.CAB
{33564D57-9980-0010-8000-00AA00389B71} - - CodeBase = http://download.micr...D0C/wmv9dmo.cab
{8AD9C840-044E-11D1-B3E9-00805F499D93} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/...indows-i586.cab
{9F1C11AA-197B-4942-BA54-47A8489BB47F} - - CodeBase = http://v4.windowsupd...8418.1821990741
{B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - MsnMessengerSetupDownloadControl Class - CodeBase = http://messenger.msn...pDownloader.cab
{B7E76C25-791F-432E-BDB7-748D01A93FC2} - - CodeBase = http://advnt01.com/d...r/int_ver30.CAB
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/...indows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/...indows-i586.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} - Shockwave Flash Object - CodeBase = http://fpdownload.ma...ent/swflash.cab
DirectAnimation Java Classes - - CodeBase = file://C:\WINNT\Java\classes\dajava.cab
Microsoft XML Parser for Java - - CodeBase = file://C:\WINNT\Java\classes\xmldso.cab

Hosts file (Non-Standard entries only)
Hosts file not found -

< Add On's >

>>>>Output for AddOn file HKCU_IEDesktop.def<<<<

KEY - HKCU\Software\Microsoft\Internet Explorer\Desktop - Include SUBKEYS
HKCU\Software\Microsoft\Internet Explorer\Desktop -
Desktop\Components -
Desktop\Components\\DeskHtmlVersion - 272
Desktop\Components\\DeskHtmlMinorVersion - 3
Desktop\Components\\Settings - 1
Desktop\Components\\GeneralFlags - 1
Desktop\Components\0 -
Desktop\Components\0\\Source - About:Home
Desktop\Components\0\\SubscribedURL - About:Home
Desktop\Components\0\\FriendlyName - My Current Home Page
Desktop\Components\0\\Flags - 8194
Desktop\Components\0\\Position - 2C 00 00 00 A0 00 00 00 00 00 00 00 80 02 00 00 3C 02 00 00 00 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00
Desktop\Components\0\\CurrentState - 04 00 00 40
Desktop\Components\0\\OriginalStateInfo - 18 00 00 00 FF FF 00 00 FF FF 00 00 FF FF FF FF FF FF FF FF 04 00 00 00
Desktop\Components\0\\RestoredStateInfo - 18 00 00 00 68 02 00 00 1F 00 00 00 A8 00 00 00 9E 00 00 00 01 00 00 00
Desktop\General -
Desktop\General\\BackupWallpaper - %SystemRoot%\HP.bmp
Desktop\General\\WallpaperFileTime - 00 20 81 45 CF E7 BF 01
Desktop\General\\WallpaperLocalFileTime - 00 F0 09 09 E0 E7 BF 01
Desktop\General\\ComponentsPositioned - 1
Desktop\SafeMode -
Desktop\SafeMode\General -
Desktop\SafeMode\General\\Wallpaper - %SystemRoot%\Web\SafeMode.htt
Desktop\SafeMode\General\\VisitGallery - 0
Desktop\Scheme -
Desktop\Scheme\\Edit -
Desktop\Scheme\\Display -

>>>>Output for AddOn file Policies.def<<<<

KEY - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies -
policies\ActiveDesktop -
policies\ActiveDesktop\AdminComponent -
policies\NonEnum -
policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} - 1
policies\Ratings -
policies\system -
policies\system\\dontdisplaylastusername - 0
policies\system\\legalnoticecaption -
policies\system\\legalnoticetext -
policies\system\\shutdownwithoutlogon - 1

KEY - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies -
policies\Explorer -
policies\Explorer\\NoDriveTypeAutoRun - 149

>>>>Output for AddOn file Security.def<<<<

KEY - HKLM\SOFTWARE\Microsoft\Security Center - Include SUBKEYS
HKLM\SOFTWARE\Microsoft\Security Center not found. -

KEY - HKLM\SYSTEM\CurrentControlSet\Services\BITS - Include SUBKEYS
HKLM\SYSTEM\CurrentControlSet\Services\BITS -
BITS\\DependOnGroup -
BITS\\DependOnService - Rpcss;SENS;Wmi;
BITS\\Description - Transfers files in the background using idle network bandwidth. If the service is disabled, then any functions that depend on BITS, such as Windows Update or MSN Explorer will be unable to automatically download programs and other information.
BITS\\DisplayName - Background Intelligent Transfer Service
BITS\\ErrorControl - 1
BITS\\ImagePath - %SystemRoot%\System32\svchost.exe -k BITSgroup
BITS\\ObjectName - LocalSystem
BITS\\Start - 3
BITS\\Type - 32
BITS\Parameters -
BITS\Parameters\\ServiceDll - %SystemRoot%\System32\qmgr.dll
BITS\Security -
BITS\Security\\Security - 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 04 00 00 00 00 00 18 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 00 00 00 00 1C 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 72 00 73 00 00 00 18 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 20 02 00 00 00 00 1C 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 72 00 73 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
BITS\Enum -
BITS\Enum\\0 - Root\LEGACY_BITS\0000
BITS\Enum\\Count - 1
BITS\Enum\\NextInstance - 1

KEY - HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess - Include SUBKEYS
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess -
SharedAccess\\Type - 288
SharedAccess\\Start - 4
SharedAccess\\ErrorControl - 1
SharedAccess\\ImagePath - %SystemRoot%\System32\svchost.exe -k netsvcs
SharedAccess\\DisplayName - Internet Connection Sharing
SharedAccess\\DependOnService - RasMan;
SharedAccess\\DependOnGroup -
SharedAccess\\ObjectName - LocalSystem
SharedAccess\\Description - Provides network address translation, addressing, and name resolution services for all computers on your home network through a dial-up connection.
SharedAccess\Parameters -
SharedAccess\Parameters\\ServiceDll - %SystemRoot%\System32\ipnathlp.dll
SharedAccess\Security -
SharedAccess\Security\\Security - 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 04 00 00 00 00 00 18 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 20 02 00 00 00 00 1C 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 00 00 00 00 18 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 20 02 00 00 00 00 1C 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 00 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00

KEY - HKLM\SYSTEM\CurrentControlSet\Services\wuauserv - Include SUBKEYS
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv -
wuauserv\\Description - Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site.
wuauserv\\DisplayName - Automatic Updates
wuauserv\\ErrorControl - 1
wuauserv\\ImagePath - %systemroot%\system32\svchost.exe -k wugroup
wuauserv\\ObjectName - LocalSystem
wuauserv\\Start - 4
wuauserv\\Type - 32
wuauserv\Parameters -
wuauserv\Parameters\\ServiceDll - C:\WINNT\system32\wuauserv.dll
wuauserv\Security -
wuauserv\Security\\Security - 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 04 00 00 00 00 00 18 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 00 00 00 00 1C 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 34 00 00 00 18 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 20 02 00 00 00 00 1C 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 00 00 34 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
wuauserv\Enum -
wuauserv\Enum\\0 - Root\LEGACY_WUAUSERV\0000
wuauserv\Enum\\Count - 1
wuauserv\Enum\\NextInstance - 1

>>>>Output for AddOn file SID_Run_Policies.def<<<<

KEY - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run - No SUBKEYS
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run -
Run\\internat.exe - internat.exe
Run\\AVG7_Run - C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE

KEY - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run - No SUBKEYS
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run not found. -

KEY - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies - Include SUBKEYS
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies -
Policies\Explorer -
Policies\Explorer\\NoDriveTypeAutoRun - 149

KEY - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies - Include SUBKEYS
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies not found. -

< End of report >

#5 DarrenZ (Topic Starter, Member, 22 posts)
Administrator - Sun 09/17/2006 10:42:40.62 Service Pack 4
ComboFix 06.09.14 - Running from: C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.007\Desktop

((((((((((((((((((((((((((((((( Files Created from 2006-08-17 to 2006-09-17 ))))))))))))))))))))))))))))))))))


2006-09-16 21:20 180,736 --a------ C:\javanet.exe
2006-09-15 22:41 180,736 --a------ C:\xpjavams.exe
2006-09-07 16:48 0 --a------ C:\WINNT\system32\11235_netapi.exe
2006-09-05 15:48 0 --a------ C:\WINNT\system32\07686_netapi.exe
2006-09-02 22:32 98,816 --a------ C:\WINNT\system32\dmstyle.dll
2006-09-02 22:32 974,848 --a------ C:\WINNT\system32\dxdiag.exe
2006-09-02 22:32 80,896 --a------ C:\WINNT\system32\dpvsetup.exe
2006-09-02 22:32 797,184 --a------ C:\WINNT\system32\d3dim700.dll
2006-09-02 22:32 79,360 --a------ C:\WINNT\system32\dpwsockx.dll
2006-09-02 22:32 77,824 --a------ C:\WINNT\system32\dpmodemx.dll
2006-09-02 22:32 76,800 --a------ C:\WINNT\system32\dmscript.dll
2006-09-02 22:32 733,184 --a------ C:\WINNT\system32\qedwipes.dll
2006-09-02 22:32 723,968 --a------ C:\WINNT\system32\dpnet.dll
2006-09-02 22:32 7,168 --a------ C:\WINNT\system32\d3d8thk.dll
2006-09-02 22:32 68,096 --a------ C:\WINNT\system32\dpnhupnp.dll
2006-09-02 22:32 664,576 --a------ C:\WINNT\system32\dinput8.dll
2006-09-02 22:32 645,120 --a------ C:\WINNT\system32\dinput.dll
2006-09-02 22:32 64,512 --a------ C:\WINNT\system32\amstream.dll
2006-09-02 22:32 602,624 --a------ C:\WINNT\system32\dx7vb.dll
2006-09-02 22:32 591,120 --a------ C:\WINNT\system32\d3dramp.dll
2006-09-02 22:32 58,368 --a------ C:\WINNT\system32\dmcompos.dll
2006-09-02 22:32 491,520 --a------ C:\WINNT\system32\dsdmoprp.dll
2006-09-02 22:32 49,424 --a------ C:\WINNT\system32\d3dxof.dll
2006-09-02 22:32 480,256 --a------ C:\WINNT\system32\msvidctl.dll
2006-09-02 22:32 470,528 --a------ C:\WINNT\system32\qdvd.dll
2006-09-02 22:32 47,104 --a------ C:\WINNT\system32\wstdecod.dll
2006-09-02 22:32 46,592 --a------ C:\WINNT\system32\dxdllreg.exe
2006-09-02 22:32 459,264 --a------ C:\WINNT\system32\diactfrm.dll
2006-09-02 22:32 446,224 --a------ C:\WINNT\system32\d3dim.dll
2006-09-02 22:32 44,032 --a------ C:\WINNT\system32\dimap.dll
2006-09-02 22:32 4,096 --a------ C:\WINNT\system32\ksuser.dll
2006-09-02 22:32 381,952 --a------ C:\WINNT\system32\dsound.dll
2006-09-02 22:32 381,952 --a------ C:\WINNT\system32\dpvoice.dll
2006-09-02 22:32 37,648 --a------ C:\WINNT\system32\d3dpmesh.dll
2006-09-02 22:32 364,816 --a------ C:\WINNT\system32\d3drm.dll
2006-09-02 22:32 354,816 --a------ C:\WINNT\system32\psisdecd.dll
2006-09-02 22:32 34,304 --a------ C:\WINNT\system32\mciqtz32.dll
2006-09-02 22:32 33,280 --a------ C:\WINNT\system32\dmloader.dll
2006-09-02 22:32 324,096 --a------ C:\WINNT\system32\mswebdvd.dll
2006-09-02 22:32 32,768 --a------ C:\WINNT\system32\dpnhpast.dll
2006-09-02 22:32 316,928 --a------ C:\WINNT\system32\qdv.dll
2006-09-02 22:32 31,744 --a------ C:\WINNT\system32\pid.dll
2006-09-02 22:32 3,072 --a------ C:\WINNT\system32\dpnlobby.dll
2006-09-02 22:32 3,072 --a------ C:\WINNT\system32\dpnaddr.dll
2006-09-02 22:32 292,864 --a------ C:\WINNT\system32\ddraw.dll
2006-09-02 22:32 28,160 --a------ C:\WINNT\system32\dplaysvr.exe
2006-09-02 22:32 27,136 --a------ C:\WINNT\system32\dmband.dll
2006-09-02 22:32 257,024 --a------ C:\WINNT\system32\qcap.dll
2006-09-02 22:32 230,400 --a------ C:\WINNT\system32\dplayx.dll
2006-09-02 22:32 206,336 --a------ C:\WINNT\system32\gcdef.dll
2006-09-02 22:32 19,968 --a------ C:\WINNT\system32\dpvacm.dll
2006-09-02 22:32 186,880 --a------ C:\WINNT\system32\dsdmo.dll
2006-09-02 22:32 181,248 --a------ C:\WINNT\system32\dmime.dll
2006-09-02 22:32 18,944 --a------ C:\WINNT\system32\encapi.dll
2006-09-02 22:32 18,432 --a------ C:\WINNT\system32\dswave.dll
2006-09-02 22:32 173,056 --a------ C:\WINNT\system32\qasf.dll
2006-09-02 22:32 16,896 --a------ C:\WINNT\system32\msyuv.dll
2006-09-02 22:32 16,896 --a------ C:\WINNT\system32\dpnsvr.exe
2006-09-02 22:32 132,608 --a------ C:\WINNT\system32\devenum.dll
2006-09-02 22:32 13,312 --a------ C:\WINNT\system32\msdmo.dll
2006-09-02 22:32 122,880 --a------ C:\WINNT\system32\dmusic.dll
2006-09-02 22:32 112,128 --a------ C:\WINNT\system32\dpvvox.dll
2006-09-02 22:32 100,864 --a------ C:\WINNT\system32\dmsynth.dll
2006-09-02 22:32 1,962,496 --a------ C:\WINNT\system32\quartz.dll
2006-09-02 22:32 1,798,144 --a------ C:\WINNT\system32\qedit.dll
2006-09-02 22:32 1,769,472 --a------ C:\WINNT\system32\dxdiagn.dll
2006-09-02 22:32 1,703,936 --a------ C:\WINNT\system32\d3d9.dll
2006-09-02 22:32 1,294,336 --a------ C:\WINNT\system32\dsound3d.dll
2006-09-02 22:32 1,201,152 --a------ C:\WINNT\system32\d3d8.dll
2006-09-02 22:32 1,189,888 --a------ C:\WINNT\system32\dx8vb.dll
2006-09-02 22:31 86,016 -ra------ C:\WINNT\CtDrvIns.exe
2006-09-02 22:31 57,344 -ra------ C:\WINNT\system32\P0620Hwx.dll
2006-09-02 22:31 51,472 --a------ C:\WINNT\system32\vfwwdm32.dll
2006-09-02 22:31 36,864 -ra------ C:\WINNT\system32\P0620Pin.dll
2006-09-02 22:31 36,864 -ra------ C:\WINNT\system32\CtRegApp.dll
2006-09-02 22:31 36,864 -ra------ C:\WINNT\system32\CtCamMgr.dll
2006-09-02 22:31 32,768 -ra------ C:\WINNT\system32\p0620sti.dll
2006-09-02 22:31 20,480 -ra------ C:\WINNT\system32\P0620Srv.exe
2006-09-02 22:31 20,480 -ra------ C:\WINNT\P0620Cfg.exe
2006-09-02 22:31 126,976 -ra------ C:\WINNT\system32\P0620Vfw.dll
2006-09-02 22:28 24,576 -ra------ C:\WINNT\system32\P0620Aor.dll
2006-09-02 22:23 24,576 --------- C:\WINNT\system32\CTWEBFUN.DLL


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files
2006-09-17 10:11 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-17 10:11 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-17 09:55 -------- d-a------ C:\Program Files\Common Files
2006-09-17 09:55 -------- d-a------ C:\Program Files\Common Files
2006-09-17 09:55 -------- d-------- C:\Program Files\Windows Media Player
2006-09-17 09:55 -------- d-------- C:\Program Files\Windows Media Player
2006-09-17 09:55 -------- d-------- C:\Program Files\Outlook Express
2006-09-17 09:55 -------- d-------- C:\Program Files\Outlook Express
2006-09-17 09:55 -------- d-------- C:\Program Files\Common Files\System
2006-09-17 09:55 -------- d-------- C:\Program Files\Common Files\Services
2006-09-15 18:18 -------- d-------- C:\Program Files\Internet Explorer
2006-09-15 18:18 -------- d-------- C:\Program Files\Internet Explorer
2006-09-15 18:09 -------- d-------- C:\Program Files\Java
2006-09-15 18:09 -------- d-------- C:\Program Files\Java
2006-09-15 18:06 -------- d-------- C:\Program Files\Common Files\Java
2006-09-02 22:31 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-02 22:31 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-02 22:23 -------- d-------- C:\Program Files\Creative
2006-09-02 22:23 -------- d-------- C:\Program Files\Creative
2006-08-24 21:49 777472 --a------ C:\WINNT\system32\drivers\avg7core.sys
2006-08-24 21:49 27904 --a------ C:\WINNT\system32\drivers\avg7rsxp.sys
2006-08-24 21:49 26912 --a------ C:\WINNT\system32\drivers\avg7rsnt.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"MS Java for Windows NT, XP & ME"="xpjavams.exe"
"MS Java Service Wrapper for Windows NT & XP"="wrapper.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"
"NGClient"="D:\\Program Files\\Symantec\\Ghost\\ngctw32.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
"PD0620 STISvc"="RunDLL32.exe P0620Pin.dll,RunDLL32EP 513"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"MS Java for Windows NT, XP & ME"="xpjavams.exe"
"MS Java Service Wrapper for Windows NT & XP"="wrapper.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00002002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3c,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,68,02,00,00,1f,00,00,00,a8,00,00,00,9e,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"MS Java for Windows NT, XP & ME"="xpjavams.exe"
"MS Java Service Wrapper for Windows NT & XP"="wrapper.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\Symantec NetDetect.job

Completion time: Sun 2006-09-17 10:44:55.75
ComboFix.txt

#6 Armodeluxe (Retired Staff, Member 2k, 2,744 posts)
Please download the Killbox.

Do not run it yet.

Please save these instructions in Notepad as a text file; you will need to do some copying and pasting in Safe Mode.

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • Please run Killbox.
  • Select "Delete on Reboot". Click on "All Files".
  • Copy the file names below to the clipboard by highlighting them and pressing Control-C:

    C:\WINNT\system32\dllcache\mslogon.exe
    C:\WINNT\system32\dllcache\mscom.exe
    C:\javanet.exe
    C:\xpjavams.exe
    C:\WINNT\system32\11235_netapi.exe
    C:\WINNT\system32\07686_netapi.exe
    C:\WINNT\RMAgentOutput.dll
  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "NO" at the Do You Want to Reboot Now prompt.
  • Right-click the SDFix.zip folder and choose Extract All.
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan services, then make some repairs to the registry and prompt you to press any key to reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log if you can run it.


#7 DarrenZ (Topic Starter, Member, 22 posts)
Ok, so I was out of town for one day and just got back. I followed your instructions exactly and it all went smoothly until the very end. When the computer restarted and the screen popped up saying that the fixtool was running and would take 2-3 minutes, an error message came up after about a minute saying that it was unable to execute the program, and then it just froze up.

Here is the report it generated, as well as a HijackThis log file that I was finally able to download and run:


SDFix: Version 1.24
-------------------------

Tue 09/19/2006
12:48a


Microsoft Windows 2000 [Version 5.00.2195]

Running from: C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.007\Desktop\sdfix\SDFix


Stage One...


Checking Services...

Name:
-------

Microsoft Logon Service
MSCom

Path:
-------

"C:\WINNT\system32\dllcache\mslogon.exe"
"C:\WINNT\system32\dllcache\mscom.exe"


Microsoft Logon Service ... deleted
MSCom ... deleted


Repairing Registry...



Killing PID 432 'xpjavams.exe'


Restoring Default Hosts File...

Stage One Complete

Rebooting!

Stage Two...

Registry Cleaning Finished...

Checking For Malware Files:
----------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 01:11:32, on 19/09/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINNT\System32\svchost.exe
D:\Program Files\Symantec\Ghost\ngctw32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\RunDLL32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINNT\system32\internat.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.007\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NGClient] D:\Program Files\Symantec\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B7E76C25-791F-432E-BDB7-748D01A93FC2} - http://advnt01.com/d...r/int_ver30.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{56721B3E-4034-485A-8B3A-605DE516D296}: NameServer = 192.115.106.35 62.219.186.7
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: e-DiagTools LAN Configuration Agent (edtlancfg) - Unknown owner - C:\Program Files\HP\e-DiagTools\Service.exe
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec New Zealand Limited - D:\Program Files\Symantec\Ghost\ngctw32.exe

#8 Armodeluxe (Retired Staff, Member 2k, 2,744 posts)
It took everything out of memory, but may not have removed all the files. Please run it again to make sure and post the new log along with a new combofix log and let's see if there are any leftovers.

Also under your C:\ drive there will be a folder named !Killbox. Look in that folder and tell me if there are any files in there. Do not click on any of the files, just look and close the folder!!
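The check Armodeluxe asks for here, comparing the new ComboFix log against the earlier one for leftovers, can be done mechanically rather than by eye. The script below is an added example for this thread; it is not part of the original posts and is not ComboFix, SDFix or Killbox code. Its parsing rules are assumptions taken from the layout visible in the posted reports (a `date time size attrs path` row in the file sections, a `[key]` header followed by `"name"=data` rows in the Reg Loading Points section), and the two embedded excerpts are trimmed from the reports DarrenZ posted before and after the Killbox/SDFix run. The suspect list is the Killbox list from post #6.

```python
"""Diff two ComboFix reports to spot leftovers after a cleanup.

Added example for this thread: not part of the original posts and not
ComboFix, SDFix or Killbox code. Parsing rules are assumptions taken from
the layout visible in the posted reports; the two excerpts are trimmed
from the reports posted before and after the Killbox/SDFix run.
"""
import re

# "Files Created" / "Find3M" rows: date time size attrs path, e.g.
#   2006-09-16 21:20 180,736 --a------ C:\javanet.exe
FILE_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) ([\d,]+|-+) (\S+) (.+)$")
# "Reg Loading Points" rows: a [key] header followed by "name"=data lines
KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_report(text):
    """files: lower-cased path -> (size, attrs), directory rows skipped;
    values: (lower-cased key, lower-cased name) -> raw data string."""
    files, values, key = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_LINE.match(line)
        if m:
            _date, _time, size, attrs, path = m.groups()
            if not attrs.startswith("d"):          # keep files, drop directories
                files[path.lower()] = (size, attrs)
            continue
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = VALUE_LINE.match(line)
        if m and key is not None:
            values[(key, m.group(1).lower())] = m.group(2)
    return files, values


def leftovers(before, after, suspects):
    """suspects are the full paths the helper asked to delete. Report which
    vanished, which are still listed, which autostart values in the 'after'
    report still name one of them, and which autostart values came and went."""
    b_files, b_vals = parse_report(before)
    a_files, a_vals = parse_report(after)
    names = {p.rsplit("\\", 1)[-1].lower() for p in suspects}
    return {
        "removed": sorted(p for p in suspects
                          if p.lower() in b_files and p.lower() not in a_files),
        "still_present": sorted(p for p in suspects if p.lower() in a_files),
        "stale_autostarts": sorted(f"{k} -> {n} = {d}" for (k, n), d in a_vals.items()
                                   if any(name in d.lower() for name in names)),
        "new_autostarts": sorted(f"{k} -> {n}" for (k, n) in a_vals if (k, n) not in b_vals),
        "dropped_autostarts": sorted(f"{k} -> {n}" for (k, n) in b_vals if (k, n) not in a_vals),
    }


# Trimmed excerpt of the 2006-09-17 report (before the Killbox/SDFix run).
BEFORE = r"""
2006-09-16 21:20 180,736 --a------ C:\javanet.exe
2006-09-15 22:41 180,736 --a------ C:\xpjavams.exe
2006-09-07 16:48 0 --a------ C:\WINNT\system32\11235_netapi.exe
2006-09-05 15:48 0 --a------ C:\WINNT\system32\07686_netapi.exe
2006-09-02 22:32 98,816 --a------ C:\WINNT\system32\dmstyle.dll
2006-09-17 10:11 -------- d-------- C:\Program Files\Mozilla Firefox
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"MS Java for Windows NT, XP & ME"="xpjavams.exe"
"MS Java Service Wrapper for Windows NT & XP"="wrapper.exe"
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"MS Java for Windows NT, XP & ME"="xpjavams.exe"
"MS Java Service Wrapper for Windows NT & XP"="wrapper.exe"
"""

# Trimmed excerpt of the 2006-09-19 report (after the run).
AFTER = r"""
2006-09-02 22:32 98,816 --a------ C:\WINNT\system32\dmstyle.dll
2006-09-19 22:54 -------- d-------- C:\Program Files\Mozilla Firefox
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"MS Java for Windows NT, XP & ME"="xpjavams.exe"
"MS Java Service Wrapper for Windows NT & XP"="wrapper.exe"
"""

# The Killbox list from post #6.
SUSPECTS = [r"C:\WINNT\system32\dllcache\mslogon.exe", r"C:\WINNT\system32\dllcache\mscom.exe",
            r"C:\javanet.exe", r"C:\xpjavams.exe", r"C:\WINNT\system32\11235_netapi.exe",
            r"C:\WINNT\system32\07686_netapi.exe", r"C:\WINNT\RMAgentOutput.dll"]


def run_example():
    return leftovers(BEFORE, AFTER, SUSPECTS)


if __name__ == "__main__":
    for label, items in run_example().items():
        print(label, *items, sep="\n  ")
```

On these excerpts the four files from C:\ and system32 show up as removed, nothing from the list is still present, and the one stale autostart is the HKU\.DEFAULT Runservices value that still points at xpjavams.exe; that is the kind of entry a second pass has to clean by hand even after the file itself is gone. Run it against the full reports (paste them into BEFORE and AFTER) to get the complete picture.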

#9 DarrenZ (Topic Starter, Member, 22 posts)
Ok, I ran the RunThis.bat file again and experienced the same problem as before. Once the computer restarted, it showed an error message saying "the program could not execute the specified program" and then it froze up. I had to exit the program to allow the computer to load the rest of the way.

Here is the report it generated:


SDFix: Version 1.24
-------------------------

Tue 2006-09-19
22:43


Microsoft Windows 2000 [Version 5.00.2195]

Running from: C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.007\Desktop\sdfix\SDFix


Stage One...


Checking Services...

Name:
-------


Path:
-------





Repairing Registry...





Restoring Default Hosts File...

Stage One Complete

Rebooting!

Stage Two...

Registry Cleaning Finished...

Checking For Malware Files:
----------------------------------


Here is a copy of the combofix report:

Administrator - Tue 2006-09-19 23:01:36.06 Service Pack 4
ComboFix 06.09.14 - Running from: C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.007\Desktop

((((((((((((((((((((((((((((((( Files Created from 2006-08-19 to 2006-09-19 ))))))))))))))))))))))))))))))))))


2006-09-02 22:32 98,816 --a------ C:\WINNT\system32\dmstyle.dll
2006-09-02 22:32 974,848 --a------ C:\WINNT\system32\dxdiag.exe
2006-09-02 22:32 80,896 --a------ C:\WINNT\system32\dpvsetup.exe
2006-09-02 22:32 797,184 --a------ C:\WINNT\system32\d3dim700.dll
2006-09-02 22:32 79,360 --a------ C:\WINNT\system32\dpwsockx.dll
2006-09-02 22:32 77,824 --a------ C:\WINNT\system32\dpmodemx.dll
2006-09-02 22:32 76,800 --a------ C:\WINNT\system32\dmscript.dll
2006-09-02 22:32 733,184 --a------ C:\WINNT\system32\qedwipes.dll
2006-09-02 22:32 723,968 --a------ C:\WINNT\system32\dpnet.dll
2006-09-02 22:32 7,168 --a------ C:\WINNT\system32\d3d8thk.dll
2006-09-02 22:32 68,096 --a------ C:\WINNT\system32\dpnhupnp.dll
2006-09-02 22:32 664,576 --a------ C:\WINNT\system32\dinput8.dll
2006-09-02 22:32 645,120 --a------ C:\WINNT\system32\dinput.dll
2006-09-02 22:32 64,512 --a------ C:\WINNT\system32\amstream.dll
2006-09-02 22:32 602,624 --a------ C:\WINNT\system32\dx7vb.dll
2006-09-02 22:32 591,120 --a------ C:\WINNT\system32\d3dramp.dll
2006-09-02 22:32 58,368 --a------ C:\WINNT\system32\dmcompos.dll
2006-09-02 22:32 491,520 --a------ C:\WINNT\system32\dsdmoprp.dll
2006-09-02 22:32 49,424 --a------ C:\WINNT\system32\d3dxof.dll
2006-09-02 22:32 480,256 --a------ C:\WINNT\system32\msvidctl.dll
2006-09-02 22:32 470,528 --a------ C:\WINNT\system32\qdvd.dll
2006-09-02 22:32 47,104 --a------ C:\WINNT\system32\wstdecod.dll
2006-09-02 22:32 46,592 --a------ C:\WINNT\system32\dxdllreg.exe
2006-09-02 22:32 459,264 --a------ C:\WINNT\system32\diactfrm.dll
2006-09-02 22:32 446,224 --a------ C:\WINNT\system32\d3dim.dll
2006-09-02 22:32 44,032 --a------ C:\WINNT\system32\dimap.dll
2006-09-02 22:32 4,096 --a------ C:\WINNT\system32\ksuser.dll
2006-09-02 22:32 381,952 --a------ C:\WINNT\system32\dsound.dll
2006-09-02 22:32 381,952 --a------ C:\WINNT\system32\dpvoice.dll
2006-09-02 22:32 37,648 --a------ C:\WINNT\system32\d3dpmesh.dll
2006-09-02 22:32 364,816 --a------ C:\WINNT\system32\d3drm.dll
2006-09-02 22:32 354,816 --a------ C:\WINNT\system32\psisdecd.dll
2006-09-02 22:32 34,304 --a------ C:\WINNT\system32\mciqtz32.dll
2006-09-02 22:32 33,280 --a------ C:\WINNT\system32\dmloader.dll
2006-09-02 22:32 324,096 --a------ C:\WINNT\system32\mswebdvd.dll
2006-09-02 22:32 32,768 --a------ C:\WINNT\system32\dpnhpast.dll
2006-09-02 22:32 316,928 --a------ C:\WINNT\system32\qdv.dll
2006-09-02 22:32 31,744 --a------ C:\WINNT\system32\pid.dll
2006-09-02 22:32 3,072 --a------ C:\WINNT\system32\dpnlobby.dll
2006-09-02 22:32 3,072 --a------ C:\WINNT\system32\dpnaddr.dll
2006-09-02 22:32 292,864 --a------ C:\WINNT\system32\ddraw.dll
2006-09-02 22:32 28,160 --a------ C:\WINNT\system32\dplaysvr.exe
2006-09-02 22:32 27,136 --a------ C:\WINNT\system32\dmband.dll
2006-09-02 22:32 257,024 --a------ C:\WINNT\system32\qcap.dll
2006-09-02 22:32 230,400 --a------ C:\WINNT\system32\dplayx.dll
2006-09-02 22:32 206,336 --a------ C:\WINNT\system32\gcdef.dll
2006-09-02 22:32 19,968 --a------ C:\WINNT\system32\dpvacm.dll
2006-09-02 22:32 186,880 --a------ C:\WINNT\system32\dsdmo.dll
2006-09-02 22:32 181,248 --a------ C:\WINNT\system32\dmime.dll
2006-09-02 22:32 18,944 --a------ C:\WINNT\system32\encapi.dll
2006-09-02 22:32 18,432 --a------ C:\WINNT\system32\dswave.dll
2006-09-02 22:32 173,056 --a------ C:\WINNT\system32\qasf.dll
2006-09-02 22:32 16,896 --a------ C:\WINNT\system32\msyuv.dll
2006-09-02 22:32 16,896 --a------ C:\WINNT\system32\dpnsvr.exe
2006-09-02 22:32 132,608 --a------ C:\WINNT\system32\devenum.dll
2006-09-02 22:32 13,312 --a------ C:\WINNT\system32\msdmo.dll
2006-09-02 22:32 122,880 --a------ C:\WINNT\system32\dmusic.dll
2006-09-02 22:32 112,128 --a------ C:\WINNT\system32\dpvvox.dll
2006-09-02 22:32 100,864 --a------ C:\WINNT\system32\dmsynth.dll
2006-09-02 22:32 1,798,144 --a------ C:\WINNT\system32\qedit.dll
2006-09-02 22:32 1,769,472 --a------ C:\WINNT\system32\dxdiagn.dll
2006-09-02 22:32 1,703,936 --a------ C:\WINNT\system32\d3d9.dll
2006-09-02 22:32 1,294,336 --a------ C:\WINNT\system32\dsound3d.dll
2006-09-02 22:32 1,227,776 --a------ C:\WINNT\system32\quartz.dll
2006-09-02 22:32 1,201,152 --a------ C:\WINNT\system32\d3d8.dll
2006-09-02 22:32 1,189,888 --a------ C:\WINNT\system32\dx8vb.dll
2006-09-02 22:31 86,016 -ra------ C:\WINNT\CtDrvIns.exe
2006-09-02 22:31 57,344 -ra------ C:\WINNT\system32\P0620Hwx.dll
2006-09-02 22:31 51,472 --a------ C:\WINNT\system32\vfwwdm32.dll
2006-09-02 22:31 36,864 -ra------ C:\WINNT\system32\P0620Pin.dll
2006-09-02 22:31 36,864 -ra------ C:\WINNT\system32\CtRegApp.dll
2006-09-02 22:31 36,864 -ra------ C:\WINNT\system32\CtCamMgr.dll
2006-09-02 22:31 32,768 -ra------ C:\WINNT\system32\p0620sti.dll
2006-09-02 22:31 20,480 -ra------ C:\WINNT\system32\P0620Srv.exe
2006-09-02 22:31 20,480 -ra------ C:\WINNT\P0620Cfg.exe
2006-09-02 22:31 126,976 -ra------ C:\WINNT\system32\P0620Vfw.dll
2006-09-02 22:28 24,576 -ra------ C:\WINNT\system32\P0620Aor.dll
2006-09-02 22:23 24,576 --------- C:\WINNT\system32\CTWEBFUN.DLL


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-19 22:54 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-19 00:53 -------- d-------- C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.007\Application Data\AVG7
2006-09-19 00:19 -------- d-a------ C:\Program Files\Common Files\Microsoft Shared
2006-09-19 00:19 -------- d-a------ C:\Program Files\Common Files
2006-09-19 00:19 -------- d-------- C:\Program Files\Windows Media Player
2006-09-19 00:19 -------- d-------- C:\Program Files\Outlook Express
2006-09-19 00:19 -------- d-------- C:\Program Files\Common Files\System
2006-09-19 00:19 -------- d-------- C:\Program Files\Common Files\Services
2006-09-19 00:19 -------- d-------- C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.007\Application Data\Identities
2006-09-17 10:12 -------- d-------- C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.007\Application Data\Macromedia
2006-09-17 10:11 -------- d-------- C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.007\Application Data\Talkback
2006-09-17 10:11 -------- d-------- C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.007\Application Data\Mozilla
2006-09-16 22:41 -------- d---s---- C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.007\Application Data\Microsoft
2006-09-15 18:18 -------- d-------- C:\Program Files\Internet Explorer
2006-09-15 18:09 -------- d-------- C:\Program Files\Java
2006-09-15 18:06 -------- d-------- C:\Program Files\Common Files\Java
2006-09-02 22:31 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-02 22:23 -------- d-------- C:\Program Files\Creative
2006-08-24 21:49 777472 --a------ C:\WINNT\system32\drivers\avg7core.sys
2006-08-24 21:49 27904 --a------ C:\WINNT\system32\drivers\avg7rsxp.sys
2006-08-24 21:49 26912 --a------ C:\WINNT\system32\drivers\avg7rsnt.sys
2006-08-22 12:48 136912 --------- C:\WINNT\system32\drivers\fltmgr.sys
2006-07-25 07:08 840976 --a------ C:\WINNT\system32\mmcndmgr.dll
2006-07-21 17:08 72704 --a------ C:\WINNT\system32\hlink.dll
2006-07-06 13:45 96528 --a------ C:\WINNT\system32\dnsrslvr.dll
2006-07-06 11:52 613648 --a------ C:\WINNT\system32\mmc.exe
2006-06-27 10:30 1427728 --a------ C:\WINNT\system32\query.dll
2006-06-21 08:52 54544 --a------ C:\WINNT\system32\mpr.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"
"NGClient"="D:\\Program Files\\Symantec\\Ghost\\ngctw32.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
"PD0620 STISvc"="RunDLL32.exe P0620Pin.dll,RunDLL32EP 513"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00002002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3c,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,68,02,00,00,1f,00,00,00,a8,00,00,00,9e,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"MS Java for Windows NT, XP & ME"="xpjavams.exe"
"MS Java Service Wrapper for Windows NT & XP"="wrapper.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\Symantec NetDetect.job

Completion time: Tue 2006-09-19 23:04:18.68
ComboFix.txt
ComboFix2.txt

In the killbox folder I found the following files:

07686_netapi
11234_netapi
mscom.exe
mslogon.exe
RMAgentOutput.dll
xpjavams

Thanks for all your help.

#10 Armodeluxe (Retired Staff, 2,744 posts)
Go to the C:\!Killbox folder, right click it, then choose Send To > Compressed (zipped) folder. This will add a second item there named !Killbox.zip. Right click that file and choose Explore, then from the menu bar at the top choose File > Add a Password. Make the password malware (all lowercase letters).

Please email the password-protected zip file to
AndyManchesta(AT)hotmail.com (replace (AT) with @).

You can then delete the !Killbox folder and the !Killbox.zip file. Also delete the SDFix folder.

Now please copy the following text in the code box to Notepad. Make sure there is no empty line above REGEDIT4. In Notepad go to File > Save As. Name it Fixit.reg, in the drop down box at the bottom choose "All Files", and save it on your desktop. Then double click on Fixit.reg and let it merge with the registry.

REGEDIT4

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"MS Java for Windows NT, XP & ME"=-
"MS Java Service Wrapper for Windows NT & XP"=-

Please do an online scan with Kaspersky WebScanner. If you have any quarantined items in your antivirus, please delete those archives before the scan.

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

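The two values that Fixit.reg above deletes are exactly the kind of entry a reviewer picks out of a "Reg Loading Points" dump by hand: a bare executable name with no path, sitting under a RunServices key. The script below is an added example, not code from WinPFind, ComboFix or this thread; it parses a dump in the layout posted earlier in the thread (the SAMPLE_DUMP is a constructed cut-down copy), flags entries that deserve a second look, and writes a REGEDIT4 removal file using the same "name"=- delete syntax as Fixit.reg, with REGEDIT4 on the very first line as the instructions require. The flagging rules are heuristics of my own, not a verdict: internat.exe in the sample trips the bare-filename rule and is a normal Windows component, which is why the removal file is built only from entries a person has chosen.

```python
"""Triage WinPFind-style 'Reg Loading Points' output and build a REGEDIT4 removal
file.  Added example; not part of WinPFind, ComboFix or the helper's fix."""
import re
from collections import OrderedDict
from typing import List, NamedTuple, Tuple


class AutorunEntry(NamedTuple):
    key: str                  # registry key the value sits under
    name: str                 # value name
    command: str              # command line, with .reg escaping removed
    reasons: Tuple[str, ...]  # why it deserves a look (empty = looks ordinary)


# Constructed sample in the same layout as the dump posted in the thread (a few entries only).
SAMPLE_DUMP = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"MS Java for Windows NT, XP & ME"="xpjavams.exe"
"MS Java Service Wrapper for Windows NT & XP"="wrapper.exe"
"""

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"=(.*)$')


def _unescape(s: str) -> str:
    # Undo .reg escaping (backslash-backslash and backslash-quote) in a single pass.
    return re.sub(r'\\(.)', r'\1', s)


def _executable(command: str) -> str:
    """First token of a command line: the quoted program path, or the first word."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ''


def _flag(key: str, command: str) -> Tuple[str, ...]:
    """Heuristics only: a hit means 'check this by hand', not 'this is malware'."""
    reasons = []
    exe = _executable(command)
    if exe and not re.search(r'[\\:]', exe):
        # No directory at all: the entry says nothing about where the file lives,
        # and Windows has to go looking for it (internat.exe is a benign hit).
        reasons.append('bare filename without a path')
    if key.lower().endswith('\\runservices'):
        # Windows 9x-era autostart key; installers on NT/2000 have little reason to use it.
        reasons.append('RunServices key')
    return tuple(reasons)


def parse_loading_points(text: str) -> List[AutorunEntry]:
    """Walk the dump, keeping string values (commands) and skipping dword:/hex: data."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            continue                      # hex continuation lines, headers, blanks
        name, data = m.group(1), m.group(2)
        if len(data) < 2 or not (data.startswith('"') and data.endswith('"')):
            continue                      # not a string value, so not a command
        command = _unescape(data[1:-1])
        entries.append(AutorunEntry(key, _unescape(name), command, _flag(key, command)))
    return entries


def make_removal_reg(entries: List[AutorunEntry]) -> str:
    """REGEDIT4 text that deletes the given values ("name"=- is the delete syntax).
    REGEDIT4 is on the very first line, as the instructions in the thread require."""
    by_key = OrderedDict()
    for e in entries:
        by_key.setdefault(e.key, []).append(e.name)
    lines = ['REGEDIT4', '']
    for key, names in by_key.items():
        lines.append('[%s]' % key)
        for n in names:
            lines.append('"%s"=-' % n.replace('\\', '\\\\').replace('"', '\\"'))
        lines.append('')
    return '\r\n'.join(lines)


if __name__ == '__main__':
    found = parse_loading_points(SAMPLE_DUMP)
    for e in found:
        print('!' if e.reasons else ' ', e.name, '->', e.command, '; '.join(e.reasons))
    # Only the RunServices entries go into the fix; the bare-filename hit (internat.exe)
    # is a Windows component and stays after review.
    chosen = [e for e in found if 'RunServices key' in e.reasons]
    print(make_removal_reg(chosen))
```

Run it as a script and it prints each entry with a "!" marker where a rule fired, followed by the generated .reg text for the RunServices entries only; save that text with a .reg extension and it merges the same way Fixit.reg does.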



#11 DarrenZ (Topic Starter, Member, 22 posts)
Thanks for your reply. I am using Windows 2000 and I think I should have mentioned this before. Actually this is my girlfriend's mother's computer and I am helping her fix it. I made the zip file of the killbox folder but am unable to put a password on it. When I right click on the folder there is no Explore option. Can you please tell me what to do instead or how to add a password?

Thanks

#12 Armodeluxe (Retired Staff, 2,744 posts)
Please go here:
The Spy Killer Forum
  • Click on "New Topic"
  • Put your name, e-mail address, and this as the title: "SDBot files"
  • Put a link to this Geeks to Go topic in the description box.
  • Then next to the file box, at the bottom, click the browse button, then navigate to this file:

    • C:\!Killbox.zip
  • Click Open.
  • Click Post.
Thank you!

Then please run the Kaspersky scan.

#13 DarrenZ (Topic Starter, Member, 22 posts)
I followed your instructions and created a new topic and posted the killbox.zip file.

Here are the results of the Kaspersky scan:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
06-09-26 10:20
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 25/09/2006
Kaspersky Anti-Virus database records: 226372
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 58699
Number of viruses found: 1
Number of infected objects: 24 / 0
Number of suspicious objects: 0
Duration of the scan process: 03:02:03

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.006\.housecall6.6\Quarantine\00476_netapi.exe.bac_a01492 Infected: Backdoor.Win32.VanBot.d skipped
C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.006\.housecall6.6\Quarantine\04403_netapi.exe.bac_a01492 Infected: Backdoor.Win32.VanBot.d skipped
C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.006\.housecall6.6\Quarantine\11774_netapi.exe.bac_a01492 Infected: Backdoor.Win32.VanBot.d skipped
C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.006\.housecall6.6\Quarantine\12778_netapi.exe.bac_a01492 Infected: Backdoor.Win32.VanBot.d skipped
C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.006\.housecall6.6\Quarantine\17705_netapi.exe.bac_a01492 Infected: Backdoor.Win32.VanBot.d skipped
C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.006\.housecall6.6\Quarantine\23870_netapi.exe.bac_a01492 Infected: Backdoor.Win32.VanBot.d skipped
C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.006\.housecall6.6\Quarantine\24631_netapi.exe.bac_a01492 Infected: Backdoor.Win32.VanBot.d skipped
C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.006\.housecall6.6\Quarantine\36520_netapi.exe.bac_a01492 Infected: Backdoor.Win32.VanBot.d skipped
C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.006\.housecall6.6\Quarantine\36744_netapi.exe.bac_a01492 Infected: Backdoor.Win32.VanBot.d skipped
C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.006\.housecall6.6\Quarantine\41267_netapi.exe.bac_a01492 Infected: Backdoor.Win32.VanBot.d skipped
C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.006\.housecall6.6\Quarantine\43620_netapi.exe.bac_a01492 Infected: Backdoor.Win32.VanBot.d skipped
C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.006\.housecall6.6\Quarantine\44461_netapi.exe.bac_a01492 Infected: Backdoor.Win32.VanBot.d skipped
C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.006\.housecall6.6\Quarantine\50648_netapi.exe.bac_a01492 Infected: Backdoor.Win32.VanBot.d skipped
C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.006\.housecall6.6\Quarantine\51162_netapi.exe.bac_a01492 Infected: Backdoor.Win32.VanBot.d skipped
C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.006\.housecall6.6\Quarantine\54657_netapi.exe.bac_a01492 Infected: Backdoor.Win32.VanBot.d skipped
C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.006\.housecall6.6\Quarantine\57375_netapi.exe.bac_a01492 Infected: Backdoor.Win32.VanBot.d skipped
C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.006\.housecall6.6\Quarantine\57772_netapi.exe.bac_a01492 Infected: Backdoor.Win32.VanBot.d skipped
C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.006\.housecall6.6\Quarantine\62253_netapi.exe.bac_a01492 Infected: Backdoor.Win32.VanBot.d skipped
C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.006\.housecall6.6\Quarantine\64055_netapi.exe.bac_a01492 Infected: Backdoor.Win32.VanBot.d skipped
C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.006\.housecall6.6\Quarantine\72322_netapi.exe.bac_a01492 Infected: Backdoor.Win32.VanBot.d skipped
C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.006\.housecall6.6\Quarantine\81178_netapi.exe.bac_a01492 Infected: Backdoor.Win32.VanBot.d skipped
C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.006\.housecall6.6\Quarantine\netapi[1].exe.bac_a01492 Infected: Backdoor.Win32.VanBot.d skipped
C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.006\.housecall6.6\Quarantine\wrapper.exe.bac_a01492 Infected: Backdoor.Win32.VanBot.d skipped
C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.006\.housecall6.6\Quarantine\xpjavams.exe.bac_a01492 Infected: Backdoor.Win32.VanBot.d skipped
C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.007\Application Data\AVG7\Log\emc.log Object is locked skipped
C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.007\Application Data\Mozilla\Firefox\Profiles\kbzrsbu2.default\cert8.db Object is locked skipped
C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.007\Application Data\Mozilla\Firefox\Profiles\kbzrsbu2.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.007\Application Data\Mozilla\Firefox\Profiles\kbzrsbu2.default\history.dat Object is locked skipped
C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.007\Application Data\Mozilla\Firefox\Profiles\kbzrsbu2.default\key3.db Object is locked skipped
C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.007\Application Data\Mozilla\Firefox\Profiles\kbzrsbu2.default\parent.lock Object is locked skipped
C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.007\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.007\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.007\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.007\Local Settings\Application Data\Mozilla\Firefox\Profiles\kbzrsbu2.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.007\Local Settings\Application Data\Mozilla\Firefox\Profiles\kbzrsbu2.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.007\Local Settings\Application Data\Mozilla\Firefox\Profiles\kbzrsbu2.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.007\Local Settings\Application Data\Mozilla\Firefox\Profiles\kbzrsbu2.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.007\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.007\Local Settings\History\History.IE5\MSHist012006092620060927\index.dat Object is locked skipped
C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.007\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.007\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.007\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\AWLABMRO\netapi[1].exe Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\AWLABMRO\netapi[2].exe Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\BR1RCUXC\netapi[1].exe Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\BR1RCUXC\netapi[2].exe Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\Q9YZ0GH7\netapi[1].exe Object is locked skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\Perflib_Perfdata_330.dat Object is locked skipped
C:\WINNT\system32\wrapper.exe Object is locked skipped
C:\WINNT\system32\xpjavams.exe Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.


Am I able to delete the SDFix folder and the killbox.zip and killbox folder now, or should I leave them alone?

Thanks
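The report above is a good illustration of why a scan result has to be read, not just counted: all 24 detections are copies already sitting in HouseCall's quarantine, while the two files that matter, wrapper.exe and xpjavams.exe in system32, show up only as "Object is locked skipped" because the scanner could not read the running copies. The script below is an added example (not Kaspersky's code and not from this thread) that does that reading automatically: it parses the report's line format, tallies detections by where they sit, and cross-references locked objects against the names that were detected elsewhere. SAMPLE_REPORT is a constructed cut-down copy in the same layout, with the profile directory replaced by the placeholder EXAMPLEUSER; the quarantine suffix handling assumes the .bac_xxxx naming seen in the report.

```python
"""Triage a Kaspersky Online Scanner report: tally detections by location class and
cross-reference 'Object is locked' files against detected names.
Added example; not part of Kaspersky's scanner or the thread."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Finding(NamedTuple):
    path: str
    status: str      # 'infected' or 'locked'
    detection: str   # scanner's name for the threat, '' for locked objects


# Constructed sample in the layout of the report posted above; the profile
# directory is replaced by the placeholder EXAMPLEUSER.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\EXAMPLEUSER\.housecall6.6\Quarantine\00476_netapi.exe.bac_a01492 Infected: Backdoor.Win32.VanBot.d skipped
C:\Documents and Settings\EXAMPLEUSER\.housecall6.6\Quarantine\netapi[1].exe.bac_a01492 Infected: Backdoor.Win32.VanBot.d skipped
C:\Documents and Settings\EXAMPLEUSER\.housecall6.6\Quarantine\wrapper.exe.bac_a01492 Infected: Backdoor.Win32.VanBot.d skipped
C:\Documents and Settings\EXAMPLEUSER\.housecall6.6\Quarantine\xpjavams.exe.bac_a01492 Infected: Backdoor.Win32.VanBot.d skipped
C:\Documents and Settings\EXAMPLEUSER\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\AWLABMRO\netapi[1].exe Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\wrapper.exe Object is locked skipped
C:\WINNT\system32\xpjavams.exe Object is locked skipped

Scan process completed.
"""

_INFECTED_RE = re.compile(r'^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$')
_LOCKED_RE = re.compile(r'^(?P<path>.+?) Object is locked skipped$')


def parse_report(text: str) -> List[Finding]:
    """One Finding per 'Infected:' or 'Object is locked' line; other lines are ignored."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _INFECTED_RE.match(line)
        if m:
            findings.append(Finding(m.group('path'), 'infected', m.group('name')))
            continue
        m = _LOCKED_RE.match(line)
        if m:
            findings.append(Finding(m.group('path'), 'locked', ''))
    return findings


def classify(path: str) -> str:
    """Where a hit sits changes what it means: a quarantine copy is already
    neutralised, a cache copy is a download that could be run again, and a
    copy in system32 is the live install."""
    p = path.lower()
    if '\\quarantine\\' in p:
        return 'quarantine'
    if '\\temporary internet files\\' in p:
        return 'browser-cache'
    if '\\winnt\\system32\\' in p or '\\windows\\system32\\' in p:
        return 'system'
    return 'other'


def normalize_name(path: str) -> str:
    """File name with the quarantine suffix and IE's [n] duplicate marker removed,
    so quarantine copies, cache copies and the live file compare equal."""
    name = path.rsplit('\\', 1)[-1].lower()
    name = re.sub(r'\.bac_[0-9a-z]+$', '', name)   # quarantine backup suffix as seen in the report
    name = re.sub(r'\[\d+\]', '', name)             # netapi[1].exe -> netapi.exe
    return name


def summarize(findings: List[Finding]) -> Dict[str, Dict[str, int]]:
    """detection name -> {location class -> count}."""
    summary: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for f in findings:
        if f.status == 'infected':
            summary[f.detection][classify(f.path)] += 1
    return {k: dict(v) for k, v in summary.items()}


def correlate_locked(findings: List[Finding]) -> List[Tuple[str, str]]:
    """Locked objects the scanner could not read whose name matches a file detected
    elsewhere: the likely running copies, which is what is actually left to clean."""
    detected = {}
    for f in findings:
        if f.status == 'infected':
            detected.setdefault(normalize_name(f.path), f.detection)
    return [(f.path, detected[normalize_name(f.path)])
            for f in findings
            if f.status == 'locked' and normalize_name(f.path) in detected]


if __name__ == '__main__':
    fs = parse_report(SAMPLE_REPORT)
    print(summarize(fs))
    for path, det in correlate_locked(fs):
        print('locked, same name as a %s hit: %s' % (det, path))
```

On the sample this reports every detection as a quarantine copy and lists the cache copy of netapi[1].exe plus system32\wrapper.exe and system32\xpjavams.exe as locked files sharing a name with a detection, which is the same conclusion the helper reaches by eye in the next post; NTUSER.DAT and SAM are locked too but match nothing, so they stay out of the list.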

#14 Armodeluxe (Retired Staff, 2,744 posts)
Delete these files:

C:\WINNT\system32\wrapper.exe
C:\WINNT\system32\xpjavams.exe

and empty this folder:

C:\Documents and Settings\Administrator.NRS-MEKCSMQ3ZNE.006\.housecall6.6\Quarantine

If you don't have any problems left, you should be good to go, please let me know either way.

#15 DarrenZ (Topic Starter, Member, 22 posts)
Thanks very much for your help.

Can I delete the killbox folder now?





