services.exe shutdown [RESOLVED]


  • This topic is locked

#1
nedomacho

  • Member
  • 14 posts
Got the machine infected (Windows updated twice a week, updated Kaspersky Antivirus, Adaware Pro). Disabled system restore, full antivirus scan in Safe Mode. Detected and deleted all files with the following:

Trojan-Clicker.Win32.Small
Trojan-Spy.Win32.Small
Trojan-Downloader.Win32.Tiny
Trojan-Win32.Harnig.a
Trojan-PSW.Win32.Bublik.c
Trojan-Hoax.Win32.Renos
Trojan-Downloader.Win32.Adload.j
Trojan-Win32.StartPag.ahg
Trojan-Email_Worm.Win32.Delf.i
Trojan-Proxy.Win32.Delf.an
Downloader.Win32.CWS.s
Trojan-Clicker.Win32.Small.lf

Also, a lot of copies of Qoologic, though don't have the complete name here.

As I said, deleted all. Those that could not get deleted by the antivirus -- deleted manually in Safe Mode. Cleaned up all suspicious registry entries/executables found by Adaware and Spybot S&D. Currently, no infected files/threats found by these tools.
Currently, as soon as network is detected, two connections are established: http (port 1034) 64.71.167.118 and http (port 1035) on ftp.icq.com. After a short download (traffic clearly seen), NT AUTHORITY message pops up saying that C:\windows\system32\services.exe terminated with status code 1073741674.
cmd > shutdown -a to prevent shutdown works, but the IE freezes as well as control panel.
The machine is connected to a Netgear router, no software firewall except the built-in windows (doesn't help here). Physical disconnect eliminates the crash, but as soon as network is detected, it happens again.
It is my suspicion that some critical updates were uninstalled, the machine rolled the date back to 2003 on the first restart after infection. As of right now, the antivirus sees a completely clean system.

HijackThis! scan log:

Logfile of HijackThis v1.99.1
Scan saved at 12:30:41 PM, on 1/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\windows\system32\svchost.exe
C:\windows\Explorer.EXE
C:\windows\system32\dumprep.exe
C:\windows\system32\dwwin.exe
C:\windows\system32\mmc.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_10\bin\npjpi142_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_10\bin\npjpi142_10.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124508777359
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1137998955312
O16 - DPF: {CAFEEFAC-0014-0001-0005-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_05) - https://timekeeper.a...indows-i586.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB701\webserver\bin\win32\matlabserver.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe


Any ideas besides system reinstall? Thanks.

p.s. Sorry guys, if I posted it in the wrong subforum. Stress sucks.

Edited by nedomacho, 23 January 2006 - 03:35 PM.

  • 0



#2
tampabelle

  • Retired Staff
  • 6,363 posts
Hi,

Looks like you don't have good net connectivity because of infections.

Can you post the complete scan report of Kaspersky and Ad Aware ??? This will give me some clues of where to start.
  • 0

#3
nedomacho

  • Topic Starter
  • Member
  • 14 posts

Can you post the complete scan report of Kaspersky and Ad Aware ??? This will give me some clues of where to start.

Thanks for your reply. Unfortunately, I don't have the reports for the scans I did right after the infection, and the Kaspersky now doesn't find anything at all after I deleted everything it found the first time. Running Adaware full system scan in safe mode, the report is on its way. BTW, the connectivity is fine in safe mode. :tazz:
  • 0

#4
tampabelle

  • Retired Staff
  • 6,363 posts
OK, in that case, let's do this -


Please visit Panda and do an online scan. Save the scan report.

Run Hijack This and post a fresh HJT log along with Panda scan report.
  • 0

#5
tampabelle

  • Retired Staff
  • 6,363 posts
Sorry missed the portion about the Ad Aware scan that you are doing.

Complete it and post the scan report and I will take it up from there.
  • 0

#6
nedomacho

  • Topic Starter
  • Member
  • 14 posts

OK, in that case, let's do this -
Please visit Panda and do an online scan. Save the scan report.

Scanning in the safe mode now. Already 6 spyware objects found, so much for Kaspersky.

Adaware found a clean system, not a single critical object. Do you want the HJT in Safe Mode or in normal?

Edited by nedomacho, 23 January 2006 - 05:03 PM.

  • 0

#7
nedomacho

  • Topic Starter
  • Member
  • 14 posts
Here's the Panda report:


Incident Status Location

Spyware:Cookie/SpyLog Not disinfected C:\Documents and Settings\Shura\Application Data\Mozilla\Firefox\Profiles\3zo9yp8i.default\cookies.txt[]
Spyware:Cookie/Microsofte Not disinfected C:\Documents and Settings\Shura\Cookies\[email protected][1].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Shura\Cookies\[email protected][1].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Shura\Cookies\shura@yadro[1].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Shura\Local Settings\Temp\Cookies\shura@banner[1].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Shura\Local Settings\Temp\Cookies\shura@yadro[1].txt
Virus:Trj/PWSteal.V Disinfected C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll.bak
Virus:Trj/Bancos.LU Disinfected C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll.bak
Adware:Adware/BHO Not disinfected C:\WINDOWS\inet20003\3.00.13.dll
Adware:Adware/Aureate-Radiate Not disinfected C:\WINDOWS\system32\adimage.dll
Adware:Adware/Aureate-Radiate Not disinfected C:\WINDOWS\system32\msipcsv.exe
Adware:Adware/Aureate-Radiate Not disinfected C:\WINDOWS\system32\tfde.dll
Adware:adware/cws.searchmeup Not disinfected C:\WINDOWS\uniq



HJT report:

Logfile of HijackThis v1.99.1
Scan saved at 5:32:33 PM, on 1/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_10\bin\npjpi142_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_10\bin\npjpi142_10.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124508777359
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1137998955312
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0001-0005-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_05) - https://timekeeper.a...indows-i586.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe

Edited by nedomacho, 23 January 2006 - 05:34 PM.

  • 0

#8
nedomacho

  • Topic Starter
  • Member
  • 14 posts
BTW, here's the content of my system.ini

Check out the line at the bottom. The file is missing, but can this be simply deleted? Anything else unusual? I am looking at it because the machine starts downloading crap (causing services.exe to crash) without opening IE.

; for 16-bit app support

[drivers]
wave=mmdrv.dll
timer=timer.drv

[mci]
[driver32]
msacm.l3acm=l3codeca.acm
vidc.iv50=ir50_32.dll
msacm.iac2=iac25_32.ax
msacm.sl_anet=sl_anet.acm
msacm.msaudio1=msaud32.acm
vidc.M261=msh261.drv
vidc.M263=msh263.drv
msacm.msg723=msg723.acm
vidc.yvyu=msyuv.dll
vidc.yvu9=tsbyuv.dll
vidc.yuy2=msyuv.dll
vidc.uyvy=msyuv.dll
vidc.msvc=msvidc32.dll
vidc.mrle=msrle32.dll
vidc.iyuv=iyuv_32.dll
vidc.iv41=ir41_32.ax
vidc.iv32=ir32_32.dll
vidc.iv31=ir32_32.dll
vidc.I420=msh263.drv
vidc.cvid=iccvid.dll
msacm.trspch=tssoft32.acm
msacm.msgsm610=msgsm32.acm
msacm.msg711=msg711.acm
msacm.msadpcm=msadp32.acm
msacm.imaadpcm=imaadp32.acm
[386enh]
woafont=app866.FON
EGA80WOA.FON=EGA80866.FON
EGA40WOA.FON=EGA40866.FON
CGA80WOA.FON=CGA80866.FON
CGA40WOA.FON=CGA40866.FON
[Windows]
load=C:\WINDOWS\inet20003\services.exe
  • 0
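
Added example (not part of the thread or of any tool mentioned in it): a Python check for the kind of entry shown in post #8, where `load=` points at a `services.exe` outside `system32`. The expected directories come from the process lists in the HijackThis logs above; `CONTROL_INI`, the function names and the choice to inspect `load`, `run` and `shell` in every section are assumptions made here.

```python
import ntpath
import re

# Expected directories for core Windows binaries, taken from the
# "Running processes" lists in the HijackThis logs in this thread.
EXPECTED_DIR = {
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Keys that name a program to start. Checked in every section (assumption),
# because the entry in the post sits under [Windows] in system.ini.
AUTOSTART_KEYS = {"load", "run", "shell"}

# Program path at the start of a value: optional quote, then anything up to
# an executable extension that is followed by a quote, whitespace or the end.
PROGRAM_RE = re.compile(
    r'^\s*"?(.+?\.(?:exe|com|bat|scr|pif))(?=["\s]|$)', re.IGNORECASE)

# Abbreviated from the system.ini posted above.
POSTED_SYSTEM_INI = r"""
; for 16-bit app support
[drivers]
wave=mmdrv.dll
timer=timer.drv
[386enh]
woafont=app866.FON
[Windows]
load=C:\WINDOWS\inet20003\services.exe
"""

# Constructed control input, not from the thread.
CONTROL_INI = r"""
[boot]
shell=Explorer.exe
[windows]
load=%SystemRoot%\system32\services.exe
run="C:\Program Files\Example\tray.exe" /min
"""


def parse_ini(text):
    """Yield (section, key, value); tolerates ';' comments and repeated keys."""
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            yield section, key.strip().lower(), value.strip()


def audit(text, systemroot=r"C:\WINDOWS"):
    """Return (section, key, path, verdict) for every autostart-style entry.

    verdict is 'masquerade' when a core binary name is given with a directory
    other than its expected one, 'expected' when the location matches or only
    a bare name is given, and 'review' for any other program.
    """
    findings = []
    for section, key, value in parse_ini(text):
        if key not in AUTOSTART_KEYS:
            continue
        for item in value.split(","):  # a value may list several programs
            match = PROGRAM_RE.match(item)
            if not match:
                continue
            path = re.sub(r"%systemroot%|%windir%", lambda _m: systemroot,
                          match.group(1), flags=re.IGNORECASE)
            directory, name = ntpath.split(ntpath.normpath(path))
            expected = EXPECTED_DIR.get(name.lower())
            if expected is None:
                verdict = "review"
            elif directory and directory.lower() != expected:
                verdict = "masquerade"
            else:
                verdict = "expected"
            findings.append((section, key, path, verdict))
    return findings


if __name__ == "__main__":
    for finding in audit(POSTED_SYSTEM_INI) + audit(CONTROL_INI):
        print(finding)
```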

#9
nedomacho

  • Topic Starter
  • Member
  • 14 posts
Removed all the files found by Panda (actually, backed them up on a different HD). Also, boot.ini has been modified to turn off the /noexecute option. Changed that back to /noexecute=optin. On the first start in normal mode -- same thing. Within about a minute after the system loads completely, connections to the same locations are established (netstat), there is a period of traffic (maybe 3 seconds), then services.exe shuts down again with the same code.
Followed by another Panda scan in Safe Mode -- no additional threats found.

Is reinstalling the system my best bet here?

p.s. All this garbage actually was downloaded by "Spy Sheriff" already mentioned here. Not sure if that matters now, but that's the case.

Edited by nedomacho, 23 January 2006 - 09:08 PM.

  • 0

#10
nedomacho

  • Topic Starter
  • Member
  • 14 posts
The battle continues... Installed Agnitum Outpost 1.0 and blocked network access for C:/WINDOWS/SYSTEM32/services.exe , and now the log shows what's going on: it actively attempts to access codec.divx-update.biz (host 64.71.167.118) using TCP ports starting with 1034 and counting up. Does it in 'packs' of 6 quick subsequent attempts, each 'pack' per approx. 30 seconds.
It doesn't have to look like a virus to the antiviruses, per se...
  • 0
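
Added example (not from the thread, and not Outpost's actual log format): detection logic for the pattern described in post #10, packs of quick connection attempts from one process to one host that repeat at a steady interval. The pipe-separated log lines, the thresholds and the function names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def build_sample_log():
    """Constructed input: 4 packs of 6 blocked attempts about 30 s apart,
    mixed with unrelated browser traffic at irregular times.
    Fields: timestamp | action | process | port | host."""
    start = datetime(2006, 1, 24, 21, 0, 0)
    lines, port = [], 1034
    for offset in (0, 30, 61, 90):       # pack start times, with some jitter
        for i in range(6):               # 6 attempts, 200 ms apart
            ts = start + timedelta(seconds=offset, milliseconds=200 * i)
            lines.append(" | ".join([
                ts.isoformat(timespec="milliseconds"), "BLOCK",
                r"C:\WINDOWS\SYSTEM32\services.exe", str(port),
                "codec.divx-update.biz"]))
            port += 1                    # ports count up from 1034, as in the post
    for offset in (3, 17, 70):           # unrelated, irregular traffic
        ts = start + timedelta(seconds=offset)
        lines.append(" | ".join([
            ts.isoformat(timespec="milliseconds"), "ALLOW",
            r"C:\Program Files\Internet Explorer\IEXPLORE.EXE", "2000",
            "www.example.com"]))
    return sorted(lines)                 # ISO timestamps sort chronologically


def find_beacons(lines, burst_gap=2.0, min_bursts=3, max_cv=0.2):
    """Group attempts per (process, host), split them into bursts, and report
    pairs whose bursts recur at a near-constant period.

    burst_gap  : attempts closer than this many seconds belong to one burst
    min_bursts : fewer bursts than this is not enough to call it periodic
    max_cv     : allowed coefficient of variation of the burst-to-burst gaps
    """
    events = defaultdict(list)
    for line in lines:
        ts, _action, process, _port, host = [f.strip() for f in line.split("|")]
        events[(process.lower(), host.lower())].append(datetime.fromisoformat(ts))

    results = []
    for (process, host), stamps in sorted(events.items()):
        stamps.sort()
        bursts = [[stamps[0]]]
        for prev, cur in zip(stamps, stamps[1:]):
            if (cur - prev).total_seconds() <= burst_gap:
                bursts[-1].append(cur)   # same pack
            else:
                bursts.append([cur])     # quiet period ended, new pack
        if len(bursts) < min_bursts:
            continue
        starts = [b[0] for b in bursts]
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        period = mean(gaps)
        if pstdev(gaps) / period > max_cv:
            continue                     # too irregular to be a timer
        results.append({
            "process": process,
            "host": host,
            "bursts": len(bursts),
            "burst_size": round(mean(len(b) for b in bursts)),
            "period_s": round(period, 1),
        })
    return results


if __name__ == "__main__":
    for hit in find_beacons(build_sample_log()):
        print(hit)
```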



#11
tampabelle

  • Retired Staff
  • 6,363 posts
C:/WINDOWS/SYSTEM32/services.exe is a critical system file. Don't tinker with that.


Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.

Delete the files, if still there -

C:\WINDOWS\system32\adimage.dll
C:\WINDOWS\system32\msipcsv.exe
C:\WINDOWS\system32\tfde.dll



Delete the folders -

C:\WINDOWS\inet20003
C:\WINDOWS\uniq



Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g., Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows.

Post the contents of the smitfiles.txt by using Add Reply.

Let us know if any problems persist.
  • 0

#12
nedomacho

  • Topic Starter
  • Member
  • 14 posts
Did all as instructed. Now, services.exe is active very much, attempting the same stuff, except the address is now update.firefoxupdatecenter.net

Here's the log file by SmitRem:

smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Tue 01/24/2006
The current time is: 20:48:09.56

Running from
C:\Documents and Settings\Shura\Desktop\smitRem
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Install.dat


~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 792 'explorer.exe'
Killing PID 792 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :tazz:
  • 0

#13
nedomacho

  • Topic Starter
  • Member
  • 14 posts
Did we hit a dead end or something? :tazz:
  • 0

#14
tampabelle

  • Retired Staff
  • 6,363 posts
Hi,

I have been doing some research and I would like some more info / logs.


1) Run Hijack This. Click on config ---> Misc Tools.

Check both the boxes next to "Generate Startup List" and then click on Generate Startup List. Save the Startup List.


2) Search for the files *.dmp (using the Windows search function. We are interested in files created in the last 2-3 days and located in the C:\windows\system32 folder).


3) Click on Start ---> settings ---> Control panel. Double click on Administrative Tools --> Computer Management.

Click on System Tools ---> Event Viewer ---> Application. Now click on Action ---> Export List. Save the list.

Click on System Tools ---> Event Viewer ---> System. Now click on Action ---> Export List. Save the list.



Please post back the logs requested for. That will tell us more about the issue.
  • 0

#15
nedomacho

  • Topic Starter
  • Member
  • 14 posts
Behold...

HJT Startup list:


StartupList report, 1/25/2006, 10:53:21 PM
StartupList version: 1.52.2
Started from : D:\Downloads\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\Explorer.EXE
C:\Documents and Settings\Shura\Desktop\stng259.exe
C:\windows\PCHealth\HelpCtr\Binaries\HelpSvc.exe
D:\Downloads\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Shura\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
VPN Client.lnk = ?

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Outpost Firewall = C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
AWMON = "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

[{8b15971b-5355-4c82-8c07-7e181ea07608}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\windows\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\windows\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\windows\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\windows\Explorer\Explorer.exe: not present
C:\windows\System\Explorer.exe: not present
C:\windows\System32\Explorer.exe: not present
C:\windows\Command\Explorer.exe: not present
C:\windows\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\windows
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - c:\program files\google\googletoolbar2.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll - {AE7CD045-E861-484f-8273-0445EE161910}

--------------------------------------------------

Enumerating Task Scheduler jobs:

ISP signup reminder 1.job

--------------------------------------------------

Enumerating Download Program Files:

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\LegitCheckControl.DLL
CODEBASE = http://go.microsoft....k/?linkid=39204

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.syma...bin/AvSniff.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://update.micros...b?1124508777359

[Symantec RuFSI Utility Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.syma...n/bin/cabsa.cab

[MUWebControl Class]
InProcServer32 = C:\windows\system32\muweb.dll
CODEBASE = http://update.micros...b?1137998955312

[Java Plug-in 1.5.0_04]
InProcServer32 = C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoft...free/asinst.cab

[Java Plug-in 1.4.1_05]
InProcServer32 = \\CANARY\DISTAPPS$\java\j2re1.4.1_05\bin\npjpi141_05.dll
CODEBASE = https://timekeeper.a...indows-i586.exe

[Java Plug-in 1.4.2_10]
InProcServer32 = C:\Program Files\Java\j2re1.4.2_10\bin\npjpi142_10.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Java Plug-in 1.5.0_04]
InProcServer32 = C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\windows\System32\mswsock.dll
NameSpace #2: C:\windows\System32\winrnr.dll
NameSpace #3: C:\windows\System32\mswsock.dll
NameSpace #4: C:\windows\system32\wshbth.dll
Protocol #1: C:\windows\system32\mswsock.dll
Protocol #2: C:\windows\system32\mswsock.dll
Protocol #3: C:\windows\system32\mswsock.dll
Protocol #4: C:\windows\system32\rsvpsp.dll
Protocol #5: C:\windows\system32\rsvpsp.dll
Protocol #6: C:\windows\system32\mswsock.dll
Protocol #7: C:\windows\system32\mswsock.dll
Protocol #8: C:\windows\system32\mswsock.dll
Protocol #9: C:\windows\system32\mswsock.dll
Protocol #10: C:\windows\system32\mswsock.dll
Protocol #11: C:\windows\system32\mswsock.dll
Protocol #12: C:\windows\system32\mswsock.dll
Protocol #13: C:\windows\system32\mswsock.dll
Protocol #14: C:\windows\system32\mswsock.dll
Protocol #15: C:\windows\system32\mswsock.dll
Protocol #16: C:\windows\system32\mswsock.dll
Protocol #17: C:\windows\system32\mswsock.dll
Protocol #18: C:\windows\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

abp480n5: \SystemRoot\system32\DRIVERS\ABP480N5.SYS (disabled)
Microsoft ACPI Driver: system32\DRIVERS\ACPI.sys (system)
Outpost Firewall PlugIn (ADBLOCK.DLL): \??\C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\ADBLOCK.DLL (manual start)
adpu160m: \SystemRoot\system32\DRIVERS\adpu160m.sys (disabled)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD: \SystemRoot\System32\drivers\afd.sys (system)
Intel AGP Bus Filter: \SystemRoot\system32\DRIVERS\agp440.sys (disabled)
Compaq AGP Bus Filter: \SystemRoot\system32\DRIVERS\agpCPQ.sys (disabled)
Aha154x: \SystemRoot\system32\DRIVERS\aha154x.sys (disabled)
aic78u2: \SystemRoot\system32\DRIVERS\aic78u2.sys (disabled)
aic78xx: \SystemRoot\system32\DRIVERS\aic78xx.sys (disabled)
Alerter: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AliIde: \SystemRoot\system32\DRIVERS\aliide.sys (disabled)
ALI AGP Bus Filter: \SystemRoot\system32\DRIVERS\alim1541.sys (disabled)
AMD AGP Bus Filter Driver: \SystemRoot\system32\DRIVERS\amdagp.sys (disabled)
amsint: \SystemRoot\system32\DRIVERS\amsint.sys (disabled)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
asc: \SystemRoot\system32\DRIVERS\asc.sys (disabled)
asc3350p: \SystemRoot\system32\DRIVERS\asc3350p.sys (disabled)
asc3550: \SystemRoot\system32\DRIVERS\asc3550.sys (disabled)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: system32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: system32\DRIVERS\atapi.sys (system)
Ati HotKey Poller: %SystemRoot%\system32\Ati2evxx.exe (manual start)
ATI Smart: C:\WINDOWS\system32\ati2sgag.exe (manual start)
ati2mtag: system32\DRIVERS\ati2mtag.sys (manual start)
ATM ARP Client Protocol: system32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: system32\DRIVERS\audstub.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Bluetooth Request Block Driver: system32\DRIVERS\BthEnum.sys (manual start)
Bluetooth Serial Communications Driver: system32\DRIVERS\bthmodem.sys (manual start)
Bluetooth Device (Personal Area Network): system32\DRIVERS\bthpan.sys (manual start)
Bluetooth Port Driver: System32\Drivers\BTHport.sys (manual start)
Bluetooth Support Service: %SystemRoot%\system32\svchost.exe -k bthsvcs (autostart)
Bluetooth Radio USB Driver: System32\Drivers\BTHUSB.sys (manual start)
cbidf: \SystemRoot\system32\DRIVERS\cbidf2k.sys (disabled)
cd20xrnt: \SystemRoot\system32\DRIVERS\cd20xrnt.sys (disabled)
CD-ROM Driver: system32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
CmdIde: \SystemRoot\system32\DRIVERS\cmdide.sys (disabled)
COM+ System Application: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Outpost Firewall PlugIn (CONTENT.DLL): \??\C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\CONTENT.DLL (manual start)
Cpqarray: \SystemRoot\system32\DRIVERS\cpqarray.sys (disabled)
Creative Service for CDROM Access: C:\WINDOWS\system32\CTsvcCDA.EXE (disabled)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Creative SoundFont Management Device Driver: system32\DRIVERS\ctsfm2k.sys (manual start)
Cisco Systems VPN Adapter: system32\DRIVERS\CVirtA.sys (manual start)
Cisco Systems, Inc. VPN Service: "C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe" (autostart)
Cisco Systems Inc. IPSec Driver: \??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys (manual start)
dac2w2k: \SystemRoot\system32\DRIVERS\dac2w2k.sys (disabled)
dac960nt: \SystemRoot\system32\DRIVERS\dac960nt.sys (disabled)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Disk Driver: system32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
Deterministic Network Enhancer Miniport: system32\DRIVERS\dne2000.sys (manual start)
DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
Outpost Firewall PlugIn (DNSCACHE.DLL): \??\C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\DNSCACHE.DLL (manual start)
dpti2o: \SystemRoot\system32\DRIVERS\dpti2o.sys (disabled)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Intel® PRO Network Connection Driver: system32\DRIVERS\e100b325.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\system32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Fax: %systemroot%\system32\fxssvc.exe (manual start)
Floppy Disk Controller Driver: system32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: system32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\DRIVERS\fltMgr.sys (system)
Volume Manager Driver: system32\DRIVERS\ftdisk.sys (system)
Outpost Firewall PlugIn (FTPFILT.DLL): \??\C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\FTPFILT.DLL (manual start)
Generic Packet Classifier: system32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: system32\DRIVERS\hidusb.sys (manual start)
hpn: \SystemRoot\system32\DRIVERS\hpn.sys (disabled)
Outpost Firewall PlugIn (HTMLFILT.DLL): \??\C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\HTMLFILT.DLL (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
Outpost Firewall PlugIn (HTTPFILT.DLL): \??\C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\HTTPFILT.DLL (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i2omp: \SystemRoot\system32\DRIVERS\i2omp.sys (disabled)
i8042 Keyboard and PS/2 Mouse Port Driver: system32\DRIVERS\i8042prt.sys (system)
Intel® Matrix Storage Event Monitor: C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe (disabled)
Intel AHCI Controller: system32\drivers\iastor.sys (system)
Outpost Firewall PlugIn (IMAPFILT.DLL): \??\C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\IMAPFILT.DLL (manual start)
CD-Burning Filter Driver: system32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\system32\imapi.exe (manual start)
ini910u: \SystemRoot\system32\DRIVERS\ini910u.sys (disabled)
IntelIde: \SystemRoot\system32\DRIVERS\intelide.sys (disabled)
Intel Processor Driver: system32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\DRIVERS\Ip6Fw.sys (manual start)
IP Traffic Filter Driver: system32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: system32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: system32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: system32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: system32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: system32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: system32\DRIVERS\kbdclass.sys (system)
Keyboard HID Driver: system32\DRIVERS\kbdhid.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Outpost Firewall PlugIn (MAILFILT.DLL): \??\C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\MAILFILT.DLL (manual start)
MATLAB Server: C:\MATLAB701\webserver\bin\win32\matlabserver.exe (disabled)
Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\system32\mnmsrvc.exe (manual start)
Mouse Class Driver: system32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: system32\DRIVERS\mouhid.sys (manual start)
mraid35x: \SystemRoot\system32\DRIVERS\mraid35x.sys (disabled)
WebDav Client Redirector: system32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: system32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\system32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: system32\DRIVERS\mssmbios.sys (manual start)
Nal Service : \??\C:\WINDOWS\system32\Drivers\iqvw32.sys (manual start)
Remote Access NDIS TAPI Driver: system32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: system32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: system32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: system32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: system32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\system32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Outpost Firewall PlugIn (NNTPFILT.DLL): \??\C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\NNTPFILT.DLL (manual start)
NT LM Security Support Provider: %SystemRoot%\system32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: system32\DRIVERS\nv4_mini.sys (manual start)
IPX Traffic Filter Driver: system32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: system32\DRIVERS\nwlnkfwd.sys (manual start)
O&O Defrag: C:\WINDOWS\system32\oodag.exe (manual start)
OMCI WDM Device Driver: system32\DRIVERS\omci.sys (system)
Creative OS Services Driver: system32\DRIVERS\ctoss2k.sys (manual start)
Outpost Firewall Service: C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /service (autostart)
Sound Blaster Live! 24-bit: system32\drivers\P17.sys (manual start)
Parallel port driver: system32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: system32\DRIVERS\pci.sys (system)
PCIIde: system32\DRIVERS\pciide.sys (system)
perc2: \SystemRoot\system32\DRIVERS\perc2.sys (disabled)
perc2hib: \SystemRoot\system32\DRIVERS\perc2hib.sys (disabled)
PfModNT: \??\C:\WINDOWS\system32\drivers\PfModNT.sys (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
Outpost Firewall PlugIn (POP3FILT.DLL): \??\C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\POP3FILT.DLL (manual start)
WAN Miniport (PPTP): system32\DRIVERS\raspptp.sys (manual start)
Outpost Firewall PlugIn (PROTECT.DLL): \??\C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\PROTECT.DLL (manual start)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: system32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: system32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\Drivers\PxHelp20.sys (system)
ql1080: \SystemRoot\system32\DRIVERS\ql1080.sys (disabled)
Ql10wnt: \SystemRoot\system32\DRIVERS\ql10wnt.sys (disabled)
ql12160: \SystemRoot\system32\DRIVERS\ql12160.sys (disabled)
ql1240: \SystemRoot\system32\DRIVERS\ql1240.sys (disabled)
ql1280: \SystemRoot\system32\DRIVERS\ql1280.sys (disabled)
Remote Access Auto Connection Driver: system32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): system32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: system32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: system32\DRIVERS\raspti.sys (manual start)
Rdbss: system32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: system32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: system32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Bluetooth Device (RFCOMM Protocol TDI): system32\DRIVERS\rfcomm.sys (manual start)
Remote Procedure Call (RPC) Locator: %SystemRoot%\system32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\system32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Secdrv: system32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: system32\DRIVERS\serenum.sys (manual start)
Serial port driver: system32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SIS AGP Bus Filter: \SystemRoot\system32\DRIVERS\sisagp.sys (disabled)
Sparrow: \SystemRoot\system32\DRIVERS\sparrow.sys (disabled)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: \SystemRoot\system32\DRIVERS\sr.sys (disabled)
System Restore Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Srv: system32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\system32\svchost.exe -k imgsvc (autostart)
Software Bus Driver: system32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\system32\dllhost.exe /Processid:{A445BD1E-49EE-4607-B370-5CCA447377C4} (manual start)
symc810: \SystemRoot\system32\DRIVERS\symc810.sys (disabled)
symc8xx: \SystemRoot\system32\DRIVERS\symc8xx.sys (disabled)
sym_hi: \SystemRoot\system32\DRIVERS\sym_hi.sys (disabled)
sym_u3: \SystemRoot\system32\DRIVERS\sym_u3.sys (disabled)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
32bit system bus driver: \??\C:\WINDOWS\system32\drivers\sysbus32.sys (system)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: system32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: system32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TosIde: \SystemRoot\system32\DRIVERS\toside.sys (disabled)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
ultra: \SystemRoot\system32\DRIVERS\ultra.sys (disabled)
Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)
Microcode Update Driver: system32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: system32\DRIVERS\usbehci.sys (manual start)
Microsoft USB Standard Hub Driver: system32\DRIVERS\usbhub.sys (manual start)
Microsoft USB PRINTER Class: system32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: system32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: system32\DRIVERS\usbuhci.sys (manual start)
Outpost Firewall Kernel Driver: \??\C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\2000\FILTNT.SYS (system)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Bus Filter: \SystemRoot\system32\DRIVERS\viaagp.sys (disabled)
ViaIde: \SystemRoot\system32\DRIVERS\viaide.sys (disabled)
VirtualFD: \??\D:\Downloads\Floppy\vfd.sys (manual start)
vsdatant: System32\vsdatant.sys (manual start)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: system32\DRIVERS\wanarp.sys (manual start)
WAN Miniport (ATW): system32\DRIVERS\wanatw4.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
WINIO: \??\C:\WINDOWS\system32\winio.sys (manual start)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
WMDM PMSP Service: C:\WINDOWS\system32\MsPMSPSv.exe (disabled)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\system32\wbem\wmiapsrv.exe (manual start)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\windows\system32\SHELL32.dll
CDBurn: C:\windows\system32\SHELL32.dll
WebCheck: C:\windows\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

End of report, 36,945 bytes
Report generated in 0.188 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


Dump files

Here, uploaded them.



System error log

Type Date Time Source Category Event User Computer
Information 1/25/2006 8:47:42 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/25/2006 8:47:42 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Error 1/25/2006 8:47:42 PM Service Control Manager None 7026 N/A SHURAMAIN
Error 1/25/2006 8:46:23 PM DCOM None 10005 SYSTEM SHURAMAIN
Information 1/25/2006 8:45:58 PM eventlog None 6005 N/A SHURAMAIN
Information 1/25/2006 8:45:58 PM eventlog None 6009 N/A SHURAMAIN
Information 1/25/2006 8:45:21 PM eventlog None 6006 N/A SHURAMAIN
Error 1/25/2006 8:45:19 PM DCOM None 10005 SYSTEM SHURAMAIN
Information 1/25/2006 8:32:03 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/25/2006 8:32:03 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Error 1/25/2006 8:32:03 PM Service Control Manager None 7026 N/A SHURAMAIN
Error 1/25/2006 8:31:06 PM DCOM None 10005 SYSTEM SHURAMAIN
Information 1/25/2006 8:30:15 PM eventlog None 6005 N/A SHURAMAIN
Information 1/25/2006 8:30:15 PM eventlog None 6009 N/A SHURAMAIN
Information 1/25/2006 2:51:29 AM eventlog None 6006 N/A SHURAMAIN
Error 1/25/2006 2:51:23 AM Service Control Manager None 7034 N/A SHURAMAIN
Information 1/24/2006 11:04:33 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 11:04:32 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 11:04:32 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 11:04:32 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/24/2006 11:04:32 PM Service Control Manager None 7035 Shura SHURAMAIN
Information 1/24/2006 11:04:32 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 11:04:32 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 11:04:32 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 11:04:32 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/24/2006 11:04:32 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/24/2006 11:04:32 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/24/2006 11:04:32 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 11:04:32 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/24/2006 11:04:32 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 11:04:32 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/24/2006 11:04:32 PM Service Control Manager None 7036 N/A SHURAMAIN
Error 1/24/2006 11:04:32 PM Service Control Manager None 7000 N/A SHURAMAIN
Information 1/24/2006 11:03:57 PM eventlog None 6005 N/A SHURAMAIN
Information 1/24/2006 11:03:57 PM eventlog None 6009 N/A SHURAMAIN
Information 1/24/2006 11:03:16 PM eventlog None 6006 N/A SHURAMAIN
Error 1/24/2006 11:03:10 PM Service Control Manager None 7034 N/A SHURAMAIN
Error 1/24/2006 11:01:55 PM W32Time None 29 N/A SHURAMAIN
Error 1/24/2006 11:01:55 PM W32Time None 17 N/A SHURAMAIN
Information 1/24/2006 10:57:18 PM Windows File Protection None 64017 N/A SHURAMAIN
Error 1/24/2006 10:46:55 PM W32Time None 29 N/A SHURAMAIN
Error 1/24/2006 10:46:55 PM W32Time None 17 N/A SHURAMAIN
Information 1/24/2006 10:34:52 PM Windows File Protection None 64016 N/A SHURAMAIN
Information 1/24/2006 10:33:17 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 10:33:12 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 10:33:11 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 10:33:11 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/24/2006 10:33:11 PM Service Control Manager None 7035 Shura SHURAMAIN
Information 1/24/2006 10:33:11 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 10:33:11 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 10:33:11 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/24/2006 10:33:11 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 10:33:11 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/24/2006 10:33:11 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/24/2006 10:33:11 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 10:33:11 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/24/2006 10:33:11 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 10:33:11 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/24/2006 10:33:11 PM Service Control Manager None 7036 N/A SHURAMAIN
Error 1/24/2006 10:32:19 PM Service Control Manager None 7000 N/A SHURAMAIN
Information 1/24/2006 10:31:48 PM eventlog None 6005 N/A SHURAMAIN
Information 1/24/2006 10:31:48 PM eventlog None 6009 N/A SHURAMAIN
Information 1/24/2006 10:31:14 PM eventlog None 6006 N/A SHURAMAIN
Error 1/24/2006 10:31:11 PM DCOM None 10005 SYSTEM SHURAMAIN
Information 1/24/2006 9:47:39 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 9:47:39 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Error 1/24/2006 9:47:39 PM Service Control Manager None 7026 N/A SHURAMAIN
Error 1/24/2006 9:46:21 PM DCOM None 10005 SYSTEM SHURAMAIN
Information 1/24/2006 9:45:54 PM eventlog None 6005 N/A SHURAMAIN
Information 1/24/2006 9:45:54 PM eventlog None 6009 N/A SHURAMAIN
Information 1/24/2006 9:40:33 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 9:40:30 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 9:40:30 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 9:40:30 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/24/2006 9:40:30 PM Service Control Manager None 7035 Shura SHURAMAIN
Information 1/24/2006 9:40:30 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 9:40:30 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 9:40:30 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/24/2006 9:40:30 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 9:40:30 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/24/2006 9:40:30 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/24/2006 9:40:30 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 9:40:30 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 9:40:30 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/24/2006 9:40:30 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/24/2006 9:40:30 PM Service Control Manager None 7036 N/A SHURAMAIN
Error 1/24/2006 9:40:30 PM Service Control Manager None 7000 N/A SHURAMAIN
Information 1/24/2006 9:39:56 PM eventlog None 6005 N/A SHURAMAIN
Information 1/24/2006 9:39:56 PM eventlog None 6009 N/A SHURAMAIN
Information 1/24/2006 9:32:34 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 9:32:32 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 9:32:31 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 9:32:31 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/24/2006 9:32:31 PM Service Control Manager None 7035 Shura SHURAMAIN
Information 1/24/2006 9:32:31 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 9:32:31 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 9:32:31 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/24/2006 9:32:31 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/24/2006 9:32:31 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 9:32:31 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/24/2006 9:32:31 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 9:32:31 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/24/2006 9:32:31 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/24/2006 9:32:31 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 9:32:31 PM Service Control Manager None 7036 N/A SHURAMAIN
Error 1/24/2006 9:32:31 PM Service Control Manager None 7000 N/A SHURAMAIN
Information 1/24/2006 9:31:58 PM eventlog None 6005 N/A SHURAMAIN
Information 1/24/2006 9:31:58 PM eventlog None 6009 N/A SHURAMAIN
Information 1/24/2006 9:31:22 PM eventlog None 6006 N/A SHURAMAIN
Information 1/24/2006 9:31:21 PM Service Control Manager None 7036 N/A SHURAMAIN
Error 1/24/2006 9:31:16 PM Service Control Manager None 7034 N/A SHURAMAIN
Warning 1/24/2006 9:31:13 PM Dhcp None 1003 N/A SHURAMAIN
Information 1/24/2006 9:30:44 PM Tcpip None 4201 N/A SHURAMAIN
Information 1/24/2006 9:30:03 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 9:29:58 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 9:29:57 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 9:29:57 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/24/2006 9:29:57 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 9:29:57 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/24/2006 9:29:57 PM Service Control Manager None 7035 Shura SHURAMAIN
Information 1/24/2006 9:29:57 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 9:29:57 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 9:29:57 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/24/2006 9:29:57 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 9:29:57 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/24/2006 9:29:57 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/24/2006 9:29:57 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 9:29:57 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/24/2006 9:29:57 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 9:28:39 PM Tcpip None 4202 N/A SHURAMAIN
Error 1/24/2006 9:29:03 PM Service Control Manager None 7000 N/A SHURAMAIN
Information 1/24/2006 9:28:44 PM eventlog None 6005 N/A SHURAMAIN
Information 1/24/2006 9:28:44 PM eventlog None 6009 N/A SHURAMAIN
Information 1/24/2006 9:23:06 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 9:23:03 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 9:23:03 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 9:23:03 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/24/2006 9:23:03 PM Service Control Manager None 7035 Shura SHURAMAIN
Information 1/24/2006 9:23:03 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 9:23:03 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 9:23:03 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 9:23:03 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/24/2006 9:23:03 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/24/2006 9:23:03 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/24/2006 9:23:03 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 9:23:03 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/24/2006 9:23:03 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 9:23:03 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/24/2006 9:23:03 PM Service Control Manager None 7036 N/A SHURAMAIN
Error 1/24/2006 9:23:03 PM Service Control Manager None 7000 N/A SHURAMAIN
Information 1/24/2006 9:22:29 PM eventlog None 6005 N/A SHURAMAIN
Information 1/24/2006 9:22:29 PM eventlog None 6009 N/A SHURAMAIN
Information 1/24/2006 9:21:53 PM eventlog None 6006 N/A SHURAMAIN
Error 1/24/2006 9:21:47 PM Service Control Manager None 7034 N/A SHURAMAIN
Information 1/24/2006 8:55:01 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 8:54:59 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 8:54:58 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 8:54:58 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/24/2006 8:54:58 PM Service Control Manager None 7035 Shura SHURAMAIN
Information 1/24/2006 8:54:58 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 8:54:58 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 8:54:58 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 8:54:58 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/24/2006 8:54:58 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/24/2006 8:54:58 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/24/2006 8:54:58 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 8:54:58 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/24/2006 8:54:58 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/24/2006 8:54:58 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/24/2006 8:54:58 PM Service Control Manager None 7036 N/A SHURAMAIN
Error 1/24/2006 8:54:58 PM Service Control Manager None 7000 N/A SHURAMAIN
Information 1/24/2006 8:54:25 PM eventlog None 6005 N/A SHURAMAIN
Information 1/24/2006 8:54:25 PM eventlog None 6009 N/A SHURAMAIN
Information 1/24/2006 8:53:50 PM eventlog None 6006 N/A SHURAMAIN
Error 1/24/2006 8:53:48 PM DCOM None 10005 SYSTEM SHURAMAIN
Error 1/24/2006 8:50:36 PM DCOM None 10005 Shura SHURAMAIN
Error 1/24/2006 8:35:02 PM Service Control Manager None 7026 N/A SHURAMAIN
Error 1/24/2006 8:35:02 PM Service Control Manager None 7001 N/A SHURAMAIN
Error 1/24/2006 8:35:02 PM Service Control Manager None 7001 N/A SHURAMAIN
Error 1/24/2006 8:35:02 PM Service Control Manager None 7001 N/A SHURAMAIN
Error 1/24/2006 8:35:02 PM Service Control Manager None 7001 N/A SHURAMAIN
Error 1/24/2006 8:34:05 PM DCOM None 10005 SYSTEM SHURAMAIN
Error 1/24/2006 8:33:55 PM DCOM None 10005 Shura SHURAMAIN
Information 1/24/2006 8:33:17 PM eventlog None 6005 N/A SHURAMAIN
Information 1/24/2006 8:33:17 PM eventlog None 6009 N/A SHURAMAIN
Information 1/24/2006 1:23:45 AM eventlog None 6006 N/A SHURAMAIN
Error 1/24/2006 1:23:39 AM Service Control Manager None 7034 N/A SHURAMAIN
Information 1/24/2006 1:15:09 AM Windows File Protection None 64017 N/A SHURAMAIN
Information 1/24/2006 1:14:44 AM Windows File Protection None 64021 N/A SHURAMAIN
Information 1/24/2006 1:14:18 AM Application Popup None 26 N/A SHURAMAIN
Information 1/24/2006 12:54:26 AM Windows File Protection None 64016 N/A SHURAMAIN
Information 1/23/2006 10:57:43 PM Tcpip None 4201 N/A SHURAMAIN
Information 1/23/2006 10:56:55 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/23/2006 10:56:49 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/23/2006 10:56:49 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/23/2006 10:56:46 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/23/2006 10:56:41 PM Service Control Manager None 7035 Shura SHURAMAIN
Information 1/23/2006 10:56:41 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/23/2006 10:56:40 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/23/2006 10:56:40 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/23/2006 10:56:37 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/23/2006 10:56:37 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/23/2006 10:56:37 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/23/2006 10:56:37 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/23/2006 10:56:37 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/23/2006 10:56:37 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/23/2006 10:56:37 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/23/2006 10:56:37 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Error 1/23/2006 10:56:34 PM Service Control Manager None 7000 N/A SHURAMAIN
Information 1/23/2006 10:56:18 PM Tcpip None 4202 N/A SHURAMAIN
Information 1/23/2006 10:56:18 PM eventlog None 6005 N/A SHURAMAIN
Information 1/23/2006 10:56:18 PM eventlog None 6009 N/A SHURAMAIN
Information 1/23/2006 10:55:43 PM eventlog None 6006 N/A SHURAMAIN
Error 1/23/2006 10:55:40 PM DCOM None 10005 SYSTEM SHURAMAIN
Information 1/23/2006 10:55:18 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Information 1/23/2006 10:55:18 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/23/2006 10:20:05 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/23/2006 10:20:05 PM Service Control Manager None 7036 N/A SHURAMAIN
Information 1/23/2006 10:20:05 PM Service Control Manager None 7035 SYSTEM SHURAMAIN
Error 1/23/2006 10:20:05 PM Service Control Manager None 7026 N/A SHURAMAIN
Error 1/23/2006 10:18:49 PM DCOM None 10005 SYSTEM SHURAMAIN
Information 1/23/2006 10:18:21 PM eventlog None 6005 N/A SHURAMAIN
Information 1/23/2006 10:18:21 PM eventlog None 6009 N/A SHURAMAIN
Information 1/23/2006 10:08:47 PM Tcpip None 4201 N/A SHURAMAIN
Information 1/23/