Spy-Agent.n Trojan in winlogon.exe



#1
helpme6686

    New Member

  • Member
  • 7 posts
Hello,

First let me start by saying I don't exactly have a large amount of computer smarts, so be patient as I try to explain the problem as best as I can!

Yesterday morning I used Windows Update, and after it rebooted McAfee started finding C:\Windows\system32\windowslogon.exe as infected with the spy-agent.n trojan. However, it cannot be removed or quarantined by this, or by any of the other applications I have tried so far.

Note: This is a BRAND NEW computer. It actually just arrived the other day; it is beyond me how it is already infected. The only changes that have been made are Windows Update and installing 1 or 2 games, and that is about it. I have barely even begun to go around the net, so I am not sure where anything could have come from.

I saw the exact problem in another post, but wasn't certain if I should try the same fix, since the post was almost a year ago, and I also figured it would be smarter to wait and see what responses I get for my own problem.


Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 5:49:15 AM, on 7/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
c:\progra~1\mcafee.com\vso\mcmnhdlr.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\shared\mghtml.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Home\Desktop\HijackThis.exe

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


Currently this alert is going off nonstop. From the research I have done, winlogon.exe is a legitimate file in Windows, which may be why I am unable to delete it. However, McAfee continues to alert me that it is infected. Even if I click Ignore, it keeps popping up saying it is infected.

Hopefully someone here can find the problem. Thanks in advance.

Edited by helpme6686, 01 July 2006 - 06:50 AM.


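Added example (not part of the thread, and not code from HijackThis or McAfee): a small triage parser for the O4 (Run key) lines in the log posted above. It pulls out the hive, the value name and the file that actually executes, treating `RUNDLL32.EXE` lines specially because the DLL argument is the real payload there, and flags entries that give only a bare file name (here `CTHELPER.EXE`, `AGRSMMSG.exe` and `nwiz.exe`). Such entries are resolved by Windows through its search order, so a reader of the log cannot tell from the line alone which copy on disk runs; they are the ones to locate and check by hand. The sample lines are copied from the log; the classification rules are this example's own.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample: O4 lines copied from the HijackThis log posted above.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
"""

# Shape of an O4 line:  O4 - <hive>\..\<key>: [<name>] <command>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)


@dataclass
class RunEntry:
    hive: str        # HKLM (every user) or HKCU (this user only)
    name: str        # value name shown in [brackets]
    command: str     # full command line as logged
    target: str      # the file that really runs: the DLL for rundll32 lines
    has_path: bool   # False when only a bare file name was given


def _split_command(cmd):
    """Return (first executable token, remaining arguments), honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd[1:], ""
        return cmd[1:end], cmd[end + 1:].strip()
    head, _, rest = cmd.partition(" ")
    return head, rest.strip()


def parse_o4(line):
    """Parse one O4 line; returns None for any other HijackThis line type."""
    m = O4_RE.match(line.strip())
    if m is None:
        return None
    exe, rest = _split_command(m["cmd"])
    target = exe
    if PureWindowsPath(exe).name.lower() == "rundll32.exe" and rest:
        # rundll32 is only the host; the DLL named before the comma is what loads
        target = rest.split(",", 1)[0].strip().strip('"')
    has_path = ":\\" in target or target.startswith("\\\\")
    return RunEntry(m["hive"], m["name"], m["cmd"], target, has_path)


def parse_log(text):
    entries = (parse_o4(line) for line in text.splitlines() if line.strip())
    return [e for e in entries if e is not None]


def bare_executables(text):
    """Targets given without a directory. Windows resolves these through its
    search order, so the copy that really runs must be located on disk."""
    return [e.target for e in parse_log(text) if not e.has_path]


if __name__ == "__main__":
    for e in parse_log(SAMPLE_O4):
        flag = "" if e.has_path else "   <- no directory given, locate on disk"
        print(f"{e.hive:<4} {e.name:<14} {e.target}{flag}")
```

In this particular log the three bare entries belong to the sound-card, modem and display-driver software the machine shipped with, which is the usual explanation; the parser's job is only to make sure they get looked at rather than skipped because the line looked ordinary.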


#2
Wizard

    Retired Staff

  • 5,661 posts
Hi helpme6686 and Welcome to GeekstoGo!


Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.

Now go to the HijackThis folder and Right Click HijackThis.exe

Select Rename and Rename it to look.exe

Double Click look.exe to launch HijackThis

Do a System Scan and Save a Logfile


Post those results along with the CureIt log in the next reply.

#3
helpme6686

    New Member

  • Topic Starter
  • Member
  • 7 posts
Thanks for the response, that did find some things McAfee and others didn't.

Here are the results.

DrWeb Log:

lo1718839003.exe;C:\;Trojan.DownLoader.9654;Deleted.;
makepak.exe;C:\Program Files\Steam\bin;Trojan.Classic;Deleted.;
A0003087.exe;C:\System Volume Information\_restore{FD87CD0B-B08C-4DC0-885E-D3F4EEE08A24}\RP19;Trojan.DownLoader.9654;Deleted.;
A0003092.exe;C:\System Volume Information\_restore{FD87CD0B-B08C-4DC0-885E-D3F4EEE08A24}\RP19;Trojan.Classic;Deleted.;

HiJackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 11:03:49 AM, on 7/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Steam\steam.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\look.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
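Added example (not part of the thread, and not Dr.Web's own code): a parser for the `DrWeb.csv` report format seen above, one `name;directory;threat;action;` record per line. It joins each record back into a full path and separates live files from the copies System Restore keeps under `System Volume Information\_restore{...}`. That split matters to a defender: the two `A000xxxx.exe` entries are restore-point copies of the two live detections, so the restore point `RP19` would reintroduce both trojans if it were ever used. The sample text is the report posted above; the record layout is what the lines themselves show.

```python
import csv
import io
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample: the four lines of the DrWeb.csv report posted above.
SAMPLE_DRWEB = r"""
lo1718839003.exe;C:\;Trojan.DownLoader.9654;Deleted.;
makepak.exe;C:\Program Files\Steam\bin;Trojan.Classic;Deleted.;
A0003087.exe;C:\System Volume Information\_restore{FD87CD0B-B08C-4DC0-885E-D3F4EEE08A24}\RP19;Trojan.DownLoader.9654;Deleted.;
A0003092.exe;C:\System Volume Information\_restore{FD87CD0B-B08C-4DC0-885E-D3F4EEE08A24}\RP19;Trojan.Classic;Deleted.;
""".strip()

# Any path below this folder is a System Restore snapshot, not a file in use.
RESTORE_MARKER = "\\system volume information\\_restore"


@dataclass
class Detection:
    path: str
    threat: str
    action: str
    in_restore_point: bool


def parse_drweb(text):
    """Parse Dr.Web CureIt's report: name;directory;threat;action; per line.
    The trailing ';' yields an empty fifth field, which is ignored."""
    found = []
    for row in csv.reader(io.StringIO(text), delimiter=";"):
        if len(row) < 4 or not row[0]:
            continue
        name, directory, threat, action = row[:4]
        path = str(PureWindowsPath(directory) / name)
        found.append(Detection(path, threat, action.rstrip("."),
                               RESTORE_MARKER in path.lower()))
    return found


def summarize(detections):
    """Group detections into live files, restore-point copies and a per-threat count."""
    live = [d for d in detections if not d.in_restore_point]
    snapshots = [d for d in detections if d.in_restore_point]
    return {
        "live": live,
        "restore_point": snapshots,
        "by_threat": dict(Counter(d.threat for d in detections)),
    }


if __name__ == "__main__":
    report = summarize(parse_drweb(SAMPLE_DRWEB))
    print("live files:")
    for d in report["live"]:
        print(f"  {d.threat:<24} {d.action:<8} {d.path}")
    print("restore-point copies (snapshot would reintroduce these):")
    for d in report["restore_point"]:
        print(f"  {d.threat:<24} {d.action:<8} {d.path}")
    print("by threat:", report["by_threat"])
```

A live detection inside an installed program's own directory (`Steam\bin` here) deserves a second-opinion scan before the product is treated as compromised, whereas the restore-point copies need no judgement call: once the live copies are gone, the snapshot is only a way to get them back.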

#4
Wizard

    Retired Staff

  • 5,661 posts
Go ahead and Rename HijackThis back to its original name (HijackThis.exe)


Download GMER from Here

Right Click the Zip and Select "Extract All"

Double Click gmer.exe to launch the program.

Click on the Rootkit Tab and then click Scan.

It takes a while to run. Once complete, copy the results to Notepad and save them somewhere safe.

Post those results in the next reply.

#5
helpme6686

    New Member

  • Topic Starter
  • Member
  • 7 posts
GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-07-03 12:47:05
Windows 5.1.2600 Service Pack 2


---- Files - GMER 1.0.10 ----

File C:\System Volume Information\MountPointManagerRemoteDatabase
File C:\System Volume Information\tracking.log
File C:\System Volume Information\_restore{FD87CD0B-B08C-4DC0-885E-D3F4EEE08A24}

---- EOF - GMER 1.0.10 ----

#6
Wizard

    Retired Staff

  • 5,661 posts
By chance can you see this file--> C:\Windows\system32\windowslogon.exe


Open the Search Assistant (click Start > Search), select All Files and Folders, select Advanced Options, and make sure there is a check in every box under Advanced Options.

Under "All or Part of the file name"--> Enter windowslogon.exe for a search of the system.

If found, right-click on the file and select Delete.


Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the Instruction on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan.
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.


#7
helpme6686

    New Member

  • Topic Starter
  • Member
  • 7 posts
I apologize, I made a typo in the very first post.

The file McAfee is finding infected with the spy-agent.n trojan is winlogon.exe, NOT windowslogon.exe (this file does not exist). I will edit my original post to prevent any further confusion with that. Again, I apologize.

I can see winlogon.exe in my system32 folder. Should I still attempt to delete it?

F-Secure Online Scan Log

Monday, July 03, 2006 17:46:11 - 18:12:44
Computer name: ADMIN
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\


--------------------------------------------------------------------------------

Result: 35 malware found
Tracking Cookie (spyware)
System (Disinfected)
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 20736
System: 3607
Not scanned: 4
Actions:
Disinfected: 1
Renamed: 0
Deleted: 0
None: 34
Submitted: 0
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\WINLOGON.EXE
C:\WINDOWS\SYSTEM32\DLLCACHE\WINLOGON.EXE
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
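Added example (not part of the thread, and not F-Secure's or McAfee's code), prompted by the question above about deleting winlogon.exe and by the report listing both `C:\WINDOWS\SYSTEM32\WINLOGON.EXE` and `C:\WINDOWS\SYSTEM32\DLLCACHE\WINLOGON.EXE` as not scanned. winlogon.exe is the Windows logon process; removing it leaves the machine unable to log on, so the check a practitioner wants before touching it is whether the running copy still matches the backup Windows File Protection keeps in `dllcache`. This example hashes both copies with SHA-256 in chunks, reports a match, a mismatch, or that a copy could not be read (locked, missing, access denied), and records sizes as well, since two files of equal size can still differ. The two real paths are taken from the report; `demo()` runs only on constructed temporary files and never touches a real system binary.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Paths from the F-Secure report above: the live binary and the Windows File
# Protection backup of it. They are printed for reference, not opened, here.
LIVE_COPY = r"C:\WINDOWS\SYSTEM32\WINLOGON.EXE"
CACHE_COPY = r"C:\WINDOWS\SYSTEM32\DLLCACHE\WINLOGON.EXE"


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in fixed-size chunks so large binaries stay out of memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_copies(live_path, cache_path):
    """Compare a flagged system binary with its dllcache backup.

    status is 'match', 'mismatch' or 'unreadable'. An unreadable copy is worth
    recording on its own: the scanner above reported both copies as not scanned."""
    result = {"live": str(live_path), "cache": str(cache_path)}
    try:
        live_hash, cache_hash = sha256_file(live_path), sha256_file(cache_path)
        result["live_size"] = os.path.getsize(live_path)
        result["cache_size"] = os.path.getsize(cache_path)
    except OSError as exc:  # missing file, sharing violation, access denied
        result["status"] = "unreadable"
        result["reason"] = f"{type(exc).__name__}: {exc}"
        return result
    result["live_sha256"] = live_hash
    result["cache_sha256"] = cache_hash
    result["status"] = "match" if live_hash == cache_hash else "mismatch"
    return result


def demo():
    """Run the comparison on constructed files (a stand-in for a binary, not a
    real winlogon.exe). Returns the three results keyed by scenario."""
    pe_like = b"MZ" + bytes(range(256)) * 64  # constructed, 16386 bytes
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "dllcache").mkdir()
        cache = root / "dllcache" / "winlogon.exe"
        cache.write_bytes(pe_like)
        intact = root / "winlogon.exe"
        intact.write_bytes(pe_like)
        altered = root / "winlogon_altered.exe"
        altered.write_bytes(pe_like[:-1] + b"\x00")  # same size, one byte differs
        return {
            "identical": compare_copies(intact, cache),
            "altered": compare_copies(altered, cache),
            "missing": compare_copies(root / "absent.exe", cache),
        }


if __name__ == "__main__":
    for scenario, r in demo().items():
        print(f"{scenario:<10} {r['status']:<10} {r.get('reason', '')}")
    print("On the affected machine the call would be:")
    print(f"  compare_copies(r'{LIVE_COPY}', r'{CACHE_COPY}')")
```

A match only shows that the two on-disk copies agree with each other; malware that replaces a protected file can replace the dllcache copy too, and a rootkit can hide changes from this kind of read. The conclusive step is comparing the hash against a known-good reference for that exact file version, which this example does not have, so it narrows the question rather than settling it.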

#8
Wizard

    Retired Staff

  • 5,661 posts
Download WinPFind to your C Drive.
http://download.blee...r/winpfind2.zip

Right Click the Zip Folder and Select "Extract All"

Don't use it yet

Reboot into SAFE MODE(Tap F8 when restarting)

From the WinPFind folder-> Doubleclick WinPFind.exe to launch the program.

Under File Options, click the Select All tab.

Now, click the "Files" tab at the top and click "Scan Files".

The scan will take a few minutes to complete.

Once you see Scan Complete, click Configuration and then click Export to Text.

Click Yes to the prompt that follows and this will generate a log in the WinPFind folder


Restart Normal and post the log from WinPFind please.

#9
helpme6686

    New Member

  • Topic Starter
  • Member
  • 7 posts
Logfile created on: 07/04/2006 12:47
WinPFind2 - PreRelease 1.3.0 Folder = C:\winpfind2\
Microsoft Windows XP (Version = Service Pack 2)
Internet Explorer (Version - 6.0.2900.2180)





Files
Full Path Details
%SystemDrive%
%ProgramFilesDir%
%WinDir%
%System%
C:\WINDOWS\SYSTEM32\d3dx9_25.dll D3DXUVAtlasPack Microsoft Corporation [Ver = 9.06.168.0000 / Size = 2337488 bytes] 03/18/2005 20:19
C:\WINDOWS\SYSTEM32\d3dx9_27.dll D3DXUVAtlasPack Microsoft Corporation [Ver = 9.08.299.0000 / Size = 2319568 bytes] 07/22/2005 22:59
C:\WINDOWS\SYSTEM32\dfrg.msc AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213 [Ver = / Size = 41397 bytes] 10/08/2004 08:01
C:\WINDOWS\SYSTEM32\MRT.exe (PeCompact2) Microsoft Corporation [Ver = 1.17.1478.0 / Size = 5967776 bytes] 06/08/2006 21:19
C:\WINDOWS\SYSTEM32\MRT.exe (ASPack) Microsoft Corporation [Ver = 1.17.1478.0 / Size = 5967776 bytes] 06/08/2006 21:19
C:\WINDOWS\SYSTEM32\ntdll.dll .aspack Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 708096 bytes]10/08/2004 08:01
C:\WINDOWS\SYSTEM32\rasdlg.dll \DuMonitor SendMessage(WM_RASEVENT) doneMicrosoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 657920 bytes]10/08/2004 08:01
C:\WINDOWS\SYSTEM32\wbdbase.deu msubjsuchsullsupeswinsyncszens [Ver = / Size = 1309184 bytes] 10/08/2004 08:01
%System%\Drivers folder and sub-folders
%windir% + sub-dirs for System or Hidden files less than 60 days old
C:\WINDOWS\bootstat.dat [Ver = / Size = 2048 bytes] 07/04/2006 12:44 S
C:\WINDOWS\WindowsShell.Manifest [Ver = / Size = 749 bytes] 06/23/2006 11:59 RH
C:\WINDOWS\assembly\Desktop.ini [Ver = / Size = 227 bytes] 06/23/2006 11:57 RHS
C:\WINDOWS\Downloaded Program Files\desktop.ini [Ver = / Size = 65 bytes] 06/23/2006 11:59 H
C:\WINDOWS\Fonts\desktop.ini [Ver = / Size = 67 bytes] 06/23/2006 12:00 HS
C:\WINDOWS\inf\oem38.inf [Ver = / Size = 0 bytes] 06/29/2006 11:48 H
C:\WINDOWS\Offline Web Pages\desktop.ini [Ver = / Size = 65 bytes] 06/23/2006 11:59 H
C:\WINDOWS\pchealth\helpctr\PackageStore\package_1.cab [Ver = / Size = 727 bytes] 06/23/2006 11:59 RHS
C:\WINDOWS\pchealth\helpctr\PackageStore\package_2.cab [Ver = / Size = 19854 bytes] 06/23/2006 11:59 RHS
C:\WINDOWS\pchealth\helpctr\PackageStore\package_3.cab [Ver = / Size = 244933 bytes] 06/23/2006 11:59 RHS
C:\WINDOWS\repair\ntuser.dat [Ver = / Size = 229376 bytes] 06/23/2006 12:00 H
C:\WINDOWS\system32\cdplayer.exe.manifest [Ver = / Size = 749 bytes] 06/23/2006 11:59 RH
C:\WINDOWS\system32\logonui.exe.manifest [Ver = / Size = 488 bytes] 06/23/2006 11:59 RH
C:\WINDOWS\system32\ncpa.cpl.manifest [Ver = / Size = 749 bytes] 06/23/2006 11:59 RH
C:\WINDOWS\system32\nwc.cpl.manifest [Ver = / Size = 749 bytes] 06/23/2006 11:59 RH
C:\WINDOWS\system32\sapi.cpl.manifest [Ver = / Size = 749 bytes] 06/23/2006 11:59 RH
C:\WINDOWS\system32\WindowsLogon.manifest [Ver = / Size = 488 bytes] 06/23/2006 11:59 RH
C:\WINDOWS\system32\wuaucpl.cpl.manifest [Ver = / Size = 749 bytes] 06/23/2006 11:59 RH
C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911280.cat [Ver = / Size = 13309 bytes] 06/22/2006 07:18 S
C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB916281.cat [Ver = / Size = 23751 bytes] 05/29/2006 12:16 S
C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB917344.cat [Ver = / Size = 10925 bytes] 05/18/2006 03:15 S
C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918439.cat [Ver = / Size = 11043 bytes] 06/01/2006 16:28 S
C:\WINDOWS\system32\config\default.LOG [Ver = / Size = 8192 bytes] 07/04/2006 12:44 H
C:\WINDOWS\system32\config\SAM.LOG [Ver = / Size = 1024 bytes] 07/04/2006 12:44 H
C:\WINDOWS\system32\config\SECURITY.LOG [Ver = / Size = 12288 bytes] 07/04/2006 12:44 H
C:\WINDOWS\system32\config\software.LOG [Ver = / Size = 69632 bytes] 07/04/2006 12:44 H
C:\WINDOWS\system32\config\system.LOG [Ver = / Size = 847872 bytes] 07/04/2006 12:44 H
C:\WINDOWS\system32\config\TempKey.LOG [Ver = / Size = 1024 bytes] 06/23/2006 04:46 H
C:\WINDOWS\system32\config\userdiff.LOG [Ver = / Size = 1024 bytes] 06/23/2006 04:46 H
C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG [Ver = / Size = 1024 bytes] 06/30/2006 23:41 H
C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini [Ver = / Size = 62 bytes] 06/23/2006 04:48 HS
C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\3C83474D61E624A4F9844DF935AFE217 [Ver = / Size = 569 bytes] 06/23/2006 12:44 S
C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\904590238400AD963F77FAAAADC9BAB5 [Ver = / Size = 574 bytes] 06/23/2006 13:09 S
C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\3C83474D61E624A4F9844DF935AFE217 [Ver = / Size = 142 bytes] 06/23/2006 12:44 S
C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\904590238400AD963F77FAAAADC9BAB5 [Ver = / Size = 136 bytes] 06/23/2006 13:09 S
C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Desktop.htt [Ver = / Size = 2712 bytes] 06/23/2006 13:06 HS
C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini [Ver = / Size = 170 bytes] 06/23/2006 12:08 HS
C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Protect\CREDHIST [Ver = / Size = 24 bytes] 06/23/2006 12:11 HS
C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Protect\S-1-5-21-602162358-484061587-839522115-500\872b089f-b9ad-457a-aa2c-0e99638a999a [Ver = / Size = 388 bytes] 06/23/2006 12:11 HS
C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Protect\S-1-5-21-602162358-484061587-839522115-500\Preferred [Ver = / Size = 24 bytes] 06/23/2006 12:11 HS
C:\WINDOWS\system32\config\systemprofile\Favorites\Desktop.ini [Ver = / Size = 122 bytes] 06/23/2006 12:08 HS
C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini [Ver = / Size = 62 bytes] 06/23/2006 13:07 HS
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\IconCache.db [Ver = / Size = 3721278 bytes] 06/23/2006 13:24 H
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat [Ver = / Size = 262144 bytes] 06/23/2006 13:24 H
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG [Ver = / Size = 1024 bytes] 06/23/2006 13:24 H
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini [Ver = / Size = 113 bytes] 06/29/2006 12:14 HS
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini [Ver = / Size = 113 bytes] 06/29/2006 12:14 HS
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini [Ver = / Size = 67 bytes] 06/29/2006 12:14 HS
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini [Ver = / Size = 67 bytes] 06/29/2006 12:14 HS
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\05CN4XPG\desktop.ini [Ver = / Size = 67 bytes] 06/29/2006 12:14 HS
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2IEKP28Z\desktop.ini [Ver = / Size = 67 bytes] 06/29/2006 12:14 HS
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\E0H9WCJ4\desktop.ini [Ver = / Size = 67 bytes] 06/29/2006 12:14 HS
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YY5ALQPF\desktop.ini [Ver = / Size = 67 bytes] 06/29/2006 12:14 HS
C:\WINDOWS\system32\config\systemprofile\My Documents\desktop.ini [Ver = / Size = 84 bytes] 06/23/2006 12:08 HS
C:\WINDOWS\system32\config\systemprofile\My Documents\My Music\Desktop.ini [Ver = / Size = 189 bytes] 06/23/2006 12:08 HS
C:\WINDOWS\system32\config\systemprofile\My Documents\My Pictures\Desktop.ini [Ver = / Size = 191 bytes] 06/23/2006 12:08 HS
C:\WINDOWS\system32\config\systemprofile\Recent\Desktop.ini [Ver = / Size = 150 bytes] 06/23/2006 12:08 HS
C:\WINDOWS\system32\config\systemprofile\SendTo\desktop.ini [Ver = / Size = 181 bytes] 06/23/2006 11:59 HS
C:\WINDOWS\system32\config\systemprofile\Start Menu\desktop.ini [Ver = / Size = 62 bytes] 06/23/2006 04:48 HS
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\desktop.ini [Ver = / Size = 234 bytes] 06/23/2006 12:08 HS
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini [Ver = / Size = 542 bytes] 06/23/2006 12:08 HS
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini [Ver = / Size = 348 bytes] 06/23/2006 12:00 HS
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini [Ver = / Size = 84 bytes] 06/23/2006 12:00 HS
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini [Ver = / Size = 84 bytes] 06/23/2006 12:00 HS
C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\54564b4d-0d15-416e-9e92-fa51b8630cef [Ver = / Size = 388 bytes] 06/23/2006 12:04 HS
C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred [Ver = / Size = 24 bytes] 06/23/2006 12:04 HS
C:\WINDOWS\Tasks\SA.DAT [Ver = / Size = 6 bytes] 07/04/2006 12:43 H
C:\WINDOWS\Temp\History\History.IE5\desktop.ini [Ver = / Size = 113 bytes] 06/29/2006 12:17 HS
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini [Ver = / Size = 67 bytes] 06/29/2006 12:17 HS
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\0J2ZM1O7\desktop.ini [Ver = / Size = 67 bytes] 06/29/2006 12:17 HS
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\MXCLMD6X\desktop.ini [Ver = / Size = 67 bytes] 06/29/2006 12:17 HS
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\UFQTEHEN\desktop.ini [Ver = / Size = 67 bytes] 06/29/2006 12:17 HS
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\UXKFK583\desktop.ini [Ver = / Size = 67 bytes] 06/29/2006 12:17 HS
CPL files
C:\WINDOWS\SYSTEM32\access.cpl Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 68608 bytes]10/08/2004 08:01
C:\WINDOWS\SYSTEM32\alsndmgr.cpl Realtek Semiconductor Corp. [Ver = 2.2.0.44 / Size = 18726912 bytes] 05/18/2005 19:17 R
C:\WINDOWS\SYSTEM32\appwiz.cpl Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 549888 bytes]10/08/2004 08:01
C:\WINDOWS\SYSTEM32\bthprops.cpl Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 110592 bytes]10/08/2004 08:01
C:\WINDOWS\SYSTEM32\desk.cpl Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 135168 bytes]10/08/2004 08:01
C:\WINDOWS\SYSTEM32\firewall.cpl Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 80384 bytes]10/08/2004 08:01
C:\WINDOWS\SYSTEM32\hdwwiz.cpl Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 155136 bytes]10/08/2004 08:01
C:\WINDOWS\SYSTEM32\inetcpl.cpl Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) / Size = 358400 bytes]10/08/2004 08:01
C:\WINDOWS\SYSTEM32\intl.cpl Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 129536 bytes]10/08/2004 08:01
C:\WINDOWS\SYSTEM32\irprops.cpl Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 380416 bytes]10/08/2004 08:01
C:\WINDOWS\SYSTEM32\joy.cpl Microsoft Corporation [Ver = 5.03.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 68608 bytes]10/08/2004 08:01
C:\WINDOWS\SYSTEM32\main.cpl Microsoft Corporation [Ver = 5.1.2403.1 / Size = 187904 bytes] 10/08/2004 08:01
C:\WINDOWS\SYSTEM32\mmsys.cpl Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 618496 bytes]10/08/2004 08:01
C:\WINDOWS\SYSTEM32\ncpa.cpl Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) / Size = 35840 bytes] 10/08/2004 08:01
C:\WINDOWS\SYSTEM32\netsetup.cpl Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 25600 bytes]10/08/2004 08:01
C:\WINDOWS\SYSTEM32\nusrmgr.cpl Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) / Size = 257024 bytes]10/08/2004 08:01
C:\WINDOWS\SYSTEM32\nvtuicpl.cpl [Ver = / Size = 73728 bytes] 02/14/2006 01:05
C:\WINDOWS\SYSTEM32\nwc.cpl Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) / Size = 36864 bytes] 10/08/2004 08:01
C:\WINDOWS\SYSTEM32\odbccp32.cpl Microsoft Corporation [Ver = 3.525.1117.0 (xpsp_sp2_rtm.040803-2158) / Size = 32768 bytes] 10/08/2004 08:01
C:\WINDOWS\SYSTEM32\powercfg.cpl Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) / Size = 114688 bytes]10/08/2004 08:01
C:\WINDOWS\SYSTEM32\sysdm.cpl Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 298496 bytes]10/08/2004 08:01
C:\WINDOWS\SYSTEM32\telephon.cpl Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) / Size = 28160 bytes] 10/08/2004 08:01
C:\WINDOWS\SYSTEM32\timedate.cpl Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 94208 bytes]10/08/2004 08:01
C:\WINDOWS\SYSTEM32\wscui.cpl Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 148480 bytes]10/08/2004 08:01
C:\WINDOWS\SYSTEM32\wuaucpl.cpl Microsoft Corporation [Ver = 5.8.0.2469 built by: lab01_n(wmbla) / Size = 174360 bytes] 05/26/2005 07:16
C:\WINDOWS\SYSTEM32\dllcache\access.cpl Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 68608 bytes]10/08/2004 08:01
C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 549888 bytes]10/08/2004 08:01
C:\WINDOWS\SYSTEM32\dllcache\desk.cpl Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 135168 bytes]10/08/2004 08:01
C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 80384 bytes]10/08/2004 08:01
C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 155136 bytes]10/08/2004 08:01
C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) / Size = 358400 bytes]10/08/2004 08:01
C:\WINDOWS\SYSTEM32\dllcache\intl.cpl Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 129536 bytes]10/08/2004 08:01
C:\WINDOWS\SYSTEM32\dllcache\joy.cpl Microsoft Corporation [Ver = 5.03.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 68608 bytes]10/08/2004 08:01
C:\WINDOWS\SYSTEM32\dllcache\main.cpl Microsoft Corporation [Ver = 5.1.2403.1 / Size = 187904 bytes] 10/08/2004 08:01
C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 618496 bytes]10/08/2004 08:01
C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) / Size = 35840 bytes] 10/08/2004 08:01
C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 25600 bytes]10/08/2004 08:01
C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) / Size = 257024 bytes]10/08/2004 08:01
C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) / Size = 36864 bytes] 10/08/2004 08:01
C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl Microsoft Corporation [Ver = 3.525.1117.0 (xpsp_sp2_rtm.040803-2158) / Size = 32768 bytes] 10/08/2004 08:01
C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) / Size = 114688 bytes]10/08/2004 08:01
C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl Microsoft Corporation [Ver = 5.1.4111.00 (xpsp_sp2_rtm.040803-2158) / Size = 155648 bytes]10/08/2004 08:01
C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 298496 bytes]10/08/2004 08:01
C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) / Size = 28160 bytes] 10/08/2004 08:01
C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 94208 bytes]10/08/2004 08:01
C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 148480 bytes]10/08/2004 08:01
C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl Microsoft Corporation [Ver = 5.4.3790.2180 (xpsp_sp2_rtm.040803-2158) / Size = 162304 bytes]10/08/2004 08:01
AllUsers Startup Folder
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini [Ver = / Size = 84 bytes] 06/23/2006 12:00 HS
AllUsers ApplicationData Folder
C:\Documents and Settings\All Users\Application Data\desktop.ini [Ver = / Size = 62 bytes] 06/23/2006 04:48 HS
CurrentUser Startup Folder
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini [Ver = / Size = 84 bytes] 06/23/2006 12:00 HS
CurrentUser ApplicationData Folder
C:\Documents and Settings\Administrator\Application Data\desktop.ini [Ver = / Size = 62 bytes] 06/23/2006 04:48 HS
DPF files
{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} McAfee.com Operating System Class - CodeBase = http://download.mcaf...01/mcinsctl.cab
{9D190AE6-C81E-4039-8061-978EBAD10073} F-Secure Online Scanner 3.0 - CodeBase = http://support.f-sec.../ols3/fscax.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} - CodeBase = http://fpdownload.ma...ash/swflash.cab
Microsoft XML Parser for Java - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab
Hosts file = 734 bytes. Reading all entries.
# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

Edited by helpme6686, 04 July 2006 - 10:50 AM.

#10
Wizard
    Retired Staff
  • 5,661 posts
OK, let's go back to safe mode and run WinPFind again.

Click Select All under the Registry Options

Click the registry tab at the top then click Scan Registry

Once completed, click Configuration and click the Export to Text tab.

The new log will be generated in the WinPFind folder.


Restart Normal and post those results.


From the F-Secure scan I can see something is going on with Winlogon, but I'm not sure what just yet.


Are you having any more alerts from McAfee?
#11
helpme6686
    New Member
  • Topic Starter
  • 7 posts
I apologize for the late response; it was a busy day. I appreciate your help in trying to solve the issue. And to answer your question, yes, McAfee is still giving the alerts nonstop.

Here is the Registry Scan log.

Logfile created on: 07/06/2006 01:24
WinPFind2 - PreRelease 1.3.0 Folder = C:\winpfind2\
Microsoft Windows XP (Version = Service Pack 2)
Internet Explorer (Version - 6.0.2900.2180)



Registry Entries
Key Value Version Info
WinPFind2 - PreRelease 1.3.0
Microsoft Windows XP Version = Service Pack 2
Internet Explorer Version = 6.0.2900.2180
Internet Explorer Settings
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page http://www.microsoft...p...ER}&ar=home
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Search Page http://www.microsoft...amp;ar=iesearch
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Default Page http://www.microsoft...p...&ar=msnhome
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Default Search http://www.microsoft...amp;ar=iesearch
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Local Page %SystemRoot%\system32\blank.htm
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Search Page
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Local Page
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride
BHO's
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7} Google Toolbar Helper = c:\program files\google\googletoolbar2.dll (Google Inc. [Ver = 3, 0, 131, 0 / Size = 1191424 bytes])
Internet Explorer Bars, Toolbars and Extensions
HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376} &Tip of the Day = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation [Ver = 6.00.2900.2919 (xpsp.060529-0207) / Size = 1496576 bytes])
HKLM\SOFTWARE\Microsoft\Internet Explorer\ToolBar\\{2318C2B1-4965-11d4-9B18-009027A5CD4F} &Google = c:\program files\google\googletoolbar2.dll (Google Inc. [Ver = 3, 0, 131, 0 / Size = 1191424 bytes])
HKLM\SOFTWARE\Microsoft\Internet Explorer\ToolBar\\{BA52B914-B692-46c4-B683-905236F6F655} McAfee VirusScan = c:\progra~1\mcafee.com\vso\mcvsshl.dll (McAfee, Inc. [Ver = 10, 0, 0, 19 / Size = 114688 bytes])
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683} ButtonText: Messenger = C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation [Ver = 4.7.3001 / Size = 1694208 bytes])
HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} &Address = %SystemRoot%\system32\browseui.dll (Microsoft Corporation [Ver = 6.00.2900.2904 (xpsp.060509-0230) / Size = 1022976 bytes])
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} &Address = %SystemRoot%\system32\browseui.dll (Microsoft Corporation [Ver = 6.00.2900.2904 (xpsp.060509-0230) / Size = 1022976 bytes])
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation [Ver = 6.00.2900.2869 (xpsp_sp2_gdr.060316-1512) / Size = 8452096 bytes])
Approved Shell Extensions (Non-Microsoft only)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1CDB2949-8F65-4355-8456-263E7C208A5D} Desktop Explorer = C:\WINDOWS\system32\nvshell.dll ( [Ver = / Size = 466944 bytes])
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1E9B04FB-F9E5-4718-997B-B8DA88302A47} = C:\WINDOWS\system32\nvshell.dll ( [Ver = / Size = 466944 bytes])
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1E9B04FB-F9E5-4718-997B-B8DA88302A48} nView Desktop Context Menu = C:\WINDOWS\system32\nvshell.dll ( [Ver = / Size = 466944 bytes])
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{42071714-76d4-11d1-8b24-00a0c9068ff3} Display Panning CPL Extension = deskpan.dll (File not found)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{88895560-9AA2-1069-930E-00AA0030EBC8} HyperTerminal Icon Ext = C:\WINDOWS\system32\hticons.dll (Hilgraeve, Inc. [Ver = 5.1.2600.0 / Size = 44544 bytes])
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A70C977A-BF00-412C-90B7-034C51DA2439} DesktopContext Class = C:\WINDOWS\system32\nvcpl.dll (NVIDIA Corporation [Ver = 6.14.10.8391 / Size = 7557120 bytes])
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B41DB860-8EE4-11D2-9906-E49FADC173CA} WinRAR = C:\Program Files\WinRAR\rarext.dll ( [Ver = / Size = 125440 bytes])
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FFB699E0-306A-11d3-8BD1-00104B6F7516} NVIDIA CPL Extension = C:\WINDOWS\system32\nvcpl.dll (NVIDIA Corporation [Ver = 6.14.10.8391 / Size = 7557120 bytes])
ContextMenuHandlers (Non-Microsoft only)
HKCR\*\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022} = c:\progra~1\mcafee.com\vso\mcvsshl.dll (McAfee, Inc. [Ver = 10, 0, 0, 19 / Size = 114688 bytes])
HKCR\*\shellex\ContextMenuHandlers\WinRAR {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ( [Ver = / Size = 125440 bytes])
HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022} = c:\progra~1\mcafee.com\vso\mcvsshl.dll (McAfee, Inc. [Ver = 10, 0, 0, 19 / Size = 114688 bytes])
HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ( [Ver = / Size = 125440 bytes])
HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ( [Ver = / Size = 125440 bytes])
ColumnHandlers (Non-Microsoft only)
Registry Run Keys
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\AGRSMMSG AGRSMMSG.exe (Agere Systems [Ver = 2.1.63 2.1.63 12/12/2005 14:50:01 / Size = 88204 bytes])
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll" (Creative Technology Ltd. [Ver = 1.0.21.0 / Size = 49152 bytes])
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\CTDVDDET "C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE" (Creative Technology Ltd [Ver = 1.0.3.0 / Size = 45056 bytes])
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\CTHelper CTHELPER.EXE (Creative Technology Ltd [Ver = 2, 0, 0, 29 / Size = 16384 bytes])
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\CTSysVol C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r (Creative Technology Ltd [Ver = 1.4.2.0 / Size = 57344 bytes])
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ehTray C:\WINDOWS\ehome\ehtray.exe (Microsoft Corporation [Ver = 5.1.2710.2732 (xpsp(wmbla).050805-1239) / Size = 64512 bytes])
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\MCAgentExe c:\PROGRA~1\mcafee.com\agent\mcagent.exe (McAfee, Inc [Ver = 6, 0, 0, 16 / Size = 303104 bytes])
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\MCUpdateExe c:\PROGRA~1\mcafee.com\agent\mcupdate.exe (McAfee, Inc [Ver = 6, 0, 0, 21 / Size = 212992 bytes])
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh [Ver = 1, 0, 0, 2 / Size = 155648 bytes])
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\NvCplDaemon RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (File not found)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\NvMediaCenter RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit (File not found)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\nwiz nwiz.exe /install ( [Ver = / Size = 1519616 bytes])
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\OASClnt C:\Program Files\McAfee.com\VSO\oasclnt.exe (McAfee, Inc. [Ver = 10, 0, 0, 24 / Size = 53248 bytes])
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\UpdReg C:\WINDOWS\UpdReg.EXE (Creative Technology Ltd. [Ver = 1.0.2 / Size = 90112 bytes])
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\VirusScan Online C:\Program Files\McAfee.com\VSO\mcvsshld.exe (McAfee, Inc. [Ver = 10, 0, 0, 22 / Size = 163840 bytes])
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\VSOCheckTask "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask (McAfee, Inc. [Ver = 10, 0, 0, 20 / Size = 151552 bytes])
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ctfmon.exe C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 15360 bytes])
Startup Lnks
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ( [Ver = / Size = 84 bytes])
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini ( [Ver = / Size = 84 bytes])
Disabled MSConfig Items
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\MSMSGS msmsgs = "C:\Program Files\Messenger\msmsgs.exe" /background (Microsoft Corporation [Ver = 4.7.3001 / Size = 1694208 bytes])
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\Steam Steam = "C:\Program Files\Steam\Steam.exe" -silent (Valve Corporation [Ver = 1.0.0.0 / Size = 1249280 bytes])
User Agent Post Platform
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\\SV1
AppInit DLLs
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs (File not found)
Image File Execution Options
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path Debugger = ntsd -d
Shell Service Object Delay Load
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation [Ver = 6.00.2900.2869 (xpsp_sp2_gdr.060316-1512) / Size = 8452096 bytes])
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation [Ver = 6.00.2900.2869 (xpsp_sp2_gdr.060316-1512) / Size = 8452096 bytes])
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 121856 bytes])
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll (Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) / Size = 276480 bytes])
Shell Execute Hooks
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} URL Exec Hook = shell32.dll (Microsoft Corporation [Ver = 6.00.2900.2869 (xpsp_sp2_gdr.060316-1512) / Size = 8452096 bytes])
Winlogon
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit C:\WINDOWS\system32\userinit.exe, (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 24576 bytes])
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Explorer.exe (Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) / Size = 1032192 bytes])
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\System (File not found)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\crypt32chain crypt32.dll (Microsoft Corporation [Ver = 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 597504 bytes])
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\cryptnet cryptnet.dll (Microsoft Corporation [Ver = 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 63488 bytes])
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\cscdll cscdll.dll (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 101888 bytes])
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ScCertProp wlnotify.dll (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 92672 bytes])
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Schedule wlnotify.dll (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 92672 bytes])
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\sclgntfy sclgntfy.dll (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 20992 bytes])
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SensLogn WlNotify.dll (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 92672 bytes])
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\termsrv wlnotify.dll (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 92672 bytes])
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\wlballoon wlnotify.dll (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 92672 bytes])
DNS Name Servers
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{EA809C81-B594-4B87-92E8-040C618C1F5C} ()
Winsock2 Catalogs (Non-Microsoft only)
Protocol Handlers (Non-Microsoft only)
HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\ipp (File not found)
HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\msdaipp (File not found)
Protocol Filters (Non-Microsoft only)
#12
Wizard
    Retired Staff
  • 5,661 posts
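A defender-side triage of the WinPFind registry lines above, as an added example (not code from the thread, from WinPFind, or from its author): it parses the `key\\value target (publisher [Ver = ... / Size = ... bytes])` row format and flags the things a helper reads first in the Winlogon and Run sections. The expected UserInit/Shell values and the nine notify packages come from the posted log; the last sample row is constructed to exercise the non-baseline notify check and is not from the thread.

```python
"""Triage the registry lines WinPFind2 prints, looking at the autostart spots first."""
import re
from dataclasses import dataclass
from typing import Optional

# Trailer WinPFind appends to a value: "(File not found)" or
# "(<publisher> [Ver = <version> / Size = <n> bytes])"; publisher may be blank.
TRAILER_RE = re.compile(
    r"\s*\((?:(?P<notfound>File not found)|(?P<pub>[^\[]*?)\s*"
    r"\[Ver =\s*(?P<ver>.*?)\s*/ Size = (?P<size>\d+) bytes\])\)\s*$"
)
# Baseline for this XP SP2 box, copied from the log posted in the thread.
EXPECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"
EXPECTED_SHELL = "Explorer.exe"
BASELINE_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
                   "sclgntfy", "SensLogn", "termsrv", "wlballoon"}
AUTOSTART_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices)\\")
WINLOGON_RE = re.compile(r"\\Winlogon\\(\\)?([^ \\]+)(?:\s+(.*))?$")


@dataclass
class Entry:
    head: str                      # key path, value name and target as printed
    found: bool = True             # False when WinPFind printed "(File not found)"
    publisher: str = ""            # company name from the version resource, "" if none
    version: str = ""
    size: Optional[int] = None


def parse_line(line: str) -> Entry:
    """Split one registry line into its head and the version trailer."""
    m = TRAILER_RE.search(line)
    if not m:
        return Entry(head=line.strip())
    e = Entry(head=line[: m.start()].strip())
    if m.group("notfound"):
        e.found = False
    else:
        e.publisher = m.group("pub").strip()
        e.version = m.group("ver").strip()
        e.size = int(m.group("size"))
    return e


def winlogon_part(head: str):
    """(kind, name, target) for Winlogon entries, else None.
    kind is "value" for ...\\Winlogon\\\\Name (UserInit, Shell, System) and
    "notify" for ...\\Winlogon\\Subkey, the Notify packages loaded by winlogon.exe."""
    m = WINLOGON_RE.search(head)
    if not m:
        return None
    return ("value" if m.group(1) else "notify", m.group(2), (m.group(3) or "").strip())


def triage(lines):
    """Return findings a helper would want to look at; empty means nothing stood out."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw.startswith("HK"):
            continue                                   # section headers, startup .lnk rows
        e = parse_line(raw)
        wl = winlogon_part(e.head)
        if wl:
            kind, name, target = wl
            if kind == "value" and name == "UserInit" and target != EXPECTED_USERINIT:
                findings.append(f"HIGH: UserInit is '{target}', expected '{EXPECTED_USERINIT}'")
            elif kind == "value" and name == "Shell" and target != EXPECTED_SHELL:
                findings.append(f"HIGH: Shell is '{target}', expected '{EXPECTED_SHELL}'")
            elif kind == "notify" and name not in BASELINE_NOTIFY:
                findings.append(f"REVIEW: non-baseline Winlogon notify package {name} -> {target}")
            continue
        m = re.search(r"\\\\AppInit_DLLs(?:\s+(.*))?$", e.head)
        if m:                                          # an empty value prints as "(File not found)"
            if m.group(1):
                findings.append(f"REVIEW: AppInit_DLLs is set: {m.group(1)}")
            continue
        if not AUTOSTART_RE.search(e.head):
            continue
        if not e.found:
            findings.append(f"REVIEW: autostart target not found: {e.head}")
        elif not e.publisher:
            findings.append(f"REVIEW: autostart target has no publisher info: {e.head}")
    return findings


# Constructed sample: every row but the last is copied from the log in the thread; the
# last row is made up to exercise the non-baseline notify check and is NOT from the thread.
SAMPLE_LOG = [
    "Winlogon",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit C:\WINDOWS\system32\userinit.exe, (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 24576 bytes])",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Explorer.exe (Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) / Size = 1032192 bytes])",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\System (File not found)",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\crypt32chain crypt32.dll (Microsoft Corporation [Ver = 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 597504 bytes])",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs (File not found)",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\NvCplDaemon RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (File not found)",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\nwiz nwiz.exe /install ( [Ver = / Size = 1519616 bytes])",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\OASClnt C:\Program Files\McAfee.com\VSO\oasclnt.exe (McAfee, Inc. [Ver = 10, 0, 0, 24 / Size = 53248 bytes])",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\examplepkg C:\WINDOWS\system32\example_notify.dll ( [Ver = / Size = 16384 bytes])",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the rows copied from the thread it reports only the two Run entries (one target not found, one with no publisher info); the HIGH branches stay silent because UserInit and Shell match the XP defaults.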
Are you still getting alerts from McAfee?

I just can't see anything in these logs.


Let me see a HijackThis Start Up log.

Open HijackThis and Click the "Open Misc Tools Section" tab.

Select Generate StartUpList log and make sure that both boxes beside it are checked:

Put a check by:
List all minor sections(Full)
and
List Empty Sections(Complete)

It will produce a Notepad page; I need you to copy the entire contents of that page into your next reply.
#13
helpme6686
    New Member
  • Topic Starter
  • 7 posts
It's been a while since I last responded; hopefully you are still around to look at the most recent log. And yes, McAfee is still giving alerts.


StartupList report, 7/11/2006, 11:10:03 AM
StartupList version: 1.52.2
Started from : C:\HJT\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Home\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ehTray = C:\WINDOWS\ehome\ehtray.exe
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
CTDVDDET = "C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE"
CTSysVol = C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r
AudioDrvEmulator = "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
CTHelper = CTHELPER.EXE
UpdReg = C:\WINDOWS\UpdReg.EXE
VSOCheckTask = "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
VirusScan Online = C:\Program Files\McAfee.com\VSO\mcvsshld.exe
OASClnt = C:\Program Files\McAfee.com\VSO\oasclnt.exe
MCAgentExe = c:\PROGRA~1\mcafee.com\agent\mcagent.exe
MCUpdateExe = c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
AGRSMMSG = AGRSMMSG.exe
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
CleanUp = C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[KB910393] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\EasyCDBlock.inf,PerUserInstall

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{407408d4-94ed-4d86-ab69-a7f649d112ee}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection QuickLaunchShortcut 640 %systemroot%\inf\mcdftreg.inf

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - c:\program files\google\googletoolbar2.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[McAfee.com Operating System Class]
InProcServer32 = C:\WINDOWS\system32\mcinsctl.dll
CODEBASE = http://download.mcaf...01/mcinsctl.cab

[Java Plug-in 1.5.0_03]
InProcServer32 = C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[F-Secure Online Scanner 3.0]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\fscax.dll
CODEBASE = http://support.f-sec.../ols3/fscax.cab

[Java Plug-in 1.5.0_03]
InProcServer32 = C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9.ocx
CODEBASE = http://fpdownload.ma...ash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: system32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD: \SystemRoot\System32\drivers\afd.sys (system)
Agere Systems Soft Modem: system32\DRIVERS\AGRSM.sys (manual start)
Alerter: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: system32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: system32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: system32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: system32\DRIVERS\audstub.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
CD-ROM Driver: system32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
COM+ System Application: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Creative AC3 Software Decoder: system32\drivers\ctac32k.sys (manual start)
Creative Audio Driver (WDM): system32\drivers\ctaud2k.sys (manual start)
Creative DVD-Audio Device Driver: system32\drivers\ctdvda2k.sys (manual start)
Creative Proxy Driver: system32\drivers\ctprxy2k.sys (manual start)
Creative SoundFont Management Device Driver: system32\drivers\ctsfm2k.sys (manual start)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Disk Driver: system32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Media Center Receiver Service: C:\WINDOWS\eHome\ehRecvr.exe (autostart)
Media Center Scheduler Service: C:\WINDOWS\eHome\ehSched.exe (autostart)
E-mu Plug-in Architecture Driver: system32\drivers\emupia2k.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\system32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: system32\DRIVERS\fdc.sys (manual start)
FltMgr: system32\DRIVERS\fltMgr.sys (system)
Volume Manager Driver: system32\DRIVERS\ftdisk.sys (system)
Gmer: System32\DRIVERS\gmer.sys (manual start)
Generic Packet Classifier: system32\DRIVERS\msgpc.sys (manual start)
Creative Hardware Abstract Layer Driver: system32\drivers\ha10kx2k.sys (manual start)
Creative P16V HAL Driver: system32\drivers\hap16v2k.sys (manual start)
Creative P17V HAL Driver: system32\drivers\hap17v2k.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: system32\DRIVERS\hidusb.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: system32\DRIVERS\i8042prt.sys (system)
CD-Burning Filter Driver: system32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\system32\imapi.exe (manual start)
IPv6 Windows Firewall Driver: system32\DRIVERS\Ip6Fw.sys (manual start)
IP Traffic Filter Driver: system32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: system32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: system32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: system32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: system32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: system32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: system32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
McAfee WSC Integration: c:\program files\mcafee.com\agent\mcdetect.exe (autostart)
Media Center Extender Service: C:\WINDOWS\ehome\mcrdsvc.exe (autostart)
McAfee.com McShield: c:\PROGRA~1\mcafee.com\vso\mcshield.exe (autostart)
McAfee Task Scheduler: c:\PROGRA~1\mcafee.com\agent\mctskshd.exe (autostart)
McAfee SecurityCenter Update Manager: C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (manual start)
Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
MHN: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
MHN driver: system32\DRIVERS\mhndrv.sys (manual start)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\system32\mnmsrvc.exe (manual start)
Mouse Class Driver: system32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: system32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: system32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: system32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\system32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: system32\DRIVERS\mssmbios.sys (manual start)
NaiAvFilter1: system32\drivers\naiavf5x.sys (manual start)
Remote Access NDIS TAPI Driver: system32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: system32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: system32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: system32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: system32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\system32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\system32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
nv: system32\DRIVERS\nv4_mini.sys (manual start)
nvata: system32\DRIVERS\nvata.sys (system)
NVIDIA nForce Networking Controller Driver: system32\DRIVERS\NVENETFD.sys (manual start)
NVIDIA Network Bus Enumerator: system32\DRIVERS\nvnetbus.sys (manual start)
NVIDIA Display Driver Service: %SystemRoot%\system32\nvsvc32.exe (autostart)
IPX Traffic Filter Driver: system32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: system32\DRIVERS\nwlnkfwd.sys (manual start)
Creative OS Services Driver: system32\drivers\ctoss2k.sys (manual start)
Parallel port driver: system32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: system32\DRIVERS\pci.sys (system)
PCIIde: system32\DRIVERS\pciide.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
WAN Miniport (PPTP): system32\DRIVERS\raspptp.sys (manual start)
Processor Driver: system32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: system32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: system32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\Drivers\PxHelp20.sys (system)
Remote Access Auto Connection Driver: system32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): system32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: system32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: system32\DRIVERS\raspti.sys (manual start)
Rdbss: system32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: system32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: system32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%\system32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\system32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: system32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: system32\DRIVERS\serenum.sys (manual start)
Serial port driver: system32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: system32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Srv: system32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Windows Image Acquisition (WIA): %SystemRoot%\system32\svchost.exe -k imgsvc (manual start)
Software Bus Driver: system32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\system32\dllhost.exe /Processid:{63FCB6FC-E62D-4C70-B3A5-E1DD9EC2BC81} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: system32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: system32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\system32\tlntsvr.exe (disabled)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (manual start)
Microcode Update Driver: system32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: system32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: system32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: system32\DRIVERS\usbohci.sys (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: system32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\system32\wbem\wmiapsrv.exe (manual start)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 32,856 bytes
Report generated in 0.188 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Edited by helpme6686, 11 July 2006 - 09:14 AM.

  • 0

#14
Wizard

    Retired Staff

  • 5,661 posts
I need you to gather as much information from the next alert that appears; the more info you can share with me the better.


Download ComboFix to your desktop.
Double-click combo.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot, it should open a log, combofix.txt.

Post the contents of combofix.txt into the next reply.
  • 0