[help_me_pls]

I see some files there we will need to address but I would like more information before continuing.

Download WinPFind2.zip and unzip it to your Desktop. It will create a folder named WinPFind2. Do NOT run the program directly from the zip file.

• Open the folder and double-click on winpfind2.exe to start the program.
• Keep the standard settings
• Now click the Run All Scans button on the toolbar.
• When the scans are complete click the Simple Report button in the lower right-hand corner to create a report file. Notepad will open with the report file loaded in it.
• Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Here's the WinPfind2 Log file

Logfile created on: 08/22/2006 15:36
WinPFind2 by OldTimer - Version 1.0.7 Folder = C:\Documents and Settings\User\Desktop\WinPFind2\
Microsoft Windows XP (Version = Service Pack 2)
Internet Explorer (Version - 6.0.2900.2180)


< Processes (Non-Microsoft Only) >
c:\windows\system32\ati2evxx.exe - (ATI Technologies Inc. )
c:\windows\system32\ati2evxx.exe - (ATI Technologies Inc. )
c:\program files\ray adams\ati tray tools\atitray.exe - (Ray Adams )
c:\progra~1\bandwi~1\bandwidth monitor pro.exe - (Pro²soft )
c:\progra~1\softwin\bitdef~1\bdmcon.exe - (SOFTWIN S.R.L. )
c:\progra~1\softwin\bitdef~1\bdnagent.exe - (SOFTWIN S.R.L )
c:\program files\softwin\bitdefender9\bdoesrv.exe - (SOFTWIN SRL )
c:\program files\common files\softwin\bitdefender scan server\bdss.exe - ( )
c:\progra~1\softwin\bitdef~1\bdswitch.exe - ( )
c:\program files\executive software\diskeeper\dkservice.exe - (Executive Software International, Inc. )
c:\windows\system32\dla\dlactrlw.exe - (Sonic Solutions )
c:\program files\java\jre1.5.0_06\bin\jusched.exe - (Sun Microsystems, Inc. )
c:\program files\common files\softwin\bitdefender update service\livesrv.exe - (SOFTWIN S.R.L. )
c:\program files\opera 9\opera.exe - (Opera Software )
c:\program files\analog devices\soundmax\smagent.exe - (Analog Devices, Inc. )
c:\program files\alcohol soft\alcohol 120\starwind\starwindservice.exe - (Rocket Division Software )
c:\program files\softwin\bitdefender9\vsserv.exe - (SOFTWIN S.R.L. )
c:\documents and settings\user\desktop\winpfind2\winpfind2.exe - (OldTimer Tools )
c:\program files\common files\softwin\bitdefender communicator\xcommsvr.exe - (Softwin )

< Registry Entries >

[>> Internet Explorer Settings <<]
HKLM->Main\\Start Page - http://www.microsoft...p...ER}&ar=home
HKLM->Main\\Search Page -
HKLM->Main\\Default Page - http://www.microsoft...p...&ar=msnhome
HKLM->Main\\Default Search - http://www.microsoft...amp;ar=iesearch
HKLM->Main\\Local Page - %SystemRoot%\system32\blank.htm
HKCU->Main\\Start Page - http://www.google.com.mt/en
HKCU->Main\\Search Page -
HKCU->Main\\Local Page - C:\WINDOWS\system32\blank.htm
HKCU->Internet Settings\\ProxyEnable - 0
HKCU->Internet Settings\\ProxyOverride -

[>> BHO's <<]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated )
{53707962-6F74-2D53-2644-206D7942484F} - = C:\PROGRA~1\SPYBOT~1\SDHelper.dll (Safer Networking Limited )
{5CA3D70E-1895-11CF-8E15-001234567890} - DriveLetterAccess = C:\WINDOWS\System32\DLA\DLASHX_W.DLL (Sonic Solutions )
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc. )

[>> Internet Explorer Bars, Toolbars and Extensions <<]

[HKLM-> Internet Explorer Bars]
{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation )

[HKCU-> Internet Explorer Bars]
{21569614-B795-46B1-85F4-E737A8DC09AD} - Shell Search Band = %SystemRoot%\system32\browseui.dll (Microsoft Corporation )
{EFA24E64-B078-11D0-89E4-00C04FC9E26E} - Explorer Band = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation )
{FF059E31-CC5A-4E2E-BF3B-96E929D65503} - &Research = C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL (Microsoft Corporation )

[HKLM-> Internet Explorer ToolBars]
{E0E899AB-F487-11D5-8D29-0050BA6940E3} - FlashGet Bar = C:\PROGRA~1\FLASHGET\fgiebar.dll (Amaze Soft )

[HKCU-> Internet Explorer ToolBars]
ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\system32\browseui.dll (Microsoft Corporation )
ShellBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\system32\browseui.dll (Microsoft Corporation )
WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )

[HKCU-> Internet Explorer CmdMapping]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - 8194 - Sun Java Console
{905A31AA-BDD1-44bd-9920-53D34E5953A4} - 8195 - Reg Data missing or invalid
{92780B25-18CC-41C8-B9BE-3C9C571A8263} - 8193 -
{9543741D-4E79-4f0d-8E60-A702CDF8B2D2} - 8196 - Reg Data missing or invalid
{B863453A-26C3-4e1f-A54D-A2CD196348E9} - 8198 - Reg Data missing or invalid
{D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - 8197 - &FlashGet
{FB5F1910-F110-11d2-BB9E-00C04F795683} - 8192 - Windows Messenger
NextId - 8199

[HKLM-> Internet Explorer Extensions]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll (Sun Microsystems, Inc. )
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} (HKCU CLSID) - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc. )
{92780B25-18CC-41C8-B9BE-3C9C571A8263} - ButtonText: Research = (File not found))
{D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - ButtonText: FlashGet = C:\PROGRA~1\FLASHGET\flashget.exe (Amaze Soft )
{FB5F1910-F110-11d2-BB9E-00C04F795683} - ButtonText: Messenger = C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation )

[HKCU-> Internet Explorer Menu Extensions]
Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm ( )
Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm ( )

[>> Approved Shell Extensions (Non-Microsoft only) <<]

[HKLM-> Approved Shell Extensions]
{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} - Autoplay for SlideShow = Reg Data missing or invalid (File not found))
{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Taskbar and Start Menu = Reg Data missing or invalid (File not found))
{32020A01-506E-484D-A2A8-BE3CF17601C3} - AlcoholShellEx = C:\PROGRA~1\ALCOHO~2\ALCOHO~1\AXShlEx.dll (Alcohol Soft Development Team )
{36A21736-36C2-4C11-8ACB-D4136F2B57BD} - AutoCAD Digital Signatures Icon Overlay Handler = C:\WINDOWS\system32\AcSignIcon.dll (Autodesk )
{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = deskpan.dll (File not found))
{506F4668-F13E-4AA1-BB04-B43203AB3CC0} - {506F4668-F13E-4AA1-BB04-B43203AB3CC0} = C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL ( )
{5CA3D70E-1895-11CF-8E15-001234567890} - DriveLetterAccess = C:\WINDOWS\System32\DLA\DLASHX_W.DLL (Sonic Solutions )
{6DEA92E9-8682-4b6a-97DE-354772FE5727} - Autodesk DWF Preview = C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcDwfThmbPrxy16.dll (Autodesk )
{73B24247-042E-4EF5-ADC2-42F62E6FD654} - ICQ Lite Shell Extension = Reg Data missing or invalid (File not found))
{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = Reg Data missing or invalid (File not found))
{7A9D77BD-5403-11d2-8785-2E0420524153} - User Accounts = Reg Data missing or invalid (File not found))
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = Reg Data missing or invalid (File not found))
{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINDOWS\system32\hticons.dll (Hilgraeve, Inc. )
{9DED7A30-D572-4D21-8D82-6945EA697400} - Macromedia FlashPaper Context Menu = C:\Program Files\Macromedia\FlashPaper 2\FlashPaperContextMenu.dll ( )
{AC1DB655-4F9A-4c39-8AD2-A65324A4C446} - Autodesk Drawing Preview = C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll (Autodesk )
{B28C18DB-6816-4F31-9630-397683E3C2C3} - Filzip Shell Extension = Reg Data missing or invalid (File not found))
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} - Adobe.Acrobat.ContextMenu = C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll (Adobe Systems Inc. )
{D653647D-D607-4DF6-A5B8-48D2BA195F7B} - BitDefender Antivirus v9 = C:\Program Files\Softwin\BitDefender9\bdshelxt.dll ( )
{D66DC78C-4F61-447F-942B-3FB6980118CF} - {D66DC78C-4F61-447F-942B-3FB6980118CF} = C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL ( )
{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} - Shell Extensions for RealOne Player = Reg Data missing or invalid (File not found))

[>> ContextMenuHandlers (Non-Microsoft only) <<]

[HKLM-> ContextMenuHandlers]
* - Adobe.Acrobat.ContextMenu - {D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} = C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll (Adobe Systems Inc. )
* - BitDefender Antivirus v8 - {D653647D-D607-4DF6-A5B8-48D2BA195F7B} = C:\Program Files\Softwin\BitDefender9\bdshelxt.dll ( )
* - Macromedia.FlashPaper.ContextMenu - {9DED7A30-D572-4D21-8D82-6945EA697400} = C:\Program Files\Macromedia\FlashPaper 2\FlashPaperContextMenu.dll ( )
* - WinRAR - = Reg Data missing or invalid (File not found))
Directory - ICQLiteMenu - {73B24247-042E-4EF5-ADC2-42F62E6FD654} = Reg Data missing or invalid (File not found))
Directory - WinRAR - = Reg Data missing or invalid (File not found))
Folder - BitDefender Antivirus v8 - {D653647D-D607-4DF6-A5B8-48D2BA195F7B} = C:\Program Files\Softwin\BitDefender9\bdshelxt.dll ( )
Folder - WinRAR - = Reg Data missing or invalid (File not found))

[>> ColumnHandlers (Non-Microsoft only) <<]

[HKLM-> ColumnHandlers]
Folder - {F9DB5320-233E-11D1-9F84-707F02C10627} - PDF Shell Extension = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll (Adobe Systems, Inc. )

[>> Registry Run Keys <<]
HKLM->Run\\BDMCon - c:\PROGRA~1\softwin\BITDEF~1\bdmcon.exe (SOFTWIN S.R.L. )
HKLM->Run\\BDNewsAgent - "C:\PROGRA~1\softwin\BITDEF~1\bdnagent.exe" (SOFTWIN S.R.L )
HKLM->Run\\BDOESRV - "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe" (SOFTWIN SRL )
HKLM->Run\\BDSwitchAgent - "C:\PROGRA~1\softwin\BITDEF~1\bdswitch.exe" ( )
HKLM->Run\\DiskeeperSystray - "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe" (Executive Software International, Inc. )
HKLM->Run\\DLA - C:\WINDOWS\System32\DLA\DLACTRLW.EXE (Sonic Solutions )
HKLM->Run\\NeroFilterCheck - C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh )
HKLM->Run\\QuickTime Task - "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Computer, Inc. )
HKLM->Run\\SunJavaUpdateSched - C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe (Sun Microsystems, Inc. )
HKLM->Run\\Windows Defender - "C:\Program Files\Windows Defender\MSASCui.exe" -hide (Microsoft Corporation )
HKLM->Run\OptionalComponents\IMAIL - Installed = 1
HKLM->Run\OptionalComponents\MAPI - Installed = 1
HKLM->Run\OptionalComponents\MSFS - Installed = 1
HKCU->Run\\AtiTrayTools - "C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe" (Ray Adams )
HKCU->Run\\ctfmon.exe - C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation )

[>> Startup Lnks <<]
HKLM->Common Startup - Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated )
HKLM->Common Startup - desktop.ini - C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ( )
HKCU->Startup - desktop.ini - C:\Documents and Settings\User\Start Menu\Programs\Startup\desktop.ini ( )

[>> Disabled MSConfig Items <<]
Services - SymWSC
Services - VC6SecS
StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk - Adobe Gamma Loader = C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE (Adobe Systems, Inc. )
StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Metacafe.lnk - Metacafe = C:\PROGRA~1\Metacafe\METACA~1.EXE /startup ( )
StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Metacafe.lnk.disabled - Metacafe.lnk = C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Metacafe.lnk.disabled (File not found))
StartUpFolder\C:^Documents and Settings^stephen^Start Menu^Programs^Startup^Konfabulator.lnk - Konfabulator = C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe (File not found))
StartUpFolder\C:^Documents and Settings^stephen^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk - MyWebSearch Email Plugin = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE (File not found))
StartUpReg\areslite - AresLite = "C:\Documents and Settings\stephen\My Documents\Ares Lite Edition\AresLite.exe" -h (File not found))
StartUpReg\eZmmod - mmod = C:\PROGRA~1\ezula\mmod.exe (File not found))
StartUpReg\eZWO - wo = C:\PROGRA~1\Web Offer\wo.exe (File not found))
StartUpReg\gah95on6 - gah95on6 = C:\WINDOWS\system32\gah95on6.exe (File not found))
StartUpReg\hohkhkv - hohkhkv = C:\WINDOWS\hohkhkv.exe (File not found))
StartUpReg\Hot_Tarts_mc - Hot_Tarts_mc = C:\Program Files\Video1\Dialers\Hot_Tarts_mc\Hot_Tarts_mc.exe /dontdial (File not found))
StartUpReg\LiveRealLocksPop - OnceStop = C:\Documents and Settings\All Users\Application Data\flawbiblivereal\OnceStop.exe (File not found))
StartUpReg\Media Pass - MediaPassK = C:\Program Files\Media Pass\MediaPassK.exe (File not found))
StartUpReg\MessengerPlus3 - MsgPlus = "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" (Patchou )
StartUpReg\Mfcd Bias - Drivestop = C:\DOCUME~1\User\APPLIC~1\BINDMO~1\Drivestop.exe (File not found))
StartUpReg\MyWebSearch Email Plugin - mwsoemon = C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe (File not found))
StartUpReg\New.net Startup - NEWDOT~2 = rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s (File not found))
StartUpReg\NWEReboot - = (File not found))
StartUpReg\RTEGPRS - RTEGPRS = "C:\Program Files\Common Files\RTE\RTEGPRS.exe" tray (File not found))
StartUpReg\RTHRTGVL - rthrtgvl = c:\windows\system32\rthrtgvl.exe /install (File not found))
StartUpReg\saap - saap = c:\program files\kiwi alpha\partner\saap.exe (File not found))
StartUpReg\Shareaza - Shareaza = "C:\Program Files\Shareaza\Shareaza.exe" -tray (File not found))
StartUpReg\Skype - Skype = "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized ( )
StartUpReg\sp2ctr - sp2ctr = c:\windows\system32\sp2ctr.exe /nocomm (File not found))
StartUpReg\upsbwl - upsbwl = C:\WINDOWS\upsbwl.exe (File not found))
StartUpReg\webHancer Agent - whAgent = "C:\Program Files\webHancer\Programs\whAgent.exe" (File not found))
StartUpReg\webHancer Survey Companion - whSurvey = "C:\Program Files\webHancer\Programs\whSurvey.exe" (File not found))
StartUpReg\xhrmy - Xhrmy = C:\WINDOWS\Xhrmy.exe (File not found))

[>> User Agent Post Platform <<]
SV1 -

[>> AppInit DLLs <<]
AppInit_DLL - sockspy.dll ( )

[>> Image File Execution Options <<]
Your Image File Name Here without a path - Debugger = ntsd -d

[>> Shell Service Object Delay Load <<]
CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll (Microsoft Corporation )
WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll (Microsoft Corporation )

[>> Shell Execute Hooks <<]
{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - Microsoft AntiMalware ShellExecuteHook = C:\PROGRA~1\WIFD1F~1\MpShHook.dll (Microsoft Corporation )
{93994DE8-8239-4655-B1D1-5F4E91300429} - DVDIdleShell Class = C:\Program Files\DVD Region-Free\DVDShell.dll (Fengtao Software )
{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation )

[>> Shared Task Scheduler <<]
{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\system32\browseui.dll (Microsoft Corporation )
{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\system32\browseui.dll (Microsoft Corporation )

[>> Winlogon <<]
UserInit - C:\WINDOWS\system32\userinit.exe, (Microsoft Corporation )
Shell - Explorer.exe (Microsoft Corporation )
System - (File not found))
Notify\AtiExtEvent - Ati2evxx.dll (ATI Technologies Inc. )
Notify\crypt32chain - crypt32.dll (Microsoft Corporation )
Notify\cryptnet - cryptnet.dll (Microsoft Corporation )
Notify\cscdll - cscdll.dll (Microsoft Corporation )
Notify\LMIinit - LMIinit.dll (LogMeIn, Inc. )
Notify\ScCertProp - wlnotify.dll (Microsoft Corporation )
Notify\Schedule - wlnotify.dll (Microsoft Corporation )
Notify\sclgntfy - sclgntfy.dll (Microsoft Corporation )
Notify\SensLogn - WlNotify.dll (Microsoft Corporation )
Notify\termsrv - wlnotify.dll (Microsoft Corporation )
Notify\wlballoon - wlnotify.dll (Microsoft Corporation )

[>> DNS Name Servers <<]
{0FE2D37C-79C5-4389-B675-05116AD1B69B} - (Realtek RTL8139/810x Family Fast Ethernet NIC)
{969FFCCC-4983-4D3F-80A3-E820550DAD55} - ()
{A4F168BA-E08A-4F25-B61C-3F0F6EAA612C} - 194.158.37.196,194.158.37.211 (VIA Rhine II Fast Ethernet Adapter)

[>> All Winsock2 Catalogs <<]
NameSpace_Catalog5\Catalog_Entries\000000000001 - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation )
NameSpace_Catalog5\Catalog_Entries\000000000002 - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation )
NameSpace_Catalog5\Catalog_Entries\000000000003 - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000002 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000003 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000004 - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000005 - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000006 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000007 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000008 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000009 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\00000000001 - 225,5temRoot%\system32\mswsock.dll (File not found))
Protocol_Catalog9\Catalog_Entries\000000000010 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000011 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000012 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000013 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000014 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000015 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000016 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000017 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000018 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000019 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000020 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )

[>> Protocol Handlers (Non-Microsoft only) <<]
ipp - (File not found))
msdaipp - (File not found))

[>> Protocol Filters (Non-Microsoft only) <<]

< Services (Non-Microsoft Only) >
Ati HotKey Poller (Ati HotKey Poller) - C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc. ) [Automatic - Running - Win32, running in it's own process]
Bandwidth Monitor Pro (Bandwidth Monitor Pro) - C:\PROGRA~1\BANDWI~1\Bandwidth Monitor Pro.exe (Pro²soft ) [Automatic - Running - Win32, running in it's own process]
BitDefender Scan Server (bdss) - "C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service ( ) [Automatic - Running - Win32, running in it's own process]
Diskeeper (Diskeeper) - "C:\Program Files\Executive Software\Diskeeper\DkService.exe" (Executive Software International, Inc. ) [Automatic - Running - Win32, running in it's own process]
BitDefender Desktop Update Service (LIVESRV) - "C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (SOFTWIN S.R.L. ) [Automatic - Running - Win32, running in it's own process]
SoundMAX Agent Service (SoundMAX Agent Service (default)) - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc. ) [Automatic - Running - Win32, running in it's own process]
StarWind iSCSI Service (StarWindService) - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (Rocket Division Software ) [Automatic - Running - Win32, running in it's own process]
BitDefender Virus Shield (VSSERV) - "C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (SOFTWIN S.R.L. ) [Automatic - Running - Win32, running in it's own process]
BitDefender Communicator (XCOMM) - "C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (Softwin ) [Automatic - Running - Win32, running in it's own process]

< Files >

AllUsers ApplicationData Folder
C:\Documents and Settings\All Users\Application Data\desktop.ini - ( [Ver = | Size = 62 bytes | Date = 11/16/2004 16:29 | Attr = HS])
C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache - ( [Ver = | Size = 1763 bytes | Date = 06/14/2006 18:31 | Attr = ])

CurrentUser ApplicationData Folder
C:\Documents and Settings\User\Application Data\desktop.ini - ( [Ver = | Size = 62 bytes | Date = 11/16/2004 16:29 | Attr = HS])
C:\Documents and Settings\User\Application Data\Taxi4.MCS - ( [Ver = | Size = 369 bytes | Date = 02/04/2006 00:25 | Attr = ])
C:\Documents and Settings\User\Application Data\.googlewebacchosts - ( [Ver = | Size = 241 bytes | Date = 04/02/2006 22:52 | Attr = ])
C:\Documents and Settings\User\Application Data\mpauth.dat - ( [Ver = | Size = 784 bytes | Date = 07/14/2006 15:59 | Attr = ])

DPF files
{00B71CFB-6864-4346-A978-C0A14556272C} - Checkers Class - CodeBase = http://messenger.zon...kr.cab31267.cab
{01010E00-5E80-11D8-9E86-0007E96C65AE} - SupportSoft SmartIssue - CodeBase = http://www.symantec....trl/tgctlsi.cab
{01012101-5E80-11D8-9E86-0007E96C65AE} - SupportSoft Script Runner Class - CodeBase = http://www.symantec....trl/tgctlsr.cab
{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - CKAVWebScan Object - CodeBase = http://www.kaspersky...can_unicode.cab
{14B87622-7E19-4EA8-93B3-97215F77A6BC} - MessengerStatsClient Class - CodeBase = http://messenger.zon...nt.cab31267.cab
{166B1BCA-3F9C-11CF-8075-444553540000} - Shockwave ActiveX Control - CodeBase = http://download.macr...director/sw.cab
{17492023-C23A-453E-A040-C7C580BBF700} - Windows Genuine Advantage Validation Tool - CodeBase = http://go.microsoft....k/?linkid=39204
{1F2F4C9E-6F09-47BC-970D-3C54734667FE} - LSSupCtl Class - CodeBase = http://www.symantec....rl/LSSupCtl.cab
{2917297F-F02B-4B9D-81DF-494B6333150B} - Minesweeper Flags Class - CodeBase = http://messenger.zon...er.cab31267.cab
{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - Symantec AntiVirus scanner - CodeBase = http://security.syma...bin/AvSniff.cab
{31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} - Cult3D ActiveX Player - CodeBase = http://www.cult3d.co...wnload/cult.cab
{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - Office Update Installation Engine - CodeBase = http://office.micros...ontent/opuc.cab
{556DDE35-E955-11D0-A707-000000521957} - - CodeBase = http://www.xblock.co...clean_micro.exe
{5ED80217-570B-4DA9-BF44-BE107C0EC166} - Windows Live Safety Center Base Module - CodeBase = https://scan.safety....lscbase3401.cab
{644E432F-49D3-41A1-8DD5-E099162EEEC5} - Symantec RuFSI Utility Class - CodeBase = http://security.syma...n/bin/cabsa.cab
{6E5A37BF-FD42-463A-877C-4EB7002E68AE} - Trend Micro ActiveX Scan Agent 6.5 - CodeBase = http://housecall65.t...ivex/hcImpl.cab
{74D05D43-3236-11D4-BDCD-00C04F9A3B61} - HouseCall Control - CodeBase = http://a840.g.akamai...all/xscan53.cab
{7B297BFD-85E4-4092-B2AF-16A91B2EA103} - WScanCtl Class - CodeBase = http://www3.ca.com/s...nfo/webscan.cab
{8AD9C840-044E-11D1-B3E9-00805F499D93} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/...indows-i586.cab
{8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - MessengerStatsClient Class - CodeBase = http://messenger.zon...nt.cab31267.cab
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - ActiveScan Installer Class - CodeBase = http://acs.pandasoft...free/asinst.cab
{B8BE5E93-A60C-4D26-A2DC-220313175592} - ZoneIntro Class - CodeBase = http://messenger.zon...ro.cab32846.cab
{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - Java Plug-in 1.5.0_02 - CodeBase = http://java.sun.com/...indows-i586.cab
{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - Java Plug-in 1.5.0_04 - CodeBase = http://java.sun.com/...indows-i586.cab
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/...indows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/...indows-i586.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} - Shockwave Flash Object - CodeBase = http://download.macr...ash/swflash.cab
{E6187999-9FEC-46A1-A20F-F4CA977D5643} - ZoneChess Object - CodeBase = http://messenger.zon...ss.cab31267.cab
{EB387D2F-E27B-4D36-979E-847D1036C65D} - QDiagHUpdateObj Class - CodeBase = http://h30043.www3.h.../qdiagh.cab?326
{F6BF0D00-0B2A-4A75-BF7B-F385591623AF} - Solitaire Showdown Class - CodeBase = http://messenger.zon...wn.cab31267.cab
Microsoft XML Parser for Java - - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab

Hosts file (Non-Standard entries only). File size = 504630 bytes. C:\WINDOWS\System32\drivers\etc\Hosts

< End of report >

[Advertisements]

Ok, have you installed both MIRC and Serv-U yourself?

[Vikesrock8411]

Ok, have you installed both MIRC and Serv-U yourself?

[help_me_pls]

Yes

mIRC has been installed by my brother and Serv-U is not being used anymore so I can easley uninstall it if you recommand.

If the source of the problem is mIRC, is there another client to replace it? (I don't use it, thats why I don't know).

Edited by help_me_pls, 23 August 2006 - 07:01 AM.

[Vikesrock8411]

Neither MIRC nor Serv-U is the problem. Some pieces of malware install one or both of these applications. They then use the applications to recieve instructions remotely. Since you installed these yourself this does not appear to be the case.

Open WinPFind2 and click Run All Scans. When it is finished click on the Registry Tab. Scroll down to the section labeled >> Disabled MSConfig Items <<
Place a check next to each of the following entries:

StartUpReg\eZmmod - mmod = C:\PROGRA~1\ezula\mmod.exe (File not found))
StartUpReg\eZWO - wo = C:\PROGRA~1\Web Offer\wo.exe (File not found))
StartUpReg\gah95on6 - gah95on6 = C:\WINDOWS\system32\gah95on6.exe (File not found))
StartUpReg\hohkhkv - hohkhkv = C:\WINDOWS\hohkhkv.exe (File not found))
StartUpReg\Hot_Tarts_mc - Hot_Tarts_mc = C:\Program Files\Video1\Dialers\Hot_Tarts_mc\Hot_Tarts_mc.exe /dontdial (File not found))
StartUpReg\LiveRealLocksPop - OnceStop = C:\Documents and Settings\All Users\Application Data\flawbiblivereal\OnceStop.exe (File not found))
StartUpReg\Media Pass - MediaPassK = C:\Program Files\Media Pass\MediaPassK.exe (File not found))
StartUpReg\MessengerPlus3 - MsgPlus = "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" (Patchou )
StartUpReg\Mfcd Bias - Drivestop = C:\DOCUME~1\User\APPLIC~1\BINDMO~1\Drivestop.exe (File not found))
StartUpReg\MyWebSearch Email Plugin - mwsoemon = C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe (File not found))
StartUpReg\New.net Startup - NEWDOT~2 = rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s (File not found))
StartUpReg\NWEReboot - = (File not found))
StartUpReg\RTEGPRS - RTEGPRS = "C:\Program Files\Common Files\RTE\RTEGPRS.exe" tray (File not found))
StartUpReg\RTHRTGVL - rthrtgvl = c:\windows\system32\rthrtgvl.exe /install (File not found))
StartUpReg\saap - saap = c:\program files\kiwi alpha\partner\saap.exe (File not found))
StartUpReg\Shareaza - Shareaza = "C:\Program Files\Shareaza\Shareaza.exe" -tray (File not found))
StartUpReg\sp2ctr - sp2ctr = c:\windows\system32\sp2ctr.exe /nocomm (File not found))
StartUpReg\upsbwl - upsbwl = C:\WINDOWS\upsbwl.exe (File not found))
StartUpReg\webHancer Agent - whAgent = "C:\Program Files\webHancer\Programs\whAgent.exe" (File not found))
StartUpReg\webHancer Survey Companion - whSurvey = "C:\Program Files\webHancer\Programs\whSurvey.exe" (File not found))
StartUpReg\xhrmy - Xhrmy = C:\WINDOWS\Xhrmy.exe (File not found))


Then click Delete entries

Please make sure you have the latest updates for Windows and Internet Explorer from the Microsoft Update Site.

Please download and install Spyware Blaster. Spyware Blaster is a powerful tool that prevents "drive-by" downloads and other unwanted installations. It also uses no system resources, run it once and you're all set.

Download and install IE-Spyad. IE-Spyad is a program that only needs to be run once to protect you from many malicious sites. It adds domains of known adware companies into the Restricted List of Internet Explorer, preventing them from performing malicious actions on your PC.

Then delete setup.exe and autorun.inf from C:\ and see if they return.

[help_me_pls]

I've done all of the above but the files have returned

[Vikesrock8411]

Something is bringing these back, we need to figure out what.

Download and Save Blacklight to your desktop:

Double-click blbeta.exe then accept the agreement, click > scan then > next

You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe"

Next, please reboot your computer in Safe Mode by doing the following:

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
• Instead of Windows loading as normal, a menu should appear
• Select the first option, to run Windows in Safe Mode.

Open HijackThis and Click the "Open Misc Tools Section" tab.

Select Generate StartUpList log and make sure that both Boxes beside it are checked:

Put a check by:
List all minor sections(Full)
and
List Empty Sections(Complete)

It will produce a NotePad Page,I need you to copy the entire contents of that page to the next reply.

Reboot to normal mode and post the contents of the Blacklight log and Startup list here.

[help_me_pls]

fsbl-20060825042849.log

08/25/06 06:28:49 [Info]: BlackLight Engine 1.0.46 initialized
08/25/06 06:28:49 [Info]: OS: 5.1 build 2600 (Service Pack 2)
08/25/06 06:28:50 [Note]: 7019 4
08/25/06 06:28:50 [Note]: 7005 0
08/25/06 06:28:55 [Note]: 7006 0
08/25/06 06:28:55 [Note]: 7011 3764
08/25/06 06:28:55 [Note]: 7026 0
08/25/06 06:28:55 [Note]: 7026 0
08/25/06 06:29:23 [Note]: FSRAW library version 1.7.1019
08/25/06 06:29:51 [Note]: 7007 0

startuplist.txt

StartupList report, 25/08/2006, 06:38:02
StartupList version: 1.52.2
Started from : C:\Program Files\HJT\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HJT\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\User\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
DiskeeperSystray = "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
BDMCon = c:\PROGRA~1\softwin\BITDEF~1\bdmcon.exe
BDOESRV = "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
BDNewsAgent = "C:\PROGRA~1\softwin\BITDEF~1\bdnagent.exe"
BDSwitchAgent = "C:\PROGRA~1\softwin\BITDEF~1\bdswitch.exe"
Windows Defender = "C:\Program Files\Windows Defender\MSASCui.exe" -hide
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
DLA = C:\WINDOWS\System32\DLA\DLACTRLW.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
AtiTrayTools = "C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\AutoCADScriptFile\shell\open\command

(Default) = "C:\WINDOWS\system32\notepad.exe" "%1"

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mswmp.inf,PerUserStub

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\WINDOWS\System32\DLA\DLASHX_W.DLL - {5CA3D70E-1895-11CF-8E15-001234567890}
(no name) - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Restart.job
Shutdown.job
MP Scheduled Scan.job

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[Checkers Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\msgrchkr.dll
CODEBASE = http://messenger.zon...kr.cab31267.cab

[SupportSoft SmartIssue]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\tgctlsi.dll
CODEBASE = http://www.symantec....trl/tgctlsi.cab

[SupportSoft Script Runner Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\tgctlsr.dll
CODEBASE = http://www.symantec....trl/tgctlsr.cab

[CKAVWebScan Object]
InProcServer32 = C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
CODEBASE = http://www.kaspersky...can_unicode.cab

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MessengerStatsPAClient.dll
CODEBASE = http://messenger.zon...nt.cab31267.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macr...director/sw.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\legitcheckcontrol.dll
CODEBASE = http://go.microsoft....k/?linkid=39204

[LSSupCtl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\LSSupCtl.dll
CODEBASE = http://www.symantec....rl/LSSupCtl.cab

[Minesweeper Flags Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\minesweeper.dll
CODEBASE = http://messenger.zon...er.cab31267.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.syma...bin/AvSniff.cab

[Cult3D ActiveX Player]
InProcServer32 = C:\WINDOWS\system32\Cult3D\IECult.dll
CODEBASE = http://www.cult3d.co...wnload/cult.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.micros...ontent/opuc.cab

[{556DDE35-E955-11D0-A707-000000521957}]
CODEBASE = http://www.xblock.co...clean_micro.exe

[Windows Live Safety Center Base Module]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\wlscBase.dll
CODEBASE = https://scan.safety....lscbase3401.cab

[Symantec RuFSI Utility Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.syma...n/bin/cabsa.cab

[Trend Micro ActiveX Scan Agent 6.5]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll
CODEBASE = http://housecall65.t...ivex/hcImpl.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai...all/xscan53.cab

[WScanCtl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\webscan.dll
CODEBASE = http://www3.ca.com/s...nfo/webscan.cab

[Java Plug-in]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
CODEBASE = http://messenger.zon...nt.cab31267.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoft...free/asinst.cab

[ZoneIntro Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZIntro.ocx
CODEBASE = http://messenger.zon...ro.cab32846.cab

[Java Plug-in]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Java Plug-in]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Java Plug-in]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Java Plug-in 1.5.0_06]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash8.ocx
CODEBASE = http://download.macr...ash/swflash.cab

[ZoneChess Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\Chess.ocx
CODEBASE = http://messenger.zon...ss.cab31267.cab

[QDiagHUpdateObj Class]
InProcServer32 = C:\WINDOWS\system32\qdiagh.ocx
CODEBASE = http://h30043.www3.h.../qdiagh.cab?326

[Solitaire Showdown Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\solitaireshowdown.dll
CODEBASE = http://messenger.zon...wn.cab31267.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
Protocol #18: C:\WINDOWS\system32\mswsock.dll
Protocol #19: C:\WINDOWS\system32\mswsock.dll
Protocol #20: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: system32\DRIVERS\ACPI.sys (system)
aeaudio: system32\drivers\aeaudio.sys (manual start)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD: \SystemRoot\System32\drivers\afd.sys (system)
Alerter: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: system32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: system32\DRIVERS\atapi.sys (system)
Ati HotKey Poller: %SystemRoot%\system32\Ati2evxx.exe (autostart)
ATI Smart: C:\WINDOWS\system32\ati2sgag.exe (autostart)
ati2mtag: system32\DRIVERS\ati2mtag.sys (manual start)
atitray: \??\C:\Program Files\Ray Adams\ATI Tray Tools\atitray.sys (system)
ATM ARP Client Protocol: system32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: system32\DRIVERS\audstub.sys (manual start)
Autodesk Licensing Service: "C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe" (manual start)
Automatic LiveUpdate Scheduler: "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" (disabled)
Bandwidth Monitor Pro: C:\PROGRA~1\BANDWI~1\Bandwidth Monitor Pro.exe (autostart)
bdfdll: \??\C:\Program Files\Softwin\BitDefender9\bdfdll.sys (manual start)
BDFsDrv: \??\C:\Program Files\Softwin\BitDefender9\bdfsdrv.sys (manual start)
BDRsDrv: \??\C:\Program Files\Softwin\BitDefender9\bdrsdrv.sys (manual start)
BitDefender Scan Server: "C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (autostart)
Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Boonty Games: "C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe" (disabled)
Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Closed Caption Decoder: system32\DRIVERS\CCDECODE.sys (manual start)
CD-ROM Driver: system32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
.NET Runtime Optimization Service v2.0.50727_X86: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (manual start)
COM+ System Application: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Disk Driver: system32\DRIVERS\disk.sys (system)
Diskeeper: "C:\Program Files\Executive Software\Diskeeper\DkService.exe" (autostart)
DLABOIOM: System32\DLA\DLABOIOM.SYS (autostart)
DLACDBHM: System32\Drivers\DLACDBHM.SYS (system)
DLADResN: System32\DLA\DLADResN.SYS (autostart)
DLAIFS_M: System32\DLA\DLAIFS_M.SYS (autostart)
DLAOPIOM: System32\DLA\DLAOPIOM.SYS (autostart)
DLAPoolM: System32\DLA\DLAPoolM.SYS (autostart)
DLARTL_N: System32\Drivers\DLARTL_N.SYS (system)
DLAUDFAM: System32\DLA\DLAUDFAM.SYS (autostart)
DLAUDF_M: System32\DLA\DLAUDF_M.SYS (autostart)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
DRVMCDB: System32\Drivers\DRVMCDB.SYS (system)
DRVNDDM: System32\Drivers\DRVNDDM.SYS (autostart)
dtscsi: \SystemRoot\System32\Drivers\dtscsi.sys (manual start)
Symantec Eraser Control driver: \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (system)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\system32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: system32\DRIVERS\fdc.sys (manual start)
VIA Rhine-Family Fast Ethernet Adapter Driver Service: system32\DRIVERS\fetnd5bv.sys (manual start)
VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver: system32\DRIVERS\fetnd5.sys (manual start)
FILESpy: \??\C:\Program Files\Softwin\BitDefender9\filespy.sys (autostart)
Floppy Disk Driver: system32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\DRIVERS\fltMgr.sys (system)
Volume Manager Driver: system32\DRIVERS\ftdisk.sys (system)
Gmer: System32\DRIVERS\gmer.sys (manual start)
Generic Packet Classifier: system32\DRIVERS\msgpc.sys (manual start)
Hamachi Network Interface: system32\DRIVERS\hamachi.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: system32\DRIVERS\hidusb.sys (manual start)
hmonitor: \??\C:\WINDOWS\system32\drivers\hmonitor.sys (autostart)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: system32\DRIVERS\i8042prt.sys (system)
InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" (manual start)
CD-Burning Filter Driver: system32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\system32\imapi.exe (manual start)
InCD File System: system32\drivers\InCDFs.sys (disabled)
InCDPass: system32\drivers\InCDPass.sys (system)
InCD Reader: system32\drivers\InCDRm.sys (system)
Intel Processor Driver: system32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\DRIVERS\Ip6Fw.sys (manual start)
IP Traffic Filter Driver: system32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: system32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: system32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: system32\DRIVERS\ipsec.sys (system)
IrDA Protocol: system32\DRIVERS\irda.sys (autostart)
IR Enumerator Service: system32\DRIVERS\irenum.sys (manual start)
Infrared Monitor: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
PnP ISA/EISA Bus Driver: system32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: system32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
BitDefender Desktop Update Service: "C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
LogMeIn Kernel Information Provider: \??\C:\Program Files\LogMeIn\RaInfo.sys (autostart)
LogMeIn Maintenance Service: "C:\Program Files\LogMeIn\RaMaint.exe" (disabled)
LMImirr: system32\DRIVERS\LMImirr.sys (manual start)
LogMeIn: "C:\Program Files\LogMeIn\LogMeIn.exe" (disabled)
Mobile Action MA-620 USB Infrared Adapter: system32\DRIVERS\MA-620.sys (manual start)
Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" (autostart)
Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\system32\mnmsrvc.exe (manual start)
Mouse Class Driver: system32\DRIVERS\mouclass.sys (system)
WebDav Client Redirector: system32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: system32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\system32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: system32\DRIVERS\mssmbios.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
NABTS/FEC VBI Codec: system32\DRIVERS\NABTSFEC.sys (manual start)
Microsoft TV/Video Connection: system32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: system32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: system32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: system32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: system32\DRIVERS\netbios.sys (system)
NetBT: system32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\system32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\system32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: system32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: system32\DRIVERS\nwlnkfwd.sys (manual start)
Office Source Engine: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (manual start)
papycpu: \SystemRoot\system32\drivers\papycpu.sys (system)
papyjoy: \SystemRoot\system32\drivers\papyjoy.sys (system)
Parallel port driver: system32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: system32\DRIVERS\pci.sys (system)
Low level access layer for CD devices: System32\Drivers\Pcouffin.sys (manual start)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
WAN Miniport (PPTP): system32\DRIVERS\raspptp.sys (manual start)
StarForce Protection Environment Driver v6: \SystemRoot\System32\drivers\prodrv06.sys (system)
StarForce Protection Helper Driver v2: System32\drivers\prohlp02.sys (system)
StarForce Protection Synchronization Driver v1: System32\drivers\prosync1.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: system32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: system32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\Drivers\PxHelp20.sys (system)
Remote Access Auto Connection Driver: system32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
WAN Miniport (IrDA): system32\DRIVERS\rasirda.sys (manual start)
WAN Miniport (L2TP): system32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: system32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: system32\DRIVERS\raspti.sys (manual start)
Rdbss: system32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: system32\DRIVERS\redbook.sys (system)
REGSpy: \??\C:\Program Files\Softwin\BitDefender9\regspy.sys (autostart)
Routing and Remote Access: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Microsoft Legacy Modem Driver: System32\Drivers\RootMdm.sys (manual start)
Remote Procedure Call (RPC) Locator: %SystemRoot%\system32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\system32\rsvp.exe (manual start)
Realtek RTL8139/810x/8169/8110 all in one NDIS XP Driver: system32\DRIVERS\Rtlnicxp.sys (manual start)
Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver: system32\DRIVERS\RTL8139.SYS (manual start)
rxp: \??\C:\WINDOWS\system32\drivers\rxp.sys (system)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: system32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Prolific2 Serial port driver: system32\DRIVERS\ser2pl.sys (manual start)
Serenum Filter Driver: system32\DRIVERS\serenum.sys (manual start)
Serial port driver: system32\DRIVERS\serial.sys (system)
StarForce Protection Environment Driver (version 1.x): System32\drivers\sfdrv01.sys (system)
StarForce Protection Helper Driver: System32\drivers\sfhlp01.sys (system)
StarForce Protection Helper Driver (version 2.x): System32\drivers\sfhlp02.sys (system)
StarForce Protection Synchronization Driver (version 2.x): System32\drivers\sfsync02.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
BDA Slip De-Framer: system32\DRIVERS\SLIP.sys (manual start)
smwdm: system32\drivers\smwdm.sys (manual start)
SoundMAX Agent Service: C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (autostart)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
sptd: System32\Drivers\sptd.sys (system)
System Restore Filter Driver: system32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Srv: system32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
StarWind iSCSI Service: C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (autostart)
Windows Image Acquisition (WIA): %SystemRoot%\system32\svchost.exe -k imgsvc (autostart)
BDA IPSink: system32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: system32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\system32\dllhost.exe /Processid:{7E92F0CB-4DDC-4F12-94E1-F6DF3389BC99} (manual start)
Symantec Core LC: "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" (disabled)
symlcbrd: \??\C:\WINDOWS\system32\drivers\symlcbrd.sys (autostart)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: system32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: system32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Microsoft AGPv3.5 Filter: system32\DRIVERS\uagp35.sys (system)
Universal Image Mounter Controller: system32\DRIVERS\UimBus.sys (system)
UIM Drive Backup Image Plugin: System32\Drivers\Uim_IM.sys (system)
Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)
Microcode Update Driver: system32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: system32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: system32\DRIVERS\usbhub.sys (manual start)
USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: system32\DRIVERS\usbuhci.sys (manual start)
Messenger Sharing USN Journal Reader service: C:\WINDOWS\system32\svchost.exe -k usnsvc (manual start)
User Privilege Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Vax347b: system32\DRIVERS\Vax347b.sys (system)
Vax347s: System32\Drivers\Vax347s.sys (system)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
ViaIde: system32\DRIVERS\viaide.sys (system)
viasraid: system32\DRIVERS\viasraid.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
BitDefender Virus Shield: "C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (autostart)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: system32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Windows Defender Service: "C:\Program Files\Windows Defender\MsMpEng.exe" (autostart)
WINIO: \??\C:\WINDOWS\system32\winio.sys (manual start)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\system32\wbem\wmiapsrv.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (disabled)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
World Standard Teletext Codec: system32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
BitDefender Communicator: "C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
XTrapD12: \??\C:\WINDOWS\system32\XTrapD12.sys (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 41,212 bytes
Report generated in 0.172 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

[Vikesrock8411]

Please navigate to C:\Windows\tasks

Right click on Shutdown.job and select properties. Please post what program is listed next to "Run". Do the same for Restart.job

[help_me_pls]

Note that, I created the Shutdown.job and Restart.job.

Shutdown.job
C:\WINDOWS\system32\shutdown.exe -s -f -t 60 -c "Il-kompjuter ser jintefa' kif jiskadi il-ħin indikat. GRAZZI"

Restart.job
C:\WINDOWS\system32\shutdown.exe -r -t 60 -c "Il-kompjuter ser jirristartja kif jiskadi il-ħin indikat. GRAZZI"

[Vikesrock8411]

OK, I was just trying to cover all bases. Let's return to something simple before we continue.

Run Cleanup and choose not to logoff or restart when prompted. If you do not still have Cleanup, please refer to my previous post for instructions.

Then do this:

Open Notepad and copy the text in the box below into it.

@echo off
dir "C:\Documents and Settings\Kurt\Local Settings\Temp" /a /o:n > C:\vikes.txt
Notepad C:\vikes.txt

Save it as Temp.bat and double click to run it. It will pop up Notepad with a log. Please copy the contents of that log here.

[help_me_pls]

Do I need to run cleanup in safe mode?

[Vikesrock8411]

Nope I want you to run it in normal mode please.

[help_me_pls]

Oops! I've done it in Safe Mode as it was noted in the previous post. My mistake, next time, I'll wait for an answer.
Should I redo it in Normal Mode now?

Hers is the log in Safe Mode:

Volume in drive C has no label.
Volume Serial Number is 3E71-1EE8

Directory of C:\Documents and Settings\Kurt\Local Settings\Temp

19/11/2004 15:41 <DIR> .
19/11/2004 15:41 <DIR> ..
17/03/2005 16:25 <DIR> History
17/03/2005 16:25 <DIR> Temporary Internet Files
0 File(s) 0 bytes
4 Dir(s) 34,462,728,192 bytes free

[Vikesrock8411]

No, don't worry about it. I was just trying to save you the trip into Safe Mode. I wanted to make sure that any temp files related to the infection were completely removed.

I would like to confer with my colleagues before proceeding further. I will post as soon as I have new instructions for you.

[Vikesrock8411]

Open GMER and Click the Tab labeled Autostart.

• Check the box labeled "Show All"
• Now Click Scan.
• Once done, click Copy to copy the results then paste them into Notepad. Post them in the next reply.

Open Notepad and copy the text in the box below into it.

@echo off
dir \smss.exe /a /s > File.txt
dir \setup.exe /a /s >> File.txt

Notepad File.txt

Save it as File.bat and double click to run it. It will pop up Notepad with a log. Please copy the contents of that log here.

Copy the URL of this topic to the clipboard, you will need it later. Click here to go to UploadMalware. Type in your username on this forum and paste the address of this topic in the second box. Click the first Browse button and locate the following file:
C:\Documents and Settings\User\Desktop\setup.zip.

Then click Submit File