Computer running very poorly! [RESOLVED]



#1
racinmason001

    Member

  • Member
  • 195 posts
-OK- here we go. I've been trying to get my computer up and running for about three weeks now and everything I try I fail. I've run AVG, Spyware Doctor, Spyware Nuker, Xoftspy, and numerous other scan and repair programs and no success. I have recently discovered with regedit for Windows XP hwclock. I know this is bad, so I removed it and cleaned up my C: drive and reset my system restore like you tell everyone to do, and nothing. I can't get anything to install unless I'm in safe mode, and I'm sure you know that the installer does not run in safe mode; Windows Task Manager will only open in my sys tray, and I cannot download anything from the internet: once the downloads finish the window closes and I don't receive the download, so you might have your work cut out for you on my system. Anyway, enough rambling on about things that just make me want to take my computer out back and blast it with my gauge ;) :) Here is my log; someone help me as soon as possible please.....

Logfile of HijackThis v1.99.1
Scan saved at 11:11:23 PM, on 4/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Hijackthis V1.99.1\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [sysPersonalFirewall] msnmssgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Veritas Patch] veritas.exe
O4 - HKLM\..\Run: [Spyware Nuker] C:\Program Files\Spyware Nuker 2004\swn2.exe /h
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [sysPersonalFirewall] msnmssgr.exe
O4 - HKLM\..\RunServices: [Veritas Patch] veritas.exe
O4 - HKLM\..\RunOnce: [sysPersonalFirewall] msnmssgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0



#2
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
You have a worm and a virus that I can see.

Please run both of these online virus scans:
TrendMicro's HouseCall - check "Auto Clean"
ActiveScan

Copy the results of the ActiveScan and paste them here.
  • 0

#3
racinmason001

    Member

  • Topic Starter
  • Member
  • 195 posts
-OK- See, that's my problem: I cannot download or install anything from the internet because my computer freezes up, so we need to take a different approach if ant to this. :tazz:
  • 0

#4
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Missed that part and went straight to your log, sorry :tazz:

At any rate, reboot into Safe Mode, run HiJackThis, place a check next to the following and click FIX CHECKED:

O4 - HKLM\..\Run: [sysPersonalFirewall] msnmssgr.exe
O4 - HKLM\..\Run: [Veritas Patch] veritas.exe
O4 - HKLM\..\RunServices: [sysPersonalFirewall] msnmssgr.exe
O4 - HKLM\..\RunServices: [Veritas Patch] veritas.exe


Close HiJackThis.

CLICK THIS LINK TO MAKE SURE TO SHOW HIDDEN FILES

Then using windows explorer, look for the following files (in bold) - we're going to look in both the windows and the system32 folder for each one, to be sure. If you find the following files DELETE them!:

C:\Windows\System32\msnmssgr.exe
C:\Windows\System32\veritas.exe
C:\Windows\msnmssgr.exe
C:\Windows\veritas.exe

Post a new HiJackThis log and let me know if you had any problems.

Edited by bananafanafo, 27 April 2005 - 10:19 PM.

  • 0
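The triage the helper did by eye in the post above (the same bare file name, msnmssgr.exe or veritas.exe, registered under Run, RunServices and RunOnce at once, with a label that does not match the binary) can be scripted. The Python below is an added example for this thread, not HijackThis code and not something the poster or the helper wrote. The log lines embedded in it are constructed in the shape of the O4 and O23 lines posted in this thread, and the two rules it applies (a bare name launched from two or more autorun keys; a service with an unknown owner or a missing file) are the example's own heuristics, not HijackThis features.

```python
import re
from collections import defaultdict

# Constructed sample input: HijackThis v1.99.1-style lines in the same shape
# as the logs posted in this thread (O4 = autorun entries, O23 = services).
# This is not a real log file from the original poster.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [sysPersonalFirewall] msnmssgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Veritas Patch] veritas.exe
O4 - HKLM\..\RunServices: [sysPersonalFirewall] msnmssgr.exe
O4 - HKLM\..\RunServices: [Veritas Patch] veritas.exe
O4 - HKLM\..\RunOnce: [sysPersonalFirewall] msnmssgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Internet Service Manager (INETSVC) - Unknown owner - C:\WINDOWS\INETSVC.EXE
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINDOWS\System32\SCardClnt.exe (file missing)
"""

# O4 registry autoruns: "O4 - HKLM\..\RunServices: [label] command"
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$')
# O23 services: "O23 - Service: Display Name (short) - Vendor - path"
O23_RE = re.compile(r'^O23 - Service: (.*?) \(([^)]+)\) - (.*?) - (.*)$')


def executable_of(command):
    """Return the program part of an autorun command: the quoted path if the
    command starts with a quote, otherwise the first whitespace-separated token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def parse_o4(text):
    """Yield (hive, key, label, executable) for every registry O4 line."""
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, key, label, command = m.groups()
            yield hive, key, label, executable_of(command)


def triage_autoruns(text):
    """Map each executable to the autorun keys that launch it and return the
    ones matching the pattern acted on in this thread: a bare file name (no
    directory, so Windows resolves it through the search path) registered under
    two or more autorun keys. A bare name alone is not enough evidence (nwiz.exe
    and RUNDLL32.EXE are bare too), so only the combination is reported."""
    keys_by_exe = defaultdict(set)
    for hive, key, label, exe in parse_o4(text):
        keys_by_exe[exe.lower()].add(f"{hive}\\{key}")
    suspicious = {}
    for exe, keys in keys_by_exe.items():
        if "\\" not in exe and len(keys) >= 2:
            suspicious[exe] = sorted(keys)
    return suspicious


def triage_services(text):
    """Return (short name, reason) for O23 services worth a second look: no
    vendor name in the binary's version info ("Unknown owner") or a registered
    binary that is no longer on disk ("(file missing)")."""
    findings = []
    for line in text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        display, short, owner, path = m.groups()
        reasons = []
        if owner == "Unknown owner":
            reasons.append("unknown owner")
        if path.endswith("(file missing)"):
            reasons.append("file missing")
        if reasons:
            findings.append((short, ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    for exe, keys in triage_autoruns(SAMPLE_LOG).items():
        print(f"{exe}: launched from {', '.join(keys)}")
    for short, reason in triage_services(SAMPLE_LOG):
        print(f"service {short}: {reason}")
```

Run on the constructed sample, this reports msnmssgr.exe and veritas.exe, the two names the helper picked out, while leaving nwiz.exe and RUNDLL32.EXE alone; on the services side it points at INETSVC and SCardClnt for review rather than declaring them malicious. The script only narrows down what to look at; removing the entries and the files is still the HiJackThis and Explorer procedure described in the post.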

#5
racinmason001

    Member

  • Topic Starter
  • Member
  • 195 posts
-OK- I was able to find veritas.exe, but it was in a prefetch folder, if that matters, and I could not find msnmssgr.exe anywhere, and it still seems to be in my HijackThis log. A new issue has come up with Norton AntiVirus: it pops up at startup saying I've got a trojan horse, file name is C:\Windows\System32\rdriv.sys, but when I search for it I can't find it. So here is my log, and thank you for the help. I also wanted to know if PayPal is the only way I can make a donation or is there another way. :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 11:45:53 PM, on 4/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Spyware Nuker 2004\swn2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BigFix\BigFix.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Hijackthis V1.99.1\HijackThis.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\INETSVC.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\joey\Application Data\Mozilla\Profiles\default\mf3wdok9.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Spyware Nuker] C:\Program Files\Spyware Nuker 2004\swn2.exe /h
O4 - HKLM\..\Run: [CT Control Settings] CTSVCCD.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\RunServices: [CT Control Settings] CTSVCCD.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [sysPersonalFirewall] msnmssgr.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Internet Service Manager (INETSVC) - Unknown owner - C:\WINDOWS\INETSVC.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINDOWS\System32\SCardClnt.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

#6
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
If you were performing a search, it's most likely the files won't show up that way. You did set your system to show hidden files? Go into Windows Explorer (Start > All Programs > Accessories > Windows Explorer) to find those files. They are there and they are nasty! We need to get them out! It's good that you deleted it out of prefetch :tazz:

Edited by bananafanafo, 20 May 2005 - 01:47 AM.

  • 0

#7
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Since you can't download any programs...SOO glad you were able to get HiJackThis :tazz:

Let's try this to see if we can find any other files that need to go:

*Open HijackThis.
*Click on "None of the above, just start the program"
*Click Config (bottom right)
*Click Misc Tools
*make sure that both boxes beside "Generate StartupList Log" are checked:

List all minor sections(Full)

and

List Empty Sections(Complete)

Click "Generate StartupList Log".
Click "Yes" at the prompt

It will produce a NotePad Page. I need you to copy the entire contents of that page and paste it here.
  • 0

#8
racinmason001

    Member

  • Topic Starter
  • Member
  • 195 posts
Alright, I've deleted the files you told me to delete and even found a hwclock.exe file lingering around and deleted him. Here is my startup list log; lookin' forward to hearing from ya.

StartupList report, 4/28/2005, 1:08:14 AM
StartupList version: 1.52.2
Started from : C:\Hijackthis V1.99.1\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe
C:\Program Files\Spyware Nuker 2004\swn2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BigFix\BigFix.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\wanmpsvc.exe
C:\Hijackthis V1.99.1\HijackThis.exe
C:\WINDOWS\INETSVC.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\joey\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
BigFix.lnk = C:\Program Files\BigFix\BigFix.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
NAV CfgWiz = C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
Spyware Nuker = C:\Program Files\Spyware Nuker 2004\swn2.exe /h
CT Control Settings = CTSVCCD.EXE
Symantec NetDriver Monitor = C:\PROGRA~1\SYMNET~1\SNDMon.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

CT Control Settings = CTSVCCD.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{306D6C21-C1B6-4629-986C-E59E1875B8AF}]
StubPath = "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*No subkeys found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
(no name) - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll - {B56A7D7D-6927-48C8-A975-17DF180C71AC}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer - joey.job
Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai...61001/housecall.trendmicro.com/housecall/xscan53.cab

[Java Plug-in 1.3.1]
InProcServer32 = C:\Program Files\JavaSoft\JRE\1.3.1\bin\npjava131.dll
CODEBASE = http://java.sun.com/.../jinstall-131-win.cab

[Java Plug-in 1.3.1]
InProcServer32 = C:\Program Files\JavaSoft\JRE\1.3.1\bin\npjava131.dll
CODEBASE = http://java.sun.com/.../jinstall-131-win.cab

[Java Plug-in 1.3.1_02]
InProcServer32 = C:\Program Files\JavaSoft\JRE\1.3.1_02\bin\npjava131_02.dll
CODEBASE = http://java.sun.com/.../jinstall-131_02-win.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Service for Realtek AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AOL Connectivity Service: C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (autostart)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (autostart)
Symantec Password Validation: "C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe" (manual start)
Symantec Settings Manager: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
HSFHWBS2: System32\DRIVERS\HSFHWBS2.sys (manual start)
HSF_DP: System32\DRIVERS\HSF_DP.sys (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
ialm: System32\DRIVERS\ialmnt5.sys (manual start)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
Internet Service Manager: "C:\WINDOWS\INETSVC.EXE" (autostart)
IntelIde: System32\DRIVERS\intelide.sys (system)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
mdmxsdk: System32\DRIVERS\mdmxsdk.sys (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing:

C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys

(system)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys

(manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator:

C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V

(manual start)
Microsoft Streaming Service Proxy:

system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy:

system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy:

system32\drivers\MSPQM.sys (manual start)
Norton AntiVirus Auto Protect Service: "C:\Program

Files\Norton AntiVirus\navapsvc.exe" (autostart)
NAVENG:

\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050427.008\

NAVENG.Sys (manual start)
NAVEX15:

\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050427.008\

NavEx15.Sys (manual start)
Remote Access NDIS TAPI Driver:

System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys

(manual start)
Remote Access NDIS WAN Driver:

System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBT: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual

start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe

(manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (manual

start)
Network Connections: %SystemRoot%\System32\svchost.exe

-k netsvcs (manual start)
Network Location Awareness (NLA):

%SystemRoot%\System32\svchost.exe -k netsvcs (manual

start)
NT LM Security Support Provider:

%SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k

netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
NVIDIA Display Driver Service:

%SystemRoot%\System32\nvsvc32.exe (autostart)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys

(manual start)
IPX Traffic Forwarder Driver:

System32\DRIVERS\nwlnkfwd.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys

(manual start)
Panda Process Protection Driver:

\??\C:\WINDOWS\System32\DRIVERS\PavProc.sys (autostart)
Panda Process Protection Service: "C:\Program

Files\Common Files\Panda Software\PavShld\pavprsrv.exe"

(autostart)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe

(autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe

(autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys

(manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe

(autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys

(manual start)
Direct Parallel Link Driver:

System32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver:

System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager:

%SystemRoot%\System32\svchost.exe -k netsvcs (manual

start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys

(manual start)
Remote Access Connection Manager:

%SystemRoot%\System32\svchost.exe -k netsvcs (manual

start)
Remote Access PPPOE Driver:

System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual

start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
rdriv: \??\C:\WINDOWS\system32\rdriv.sys (manual start)
Remote Desktop Help Session Manager:

C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver:

System32\DRIVERS\redbook.sys (system)
Routing and Remote Access:

%SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator:

%SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC):

%SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Realtek RTL8139/810X Family PCI Fast Ethernet NIC NT

Driver: System32\DRIVERS\RTL8139.SYS (manual start)
Security Accounts Manager:

%SystemRoot%\system32\lsass.exe (autostart)
SAVRT: \??\C:\Program Files\Norton AntiVirus\SAVRT.SYS

(system)
SAVRTPEL: \??\C:\Program Files\Norton

AntiVirus\SAVRTPEL.SYS (system)
SAVScan: C:\Program Files\Norton AntiVirus\SAVScan.exe

(autostart)
ScriptBlocking Service:

C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

(autostart)
Smart Card Client: C:\WINDOWS\System32\SCardClnt.exe

(autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe

(manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual

start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k

netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k

netsvcs (autostart)
System Event Notification:

%SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys

(manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Internet Connection Firewall (ICF) / Internet Connection

Sharing (ICS): %SystemRoot%\System32\svchost.exe -k

netsvcs (autostart)
Shell Hardware Detection:

%SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Symantec Network Drivers Service: "C:\Program

Files\Common Files\Symantec Shared\SNDSrvc.exe" (manual

start)
Microsoft Kernel Audio Splitter:

system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe

(autostart)
System Restore Filter Driver:

\SystemRoot\System32\DRIVERS\sr.sys (disabled)
System Restore Service:

%SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service:

%SystemRoot%\System32\svchost.exe -k LocalService

(manual start)
Windows Image Acquisition (WIA):

%SystemRoot%\System32\svchost.exe -k imgsvc (manual

start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual

start)
Microsoft Kernel GS Wavetable Synthesizer:

system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider:

C:\WINDOWS\System32\dllhost.exe

/Processid:{96FFF8EF-18F1-4432-A5EA-B72198048EEF}

(manual start)
SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS

(manual start)
SYMREDRV: \SystemRoot\System32\Drivers\SYMREDRV.SYS

(manual start)
SYMTDI: \SystemRoot\System32\Drivers\SYMTDI.SYS (system)
Microsoft Kernel System Audio Device:

system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts:

%SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs

(manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys

(system)
Teefer for NT: SYSTEM32\Drivers\Teefer.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys

(system)
Terminal Services: %SystemRoot%\System32\svchost.exe -k

netsvcs (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs

(autostart)
Distributed Link Tracking Client:

%SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys

(manual start)
Upload Manager: %SystemRoot%\System32\svchost.exe -k

netsvcs (autostart)
Universal Plug and Play Device Host:

%SystemRoot%\System32\svchost.exe -k LocalService

(manual start)
Uninterruptible Power Supply:

%SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport

Driver: System32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual

start)
Microsoft USB Universal Host Controller Miniport Driver:

System32\DRIVERS\usbuhci.sys (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe

(manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k

netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys

(manual start)
WAN Miniport (ATW): System32\DRIVERS\wanatw4.sys (manual

start)
WAN Miniport (ATW) Service: "C:\WINDOWS\wanmpsvc.exe"

(autostart)
Microsoft WINMM WDM Audio Compatibility Driver:

system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k

LocalService (autostart)
winachsf: System32\DRIVERS\HSF_CNXT.sys (manual start)
Windows Management Instrumentation:

%systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service:

%SystemRoot%\System32\svchost.exe -k netsvcs (manual

start)
WMI Performance Adapter:

C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
wpsdrvnt: \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys

(system)
Automatic Updates: %systemroot%\system32\svchost.exe -k

netsvcs (autostart)
Wireless Zero Configuration:

%SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Intel® Graphics Platform (SoftBIOS) Driver:

system32\drivers\ialmsbw.sys (manual start)
Intel® Graphics Chipset (KCH) Driver:

system32\drivers\ialmkchw.sys (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\

Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\

Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 31,023 bytes
Report generated in 0.407 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and

unsuspicious data
/full - to include several rarely-important

sections
/force9x - to include Win9x-only startups even if

running on WinNT
/forcent - to include WinNT-only startups even if

running on Win9x
/forceall - to include all Win9x and WinNT startups,

regardless of platform
/history - to list version history only

#9
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Ok, whew! Done looking over that log...what you have hiding is nasty, nasty! It's a Trojan Horse that basically roots itself. It adds itself to the registry, creates files, prevents Service Pack 2 from being installed, changes security settings, and is probably the reason you can't download programs. I'm going to have to figure out exactly what we have to do, but I need to go to bed right now (4 am) and I will be back in a few hours.

I highly recommend staying off the Internet as much as possible, better yet, shutdown your computer!!

I'll see you in a few! :tazz:

#10
racinmason001

    Member

  • Topic Starter
  • Member
  • 195 posts
-OK- I'll get started tomorrow after work. It's 4am where you are and it's 2am where I am, so you'll hear from me again around 7pm your time tomorrow, and I'll tell everyone to stay off the computer. Thanks for all your help :tazz: ;) ;)

#11
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
You're welcome! :tazz:

#12
racinmason001

    Member

  • Topic Starter
  • Member
  • 195 posts
-OK- I got off work early, so if you're available I will be around the comp for a few hours. :tazz:

#13
racinmason001

    Member

  • Topic Starter
  • Member
  • 195 posts
-OK- I'm off work early and ready when you are!

#14
racinmason001

    Member

  • Topic Starter
  • Member
  • 195 posts
Sorry for the double post.

#15
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
:tazz: I'll be back in about 10-15 minutes so we can get this thing going!!