Zonealarm keeps finding the virus not-a-virus:RemoteAdmin.Win32.WinVNC-based.f, located in H:\WINDOWS\Temp\$201D01EC.t$m (H is my main drive). I quarantine it and it keeps coming back. Please help. I had my Hotmail account hacked and couldnt figure out how they got password. I dont know what this virus does but I keep thinking this is how they got it.
I am running XP Pro SP2. Using ZoneAlarm and AVG Free Edition
I just ran Malware Bytes and it found HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> It was Quarantined and deleted successfully. I dont know if this was the problem or not. All help is appreciated.
Here is the Hijackthis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:34:41 AM, on 6/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Windows Defender\MsMpEng.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\ZoneLabs\vsmon.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
H:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
H:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
H:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
H:\WINDOWS\system32\cisvc.exe
H:\Program Files\Common Files\LightScribe\LSSrvc.exe
H:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
H:\WINDOWS\system32\mnmsrvc.exe
H:\WINDOWS\system32\rundll32.exe
H:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
H:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\WINDOWS\system32\HPZipm12.exe
H:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
H:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
H:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
H:\WINDOWS\system32\cidaemon.exe
H:\WINDOWS\system32\cidaemon.exe
H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
H:\Program Files\ACD Systems\ACDSee\10.0\ACDSee10.exe
H:\WINDOWS\Explorer.EXE
H:\PROGRA~1\Grisoft\AVG7\avgcc.exe
H:\Program Files\Windows Defender\MSASCui.exe
H:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
H:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Vidalia Bundle\Tor\tor.exe
H:\Program Files\Mozilla Firefox\firefox.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\TomTom HOME 2\HOMERunner.exe
H:\Program Files\NewsLeecher\newsLeecher.exe
H:\Program Files\Windows Media Player\wmplayer.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\Documents and Settings\Administrator 2\Desktop\anapod_905_pw.exe
H:\Documents and Settings\Administrator 2\Desktop\anapod_905_pw.exe
H:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - H:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - H:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - H:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - H:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - H:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [AVG7_CC] H:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "H:\Program Files\RivaTuner v2.06\RivaTuner.exe" /S
O4 - HKLM\..\Run: [Windows Defender] "H:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "H:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Vidalia] "H:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "H:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [SpybotSD TeaTimer] H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ccleaner] "H:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKCU\..\Run: [TomTomHOME.exe] "H:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] H:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] H:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] H:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] H:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - H:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - H:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - H:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1189774913359
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1189930557921
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - H:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - H:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ashampoo AntiSpyWare 2 Service (AASW2_Service) - Unknown owner - H:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
O23 - Service: Adobe LM Service - Adobe Systems - H:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - H:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - H:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - H:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - H:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - H:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - H:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - H:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - H:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - H:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - H:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - H:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - H:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - H:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - H:\WINDOWS\system32\HPZipm12.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - - H:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - H:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - H:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - H:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 11779 bytes
Here is the Start up Log
StartupList report, 6/7/2008, 9:42:28 AM
StartupList version: 1.52.2
Started from : H:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16640)
* Using default options
* Showing rarely important sections
==================================================
Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Windows Defender\MsMpEng.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\ZoneLabs\vsmon.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
H:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
H:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
H:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
H:\WINDOWS\system32\cisvc.exe
H:\Program Files\Common Files\LightScribe\LSSrvc.exe
H:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
H:\WINDOWS\system32\mnmsrvc.exe
H:\WINDOWS\system32\rundll32.exe
H:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
H:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\WINDOWS\system32\HPZipm12.exe
H:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
H:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
H:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
H:\WINDOWS\system32\cidaemon.exe
H:\WINDOWS\system32\cidaemon.exe
H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
H:\Program Files\ACD Systems\ACDSee\10.0\ACDSee10.exe
H:\WINDOWS\Explorer.EXE
H:\PROGRA~1\Grisoft\AVG7\avgcc.exe
H:\Program Files\Windows Defender\MSASCui.exe
H:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
H:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Vidalia Bundle\Tor\tor.exe
H:\Program Files\Mozilla Firefox\firefox.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\TomTom HOME 2\HOMERunner.exe
H:\Program Files\NewsLeecher\newsLeecher.exe
H:\Program Files\Windows Media Player\wmplayer.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\Documents and Settings\Administrator 2\Desktop\anapod_905_pw.exe
H:\Documents and Settings\Administrator 2\Desktop\anapod_905_pw.exe
H:\Program Files\Trend Micro\HijackThis\HijackThis.exe
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = H:\WINDOWS\system32\userinit.exe,
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
AVG7_CC = H:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
RivaTunerStartupDaemon = "H:\Program Files\RivaTuner v2.06\RivaTuner.exe" /S
Windows Defender = "H:\Program Files\Windows Defender\MSASCui.exe" -hide
NvCplDaemon = RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
ZoneAlarm Client = "H:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Vidalia = "H:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
ctfmon.exe = H:\WINDOWS\system32\ctfmon.exe
NVIDIA nTune = "H:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
SpybotSD TeaTimer = H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
ccleaner = "H:\Program Files\CCleaner\CCleaner.exe" /AUTO
TomTomHOME.exe = "H:\Program Files\TomTom HOME 2\HOMERunner.exe"
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
[OptionalComponents]
=
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
[AdobeUpdater]
=
--------------------------------------------------
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)
[<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}] *
StubPath = H:\WINDOWS\system32\ieudinit.exe
[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = H:\WINDOWS\inf\unregmp2.exe /ShowWMP
[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = H:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll
[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = H:\WINDOWS\system32\ie4uinit.exe -BaseSettings
[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = h:\WINDOWS\system32\Rundll32.exe h:\WINDOWS\system32\mscories.dll,Install
--------------------------------------------------
Shell & screensaver key from H:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Checking for EXPLORER.EXE instances:
H:\WINDOWS\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
H:\WINDOWS\Explorer\Explorer.exe: not present
H:\WINDOWS\System\Explorer.exe: not present
H:\WINDOWS\System32\Explorer.exe: not present
H:\WINDOWS\Command\Explorer.exe: not present
H:\WINDOWS\Fonts\Explorer.exe: not present
--------------------------------------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: *Registry value not found*
.jse: not hidden
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - H:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll - {00C6482D-C502-44C8-8409-FCE54AD9C208}
(no name) - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll - {02478D38-C3F9-4efb-9B51-7695ECA05670}
(no name) - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
Skype add-on (mastermind) - H:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll - {22BF413B-C6D2-4d91-82A9-A0F997BA588C}
(no name) - H:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - H:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL - {72853161-30C5-4D22-B7F9-0BBC1D38A37E}
(no name) - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
--------------------------------------------------
Enumerating Task Scheduler jobs:
AppleSoftwareUpdate.job
MP Scheduled Scan.job
--------------------------------------------------
Enumerating Download Program Files:
[Trend Micro ActiveX Scan Agent 6.6]
InProcServer32 = H:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll
CODEBASE = http://housecall65.t...ivex/hcImpl.cab
[WUWebControl Class]
InProcServer32 = H:\WINDOWS\system32\wuweb.dll
CODEBASE = http://www.update.mi...b?1189774913359
[MUWebControl Class]
InProcServer32 = H:\WINDOWS\system32\muweb.dll
CODEBASE = http://www.update.mi...b?1189930557921
[{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]
CODEBASE = http://fpdownload.ma...t/ultrashim.cab
[Shockwave Flash Object]
InProcServer32 = H:\WINDOWS\system32\Macromed\Flash\Flash9d.ocx
CODEBASE = http://fpdownload2.m...ash/swflash.cab
--------------------------------------------------
Enumerating Winsock LSP files:
NameSpace #4: H:\Program Files\Bonjour\mdnsNSP.dll
Protocol #1: H:\WINDOWS\system32\nvappfilter.dll
Protocol #2: H:\WINDOWS\system32\nvappfilter.dll
Protocol #3: H:\WINDOWS\system32\nvappfilter.dll
Protocol #9: H:\WINDOWS\system32\nvappfilter.dll
--------------------------------------------------
Enumerating Windows NT/2000/XP services
Ashampoo AntiSpyWare 2 Service: H:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe (autostart)
Adobe Active File Monitor V6: H:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe (autostart)
AntiVir PersonalEdition Classic Scheduler: "H:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe" (autostart)
AntiVir PersonalEdition Classic Guard: "H:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe" (autostart)
Apple Mobile Device: "H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe" (autostart)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
AVG7 Alert Manager Server: H:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (autostart)
AVG7 Update Service: H:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (autostart)
Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Indexing Service: %SystemRoot%\system32\cisvc.exe (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
GoProto Protocol Driver for LELA: system32\DRIVERS\elagopro.sys (autostart)
UniDriver for LELA: system32\DRIVERS\elaunidr.sys (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
ForceWare Intelligent Application Manager (IAM): H:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe (autostart)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
LightScribeService Direct Disc Labeling Service: "H:\Program Files\Common Files\LightScribe\LSSrvc.exe" (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
LVCOMSer: "H:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe" (autostart)
Process Monitor: "H:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe" (autostart)
LVSrvLauncher: H:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe (autostart)
NetMeeting Remote Desktop Sharing: H:\WINDOWS\system32\mnmsrvc.exe (autostart)
Nero BackItUp Scheduler 3: H:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe (autostart)
ForceWare IP service: H:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe (autostart)
nTune Service: H:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe /StartService (autostart)
NVIDIA Display Driver Service: %SystemRoot%\system32\nvsvc32.exe (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
Pml Driver HPZ12: H:\WINDOWS\system32\HPZipm12.exe (autostart)
IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QuickBooks Database Manager Service: "H:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe" (autostart)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Image Acquisition (WIA): %SystemRoot%\system32\svchost.exe -k imgsvc (autostart)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Ulead Burning Helper: H:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (autostart)
TrueVector Internet Monitor: H:\WINDOWS\system32\ZoneLabs\vsmon.exe -service (autostart)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Windows Defender: "H:\Program Files\Windows Defender\MsMpEng.exe" (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
--------------------------------------------------
Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*
Windows NT checkdisk command:
BootExecute = autocheck autochk *
Windows NT 'Wininit.ini':
PendingFileRenameOperations: H:\DOCUME~1\ADMINI~2\LOCALS~1\TEMPOR~1\Content.IE5\index.dat||H:\DOCUME~1\ADMINI~2\Cookies\index.dat||H:\DOCUME~1\ADMINI~2\LOCALS~1\History\History.IE5\index.dat|||~
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: H:\WINDOWS\system32\SHELL32.dll
CDBurn: H:\WINDOWS\system32\SHELL32.dll
WebCheck: H:\WINDOWS\system32\webcheck.dll
SysTray: H:\WINDOWS\system32\stobject.dll
WPDShServiceObj: H:\WINDOWS\system32\WPDShServiceObj.dll
UPnPMonitor: H:\WINDOWS\system32\upnpui.dll
--------------------------------------------------
End of report, 16,244 bytes
Report generated in 0.188 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only